Researchers describe a KONNI variant delivered through a backdoored Russian-language installer for a MID consular tool called Statistika KZU, highlighting DPRK-linked activity targeting the Russian Ministry of Foreign Affairs. The backdoored installer carries a KONNI payload alongside the tool's own ViPNet-based automated consular reporting to the MID, and it remains an open question whether the underlying installer is a genuine MID build. #KONNI #TA406 #GosNIIAS #MID #StatistikaKZU #SpravkiBK
Keypoints
- A KONNI sample uploaded to VirusTotal in January 2024 is linked to North Korea–associated activity targeting the Russian Ministry of Foreign Affairs (MID).
- The KONNI payload was delivered via a backdoored Russian-language installer for the tool “Statistika KZU,” suggesting a targeted supply-chain-style delivery.
- Statistika KZU appears to be an internal MID tool for consular statistics, with user manuals and install paths indicating use in overseas consulates.
- The installer configures automatic reporting to the MID over ViPNet, a Russian secure VPN client, embedding an automated reporting workflow.
- C2 communication is conducted over HTTP, and the malware stores its C2 endpoints and keys in a configuration file encrypted with AES-CTR.
- The backdoored installer and KONNI components carry legitimate-looking names and internal documentation, prompting questions about whether the installer is genuine and whether it was ever publicly available.
MITRE Techniques
- [T1543.003] Create or Modify System Process: Windows Service – Used to achieve persistence by “setting up the Windows service for persistence and execution simultaneously.”
- [T1195] Supply Chain Compromise – Delivery via a backdoored installer for Statistika KZU, a tool associated with MID consular workflows. “backdoored installer … Spravki BK”
- [T1059.005] VBScript – The sample involved a “VBScript and a small executable performing the same tasks.”
- [T1071.001] Web Protocols – Command and control communication described as “done via HTTP.”
- [T1027] Obfuscated/Encrypted Files and Information – The configuration file containing C2 servers is “encrypted using AES-CTR, with the service name used as key.”
- [T1036] Masquerading – The service name is chosen to be inconspicuous, e.g., “Windows image Acquisition Service” to resemble legitimate Windows services.
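The persistence and masquerading techniques above (a service named to resemble the genuine Windows Image Acquisition service, loading a DLL named like wiasvc32.dll or wiasvc64.dll) can be hunted for directly on a suspect host. The following PowerShell hunt is an added example, not code from the original report. It assumes the legitimate WIA service is registered under the short name `stisvc` with the display name "Windows Image Acquisition (WIA)", that a malicious lookalike would be hosted from a `Parameters\ServiceDll` or `ImagePath` outside `%SystemRoot%`, and that the script is run elevated; none of those details come from the report.

```powershell
# Added hunt example (author's code, not from the report): look for a Windows service that
# mimics the genuine Windows Image Acquisition service (T1543.003 + T1036).
# Assumptions: real WIA short name is 'stisvc'; a rogue copy is likely hosted via svchost from
# a ServiceDll outside %SystemRoot%. Run in an elevated PowerShell session.

$iocDlls  = @('wiasvc32.dll', 'wiasvc64.dll')          # DLL names listed in the report's IoCs
$sysRoot  = [regex]::Escape($env:SystemRoot)
$services = Get-CimInstance -ClassName Win32_Service

$findings = foreach ($svc in $services) {
    $reasons = @()

    # Display name resembles WIA but the registered short name is not the genuine one
    if ($svc.DisplayName -match 'Windows\s+Image\s+Acquisition' -and $svc.Name -ne 'stisvc') {
        $reasons += 'WIA-lookalike display name'
    }

    # svchost-hosted services load their code from Parameters\ServiceDll; resolve it if present
    $paramKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $serviceDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) { $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll) }

    # Either the ImagePath or the ServiceDll references one of the IoC DLL names
    foreach ($dll in $iocDlls) {
        $pattern = [regex]::Escape($dll)
        if ($svc.PathName -match $pattern -or ($serviceDll -and $serviceDll -match $pattern)) {
            $reasons += "references IoC DLL $dll"
        }
    }

    # A flagged service whose code lives outside the Windows directory is doubly suspect
    if ($reasons -and $serviceDll -and $serviceDll -notmatch "^$sysRoot") {
        $reasons += "ServiceDll outside SystemRoot: $serviceDll"
    }

    if ($reasons) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            ImagePath   = $svc.PathName
            ServiceDll  = $serviceDll
            Reasons     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No WIA-lookalike or IoC-referencing services found.' }
```

The display-name match is deliberately loose (whitespace-insensitive, case-insensitive by PowerShell default) so that variants such as "Windows image Acquisition Service" are caught; the short-name check against `stisvc` is what separates the lookalike from the real service, so verify that assumption against a known-clean host of the same Windows build before relying on it.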
Indicators of Compromise
- [File] Backdoored installer components – StatRKZU.msi, wiasvc32.dll, and wiasvc64.dll
- [SHA256] Sample hashes – 58bcd90f6f04c005c892267a3dfe91d1154d064482b07715ad5802f57c1ea32d, 9339eaf1d77bb0324e393a08a6180fe0658761fc0cd20ba25081963286dfb9c7
- [Domain] Command-and-control domains – victory-2024.mywebcommunity.org, 3cym4ims.medianewsonline.com
- [Domain] Additional C2 domains – j1p75639.medianewsonline.com, 99695njd.myartsonline.com
- [Path] Install path – C:\ConsulSoft\StatRKZU
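The indicators above can be turned into a host sweep. The following PowerShell script is an added example, not code from the report: it checks for the install directory, looks for the listed filenames under a few search roots, compares SHA256 hashes of any matches against the listed sample hashes, and checks the local DNS client cache for the C2 domains. The search roots are the author's choice, and the DNS cache only reflects recent lookups, so a miss there is not evidence of absence; proxy and DNS server logs should be checked as well.

```powershell
# Added IoC sweep example (author's code, not from the report).
# Assumptions: the search roots below are an analyst's guess at likely drop locations;
# Get-DnsClientCache requires Windows 8 / Server 2012 or later. Run elevated.

$iocHashes  = @(
    '58bcd90f6f04c005c892267a3dfe91d1154d064482b07715ad5802f57c1ea32d',
    '9339eaf1d77bb0324e393a08a6180fe0658761fc0cd20ba25081963286dfb9c7'
)
$iocFiles   = @('StatRKZU.msi', 'wiasvc32.dll', 'wiasvc64.dll')
$iocDomains = @(
    'victory-2024.mywebcommunity.org', '3cym4ims.medianewsonline.com',
    'j1p75639.medianewsonline.com',   '99695njd.myartsonline.com'
)
$installDir = 'C:\ConsulSoft\StatRKZU'

# Roots walked recursively (author's assumption) and system DLL dirs checked directly
$recurseRoots = @($installDir, $env:ProgramData, $env:TEMP, "$env:USERPROFILE\Downloads")
$systemDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$hits = @()

function Add-FileHit([System.IO.FileInfo]$file) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $detail = if ($hash -and ($iocHashes -contains $hash.ToLower())) { 'SHA256 matches IoC' } else { 'IoC filename or install-dir file' }
    $script:hits += [pscustomobject]@{ Type = 'File'; Value = $file.FullName; Detail = "$detail; sha256=$hash" }
}

# 1. Install path itself
if (Test-Path $installDir) {
    $hits += [pscustomobject]@{ Type = 'Path'; Value = $installDir; Detail = 'install directory present' }
}

# 2. IoC filenames (and everything under the install dir) in the recursive roots
foreach ($root in ($recurseRoots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $iocFiles -contains $_.Name -or $_.FullName -like "$installDir\*" } |
        ForEach-Object { Add-FileHit $_ }
}

# 3. Direct check of the system DLL directories without recursing them
foreach ($dir in $systemDirs) {
    foreach ($name in $iocFiles) {
        $candidate = Join-Path $dir $name
        if (Test-Path $candidate) { Add-FileHit (Get-Item $candidate) }
    }
}

# 4. C2 domains in the DNS client cache (recent lookups only)
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($iocDomains -contains $entry.Entry) {
        $hits += [pscustomobject]@{ Type = 'DNS'; Value = $entry.Entry; Detail = "cached record -> $($entry.Data)" }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { 'No IoC matches on this host.' }
```

A filename match alone is weak evidence, since the report leaves open whether the installer is a legitimate MID build; a SHA256 match against the listed sample hashes, or a DNS cache entry for one of the C2 domains, is the finding that should trigger escalation.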