To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer
2024-02-21 • DCSO
DCSO analyzed a KONNI sample uploaded to VirusTotal in January 2024 and assesses it as likely North Korea-linked activity targeting Russia's Ministry of Foreign Affairs (MID). The malware was bundled into a Russian-language installer for a suspected internal consular reporting tool called Statistika KZU, which the bundled manuals describe as software for sending annual reports from overseas consulates to the MID through ViPNet. DCSO connects the delivery method to earlier KONNI use of backdoored Russian software installers, including a 2023 Spravki BK sample, and to similar activity against the Russian MID reported in 2021. The source is notable because it shows DPRK-linked KONNI operators backdooring trusted administrative software rather than relying only on document lures.
Indicators of Compromise