Meeting the “Ministrer” | Fortinet Blog

Things not always being as they seem is a common adage that lends itself well to the cyber world. Phishing tries explicitly to convince an email recipient that a message is legitimate and trustworthy when it is not. This applies equally to cases where the sender is interested in criminal exploits or nation-state activity.

FortiGuard Labs recently came across an unassuming phishing email that proved to be far more than it initially seemed. Written in Russian, it attempts to lure the recipient into deploying malware on their system. The actions used to execute this strategy are consistent with previous instances of Konni, a remote administration tool (RAT) that has been tied to the group APT 37 (aka: Ricochet Chollima, InkySquid, ScarCruft, Reaper, and Group123). This group has been known to align its targeting and objectives with those of the government of the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium

The Phishing Email

As mentioned, the email is unassuming and streamlined. It aims to appear official by spoofing an address for the Consulate General of Russia in Shenyang, China. It is targeted at another Russian government address.

Interestingly, the subject of the message is “Re: Посольство России в Японии”, which translates to “Re: Russian Embassy in Japan”. This technique of including a previous thread in the email is commonly used in an attempt to look more credible to the recipient.

The body text of the email asks the recipient to check the attached details to execute a request for a transfer of funds between the sender and receiver.

Attached to the email is a Zip archive, “Donbass.zip”. This is interesting because this is the English spelling of an area of Ukraine.

Donbass.zip

Contained within the Zip archive are two Microsoft PowerPoint files, “_Pyongyang in talks with Moscow on access to Donbass.pptx” and “Donbass.ppam”

File 1: _Pyongyang in talks with Moscow on access to Donbass.pptx

This PowerPoint file is actually a decoy. The slide deck contains news referencing high-level meetings between the DPRK and the Donetsk Peoples Republic (DPR). Links between the two entities were covered by mainstream news outlets around the time this file was created.

While Figure 6 shows several hyperlinks embedded in the file, all are benign. They simply direct traffic to an Internet news source. Two additional slides in Russian are just text.

There are no macros present in the file or anything that could be considered malicious.

File 2: Donbass.ppam

PPAM is an add-in file format used by Microsoft PowerPoint and generally requires the application to open. Should that occur, a malicious macro will execute.

The macro initially presents the user with the message box in Figure 8. Using a command prompt, it then deposits a large block of base 64-encoded text into a file called “oup.dat” that is then stored within the user’s “temp” directory (%TMP%). Using the Microsoft “Certutil” tool (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), the encoded text within “oup.dat” is then decoded to “oup.vbs”, a VBScript file that will be deposited into the Microsoft Office directory (%LOCALAPPDATA%MicrosoftOffice).

As shown in Figure 9, “oup.vbs” has two purposes. The first is to create a scheduled task called “Office Updatev2.2”. The purpose of this task is to continually run “oup.vbs” once every 5 minutes.

The second purpose of “oup.vbs” is to execute a base 64-encoded PowerShell command. 

The PowerShell command attempts to provide some environment information (e.g., machine name) and connect to a URL at gg1593[.]c1[.]biz. This domain points to IP address185[.]176[.]43[.]106. As of the time of this writing, however, the command and control (C2) server was not responding to connections, preventing further analysis.

With the C2 site no longer available, obtaining the executable for the RAT for further analysis was not possible. That said, the activity to ensure persistence and connect to a C2 matches prior attempts at deploying Konni.

Conclusion

Phishing doesn’t always have to be a perfect facsimile of a legitimate email to be effective. This example shows that even where nation-state objectives may be involved, there just has to be enough of a hook to reel in a user. What appears at first glance to be a simple phish is still effective.

They become more believable using familiar terms, or as in this case, the inclusion of what appears to be a previous thread with the recipient.

As this example shows, once attackers are in, they mean to stay through the use of persistence mechanisms and frequent check-ins with command and control.

This makes prevention and detection all the more critical to ward off potential disaster.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following (AV) signatures detect the malware samples mentioned in this blog

VBA/Agent.AIF!tr

The WebFiltering client blocks all network-based URIs.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE training program: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

IOCs

Network IOCs:

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.