Hacked Microsoft Word documents being used to trick Windows users
Macro-laced Microsoft Word documents still work in some attacks
North Koreans are looking to steal sensitive data from Russian targets using malicious Microsoft Word documents, experts have claimed.
These are the findings of Fortinet researcher Cara Lin, who observed a group called Konni (which could be Kimsuky, AKA APT43, given a number of overlaps with that known threat actor) trying to deliver a malicious Russian-language Microsoft Word document to its victims.
The malware, as you might expect, comes in the form of a macro. The macro launches an interim Batch script that checks the system, bypasses User Account Control (UAC), and finally deploys an info-stealing DLL.
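A defender triaging a document like the one described above wants to know whether it carries a VBA project before anyone opens it. The following added example (not code from Fortinet's report or this article) inspects a zip-based OOXML Office file offline: it looks for a vbaProject.bin part, checks whether [Content_Types].xml declares the VBA content type, and flags a VBA project hiding behind an extension that is not macro-enabled. The `build_sample` helper constructs a minimal container in memory so the check can be run without a real document; its contents are placeholders, not a real VBA project.

```python
import io
import os
import zipfile

VBA_PART_SUFFIX = "/vbaProject.bin"  # OOXML part that holds a VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam"}


def inspect_office_file(name, data):
    """Return macro indicators for a zip-based (OOXML) Office file without opening it in Office."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False,
              "macro_ext": False, "suspicious": []}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a zip container (legacy OLE .doc needs a different parser)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Any vbaProject.bin part means the file carries VBA code, whatever the file is named.
        result["vba_parts"] = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba"] = VBA_CONTENT_TYPE in ctypes
    ext = os.path.splitext(name.lower())[1]
    result["macro_ext"] = ext in MACRO_ENABLED_EXTS
    if result["vba_parts"]:
        result["suspicious"].append("contains VBA project")
        if not result["macro_ext"]:  # macro code behind a "harmless" extension
            result["suspicious"].append(f"VBA project inside non-macro extension {ext!r}")
    if result["declares_vba"] and not result["vba_parts"]:
        result["suspicious"].append("declares VBA content type without vbaProject.bin")
    return result


def build_sample(with_vba):
    """Build a minimal OOXML container in memory (constructed sample, not a real document)."""
    main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ctypes = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
              f'package/2006/content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:  # placeholder bytes stand in for a real VBA project stream
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()
```

Legacy binary .doc files are OLE2 containers rather than zips, so this check returns `is_ooxml: False` for them and they need a separate OLE parser.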
Friend or foe?
“This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices,” Lin said in the report. “The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands.”
The document being distributed carries an article in the Russian language, allegedly about “Western assessments of the progress of the Special Military Operation”.
In its write-up, The Hacker News says Konni is “notable” for its targeting of Russia.
Most of the time, the group uses spear-phishing emails and malicious documents to gain access to target endpoints. Earlier attacks, spotted by cybersecurity researchers at Knowsec and ThreatMon, abused a vulnerability in WinRAR (CVE-2023-38831), the write-up added. “Konni’s primary objectives include data exfiltration and conducting espionage activities,” ThreatMon said. “To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution.”
This is not the first time we’ve seen North Korean hackers targeting Russian firms. Last summer, two separate groups, ScarCruft and Lazarus Group, went after NPO Mashinostroyenia, an important Russian missile engineering company. While ScarCruft compromised “sensitive internal IT infrastructure”, including an email server, Lazarus used a Windows backdoor known as OpenCarrot.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.