# Hackers take over diplomat's email, target Russian deputy minister **[bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/](https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) January 12, 2022 03:35 AM 0 Hackers believed to work for the North Korean government have compromised the email account of a staff member of Russia’s Ministry of Foreign Affairs (MID) and deployed spearphishing attacks against the country’s diplomats in other regions. One of the targets was Sergey Alexeyevich Ryabko, the deputy foreign minister for the Russian Federation, among other things responsible for bilateral relations with North and South America. The phishing campaign started since at least October 19, 2021, deploying Konni malware, a remote administration tool (RAT) associated with the cyber activity from North Korean hackers known as APT37 (or StarCruft, Group123, Operation Erebus, and Operation Daybreak). ----- ## Russian diplomatic targets [Cybersecurity firm Cluster25 last week published research about a phishing campaign](https://cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/) towards the end of December 2021 that delivered Konni RAT to individuals in the Russian diplomatic apparatus. The researchers found that the hackers used the New Year theme as a decoy in emails to staff at the Russian embassy in Indonesia. source: Cluster25 It was a congratulatory message that appeared to be from fellow diplomats at the Russian embassy in Serbia sending a ZIP archive with a holiday screensaver. When extracted, the file was an executable that ultimately delivered the Konni RAT disguised as Windows service “scrnsvc.dll.” ----- source: Cluster25 Researchers at Lumen’s Black Lotus Labs were also tracking these spear-phishing campaigns that had started at least two months earlier, the likely goal being to harvest credentials of an active MID account. To achieve their objective, the attackers relied on spoofed hostnames for email services common in Russia, Mail.ru and Yandex. Another campaign started around November 7, delivering URLs for downloading an archive with documents asking for information on the vaccination status. The archive also included an executable posing as legitimate software used for checking the Covid-19 vaccination status, which executed a malware loader that infected the system with Konni. According to Black Lotus Labs researchers, the campaign in December also spotted by Cluster25 was the third one from the same threat actor and used the compromised MID account “mskhlystova@mid[.]ru” to send out malicious emails. The recipients of the malicious messages were the Russian embassy in Indonesia and Russian politician Sergey Alexeyevich Ryabkov, currently serving as Deputy Foreign Minister. ----- source: Lumen's Black Lotus Labs Looking at the email headers revealed that the source of the messages was the same IP address, 152.89.247[.]26, used for the phishing campaign in October, Black Lotus Labs found. Technical analysis of the infection chain from Lumen’s researchers confirmed Cluster25’s findings, including the evasion technique of hiding a payload in a “401 unauthorized” server error response. source: Cluster25 Black Lotus Labs researchers say that this was a highly targeted campaign that “downloaded a first-stage agent which is nearly identical to the agent” discovered by Malwarebytes in a Konni attack against Russian targets. Both cybersecurity outfits are confident in attributing the spear-phishing campaigns against the Russian diplomatic entities to the Konni advanced persistent threat. ## Related Articles: ----- [North Korean hackers attack EU targets with Konni RAT malware](https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/) [Android emulator supply-chain attack targets gamers with malware](https://www.bleepingcomputer.com/news/security/android-emulator-supply-chain-attack-targets-gamers-with-malware/) [Hacker uses new RAT malware in Cuba Ransomware attacks](https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/) [Russian organizations attacked with new Woody RAT malware](https://www.bleepingcomputer.com/news/security/russian-organizations-attacked-with-new-woody-rat-malware/) [Australia charges dev of Imminent Monitor RAT used by domestic abusers](https://www.bleepingcomputer.com/news/security/australia-charges-dev-of-imminent-monitor-rat-used-by-domestic-abusers/) [Credential Theft](https://www.bleepingcomputer.com/tag/credential-theft/) [Konni](https://www.bleepingcomputer.com/tag/konni/) [Phishing](https://www.bleepingcomputer.com/tag/phishing/) [RAT](https://www.bleepingcomputer.com/tag/rat/) [Remote Access Trojan](https://www.bleepingcomputer.com/tag/remote-access-trojan/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. [Previous Article](https://www.bleepingcomputer.com/news/security/state-hackers-use-new-powershell-backdoor-in-log4j-attacks/) [Next Article](https://www.bleepingcomputer.com/news/security/ea-50-high-profile-fifa-22-accounts-taken-over-by-phishing-actors/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ## You may also like: -----