Hacked Microsoft Word documents being used to trick Windows users

[Image: concept art representing cybersecurity principles (Image credit: Shutterstock / ZinetroN)]

North Korean hackers are looking to steal sensitive data from Russian targets using malicious Microsoft Word documents, researchers have claimed.

These are the findings of Fortinet researcher Cara Lin, who observed a group tracked as Konni (although, given a number of overlaps with the known threat actor Kimsuky, also known as APT43, it could be that group) attempting to deliver a malicious Russian-language Microsoft Word document to its victims.

The malware, as you might expect, arrives as a macro embedded in the document. The macro launches an interim Batch script that checks the system, bypasses User Account Control (UAC), and finally deploys an information-stealing DLL.
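The chain above starts with a macro-enabled Word document, so the first check a mail gateway or analyst wants is whether a given file carries a VBA project at all and, if so, whether it hooks an auto-execute entry point (AutoOpen, Document_Open and friends) and references something that spawns a process. The following triage script is an added example written for this page; it is not code from Fortinet's report or from the campaign. It assumes the OOXML layout (a vbaProject.bin part registered in [Content_Types].xml) and uses a constructed stand-in for the VBA binary rather than a real sample.

```python
import io
import zipfile

# Entry points Word runs automatically when a document is opened or closed,
# which is how a malicious macro executes without any extra click.
AUTOEXEC_NAMES = ("AutoOpen", "AutoClose", "AutoExec", "Document_Open", "Document_Close")
# Names that commonly appear when VBA spawns an external process such as a
# batch file: Shell(), WScript.Shell via CreateObject, cmd.exe.
LAUNCH_NAMES = ("Shell", "CreateObject", "cmd.exe", "cmd /c", ".bat")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def _encodings(name):
    # VBA stores some strings as ANSI and some (e.g. MODULENAMEUNICODE) as UTF-16LE.
    return (name.encode("ascii"), name.encode("utf-16-le"))


def triage_word_document(data):
    """Triage an OOXML Word file given as bytes. Returns a dict; never raises on bad input."""
    result = {"is_ooxml": False, "has_vba_project": False, "vba_parts": [],
              "autoexec_hits": [], "launch_hits": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["vba_parts"] = vba_parts
        # Either signal is enough: a vbaProject part, or the content type registered for one.
        result["has_vba_project"] = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
        for part in vba_parts:
            blob = zf.read(part)
            # Module source inside vbaProject.bin is MS-OVBA compressed, so this raw scan
            # is best-effort (names in the uncompressed directory stream are usually
            # visible). For a definitive answer decompress with oletools' olevba.
            for name in AUTOEXEC_NAMES:
                if any(enc in blob for enc in _encodings(name)) and name not in result["autoexec_hits"]:
                    result["autoexec_hits"].append(name)
            for name in LAUNCH_NAMES:
                if any(enc in blob for enc in _encodings(name)) and name not in result["launch_hits"]:
                    result["launch_hits"].append(name)
    return result


def verdict(result):
    """Collapse the triage dict into one label for a gateway rule or SOC queue."""
    if not result["is_ooxml"]:
        return "not-ooxml"
    if not result["has_vba_project"]:
        return "no-macros"
    if result["autoexec_hits"] and result["launch_hits"]:
        return "suspicious"  # runs on open AND spawns something: the dropper pattern
    return "macro-enabled"


_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>{bin}'
    '<Override PartName="/word/document.xml" ContentType="{main}"/></Types>'
)
_MAIN_DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_MAIN_DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_document(with_macro):
    """Constructed test input (not a sample from the campaign). The vbaProject.bin here is a
    stand-in: OLE magic bytes plus the strings a dropper-style macro would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        bin_default = f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>' if with_macro else ""
        zf.writestr("[Content_Types].xml",
                    _CONTENT_TYPES.format(bin=bin_default, main=_MAIN_DOCM if with_macro else _MAIN_DOCX))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            fake_vba = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
                        + b"ThisDocument\x00AutoOpen\x00"
                        + "Shell".encode("utf-16-le") + b"\x00cmd /c dropper.bat\x00")
            zf.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        r = triage_word_document(build_sample_document(flag))
        print(verdict(r), r)
```

The point of the two-signal verdict is to avoid flagging every legitimately macro-enabled document: an auto-execute hook on its own is common in benign templates, and a process launch on its own may sit behind a button, but the combination is the dropper shape described above and is what deserves a detonation or a block.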


Friend or foe?

"This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices," Lin said in the report. "The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands."

The document being distributed carries an article in the Russian language, allegedly about “Western assessments of the progress of the Special Military Operation”.

In its writeup, The Hacker News says Konni is “notable” for its targeting of Russia. 

The group typically relies on spear-phishing emails and malicious documents to gain access to target endpoints. Earlier attacks, spotted by the cybersecurity researchers Knowsec and ThreatMon, abused a WinRAR vulnerability (CVE-2023-38831), the report added. "Konni's primary objectives include data exfiltration and conducting espionage activities," ThreatMon said. "To achieve these goals, the group employs a wide array of malware and tools, frequently adapting their tactics to avoid detection and attribution."

This is not the first time we've seen North Korean hackers targeting Russian organizations. Last summer, two separate groups, ScarCruft and Lazarus Group, went after NPO Mashinostroyenia, an important Russian missile engineering company. While ScarCruft managed to compromise "sensitive internal IT infrastructure", including an email server, Lazarus used a Windows backdoor known as OpenCarrot.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.