
Security Alert: Konni RAT Malware Exploiting Word Documents

The Threat Is Targeting Windows Users

NEWS  Security  November 22, 2023  Reading time: 2 Minute(s)

Max (RS editor)


Security experts have uncovered a concerning development in the cyber threat landscape, as the notorious Konni RAT deploys a sophisticated strategy to infiltrate Windows systems. The malware capitalizes on the unsuspecting nature of users who open or download Word documents containing malicious macros.

The Konni RAT at a Glance:

This remote access trojan boasts self-defense mechanisms and a broad range of capabilities, from stealing login credentials to executing remote commands with elevated privileges. It is not limited to espionage, as it can effortlessly download and upload files, showcasing its multifaceted threat.

THE E-MAIL SENT BY HACKERS [IMAGE BY FORTIGUARD LABS]

A Familiar Adversary:

Previously associated with cyber activities targeting Russia, the Konni RAT resurfaced in a notable campaign following North Korea's missile tests in August 2017. Now, it has reemerged with a renewed focus, leveraging Word documents written in Russian to deceive users. The malicious files disguise themselves as legitimate documents like invoices, contracts, or job applications, luring victims into a false sense of security.

Persistent and Active Campaign:

Despite the document's creation date in September 2023, FortiGuard Labs has detected ongoing activity with the campaign's command and control (C2) server. This suggests that the Konni campaign is persistent, continuously infecting new victims.

Advanced Techniques:

Researchers have identified a 'sophisticated threat actor' utilizing an advanced toolset embedded within Word documents. The payload employs batch scripts and DLL files, facilitating UAC bypass and encrypted communication with the C2 server. This enables the execution of privileged commands, underscoring the gravity of the threat.

Infection Process Unveiled:

Upon opening the Word document, users are prompted to enable content, initiating a VBA script that triggers the download and execution of a 'check.bat' batch script. This script, in turn, executes various checks, bypasses UAC, and exploits Windows utilities to launch commands with elevated privileges. The Konni RAT then establishes persistence on the system, allowing for remote control and malicious activities.
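A defender can watch for this chain in process-creation telemetry. The following is an added example, not code from the article or from FortiGuard Labs: it flags events where Word starts a script interpreter and rates a batch-file launch highest. It assumes the macro-launched script runs as a child of WINWORD.EXE; the field names follow Sysmon Event ID 1, and every path and command line is constructed.

```python
import ntpath
import re

OFFICE_PARENTS = {"winword.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BATCH_FILE = re.compile(r'\.(bat|cmd)(?=["\s]|$)', re.IGNORECASE)

# Constructed events; field names follow Sysmon Event ID 1, all values are made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\check.bat"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\build\nightly.bat"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
]


def image_name(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if image_name(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if image_name(event["Image"]) not in SCRIPT_CHILDREN:
        return None
    # Word launching a batch file matches the check.bat stage described above.
    return "high" if BATCH_FILE.search(event["CommandLine"]) else "medium"


def detect(events):
    """List (index, severity) for every event that should raise an alert."""
    hits = []
    for index, event in enumerate(events):
        severity = classify(event)
        if severity:
            hits.append((index, severity))
    return hits


if __name__ == "__main__":
    for index, severity in detect(SAMPLE_EVENTS):
        print(severity, SAMPLE_EVENTS[index]["CommandLine"])
```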

Data Extraction and Remote Control:

Once installed, the Konni RAT operates stealthily, extracting information and executing commands on infected devices. It empowers attackers to control systems remotely, enabling the theft of sensitive data, deployment of additional malware, or unauthorized activities. The malware communicates with the C2 server, fetching and sending data through compressed and encrypted channels, showcasing a high level of sophistication.

Global Targets:

The Konni campaign demonstrates a global reach, targeting individuals and organizations worldwide, with a specific focus on the Middle East and North Africa. To safeguard against this threat and similar malware attacks, users are advised to exercise caution when handling email attachments from unknown senders or with suspicious subject lines.

Protective Measures:

Mitigating the risk involves disabling macros in Word documents unless the source is known and trusted. Regularly updating operating systems and applications is also crucial to address known security vulnerabilities. As of 2022, the Microsoft Office Suite remains a prime target for hackers, emphasizing the importance of maintaining vigilant cybersecurity practices.
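Macro-carrying attachments can also be sorted out before a user ever sees the "enable content" prompt. The following is an added example, not code from the article: it classifies an attachment by inspecting the Office container itself rather than trusting the file extension. The function names and the sample packages are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.dot container
MACRO_MARKERS = (b"macroenabled", b"vbaproject")  # seen in [Content_Types].xml


def triage_office_file(data):
    """Return 'macro', 'legacy-ole', 'no-macro' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"          # macros possible; needs an OLE-aware scanner
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-office"
    with zipfile.ZipFile(buf) as zf:
        names = {name.lower(): name for name in zf.namelist()}
        if "[content_types].xml" not in names:
            return "not-office"
        if any(name.endswith("vbaproject.bin") for name in names):
            return "macro"
        # The VBA part can be renamed, so also trust the declared content types.
        declared = zf.read(names["[content_types].xml"]).lower()
        return "macro" if any(m in declared for m in MACRO_MARKERS) else "no-macro"


def build_package(parts):
    """Build a constructed OOXML-like zip in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


DOC_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CLEAN_DOCX = build_package({
    "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{DOC_TYPE}"/></Types>',
    "word/document.xml": "<w:document/>"})
MACRO_DOCM = build_package({
    "[Content_Types].xml": '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder, not real VBA"})
RENAMED_PART = build_package({
    "[Content_Types].xml": '<Types><Override PartName="/word/notes.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/notes.bin": b"constructed placeholder"})
```

A "macro" or "legacy-ole" result is a reason to quarantine the attachment or hand it to a deeper scanner, not proof that the file is malicious.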

 SOURCE: DEEBA AHMED VIA HACKREAD | COVER IMAGE BY MASTER1305 ON FREEPIK 
