Konni RAT Exploiting Word Docs to Steal Data from Windows

The return of Konni RAT and latest findings should not come as a surprise, considering that, as of 2022, the Microsoft Office Suite remains the most exploited set of tools by hackers for spreading malware.

Cybersecurity researchers at FortiGuard Labs have discovered a new malware campaign dubbed ‘Konni,’ which targets Windows systems through Word documents containing malicious macros. When unsuspecting users open or download the document, a remote access trojan (RAT) called Konni is executed.

The Konni RAT is a sophisticated malware incorporating self-defence mechanisms, with capabilities that include stealing login credentials, remote command execution, and the ability to execute commands with elevated privileges. Additionally, it can download and upload files.

It is worth noting that the Konni RAT is known for its previous targeting of Russia. Notably, it was the same malware used against North Korea following its missile tests in August 2017.

As for the latest campaign, the malicious Word document is written in the Russian language, and distributed as a legitimate file, such as invoices, contracts, or job applications, to trick users into opening them.

The malicious email sent by threat actors (screenshit via: FortiGuard Labs)

Even though the document was created in September 2023, FortiGuard Labs’ internal telemetry shows that the campaign’s C2 server remains active. This means the campaign is ongoing, and new victims are being infected. This continuous activity shows the persistent nature of the Konni campaign.

Researchers observed that a ‘sophisticated threat actor’ has employed an advanced toolset within a Word document using ‘batch scripts and DLL files.’ The payload contains a UAC bypass encrypted communication with a C2 server, probably to allow the actor to execute privileged commands

Upon opening the Word document, a prompt requests the user to enable content, triggering a VBA script. This script initiates the download and execution of a ‘check.bat’ batch script. The ‘check.bat’ script conducts various checks, including verifying the presence of a remote connection session, identifying the Windows operating system version, and checking the system architecture.

Subsequently, the script executes the ‘wpns.dll’ library, bypassing UAC (User Account Control), and exploits the legitimate Windows utility ‘wusa.exe’ to launch a command with elevated privileges.

Afterwards, it runs the ‘netpp.bat’ batch script with inherited elevated privileges. The script stops the ‘netpp’ service, copies necessary files to the ‘System32’ directory, and creates a service named ‘netpp” that automatically starts at system startup. The malware begins execution after adding registry entries and starting the “netpp” service.

According to the FortiGuard Labs blog post, Konni RAT can extract information and execute commands on infected devices. Once installed, it lets attackers control the infected system remotely to steal sensitive data, deploy additional malware, or perform unauthorized activities.

The malware fetches a list of active processes on the system, and after performing compression and encryption, it sends the data to the C2 server. It also downloads a payload or command from the C2 server by sending an HTTP request. When it receives a response, it extracts and decrypts the data, stores it as a temporary file and executes the cmd command to expand the payload and initiate further actions.

The latest findings should not come as a surprise, considering that, as of 2022, the Microsoft Office Suite remains the most exploited set of tools by hackers for spreading malware.

The Konni campaign has been observed targeting individuals and organizations worldwide, particularly those in the Middle East and North Africa. To protect yourself from the Konni campaign and similar malware attacks, avoid opening email attachments from unknown senders or emails with suspicious subject lines.

Additionally, disable macros in Word documents and enable only when you know the document’s origin and purpose. Lastly, ensure your operating system and applications are updated to the latest versions to address known security vulnerabilities.

  1. LinkedIn Phishing Scam Steals Microsoft Accounts
  2. Hackers are digging into a 17 year old Microsoft Word flaw
  3. NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook Accounts
  4. Google, Microsoft and Oracle generated most vulnerabilities in 2021
  5. VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

Source link