Safety researchers have detected a Russian-language Phrase doc carrying a malicious macro within the ongoing Konni marketing campaign.
Regardless of its September 2023 creation date, FortiGuard Labs’ inner telemetry revealed continued exercise on the marketing campaign’s command-and-control (C2) server.
This long-running marketing campaign makes use of a distant entry Trojan (RAT) able to extracting info and executing instructions on compromised gadgets, using numerous methods for preliminary entry, payload supply and persistence inside sufferer networks.
In keeping with an advisory revealed by Fortinet safety researcher Cara Lin on Monday, a Visible Fundamental for Functions (VBA) script is triggered upon opening the doc, displaying Russian textual content associated to a navy operation.
“A VBA script is initiated that shows an article in Russian that interprets to ‘Western Assessments of the Progress of the Particular Army Operation,’” Lin defined.
The script retrieves info and runs a discreet batch script that performs system checks, UAC bypass and DLL file manipulations. The Person Account Management (UAC) bypass module, specifically, leverages a reputable Home windows utility to execute instructions with elevated privileges with out triggering UAC prompts.
The following script stops redundant execution, copies recordsdata, creates a brand new service, configures registry settings and initiates the service. The ultimate payload encrypts its C2 configuration utilizing AES-CTR encryption, gathers system info, compresses and uploads information to the C2 server, and fetches instructions.
“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the menace actor to execute privileged instructions. As this malware continues to evolve, customers are suggested to train warning with suspicious paperwork,” Lin wrote.
“We additionally recommend that organizations undergo Fortinet’s free NSE training module: NSE 1 – Data Safety Consciousness. This module is designed to assist finish customers learn to establish and shield themselves from phishing assaults.”
Extra info on the Konni marketing campaign’s methods and methods for preliminary entry, payload supply and persistence inside sufferer networks is obtainable within the Fortinet advisory.
