Security researchers have detected a Russian-language Word document carrying a malicious macro within the ongoing Konni campaign.
Despite its September 2023 creation date, FortiGuard Labs' internal telemetry revealed continued activity on the campaign's command-and-control (C2) server.
This long-running campaign uses a remote access Trojan (RAT) capable of extracting information and executing commands on compromised devices, employing various techniques for initial access, payload delivery and persistence within victim networks.
According to an advisory published by Fortinet security researcher Cara Lin on Monday, a Visual Basic for Applications (VBA) script is triggered upon opening the document, displaying Russian text related to a military operation.
"A VBA script is initiated that displays an article in Russian that translates to 'Western Assessments of the Progress of the Special Military Operation,'" Lin explained.
The script retrieves information and runs a discreet batch script that performs system checks, UAC bypass and DLL file manipulations. The User Account Control (UAC) bypass module, specifically, leverages a legitimate Windows utility to execute commands with elevated privileges without triggering UAC prompts.
The next script stops redundant execution, copies files, creates a new service, configures registry settings and starts the service. The final payload encrypts its C2 configuration using AES-CTR encryption, gathers system information, compresses and uploads data to the C2 server, and fetches commands.
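As an added defender-side illustration (not code from the Fortinet advisory or this article), the following Python script correlates the chain described above over constructed sample telemetry: an Office process spawning a shell or script host, followed shortly by a new service installation. The JSON event shape, field names, process lists and time window are assumptions chosen for the example.

```python
import json
from datetime import datetime

# Constructed sample telemetry (not real logs): JSON lines in a simplified
# Sysmon-like shape. id 1 = process creation, id 7045 = new service installed.
# Events are assumed to be in chronological order.
SAMPLE_LOG = r"""
{"ts": "2023-09-12T09:00:01", "id": 1, "image": "WINWORD.EXE", "parent": "explorer.exe", "cmd": "WINWORD.EXE report.doc"}
{"ts": "2023-09-12T09:00:05", "id": 1, "image": "cmd.exe", "parent": "WINWORD.EXE", "cmd": "cmd /c C:\\Users\\u\\AppData\\Local\\Temp\\check.bat"}
{"ts": "2023-09-12T09:00:09", "id": 7045, "service": "UpdateSvc", "image_path": "C:\\ProgramData\\svc\\host.exe"}
{"ts": "2023-09-12T10:30:00", "id": 1, "image": "cmd.exe", "parent": "explorer.exe", "cmd": "cmd /c dir"}
{"ts": "2023-09-12T10:31:00", "id": 7045, "service": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_log(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_macro_to_service_chains(events, window_s=300):
    """Return (shell_event, service_event) pairs where an Office process spawned
    a shell/script host and a new service was installed within window_s seconds.
    This is the macro -> batch script -> service persistence sequence described
    in the advisory; either event alone would be too noisy to alert on."""
    suspicious_shells = []
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1:
            child = ev.get("image", "").lower()
            parent = ev.get("parent", "").lower()
            if child in SHELLS and parent in OFFICE_APPS:
                suspicious_shells.append((ts, ev))
        elif ev["id"] == 7045:
            for shell_ts, shell_ev in suspicious_shells:
                if 0 <= (ts - shell_ts).total_seconds() <= window_s:
                    hits.append((shell_ev, ev))
    return hits


if __name__ == "__main__":
    for shell_ev, svc_ev in find_macro_to_service_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {shell_ev['parent']} -> {shell_ev['cmd']!r} followed by "
              f"service {svc_ev['service']!r} ({svc_ev['image_path']})")
```

On the constructed sample, only the Word-spawned cmd.exe followed four seconds later by the UpdateSvc installation is flagged; the later explorer-spawned shell and Spooler entry are not.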
"The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents," Lin wrote.
"We also suggest that organizations go through Fortinet's free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks."
More information on the Konni campaign's techniques and tactics for initial access, payload delivery and persistence within victim networks is available in the Fortinet advisory.