Brother
Hackers have found a way to invade and control victims' computers without being noticed.
FortiGuard Labs has discovered that the Konni APT group linked to North Korea is using an infected Word document as part of an ongoing phishing campaign.
Konni was first detected by Cisco Talos in 2017, but the Konni RAT Trojan has been around since 2014 and remained invisible until 2017, as it was used in highly targeted attacks. The Konni Remote Access Trojan (RAT) has managed to avoid detection through constant evolution; it is able to execute arbitrary code on target systems and steal data.
In the current campaign, attackers use the RAT to extract information and execute commands on victims' devices. The attacks use a Word document with a malicious macro. Despite the document's creation date in September, activity on the Command and Control (C2) server continues to this day, as can be seen from internal telemetry.
When you open the document, a yellow bar appears prompting you to "Enable Content". After the macro is enabled, the built-in VBA runs the script "check.bat" with the "vbHide" parameter so that no command prompt window appears on the victim's screen. The batch script performs system checks and bypasses User Account Control (UAC). The script then deploys a DLL file that collects data and exfiltrates it, encrypted, to the C2 server.
Experts concluded that the Konni payload includes UAC bypass and encrypted interaction with the C2 server, which allows an attacker to execute privileged commands. As malicious code continues to evolve, users are advised to exercise caution with suspicious documents.
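One way to hunt for the execution chain the post describes (Word spawning a hidden batch script from a user-writable directory, which then stages a DLL), written here as an added example; it is not part of the original post or of FortiGuard's analysis. It runs over constructed, Sysmon-style process-creation records. The record format, the directory lists, the use of rundll32 for the DLL stage, and every file name except check.bat are assumptions made for the example.

```python
"""Flag process-creation events consistent with a macro-launched hidden batch script.

Constructed detection example. Input records use a simplified 'Key=Value|Key=Value'
layout with Sysmon-like field names (ParentImage, Image, CommandLine); adapt
parse_event() to whatever your pipeline emits.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumed: Office binaries whose child processes deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed: interpreters/hosts a VBA Shell() call typically lands in.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed: user-writable staging directories (lower-cased path fragments).
USER_WRITABLE = (r"\appdata\local\temp\\", r"\appdata\roaming\\",
                 r"\users\public\\", r"\downloads\\")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record into a ProcEvent."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def _in_user_writable(path: str) -> bool:
    # USER_WRITABLE entries end in a doubled backslash from the raw string; normalise.
    return any(frag.rstrip("\\") + "\\" in path for frag in USER_WRITABLE)


def score(ev: ProcEvent) -> ProcEvent:
    """Attach a reason string for each suspicious trait found on the event."""
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line.lower()

    # Rule 1: an Office application launching a script host (the macro's Shell() call).
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        ev.reasons.append(f"office_spawned_script_host:{parent}->{child}")

    # Rule 2: a .bat/.cmd executed from a user-writable directory (check.bat dropped, then run).
    m = re.search(r'"?([a-z]:\\[^"\s]+\.(?:bat|cmd))"?', cmd)
    if m and _in_user_writable(m.group(1)):
        ev.reasons.append("batch_from_user_writable_dir")

    # Rule 3 (assumed stage): rundll32/regsvr32 loading a DLL from a user-writable directory.
    if child in {"rundll32.exe", "regsvr32.exe"}:
        m = re.search(r'"?([a-z]:\\[^"\s]+\.dll)"?', cmd)
        if m and _in_user_writable(m.group(1)):
            ev.reasons.append("dll_from_user_writable_dir")
    return ev


def detect(log_text: str):
    """Return only the events that triggered at least one rule, in log order."""
    events = (score(parse_event(line)) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if ev.reasons]


# Constructed sample: two malicious records bracketed by two benign ones.
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "C:\Users\victim\AppData\Local\Temp\check.bat"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe "C:\Users\victim\AppData\Local\Temp\stage.dll",Start
ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=C:\Windows\splwow64.exe 12288
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "C:\Tools\build.bat"
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(basename(hit.parent_image), "->", basename(hit.image), hit.reasons)
```

The print-spooler helper splwow64.exe is kept in the sample deliberately: Word spawns it legitimately, so rule 1 keys on the child being a script host rather than on "Word has a child process" alone. Rule 2 is the one that matters most for this campaign; the parent-child rule by itself is easy to evade by adding a hop (for example through WMI), and in that case the batch-from-Temp pattern still fires.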