Konni Campaign Deploys Advanced RAT With UAC Bypass Capabilities

Security researchers have detected a Russian-language Word document carrying a malicious macro in the ongoing Konni campaign. 

Despite its September 2023 creation date, FortiGuard Labs’ internal telemetry revealed continued activity on the campaign’s command-and-control (C2) server. 

This long-running campaign utilizes a remote access Trojan (RAT) capable of extracting information and executing commands on compromised devices, employing diverse strategies for initial access, payload delivery and persistence within victim networks.

According to an advisory published by Fortinet security researcher Cara Lin on Monday, a Visual Basic for Applications (VBA) script is triggered upon opening the document, displaying Russian text related to a military operation. 

“A VBA script is initiated that displays an article in Russian that translates to ‘Western Assessments of the Progress of the Special Military Operation,’” Lin explained.

The VBA script retrieves information and launches a hidden batch script that performs system checks, a UAC bypass and DLL file manipulations. The User Account Control (UAC) bypass module, in particular, abuses a legitimate Windows utility to run commands with elevated privileges without triggering a UAC prompt.

The subsequent script guards against running more than once, copies files, creates a new service, configures registry settings and starts the service. The final payload encrypts its C2 configuration with AES-CTR, gathers system information, compresses and uploads the data to the C2 server, and fetches commands.
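The two paragraphs above describe a process chain a defender can hunt for: an Office process launching a batch script, with a service created further down the same process tree. The following is an added example (not from the Fortinet advisory or the Konni samples) that correlates constructed, Sysmon-style process-creation records into parent/child trees and flags that chain; the sample events, pids, paths and the service name are all made up.

```python
"""Flag Office -> batch script -> service-creation chains in process-create events.

Added illustration: the events below are constructed, simplified Sysmon Event ID 1
style records (pid, parent pid, image, command line), not real telemetry.
"""
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events; the last one is a benign cmd.exe not under Office.
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", '"WINWORD.EXE" C:\\Users\\u\\report.docx'),
    (300, 200, "cmd.exe", "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\check.bat"),
    (400, 300, "sc.exe", "sc create SvcName binPath= C:\\ProgramData\\x.exe start= auto"),
    (500, 300, "sc.exe", "sc start SvcName"),
    (600, 100, "cmd.exe", "cmd.exe /c dir"),
]


def build_tree(events):
    """Index events by pid and build a parent -> children map."""
    children = defaultdict(list)
    by_pid = {}
    for pid, ppid, image, cmdline in events:
        by_pid[pid] = (ppid, image.lower(), cmdline)
        children[ppid].append(pid)
    return by_pid, children


def descendants(children, pid):
    """Yield every pid in the subtree below pid (depth-first)."""
    stack = list(children.get(pid, []))
    while stack:
        current = stack.pop()
        yield current
        stack.extend(children.get(current, []))


def find_office_batch_service_chains(events):
    """Return (office_pid, batch_pid, service_create_pid) triples that match the chain."""
    by_pid, children = build_tree(events)
    hits = []
    for pid, (_, image, _) in by_pid.items():
        if image not in OFFICE_PARENTS:
            continue
        subtree = list(descendants(children, pid))
        batch = [d for d in subtree if by_pid[d][1] == "cmd.exe" and ".bat" in by_pid[d][2].lower()]
        svc = [d for d in subtree if by_pid[d][1] == "sc.exe" and " create " in by_pid[d][2].lower()]
        hits.extend((pid, b, s) for b in batch for s in svc)
    return hits


if __name__ == "__main__":
    for office, batch, svc in find_office_batch_service_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: office pid {office} -> batch pid {batch} -> sc create pid {svc}")
```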

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents,” Lin wrote.

“We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.”

More information on the Konni campaign’s techniques and strategies for initial access, payload delivery and persistence within victim networks is available in the Fortinet advisory.
