Malicious Word Files Used to Disseminate Konni RAT Malware Campaign

Mottikumar
2 min read · Nov 28, 2023

Security researchers have uncovered a new campaign involving the notorious Konni RAT malware, which exploits malicious Word files as its delivery mechanism. In these campaigns, threat actors employ Word documents containing harmful macros to infect targeted systems.

FortiGuard Labs recently published a blog post detailing their discovery of active Konni RAT malware campaigns in the wild. According to their findings, the perpetrators utilize Microsoft Word documents as a means to propagate this malware. Specifically, they send Word files embedded with malicious macros to Windows users, successfully compromising the systems.

Konni RAT is a well-known threat that has previously gained notoriety for its focus on targets in Russia and North Korea. This remote access trojan exhibits a range of malicious capabilities, including credential theft, execution of commands with elevated privileges, and the ability to upload and download files to and from the compromised devices.

In a recent campaign, researchers observed that the attack typically begins when a victim receives a deceptively crafted Word document. The document masquerades as a legitimate attachment, often an invoice or contract, to trick the user into opening it. Once opened, it prompts the user to enable content, which triggers execution of a VBA script. This script then downloads a malicious batch script, which validates system information, particularly focusing on Windows systems. It subsequently takes steps to remain concealed, including a User Account Control (UAC) bypass and gaining elevated privileges.

Upon establishing itself on the targeted systems, the malware achieves persistence and extracts data, forwarding it to a Command and Control (C&C) server. Furthermore, it remains responsive to commands received from the C&C server, executing payloads as instructed.

For a more comprehensive analysis of this attack, researchers have provided detailed information in their blog post. While the Konni RAT malware poses a significant threat, users can fortify their systems against such attacks by implementing robust anti-malware solutions. Given the malware’s presence over several years, most anti-malware software should be capable of detecting and blocking this threat before it can execute. Additionally, users should exercise caution when dealing with email attachments from untrusted or unsolicited sources.
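Because the chain described above depends on a Word file that carries a VBA project, a mail or file gateway can triage Word attachments before a user ever sees the "enable content" prompt. The following is an added example, not code from the researchers' report: the function names, verdict strings and sample packages are assumptions constructed for illustration, and legacy OLE `.doc` files are only routed for deeper inspection rather than parsed.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc compound file header
MACRO_CT = "macroenabled"  # appears in the main-part content type of .docm/.dotm


def triage_word_attachment(name: str, data: bytes) -> dict:
    """Classify a Word attachment by whether it can carry VBA macros."""
    result = {"name": name, "container": "unknown", "macro_parts": [], "verdict": "pass"}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE storages, so hand off
        # to a full OLE parser instead of guessing from raw bytes.
        result.update(container="ole", verdict="inspect")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # VBA projects are stored as a vbaProject.bin part inside the package.
        result["macro_parts"] = [n for n in names
                                 if n.lower().endswith("vbaproject.bin")]
        ctypes = ""
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    declared_macro = MACRO_CT in ctypes.lower()
    if result["macro_parts"] or declared_macro:
        result["verdict"] = "quarantine"
        # A macro project behind a macro-free extension is a disguise signal.
        if name.lower().endswith((".docx", ".dotx")):
            result["verdict"] = "quarantine-extension-mismatch"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample package (not a real document, no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, macro in [("invoice.docx", True), ("notes.docx", False)]:
        print(triage_word_attachment(fname, build_sample(macro)))
```

A "pass" verdict only means no macro container was found; it is a pre-filter that complements anti-malware scanning, not a replacement for it.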

[Source](https://latesthackingnews.com/2023/11/27/konni-rat-malware-campaign-spreads-via-malicious-word-files/)
