
New Malware Campaign Targeting Russia

Malwarebytes researchers have come across a new malware campaign targeting Russia with multiple documents that deliver the Konni RAT. The malware was first identified in the wild in 2014 and is possibly connected with APT37 and Thallium in North Korea. At the end of July 2021, researchers discovered an ongoing spear-phishing campaign that uses two documents written in Russian and armed with the same malicious macro. Once the macro is enabled, the infection chain begins installing a new, heavily obfuscated Konni RAT.

The researchers also observed the following major differences between the current and the previous campaign:

  • The macros are different. In the old campaign the actor used TextBoxes to store its data, while in the new one the content has been base64 encoded within the document content.
  • In the new campaign, JavaScript files have been used to execute batch and PowerShell files.
  • The new campaign uses PowerShell and URLMON API calls to download the cab file, while the old campaign used certutil to download the cab file.
  • The new campaign uses two different UAC bypass techniques depending on the victim’s OS, while in the old one the actor only used the Token Impersonation technique.
  • In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Its configuration is now encrypted rather than base64 encoded, and it no longer uses FTP for exfiltration.

The diagram below shows the overall infection flow used by this actor. A document executing a macro, followed by a chain of activities that finally deploys the Konni RAT, is behind this malicious activity.

We found two lures used by Konni APT. The first document, “Economic relations.doc”, contains a 12-page article that seems to have been published in 2010 with the title “The regional economic contacts of Far East Russia with Korean States (2010s)”. The second document is the outline of a meeting happening in Russia in 2021: “23th meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation”.

Source: Malwarebytes

“These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the "^var" string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls the WscriptShell function to execute the JavaScript file (y.js),” reads the blog post.

One interesting technique used by the threat actor is hiding the malicious JS at the end of the document rather than placing it directly inside the macro, in order to evade AV detection.
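As an added illustration of how a defender could spot this chain in endpoint telemetry (example code, not from the original post or from Malwarebytes), the script below runs three checks over constructed, simplified process-creation records: an Office process spawning cmd or a script host, findstr output redirected into a .js file, and a script host running a .js out of a Temp directory. The field names, paths and PIDs are assumptions.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed, simplified process-creation records (not real telemetry):
# a Word document whose macro behaves as described above, plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\Economic relations.doc"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c findstr "^var" "C:\Users\victim\Downloads\Economic relations.doc" > C:\Users\victim\AppData\Local\Temp\y.js'},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript C:\Users\victim\AppData\Local\Temp\y.js"},
    {"pid": 4200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4210, "ppid": 4200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c findstr /i "error" C:\logs\build.log'},  # benign findstr use
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_konni_chain(events):
    """Return (pid, reason) tuples for the behaviours the macro chain relies on."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        # 1. Office application spawning a shell or a script host
        if parent_img in OFFICE and img in SHELLS | SCRIPT_HOSTS:
            alerts.append((e["pid"], f"{parent_img} spawned {img}"))
        # 2. findstr used to carve text out of a file into a .js script
        if "findstr" in cmd and re.search(r">\s*\S+\.js\b", cmd):
            alerts.append((e["pid"], "findstr output redirected into a .js file"))
        # 3. script host executing a .js from a user-writable Temp directory
        if img in SCRIPT_HOSTS and re.search(r"\\temp\\[^\s\"]+\.js\b", cmd):
            alerts.append((e["pid"], "script host running a .js from a Temp directory"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_konni_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Each check fires on its own, so the rules remain useful even when the parent process is not recorded; correlating two or more hits on the same document session is what raises confidence.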

CyberWorkx news readers can check out the IOCs for the identified malware campaign below:

Domains:
takemetoyouheart[.]c1[.]biz
taketodjnfnei898[.]ueuo[.]com
taketodjnfnei898[.]c1[.]biz
romanovawillkillyou[.]c1[.]biz
