Malwarebytes researchers have come across a new malware campaign targeting Russia that uses multiple documents to deliver Konni RAT. The malware was first identified in the wild in 2014 and is possibly connected with APT37 and Thallium in North Korea. At the end of July 2021, the researchers discovered an ongoing spear-phishing campaign that uses two documents written in Russian and weaponized with the same malicious macro. After the macro is enabled, the infection chain begins and ultimately installs a new, heavily obfuscated Konni RAT.

The researchers also noted the major differences between the current and previous campaigns, which are listed below:

  • The macros are different. In the old campaign the actor used TextBoxes to store its data, while in the new one the content has been base64-encoded within the document content.
  • In the new campaign JavaScript files have been used to execute batch and PowerShell files.
  • The new campaign uses PowerShell and URLMON API calls to download the cab file, while the old campaign used certutil to download it.
  • The new campaign uses two different UAC bypass techniques depending on the victim’s OS, while in the old one the actor only used the Token Impersonation technique.
  • In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Its configuration is now encrypted rather than base64-encoded, and it no longer uses FTP for exfiltration.

The diagram below shows the overall infection flow used by this actor: a document executes a macro, which starts a chain of activities that finally deploys Konni RAT.

We found two lures used by Konni APT. The first document, “Economic relations.doc”, contains a 12-page article that seems to have been published in 2010 with the title “The regional economic contacts of Far East Russia with Korean States (2010s)“. The second document is the outline of a meeting happening in Russia in 2021: “23th meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation“.

Source: Malwarebytes

“These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one liner command gets the current active document as input and looks for the "^var" string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls WscriptShell function to execute the JavaScript file (y.js),” reads the blog post.

One of the more interesting techniques used by the threat actor is hiding the malicious JavaScript at the end of the document rather than placing it directly inside the macro, so that the macro itself carries little for AV signatures to match on.
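The same property that lets the macro carve its payload out with findstr "^var" gives a defender a cheap triage check. The script below is an added example, not Malwarebytes' or CyberWorkx's code: it hashes a document against the SHA-256 IoC listed on this page, checks whether an OLE compound file has bytes appended past its last sector, and looks for plaintext lines starting with "var" next to scripting strings. The sample document bytes are constructed here and do not match the real IoC.

```python
import hashlib
import re

# SHA-256 IoC listed on this page; the constructed sample below will not match it.
KNOWN_BAD_SHA256 = {"d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Same anchor the macro's findstr "^var" relies on: a line beginning with "var".
VAR_LINE = re.compile(rb"^var\b[^\r\n]*", re.M)
# Strings a dropped .js usually needs to run batch/PowerShell; they raise the score.
SCRIPT_HINTS = (b"WScript.Shell", b"ActiveXObject", b"powershell")


def triage(data: bytes) -> dict:
    """Score one document's raw bytes (as read with open(path, 'rb'))."""
    reasons = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches published IoC")
    misaligned = False
    if data[:8] == OLE_MAGIC:
        # The compound-file header stores the sector size as a power-of-two shift at
        # offset 30; a well-formed file is a whole number of sectors, appended text is not.
        sector = 1 << int.from_bytes(data[30:32], "little")
        misaligned = len(data) % sector != 0
        if misaligned:
            reasons.append(f"{len(data) % sector} trailing bytes past the last {sector}-byte sector")
    var_lines = VAR_LINE.findall(data)
    if var_lines:
        reasons.append(f"{len(var_lines)} plaintext line(s) starting with 'var'")
    hints = [h.decode() for h in SCRIPT_HINTS if h in data]
    if hints:
        reasons.append("script strings present: " + ", ".join(hints))
    # Plain 'var' lines alone could be document prose; require a second signal.
    verdict = "suspicious" if var_lines and (hints or misaligned) else "clean"
    return {"sha256": digest, "verdict": verdict, "reasons": reasons}


def build_sample() -> bytes:
    """Constructed stand-in for a weaponized .doc: minimal OLE header, one empty
    512-byte sector, then JavaScript appended as plain text after the container."""
    header = (OLE_MAGIC + bytes(22) + (9).to_bytes(2, "little")).ljust(512, b"\x00")
    payload = (b'\r\nvar sh = new ActiveXObject("WScript.Shell");\r\n'
               b'var cmd = "cmd /c echo constructed sample";\r\n')
    return header + bytes(512) + payload


if __name__ == "__main__":
    print(triage(build_sample()))
```

A document that merely contains a paragraph beginning with "var" stays clean; the verdict needs the misaligned container or the scripting strings as a second signal.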

CyberWorkx news readers can check out the IOCs for the identified malware campaign below:

  • economics relations.doc: d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f

