Malwarebytes researchers have come across a new malware campaign targeting Russia that uses multiple documents to deliver the Konni RAT. Konni was first identified in the wild in 2014 and has been tentatively linked to APT37 and Thallium, both North Korean threat actors. At the end of July 2021, the researchers discovered an ongoing spear-phishing campaign that uses two documents written in Russian, both weaponized with the same malicious macro. Once the macro is enabled, the infection chain begins and ultimately installs a new, heavily obfuscated variant of Konni RAT.
The researchers also observed the major differences between the current and previous campaigns, listed below:
- The macros are different. In the old campaign the actor used TextBoxes to store its data, while in the new one the content is base64 encoded inside the document content.
- The new campaign uses PowerShell and URLMON API calls to download the cab file, while the old campaign used certutil to download it.
- The new campaign uses two different UAC bypass techniques, chosen according to the victim's OS, while in the old one the actor only used the Token Impersonation technique.
- In the new campaign the actor has developed a new, heavily obfuscated variant of Konni RAT. Its configuration is now encrypted rather than base64 encoded, and it no longer uses FTP for exfiltration.
The diagram below shows the overall infection flow used by this actor: a document executing a macro, followed by a chain of activities that finally deploys the Konni RAT.
“We found two lures used by Konni APT. The first document “Economic relations.doc” contains a 12 page article that seems to have been published in 2010 with the title: “The regional economic contacts of Far East Russia with Korean States (2010s)“. The second document is the outline of a meeting happening in Russia in 2021: “23rd meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation“.”
“These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the "^var" string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls the WscriptShell function to execute the JavaScript file (y.js),” reads the blog post.
One interesting technique used by the threat actor is hiding the malicious JS at the end of the document rather than placing it directly inside the macro, so that AV engines inspecting the macro itself do not see the script.
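The extraction step quoted above (findstr "^var" run over the active document, with the output redirected into y.js) can be reproduced offline for triage without executing anything. The Python below is an added example written for this page, not code from Malwarebytes or from the Konni actor: it emulates findstr's anchored line match over a constructed sample document (the container bytes and the JavaScript lines are made up for the example), reconstructs what y.js would have contained, reports how far into the file the script sits, and flags a few indicator strings from an assumed list that is not a vendor rule.

```python
import re

# Constructed sample standing in for a weaponized .doc: a few bytes that mimic an
# OLE container, a fake document body, and the JavaScript appended at the tail.
# Nothing here is taken from the real lure documents.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64            # OLE magic + padding
    + b"Economic relations text ... (document body) ...\r\n"
    + b"\x00" * 32 + b"\n"
    + b"var s = new ActiveXObject('WScript.Shell');\r\n"           # kept by findstr "^var"
    + b"var r = s.Run('cmd /c echo stage2', 0, true);\r\n"          # kept
    + b"WScript.Quit();\r\n"                                        # dropped: not anchored on "var"
)

VAR_LINE = re.compile(rb"^var")

# Tokens worth flagging in whatever findstr recovers.  This list is an assumption
# made for the example, not a published detection rule.
INDICATORS = ("ActiveXObject", "WScript.Shell", "eval(", "unescape(", "String.fromCharCode")


def extract_findstr_lines(data, pattern=VAR_LINE):
    """Emulate `findstr "^var" <document>` without running anything: split the
    raw file on newlines and keep the lines whose start matches the anchored
    pattern.  Returns (byte offset, decoded line) pairs so the analyst can see
    where in the file the script was hidden."""
    hits = []
    offset = 0
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if pattern.match(line):
            hits.append((offset, line.decode("latin-1")))
        offset += len(raw) + 1          # +1 for the "\n" consumed by split()
    return hits


def reconstruct_y_js(data):
    """Return the text the macro's redirection would have written to y.js:
    every matching line, one per line, CRLF-terminated as findstr prints it."""
    lines = [text for _, text in extract_findstr_lines(data)]
    return "".join(line + "\r\n" for line in lines)


def suspicious_indicators(js_text):
    """List the indicator tokens present in the recovered script, in INDICATORS order."""
    return [tok for tok in INDICATORS if tok in js_text]


def triage(data):
    """One-shot summary for a sample: where the script sits, what fraction of
    the file precedes it, and which indicators the recovered JS contains."""
    hits = extract_findstr_lines(data)
    js = reconstruct_y_js(data)
    return {
        "hit_count": len(hits),
        "first_offset": hits[0][0] if hits else None,
        "file_size": len(data),
        "tail_fraction": (hits[0][0] / len(data)) if hits and data else None,
        "indicators": suspicious_indicators(js),
        "y_js": js,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DOC)
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

Running the block prints the triage summary for the constructed sample; pass the raw bytes of a real document to `triage()` to recover an appended script the same way. Note the semantics the attacker relies on: findstr keeps only lines that begin with `var`, so the `WScript.Quit();` line in the sample is dropped, and the real script has to be laid out entirely on `var`-prefixed lines for y.js to be complete.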
CyberWorkx news readers can check out the IOCs for the identified malware campaign below: