Konni Campaign Deploys Advanced RAT With UAC Bypass Capabilities


Security researchers have detected a Russian-language Word document carrying a malicious macro in the ongoing Konni campaign. 

Despite its September 2023 creation date, FortiGuard Labs’ internal telemetry revealed continued activity on the campaign’s command-and-control (C2) server. 

This long-running campaign utilizes a remote access Trojan (RAT) capable of extracting information and executing commands on compromised devices, employing diverse strategies for initial access, payload delivery and persistence within victim networks.

According to an advisory published by Fortinet security researcher Cara Lin on Monday, a Visual Basic for Applications (VBA) script is triggered upon opening the document, displaying Russian text related to a military operation. 

“A VBA script is initiated that displays an article in Russian that translates to ‘Western Assessments of the Progress of the Special Military Operation,’” Lin explained.

Read more on VBA-based attacks: Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads

The script retrieves information and runs a discreet batch script that performs system checks, UAC bypass and DLL file manipulations. The User Account Control (UAC) bypass module, in particular, leverages a legitimate Windows utility to execute commands with elevated privileges without triggering UAC prompts.

The subsequent script stops redundant execution, copies files, creates a new service, configures registry settings and initiates the service. The final payload encrypts its C2 configuration using AES-CTR encryption, gathers system information, compresses and uploads data to the C2 server, and fetches commands.

“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents,” Lin wrote.

“We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.”

More information on the Konni campaign’s techniques and strategies for initial access, payload delivery and persistence within victim networks is available in the Fortinet advisory.

Products You May Like

Articles You May Like

Phishing Attacks Targeting US and European Organizations Double
Google’s Privacy Sandbox Accused of User Tracking by Austrian Non-Profit
UK General Election: Tech Policy Expert Calls for Law Overhaul to Combat Deepfakes
Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters
Ascension Attack Caused by Employee Downloading Malicious File

Leave a Reply

Your email address will not be published. Required fields are marked *