Security researchers have detected a Russian-language Word document carrying a malicious macro in the ongoing Konni campaign.
Although the document was created in September 2023, FortiGuard Labs’ internal telemetry showed that the campaign’s command-and-control (C2) server was still active.
This long-running campaign utilizes a remote access Trojan (RAT) capable of extracting information and executing commands on compromised devices, employing diverse strategies for initial access, payload delivery and persistence within victim networks.
According to an advisory published by Fortinet security researcher Cara Lin on Monday, a Visual Basic for Applications (VBA) script is triggered upon opening the document, displaying Russian text related to a military operation.
“A VBA script is initiated that displays an article in Russian that translates to ‘Western Assessments of the Progress of the Special Military Operation,’” Lin explained.
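Because the lure described above relies on an embedded VBA project that runs when the document is opened, a first triage step for a suspicious Word file is to check whether it carries a macro container at all. The following Python script is an added example written for this article, not code from Fortinet or from the advisory: it distinguishes zip-based OOXML documents that contain a `word/vbaProject.bin` part from ones that do not, and flags legacy binary `.doc` (OLE2) containers for deeper inspection with a dedicated parser. The sample package it builds is constructed inline for demonstration and is not the Konni document.

```python
import io
import zipfile

# Magic bytes of a legacy OLE2 / Compound File Binary (.doc) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_word_file(data: bytes) -> str:
    """Triage the raw bytes of a Word file for an embedded VBA project.

    Returns one of:
      "ooxml-macro"  zip-based document that carries word/vbaProject.bin
      "ooxml-clean"  zip-based document with no VBA project part
      "ole-legacy"   binary .doc container; any VBA lives inside the OLE
                     'Macros' storage and needs an OLE parser (e.g. oletools)
      "unknown"      neither a zip package nor an OLE2 container
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return "unknown"
    # Office stores the compiled VBA project as a single binary part; its
    # presence means the document can execute code once macros are enabled,
    # regardless of the file extension the sender chose.
    if any(name.endswith("vbaproject.bin") for name in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes stand in for a real compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (
        ("macro-enabled sample", build_sample(True)),
        ("plain sample", build_sample(False)),
        ("ole2 header only", OLE_MAGIC + b"\x00" * 16),
        ("random bytes", b"not a document"),
    ):
        print(f"{label:22s} -> {classify_word_file(blob)}")
```

The check is deliberately conservative: it reports that code can run, not whether the macro is malicious, so a hit should route the file to sandbox detonation or static VBA extraction rather than straight to a verdict. Flagging a `.docx` that contains `vbaProject.bin` is also useful on its own, since a macro-free extension paired with a macro part is a mismatch worth examining.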
The script retrieves information and runs a discreet batch script that performs system checks, UAC bypass and DLL file manipulations. The User Account Control (UAC) bypass module, in particular, leverages a legitimate Windows utility to execute commands with elevated privileges without triggering UAC prompts.
The subsequent script stops redundant execution, copies files, creates a new service, configures registry settings and initiates the service. The final payload encrypts its C2 configuration using AES-CTR encryption, gathers system information, compresses and uploads data to the C2 server, and fetches commands.
“The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents,” Lin wrote.
“We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.”
More information on the Konni campaign’s techniques and strategies for initial access, payload delivery and persistence within victim networks is available in the Fortinet advisory.