Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)
AhnLab Security Emergency response Center (ASEC) recently identified the distribution of a malicious exe file disguised as material related to a personal data leak, targeting individual users. The final behavior of this malware could not be observed because the C2 was closed, but the malware is a backdoor that receives obfuscated commands from the threat actor and executes them in XML format.
When the malicious exe file is executed, the files embedded in its .data section are written to the %Programdata% folder. All of the created files are obfuscated except for the legitimate doc file.
- Lomd02.png (Malicious jse script)
- Operator.jse (Malicious jse script)
- WindowsHotfixUpdate.jse (Malicious jse script)
- 20231126_9680259278.doc (Legitimate doc file)
- WindowsHotfixUpdate.ps1 (Malicious PowerShell script)
A legitimate document file, ‘20231126_9680259278.doc’, is included among the created files. The threat actor has probably included this to deceive the user into thinking that they opened a legitimate file.
Operator.jse creates a Task Scheduler entry that …
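The following hunting script is an added example for defenders and is not part of the ASEC write-up: it checks a host for the dropped files named above in %ProgramData% and for scheduled tasks whose action runs a .jse or .ps1 from that folder. Only the file names and the drop folder come from the article; the task-scanning heuristic and the `Find-*` function names are assumptions, since the article does not name the task.

```powershell
# Added hunting example (not from the ASEC write-up). File names and the %ProgramData%
# drop folder are taken from the article; everything else is an assumption.

# Files the dropper writes to %ProgramData%, as listed in the article.
$DroppedFiles = @(
    'Lomd02.png',                  # obfuscated JSE script despite the .png extension
    'Operator.jse',                # JSE script that registers the scheduled task
    'WindowsHotfixUpdate.jse',     # obfuscated JSE script
    'WindowsHotfixUpdate.ps1',     # obfuscated PowerShell script
    '20231126_9680259278.doc'      # legitimate decoy document
)

function Find-DroppedFiles {
    param([string]$Root = $env:ProgramData)
    foreach ($name in $DroppedFiles) {
        $path = Join-Path $Root $name
        if (Test-Path -LiteralPath $path) {
            # MD5 is emitted so a hit can be correlated with the article's IoC list.
            [pscustomobject]@{
                Indicator = 'DroppedFile'
                Path      = $path
                MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            }
        }
    }
}

function Find-SuspiciousTasks {
    # Assumption: the task created by Operator.jse launches a .jse or .ps1 from
    # %ProgramData%; the article only states that a Task Scheduler entry is created.
    $pattern = '(?i)' + [regex]::Escape($env:ProgramData) + '.*\.(jse|ps1)\b'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Indicator = 'ScheduledTask'
                    Path      = "$($task.TaskPath)$($task.TaskName)"
                    Command   = $cmd
                }
            }
        }
    }
}

# Run both checks; any output is a lead for triage, not a verdict on its own.
Find-DroppedFiles
Find-SuspiciousTasks
```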
IoC