Konni Campaign Distributed Via Malicious Document

2023-11-20, Fortinet
https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
#Konni

Contents

FortiGuard Labs Threat Research
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical
FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document's creation date of September, ongoing activity on the campaign's C2 server is evident in internal telemetry, as shown in Figure 1.
This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices. Operating for several years, this campaign employs diverse strategies for initial access, payload delivery, and establishing persistence within victims' networks. In this blog, we will elaborate on the behavior of the malware at each stage.
Upon opening the document, a yellow prompt bar appears, displaying “Enable Content” alongside some ambiguous Russian text (Figure 2). Upon selecting the button, a VBA script is initiated that displays an article in Russian …

IoC
