Researchers have spotted a new campaign of the notorious Konni RAT malware that abuses Microsoft Word files. The threat actors distribute the malware through malicious macros embedded in Word documents, which infect the target systems once run.
Konni RAT Malware Exploiting Word Docs
According to a recent blog post from FortiGuard Labs, their researchers detected active campaigns of the Konni RAT malware in the wild.
As explained, the threat actors behind the malware abuse Microsoft Word documents to spread it. The attackers send Word files containing malicious macros to the targeted Windows users, and these macros infect the systems.
Regarding the malware, Konni RAT is a known threat that previously made the news for targeting Russia and North Korea. It is a potent remote access trojan with a range of malicious capabilities, such as stealing credentials, executing commands with elevated privileges, and uploading files to and downloading files from the target devices.
In the recent campaign, the researchers found that the attack begins when a victim receives a maliciously crafted Word document. The document lures users into opening it by impersonating a legitimate attachment, such as an invoice or a contract. When opened, it asks the user to enable content, which runs a VBA script that in turn downloads a malicious batch script.
This script checks the system information, specifically for Windows, and then takes the relevant steps to stay hidden, including a UAC bypass to gain elevated privileges.
Once established on the target system, the malware gains persistence and extracts data, transmitting it to the C&C server. It also receives commands from the C&C server and executes payloads as instructed.
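The hand-off described above, where a Word macro launches a script interpreter to run a downloaded batch file, is one of the more reliable points to detect this chain on an endpoint. The following is an added example, not code from the FortiGuard post, of a small detection rule over process-creation telemetry; the field names are modelled on Sysmon Event ID 1 and the sample events are constructed, not real telemetry.

```python
import json
from typing import Dict, List

# Office binaries that should rarely spawn a script interpreter directly.
OFFICE_PARENTS = {"winword.exe"}
# Interpreters a macro typically hands off to for a second-stage script.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line tokens that hint at a fetched batch/script stage rather than a benign helper.
SUSPICIOUS_ARGS = ("http://", "https://", ".bat", ".cmd", "-enc", "downloadstring")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict) -> List[str]:
    """Return the reasons a single process-creation event looks like a macro hand-off."""
    reasons: List[str] = []
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        hits = [tok for tok in SUSPICIOUS_ARGS if tok in cmd]
        if hits:
            reasons.append("command line contains " + ", ".join(hits))
    return reasons


def detect(events: List[Dict]) -> List[Dict]:
    """Run score_event over a batch of events and return one alert per suspicious event."""
    return [{"pid": ev.get("ProcessId"), "reasons": r}
            for ev in events if (r := score_event(ev))]


# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4321, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\invoice.bat"'},          # macro -> batch script
    {"ProcessId": 4400, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # benign shell
    {"ProcessId": 4500, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe", "CommandLine": "splwow64.exe 12288"},  # print helper
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the first event is flagged: Word spawning a print helper is normal, and a shell started from Explorer has no Office parent, so the rule keys on the parent/child pair first and uses the command-line tokens only to enrich the alert.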
The researchers have shared a detailed analysis of this attack in their post.
While the malware is dangerous, users can protect their systems from this attack by securing their devices with robust anti-malware solutions. Since the threat has been around for years, most anti-malware software can potentially detect and block it before execution. Users should also exercise caution when interacting with attachments from unsolicited sources.
Let us know your thoughts in the comments.