Konni Campaign Distributed Via Malicious Document

2023-11-20 • Fortinet •

https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document

#Konni

FortiGuard described an ongoing Konni campaign using a Russian-language Word document with malicious macros. When the victim enables content, VBA extracts embedded ZIP contents, runs hidden batch scripts, deploys UPX-packed DLLs, and uses a wusa.exe UAC bypass before launching netpp.bat with elevated privileges. The RAT decrypts AES-CTR C2 configuration, collects system and process data, uploads encrypted CAB files to up.php, and polls dn.php for commands or payloads.

Indicators of Compromise

Type	Value	First Seen	Last Seen
DOMAIN	kmdqj1.c1.biz	2023-11-20	2024-09-05
HASH	83e66d912ca592bc2accfd9c275647f…	2023-11-20	2023-11-20
HASH	793b8e72fded73ae6839e678b03bd5c…	2023-11-20	2023-11-20
HASH	656dd6e67a51aebc6c69dc35eaba2e1…	2023-11-20	2023-11-20
HASH	ac9b814b98a962bc77b2ab862d9c3b1…	2023-11-20	2023-11-20
HASH	cfbc7e6a89e4a23a72c7bcd90191977…	2023-11-20	2023-11-20
HASH	f07e55ce20e944706232013241d2328…	2023-11-20	2023-11-20
HASH	085cdb09aba0024c0cadbefe4288178…	2023-11-20	2023-11-20
DOMAIN	vqt9i1.c1.biz	2023-11-20	2023-11-20
DOMAIN	rziju6.c1.biz	2023-11-20	2023-11-20
DOMAIN	ouvxu2.c1.biz	2023-11-20	2023-11-20
DOMAIN	m2jymd.c1.biz	2023-11-20	2023-11-20
DOMAIN	3pl0y5.c1.biz	2023-11-20	2023-11-20
DOMAIN	ewqqa4.c1.biz	2023-11-20	2023-11-20
DOMAIN	7qnbae.c1.biz	2023-11-20	2023-11-20
DOMAIN	3897lb.c1.biz	2023-11-20	2023-11-20
DOMAIN	glws5m.c1.biz	2023-11-20	2023-11-20
DOMAIN	bg5pl1.c1.biz	2023-11-20	2023-11-20
DOMAIN	6e2nbc.c1.biz	2023-11-20	2023-11-20
DOMAIN	aocsff.c1.biz	2023-11-20	2023-11-20
DOMAIN	9b31n8.c1.biz	2023-11-20	2023-11-20
DOMAIN	caoy9n.c1.biz	2023-11-20	2023-11-20
DOMAIN	pm90p1.c1.biz	2023-11-20	2023-11-20
DOMAIN	pxyunf.c1.biz	2023-11-20	2023-11-20
DOMAIN	b91stf.c1.biz	2023-11-20	2023-11-20
DOMAIN	558ga9.c1.biz	2023-11-20	2023-11-20
DOMAIN	dpgbep.c1.biz	2023-11-20	2023-11-20