New Wave of Phishing Attacks Dropshipping the Konni RAT

What happened?

• The malware can now log keystrokes, steal files, capture screenshots, collect information about the infected system, and steal credentials from major browsers.
• The phishing messages use weaponized Microsoft Word documents containing malicious Visual Basic Application (VBA) macro code to deploy KONNI malware.
• The malicious code can change the font color from light grey to black (to trick the victim into enabling content), check whether the Windows OS is a 32-bit or 64-bit version, and run commands to download additional files.

The CISA warning

• They also published a list of MITRE ATT&CK techniques associated with Konni RAT and Snort signatures for use in detecting Konni malware exploits.
• It has recommended users and administrators to follow best practices to strengthen the security posture of their organization's systems.

The backstory

• In January 2020, Konni malware and other associated malware were found targeting a U.S. government agency regarding its ongoing geopolitical relations issues surrounding North Korea.
• In 2017, Konni launched campaigns to target United Nations, UNICEF, and embassies, all linked to North Korea. They also used Inexsmar malware and lures based on several North Korean affairs to target organizations in North Korea.
• Researchers had found links between KONNI malware and NOKKI malware in October 2018. They also found a link between KONNI attacks and the DarkHotel campaigns against North Korea in August 2017.

In essence