Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical
FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry, as shown in Figure 1.
This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices. Operating for several years, this campaign employs diverse strategies for initial access, payload delivery, and establishing persistence within victims’ networks. In this blog, we will elaborate on the behavior of the malware at each stage.
Figure 1: Telemetry
Dropper – Word Document
Upon opening the document, a yellow prompt bar appears, displaying “Enable Content” alongside some ambiguous Russian text (Figure 2). Upon selecting the button, a VBA script is initiated that displays an article in Russian that translates to “Western Assessments of the Progress of the Special Military Operation.”
Figure 2: Word document
The VBA script (Figure 3) retrieves information from “OLEFormat.IconLabel” and stores it in a temporary folder under the filename “temp.zip.” After extracting the file’s contents, it runs the “check.bat” script using the “vbHide” parameter, ensuring the batch script executes without presenting a command prompt window to the user. This method is valuable when a threat actor seeks to discreetly run a script in the background, avoiding user interaction or visible windows.
Figure 3: VBA content
Preparation—check.bat
The initial script file, named “check.bat” (Figure 4), performs several checks. Initially, it verifies the presence of a remote connection session. If detected, it directly initiates the “netpp.bat” script. The script then assesses whether the current system is running Windows 10, assigning a value of 1 to the variable “%Num%” regardless of the outcome. This variable later plays a role in selecting the UAC bypass method. This differs from past KONNI campaigns, which set either 4 or 1 depending on the operating system.
Additionally, it examines whether the system operates on a 64-bit architecture. If so, it renames the corresponding DLL files to “netpp.dll” and “wpns.dll” and removes extraneous DLL files. Finally, it executes “wpns.dll” with three parameters: “QQQQQQQ” as the targeted entry point name, “%Num%” denoting the chosen UAC bypass method, and “netpp.bat” for further action.
Figure 4: check.bat
UAC Bypass Module—wpns.dll
Each DLL file in the Word document has been compressed using UPX. We will delve into the specifics using the 64-bit version files since their 32-bit counterparts have similar functionalities. First, “wpns.dll” is invoked in the batch file “check.bat.” It is primarily designed for UAC bypass. In the batch file, the parameter is configured as 1, prompting the selection of the sub_180001B90 function, as illustrated in Figure 5.
Figure 5: Assembly code in the entry point of “QQQQQQQ”
It initiates the process “wusa.exe,” a legitimate Windows utility responsible for installing and uninstalling Windows updates and packages. Because it is signed and trusted by the operating system, it runs with elevated privileges without triggering User Account Control (UAC) prompts. After launching “wusa.exe,” it duplicates that process’s access token and executes a specified command via “CreateProcessWithLogonW” using that token. Finally, it runs the “netpp.bat” script, which inherits the elevated privileges. A segment of the code is shown in Figure 6.
Figure 6: UAC bypass module
Installation—netpp.bat
Figure 7: netpp.bat
Figure 7 shows the content of the batch file “netpp.bat.” Here is a concise explanation of its functions:
- Service Stop and Check: The script attempts to stop the “netpp” service to prevent redundant execution. It then verifies the presence of the string “system32” in the system.
- Copy Files: If the string “system32” is absent, the script progresses to the “COPYFILE” function. This segment copies multiple files (e.g., netpp.dll, netpp.dat, netpp.ini) to the “System32” directory within the Windows operating system. Once the copying process is completed, specific files are deleted.
- Service Creation: The script then transitions to the “INSTALL” section, where it generates and configures a service named “netpp” using commands like “sc create,” “sc description,” and “sc config.” It configures the service to initiate automatically using a less conspicuous name, “Internet Print Provider Service.”
- Registry Settings: Next, it adds a registry entry in the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” key with the new value “netpp.” This registry setting likely associates the “netpp” service with the Windows Service Host. It then adds the “HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters” key and creates a new value named “ServiceDll” of type REG_EXPAND_SZ with the value data “%windir%\System32\netpp.dll.” This registry setting appears to define a parameter for the “netpp” service, specifying the location of the “netpp.dll” file within the Windows system directory.
- Service Start and Cleanup: Finally, the script starts the “netpp” service and performs trace removal.
Final Payload—netpp.dll
Initially, the program verifies several Windows API functions across various libraries, as shown in Figure 8. If it succeeds in loading those functions, the program continues; otherwise, it returns 0 and terminates. The C2 configuration stored in “netpp.ini” is encrypted using AES-CTR, and the key is derived from the service name established in the preceding step, namely, “netpp.” The first 16 bytes of “netpp.ini” are used as the Initialization Vector (IV) to decrypt and unveil the C2 server list, as seen in Figure 9.
Figure 8: Checking Windows API functions
Figure 9: The decrypted C2 list from “netpp.ini”
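To illustrate the configuration scheme described above (AES-CTR, key derived from the service name, first 16 bytes of “netpp.ini” as the IV), here is an added analyst-side decryptor; it is not code from the original post or from the malware. The page does not say how the key is derived from “netpp,” so SHA-256 of the service name is an assumption, and the “netpp.ini” it decrypts is constructed by the block itself rather than a real sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"strings"
)

// aesCTR applies AES-CTR with the given key and IV. CTR mode is symmetric,
// so the same call both encrypts and decrypts.
func aesCTR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// serviceKey derives a 32-byte AES key from the service name ("netpp").
// SHA-256 is an assumed derivation; the page only says the key is derived from the name.
func serviceKey(service string) []byte {
	sum := sha256.Sum256([]byte(service))
	return sum[:]
}

// DecryptConfig treats the first 16 bytes of netpp.ini as the IV and the rest
// as AES-CTR ciphertext, returning the C2 hosts found in the plaintext.
func DecryptConfig(ini []byte, service string) []string {
	if len(ini) < aes.BlockSize {
		return nil // too short to even hold an IV
	}
	plain := aesCTR(serviceKey(service), ini[:aes.BlockSize], ini[aes.BlockSize:])
	return strings.Fields(string(plain))
}

// SampleIni builds a constructed netpp.ini (not a real sample) so the block runs offline.
func SampleIni(hosts []string, service string) []byte {
	iv := []byte("0123456789abcdef") // fixed 16-byte IV for the constructed sample
	body := aesCTR(serviceKey(service), iv, []byte(strings.Join(hosts, "\r\n")))
	return append(iv, body...)
}

func main() {
	ini := SampleIni([]string{"c2-a.example", "c2-b.example"}, "netpp")
	fmt.Println(DecryptConfig(ini, "netpp"))
}
```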
The program then adds a registry entry using the command “cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f” and begins gathering information from the compromised system. It uses the command “cmd /c systeminfo” to collect comprehensive details about the target system, including the operating system version, system manufacturer, available hotfixes, system uptime, and network configuration. This data is stored in a temporary file whose name is built by concatenating the string “rr ” with the system’s current time. Following this, it executes “cmd /c makecab” to compress the file unless the temporary file already has one of the following extensions: “.7z,” “.zip,” “.rar,” “.cab,” “.docx,” or “.xlsx,” as shown in Figure 10.
Figure 10: Converting collected data into a cab file
Next, using the AES-CTR algorithm, it uses the filename as the key to encrypt the CAB file. The encrypted data is then uploaded to the C2 server via a POST request, employing a hardcoded HTTP syntax, as illustrated in Figure 11.
Figure 11: Creating an HTTP POST request
Afterward, it utilizes the command “cmd /c tasklist” to fetch a list of currently active processes on the system. This helps the threat actor understand the system’s status and potentially identify implemented security measures. This data undergoes the same procedure as the earlier process and is transmitted to the C2 server. The entire C2 request is directed to “up.php” with the parameter “name=%PCNAME%,” as shown in Figure 12. Following the upload, the program removes the temporary file to eliminate traces.
Figure 12: A POST request for uploading task list data
Next, it attempts to get a payload or command from the C2 server by dispatching an HTTP request to “dn.php” with the parameters “name=%PCNAME%” and “prefix.” The potential values for “prefix” include “cc” followed by a digit or a straightforward string “tt.” The C2 sessions are illustrated in Figure 13.
Figure 13: C2 sessions to dn.php
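The upload and tasking requests described above (POST to “up.php” with “name=%PCNAME%,” requests to “dn.php” with “name” and a “prefix” of “cc” plus a digit or “tt”) have a recognisable shape in proxy logs. The following detection routine is an added example, not code from the original post; the “<METHOD> <URL>” log format and the log lines it scans are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Hit records one request that matches the netpp.dll C2 pattern.
type Hit struct{ Host, Script, PCName, Prefix string }

// prefixRe covers the prefix values the text describes: "cc" plus a digit, or "tt".
var prefixRe = regexp.MustCompile(`^(cc[0-9]|tt)$`)

// ScanProxyLog reads lines of the constructed form "<METHOD> <URL>" and returns
// POSTs to up.php carrying name=, and dn.php requests with name= and a valid prefix.
func ScanProxyLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			continue // malformed line
		}
		u, err := url.Parse(parts[1])
		if err != nil {
			continue
		}
		script, q := path.Base(u.Path), u.Query()
		switch {
		case script == "up.php" && parts[0] == "POST" && q.Get("name") != "":
		case script == "dn.php" && q.Get("name") != "" && prefixRe.MatchString(q.Get("prefix")):
		default:
			continue
		}
		hits = append(hits, Hit{u.Host, script, q.Get("name"), q.Get("prefix")})
	}
	return hits
}

// SampleLog is a constructed proxy log, not captured traffic.
var SampleLog = []string{
	"POST http://c2-a.example/up.php?name=WS-07",
	"GET http://c2-a.example/dn.php?name=WS-07&prefix=cc1",
	"GET http://c2-a.example/dn.php?name=WS-07&prefix=tt",
	"GET http://intranet.example/status.php?name=WS-07",
}

func main() {
	fmt.Println(ScanProxyLog(SampleLog)) // the first three lines match
}
```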
Although the actual command from the C2 server remains undisclosed, we can deduce it from the assembly code within the DLL file. Upon receiving a response from the server, the program splits the data using “#” as a delimiter, performs base64 decoding, and decrypts the result using AES. The deciphered content is then stored as a temporary file. The program then executes “cmd /c expand -R” to retrieve the payload for subsequent actions, as shown in Figure 14.
Figure 14: Process response data from the C2 server
Figure 15 shows the partial code of how it handles the C2 commands, which include executing a command with specific privileges, downloading a file, and uploading a particular file.
Figure 15: C2 Command
Conclusion
This article explores an advanced toolset employed by a sophisticated threat actor within a Word document using batch scripts and DLL files. The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents.
Fortinet Protections
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
VBA/Agent.CXE!tr
BASH/Agent.KON!tr
W64/Agent.ATC!tr
W32/Agent.AEQN!tr
W32/Agent.AFRB!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
Fortinet has also released IPS signatures to proactively protect our customers from the threats contained in the exploit list.
The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.
The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.
We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
C2 List:
Files:
Source: https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document