Konni Campaign Distributed Via Malicious Document | FortiGuard Labs

Fortinet researchers describe a Konni campaign that uses a Russian-language Word document with a malicious VBA macro to drop a ZIP payload, run batch installers, bypass UAC, install a persistent Windows service, and communicate with encrypted C2 channels. The final payload (netpp.dll) collects system info, archives and AES-CTR encrypts data, uploads it via HTTP POST to up.php, and fetches commands from dn.php. #Konni #netpp.dll

Keypoints

  • Initial access via a Russian-language Word document that prompts the user to “Enable Content” and triggers a VBA macro to extract a payload into a temp.zip file.
  • The VBA downloader extracts a ZIP to a temp folder and runs check.bat hidden via vbHide to start the staged installation.
  • check.bat inspects remote session presence, OS version, and architecture, renames and prunes DLLs for 64-bit systems, then launches wpns.dll for privilege escalation.
  • wpns.dll performs a UAC bypass by launching wusa.exe, duplicating its token, and using CreateProcessWithLogonW to execute netpp.bat with elevated privileges.
  • netpp.bat copies DLLs and support files to System32, creates and configures a service named “netpp” (labeled “Internet Print Provider Service”), writes registry keys, starts the service, and removes traces.
  • netpp.dll decrypts netpp.ini (AES-CTR, key derived from service name “netpp”), collects systeminfo and tasklist, packages data with makecab, encrypts the CAB with the filename as the AES key, and uploads via HTTP POST to up.php.
  • The implant polls dn.php (with parameters name=%PCNAME% and prefix) to receive base64/AES-encrypted commands, which it decodes, decrypts, expands with expand -R, and executes (download, upload, command execution).

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivery via a malicious Word document that prompts the user to enable macros (‘Enable Content’ alongside some ambiguous Russian text).
  • [T1059.005] Visual Basic for Applications – Embedded VBA retrieves OLEFormat.IconLabel, writes contents to a temporary ‘temp.zip’, and launches check.bat (‘retrieves information from “OLEFormat.IconLabel” and stores it in a temporary folder under the filename “temp.zip”’).
  • [T1059.003] Command and Scripting Interpreter (Windows Command Shell) – Batch scripts (check.bat, netpp.bat) perform environment checks, file operations, service creation, and cleanup (‘runs the “check.bat” script using the “vbHide” parameter’).
  • [T1548.002] Bypass User Account Control – UAC bypass via wpns.dll which spawns wusa.exe, duplicates its access token, and calls CreateProcessWithLogonW to run elevated commands (‘initiates the process “wusa.exe”… duplicates its access token and proceeds to execute a specified command using “CreateProcessWithLogonW”’).
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence achieved by creating/configuring a Windows service named “netpp” using sc create/sc config and corresponding registry entries (‘generates and configures a service named “netpp” using commands like “sc create,” “sc description,” and “sc config”’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication performed over HTTP(S) POST/GET to endpoints like up.php and dn.php for data upload and command retrieval (‘the entire C2 request is directed to “up.php” with the parameter “name=%PCNAME%”’ and requests to ‘dn.php’).
  • [T1041] Exfiltration Over C2 Channel – Collected system information and process lists are archived, AES-CTR encrypted (filename-derived key), and uploaded to the C2 via HTTP POST (‘uses the filename as the key to encrypt the CAB file… uploaded to the C2 server via a POST request’).
  • [T1082] System Information Discovery – The implant runs systeminfo and tasklist to enumerate host details and running processes for the attacker (‘uses the command “cmd /c systeminfo”’ and ‘cmd /c tasklist’).
  • [T1560.001] Archive Collected Data – Data is packaged using makecab before encryption and exfiltration (‘executes “cmd /c makecab” to compress the file’).

Indicators of Compromise

  • [Domains] C2 domains used for uploads and commands – kmdqj1.c1.biz, ouvxu2.c1.biz, and 18 more domains.
  • [File Names] Dropper and installer artifacts – temp.zip, check.bat, netpp.bat, netpp.dll, wpns.dll, netpp.ini.
  • [Service Name / Registry] Persistence identifiers – service “netpp” (displayed as “Internet Print Provider Service”); registry keys under HKLM\SYSTEM\CurrentControlSet\Services\netpp and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost referencing ‘netpp’.
  • [File Hashes] Sample binaries/hashes observed – ac9b814b98a962bc77b2ab862d9c3b1ba5f7e86b80797259b4fcb40bfb389081, f07e55ce20e944706232013241d23282e652de2c9514904dede14d4a711a5d1d, and 5 more hashes.

When the user opens the malicious Word document and enables macros, the embedded VBA extracts an OLE payload into a temporary ‘temp.zip’, unpacks it, and silently launches check.bat. check.bat evaluates the execution environment (remote session presence, OS version, architecture), renames the 64-bit DLLs to their standard names (netpp.dll, wpns.dll), removes unnecessary files, and invokes wpns.dll to escalate privileges.

wpns.dll implements a UAC bypass by starting the signed wusa.exe process, duplicating its access token, and creating a new process with CreateProcessWithLogonW so that netpp.bat runs elevated. netpp.bat then copies required components into %windir%\System32, registers and configures a service named ‘netpp’ (using sc create/sc config and registry keys under Services and SvcHost), starts the service, and performs cleanup to hide traces.

The installed netpp.dll validates the Windows APIs it needs, decrypts netpp.ini using AES-CTR (key derived from the service name “netpp”, with the first 16 bytes used as the IV), and enumerates the host (systeminfo, tasklist). Collected data is packaged with makecab, encrypted using the CAB filename as the AES key, and sent to the C2 via an HTTP POST to up.php (name=%PCNAME%). The implant polls dn.php (parameters name=%PCNAME% and prefix) to receive base64/AES-encrypted commands, which it decodes, decrypts, expands with expand -R to extract payloads, and executes as operations such as running commands, downloading files, and uploading data.
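The chain above leaves several host and network artefacts a defender can hunt for: the “netpp” service installation, the sc commands that create it, processes spawned under wusa.exe, and HTTP requests to up.php/dn.php carrying a name= parameter. The following detection logic is an added example written for this summary, not code from Fortinet or the report; the log lines are constructed, the field names (EventID=, ParentImage=, url=) are an assumed flat log format, and the only real indicators used are the two C2 domains quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (assumed flat key=value format); the last one is benign.
SAMPLE_LOGS = [
    'EventID=7045 ServiceName=netpp DisplayName="Internet Print Provider Service" ImagePath="%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
    'EventID=4688 ParentImage=C:\\Windows\\System32\\wusa.exe NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c netpp.bat"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\sc.exe CommandLine="sc create netpp binPath= ..."',
    'proxy method=POST url=http://kmdqj1.c1.biz/up.php?name=WS-CONSTRUCTED status=200',
    'proxy method=GET url=http://ouvxu2.c1.biz/dn.php?name=WS-CONSTRUCTED&prefix=ab status=200',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

# The two C2 domains quoted in the report; the remaining 18 are not listed on this page.
KNOWN_C2 = {"kmdqj1.c1.biz", "ouvxu2.c1.biz"}

# Host-side rules keyed on the persistence and UAC-bypass artefacts described above.
RULES = [
    # Service Control Manager install event for the "netpp" service.
    ("service_netpp_installed", re.compile(r"EventID=7045 .*ServiceName=netpp\b")),
    # sc create / sc config / sc description targeting the "netpp" service.
    ("sc_create_netpp", re.compile(r"sc(\.exe)?\s+(create|config|description)\s+netpp\b", re.I)),
    # Heuristic (assumed): a child process whose parent is wusa.exe, which rarely spawns children.
    ("wusa_parent_spawn", re.compile(r"ParentImage=\S*\\wusa\.exe\b", re.I)),
]

def c2_match(line):
    """Flag requests to up.php or dn.php that carry the name= parameter the implant uses."""
    m = re.search(r"url=(\S+)", line)
    if not m:
        return None
    u = urlsplit(m.group(1))
    script = u.path.rsplit("/", 1)[-1]
    if script in ("up.php", "dn.php") and "name" in parse_qs(u.query):
        return "c2_known_domain" if u.hostname in KNOWN_C2 else "c2_pattern"
    return None

def detect(lines):
    """Return (rule_name, line) pairs for every host or network rule that fires."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
        tag = c2_match(line)
        if tag:
            hits.append((tag, line))
    return hits

if __name__ == "__main__":
    for name, line in detect(SAMPLE_LOGS):
        print(f"{name:24s} {line[:80]}")
```

The "c2_pattern" tag fires on the URL shape alone, so it still catches the other 18 domains the report mentions but does not list here.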

Read more: https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document