Konni Campaign Deploys Advanced RAT With UAC Bypass Capabilities

Security researchers have detected a Russian-language Word document carrying a malicious macro in the ongoing Konni campaign. Despite its September 2023 creation date, FortiGuard Labs' internal telemetry revealed continued activity on the campaign's command-and-control (C2) server. This long-running campaign utilizes a remote access Trojan capable of extracting information and executing commands on compromised devices, employing diverse strategies for initial access, payload delivery and persistence within victim networks.

According to an advisory published by Fortinet security researcher Cara Lin on Monday, a Visual Basic for Applications (VBA) script is triggered upon opening the document, displaying Russian text related to a military operation. "A VBA script is initiated that displays an article in Russian that translates to 'Western Assessments of the Progress of the Special Military Operation,'" Lin explained.

The script retrieves information and runs a discreet batch script that performs system checks, UAC bypass and DLL file manipulations. The User Account Control bypass module, in particular, leverages a legitimate Windows utility to execute commands with elevated privileges without triggering UAC prompts. The subsequent script stops redundant execution, copies files, creates a new service, configures registry settings and initiates the service. The final payload encrypts its C2 configuration using AES-CTR encryption, gathers system information, compresses and uploads data to the C2 server, and fetches commands.

"The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents," Lin wrote. "We also suggest that organizations go through Fortinet's free NSE training module: NSE 1 - Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks."

More information on the Konni campaign's techniques and strategies for initial access, payload delivery and persistence within victim networks is available in the Fortinet advisory.

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000
