For HomeFor BusinessFor Partners
Digital Privacy Industry News
2 min read

CISA Warns of Phishing Campaign Used to Deploy KONNI Malware

Silviu STAHIE

August 18, 2020

Promo Protect all your devices, without slowing them down.
Free 30-day trial
CISA Warns of Phishing Campaign Used to Deploy KONNI Malware

The Cybersecurity and Infrastructure Security Agency (CISA) advised users to be wary of an email attachment containing a malicious Microsoft Word document that”s used to deploy KONNI malware.

Phishing is one of the main methods hackers use to spread malware, and there”s a solid reason for that. It doesn”t require technical expertise to infiltrate networks or to compromise security systems. Careless or untrained employees will do the work of hackers when they open an email without double-checking where it comes from.

Phishing emails usually try to trick users into visiting a website that looks very much like the official one, so they can steal their credentials. In some cases, the simple act of visiting a website can compromise a device or PC, if it”s vulnerable. Phishing emails also carry infected attachments, and Word documents are among the most common.

Microsoft Word features Macro automatization functions that have legitimate uses, but bad actors can use them to run commands and install further payloads, all invisible to the users.

“Once the Visual Basic Application (VBA) macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator” says CISA in the advisory. “It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection.”

“The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.”

The result is the final installation of KONNI, a remote administration tool that hackers use to steal files, infect other hosts in the same network, take screenshots, capture keystrokes and more.

The best way to protect against this type of attack is to have a security solution installed and up to date, to never open attachments from unknown sources and to keep the Macro function disabled by default.

tags

Digital Privacy Industry News

Author

Silviu STAHIE

Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.

View all posts

Right now Top posts

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide
Scam Spam

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide

April 19, 2024

5 min read
Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

How to keep your Android device immune to malicious vaccine themed apps
Archive

How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine
Archive Industry News

Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands
Archive

Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read

Bookmarks

loader