Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical
FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry, as shown in Figure 1.
This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices. Operating for several years, this campaign employs diverse strategies for initial access, payload delivery, and establishing persistence within victims’ networks. In this blog, we will elaborate on the behavior of the malware at each stage.
Dropper – Word Document
When the document is opened, a yellow prompt bar appears displaying “Enable Content” alongside some ambiguous Russian text (Figure 2). Clicking the button starts a VBA script that displays an article in Russian whose title translates to “Western Assessments of the Progress of the Special Military Operation.”
The VBA script (Figure 3) retrieves information from “OLEFormat.IconLabel” and stores it in a temporary folder under the filename “temp.zip.” After extracting the file’s contents, it runs the “check.bat” script using the “vbHide” parameter, ensuring the batch script executes without presenting a command prompt window to the user. This method is valuable when a threat actor seeks to discreetly run a script in the background, avoiding user interaction or visible windows.
The initial script file, named “check.bat” (Figure 4), performs several checks. First, it verifies whether a remote connection session is present; if one is detected, it directly launches the “netpp.bat” script. The script then checks whether the current system is running Windows 10, but assigns the value 1 to the variable “%Num%” regardless of the outcome. This variable later selects the UAC bypass method. This differs from earlier KONNI campaigns, which set the value to either 4 or 1 depending on the operating system.
Additionally, it examines whether the system operates on a 64-bit architecture. If so, it renames the corresponding DLL files to “netpp.dll” and “wpns.dll” and removes extraneous DLL files. Finally, it executes “wpns.dll” with three parameters: “QQQQQQQ” as the targeted entry point name, “%Num%” denoting the chosen UAC bypass method, and “netpp.bat” for further action.
UAC Bypass Module—wpns.dll
Each DLL file in the Word document has been compressed using UPX. We will delve into the specifics using the 64-bit version files since their 32-bit counterparts have similar functionalities. Firstly, “wpns.dll” is invoked in the batch file “check.bat.” It is primarily designed for UAC bypass. In the batch file, the parameter is configured as 1, prompting the selection of the sub_180001B90 function, as illustrated in Figure 5.
It launches “wusa.exe,” a legitimate Windows utility responsible for installing and uninstalling Windows updates and packages. Because it is signed and trusted by the operating system, it runs with elevated privileges without triggering User Account Control (UAC) prompts. Once “wusa.exe” is running, the module duplicates its access token and executes a specified command with “CreateProcessWithLogonW” under that token. Finally, it runs the “netpp.bat” script, which inherits the elevated privileges. A segment of the code is shown in Figure 6.
Figure 7 shows the content of the batch file “netpp.bat.” Here is a concise explanation of its functions:
- Service Stop and Check: The script attempts to stop the “netpp” service to prevent redundant execution. It then verifies the presence of the string “system32” in the system.
- Copy Files: If the string “system32” is absent, the script progresses to the “COPYFILE” function. This segment copies multiple files (e.g., netpp.dll, netpp.dat, netpp.ini) to the “System32” directory within the Windows operating system. Once the copying process is completed, specific files are deleted.
- Service Creation: The script then transitions to the “INSTALL” section, where it generates and configures a service named “netpp” using commands like “sc create,” “sc description,” and “sc config.” It configures the service to initiate automatically using a less conspicuous name, “Internet Print Provider Service.”
- Registry Settings: Next, it adds a registry entry in the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” key with the new value “netpp.” This registry setting likely associates the “netpp” service with the Windows Service Host. It then adds the “HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters” key and creates a new value named “Serviceb11” of type REG_EXPAND_SZ with the value data “%windir%\System32\netpp.dll.” This registry setting appears to define a parameter for the “netpp” service, specifying the location of the “netpp.dll” file within the Windows system directory.
- Service Start and Cleanup: Finally, the script starts the “netpp” service and performs trace removal.
The program first resolves several Windows API functions from various libraries, as shown in Figure 8. If all of them load successfully, execution continues; otherwise, it returns 0 and terminates. The C2 configuration stored in “netpp.ini” is encrypted with AES-CTR, and the key is derived from the service name established in the preceding step, namely “netpp.” The first 16 bytes of “netpp.ini” serve as the Initialization Vector (IV); decrypting the remainder reveals the C2 server list, as seen in Figure 9.
The program then adds a registry entry using the command “cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f” and begins gathering information from the compromised system. It uses the command “cmd /c systeminfo” to collect comprehensive details about the target system, including the operating system version, system manufacturer, installed hotfixes, system uptime, and network configuration. This data is stored in a temporary file whose name is formed by concatenating the string “rr ” with the system time. It then executes “cmd /c makecab” to compress the file, unless the temporary file already has one of the following extensions: “.7z,” “.zip,” “.rar,” “.cab,” “.docx,” or “.xlsx,” as shown in Figure 10.
Next, using the AES-CTR algorithm, it uses the filename as the key to encrypt the CAB file. The encrypted data is then uploaded to the C2 server via a POST request, employing a hardcoded HTTP syntax, as illustrated in Figure 11.
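To make the configuration-recovery step concrete, here is an added Go example (not code from FortiGuard or from the sample itself) of a decryptor for the layout the article describes for “netpp.ini”: the first 16 bytes are the IV and the remainder is AES-CTR ciphertext keyed from the service name “netpp.” The article does not say how the five-character name becomes an AES key, so the zero-padding in deriveKey is an assumption, as are the IV bytes and the placeholder C2 URLs in the constructed sample. The same routine, given the upload file name as the key string, covers the CAB encryption described above, on the further assumption that the upload uses the same IV-prefixed layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// deriveKey turns the short ASCII string the sample uses as key material
// ("netpp", the service name, for netpp.ini; the upload file name for the
// CAB) into a 16-byte AES-128 key. The article does not state how the
// string becomes a key, so zero-padding/truncating it to 16 bytes is an
// ASSUMPTION of this example; an analyst would replace it with the
// derivation recovered from the binary.
func deriveKey(s string) []byte {
	key := make([]byte, aes.BlockSize)
	copy(key, s)
	return key
}

// decryptIVPrefixed decrypts a blob laid out as [16-byte IV][AES-CTR data],
// the layout the article describes for netpp.ini.
func decryptIVPrefixed(blob []byte, keyStr string) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob shorter than one AES block: no IV present")
	}
	block, err := aes.NewCipher(deriveKey(keyStr))
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// encryptIVPrefixed is the inverse; it exists only to build the constructed
// sample below (CTR mode uses the same keystream in both directions).
func encryptIVPrefixed(pt []byte, iv [aes.BlockSize]byte, keyStr string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(keyStr))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(pt))
	copy(out, iv[:])
	cipher.NewCTR(block, iv[:]).XORKeyStream(out[aes.BlockSize:], pt)
	return out, nil
}

// parseC2List splits a decrypted config into one entry per non-empty line.
func parseC2List(pt []byte) []string {
	var out []string
	for _, line := range strings.Split(string(pt), "\n") {
		if l := strings.TrimSpace(line); l != "" {
			out = append(out, l)
		}
	}
	return out
}

// constructedSampleINI builds a fake netpp.ini: a fixed IV followed by two
// placeholder C2 URLs encrypted under the "netpp"-derived key. Both the IV
// and the URLs are CONSTRUCTED; they are not indicators from the campaign.
func constructedSampleINI() []byte {
	iv := [aes.BlockSize]byte{0x4b, 0x6f, 0x6e, 0x6e, 0x69, 0x2d, 0x49, 0x56, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}
	pt := []byte("http://c2-placeholder-1.example/up.php\nhttp://c2-placeholder-2.example/dn.php\n")
	blob, err := encryptIVPrefixed(pt, iv, "netpp")
	if err != nil {
		panic(err)
	}
	return blob
}

func main() {
	blob := constructedSampleINI()
	pt, err := decryptIVPrefixed(blob, "netpp")
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	for i, c2 := range parseC2List(pt) {
		fmt.Printf("C2[%d] = %s\n", i, c2)
	}
}
```

To run it against a real “netpp.ini,” replace constructedSampleINI with the file’s bytes; if the output is not a list of URLs, the key derivation is the first thing to revisit, since a wrong key under CTR produces plausible-length garbage rather than an error.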
Afterward, it utilizes the command “cmd /c tasklist” to fetch a list of currently active processes on the system. This helps the threat actor understand the system’s status and potentially identify implemented security measures. This data undergoes the same procedure as the earlier process and is transmitted to the C2 server. The entire C2 request is directed to “up.php” with the parameter “name=%PCNAME%,” as shown in Figure 12. Following the upload, the program removes the temporary file to eliminate traces.
Next, it attempts to get a payload or command from the C2 server by dispatching an HTTP request to “dn.php” with the parameters “name=%PCNAME%” and “prefix.” The potential values for “prefix” include “cc” followed by a digit or a straightforward string “tt.” The C2 sessions are illustrated in Figure 13.
Although the actual command from the C2 server remains undisclosed, we can deduce its handling from the assembly code within the DLL file. Upon receiving a response from the server, the malware splits the data using “#” as a delimiter, base64-decodes it, and decrypts the result using AES. The decrypted content is then stored as a temporary file. The program then executes “cmd /c expand -R” to unpack the payload for subsequent actions, as shown in Figure 14.
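The command lines quoted in this section, together with the service and registry operations of “netpp.bat” described earlier, are the easiest part of the chain to catch in process-creation telemetry. The following Go program is an added example (not FortiGuard detection content) that correlates those stages per host over constructed Sysmon-style events and reports hosts on which several distinct stages appear. The sample events, host names, file paths, timestamp-style file name and the svchost binPath are constructed, and the threshold of three stages is a tuning choice, not a value from the article.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is a minimal process-creation record carrying the fields a Sysmon
// Event ID 1 or Security 4688 record would provide. The sample events below
// are CONSTRUCTED for this example and are not telemetry from the article.
type Event struct {
	Host        string
	Image       string // created process
	CommandLine string
}

// stage pairs a step of the chain described in the article with a predicate
// over a single event.
type stage struct {
	Name  string
	Match func(Event) bool
}

// hasAll reports whether every needle occurs in haystack, ignoring case,
// because Windows command lines are case-insensitive.
func hasAll(haystack string, needles ...string) bool {
	h := strings.ToLower(haystack)
	for _, n := range needles {
		if !strings.Contains(h, strings.ToLower(n)) {
			return false
		}
	}
	return true
}

// konniStages lists the observable steps from netpp.bat and the netpp service,
// in the order the article describes them.
var konniStages = []stage{
	{"netpp.bat launched", func(e Event) bool { return hasAll(e.CommandLine, "netpp.bat") }},
	{"service netpp created", func(e Event) bool { return hasAll(e.CommandLine, "sc ", "create", "netpp") }},
	{"decoy display name set", func(e Event) bool { return hasAll(e.CommandLine, "sc ", "netpp", "Internet Print Provider Service") }},
	{"netpp added to SvcHost key", func(e Event) bool { return hasAll(e.CommandLine, "reg", "add", `\CurrentVersion\SvcHost`, "netpp") }},
	{"Serviceb11 points at netpp.dll", func(e Event) bool { return hasAll(e.CommandLine, "reg", "add", `\Services\netpp\Parameters`, "Serviceb11", "netpp.dll") }},
	{"console code page forced to 65001", func(e Event) bool { return hasAll(e.CommandLine, "reg", "add", `HKCU\Console`, "CodePage", "65001") }},
	{"systeminfo collected via cmd /c", func(e Event) bool { return hasAll(e.CommandLine, "cmd", "/c", "systeminfo") }},
	{"tasklist collected via cmd /c", func(e Event) bool { return hasAll(e.CommandLine, "cmd", "/c", "tasklist") }},
	{"output packed with makecab", func(e Event) bool { return hasAll(e.CommandLine, "cmd", "/c", "makecab") }},
	{"payload unpacked with expand -R", func(e Event) bool { return hasAll(e.CommandLine, "cmd", "/c", "expand", "-R") }},
}

// detectKonniChain groups events by host and returns, for each host on which
// at least minStages distinct stages were seen, the stage names in chain order.
func detectKonniChain(events []Event, minStages int) map[string][]string {
	seen := map[string]map[int]bool{}
	for _, e := range events {
		for i, s := range konniStages {
			if s.Match(e) {
				if seen[e.Host] == nil {
					seen[e.Host] = map[int]bool{}
				}
				seen[e.Host][i] = true
			}
		}
	}
	hits := map[string][]string{}
	for host, idx := range seen {
		if len(idx) < minStages {
			continue
		}
		var order []int
		for i := range idx {
			order = append(order, i)
		}
		sort.Ints(order)
		for _, i := range order {
			hits[host] = append(hits[host], konniStages[i].Name)
		}
	}
	return hits
}

// constructedEvents returns sample records for two hosts: WS-01 shows the
// chain from the article, WS-02 shows ordinary administrative activity.
func constructedEvents() []Event {
	return []Event{
		{"WS-01", `C:\Windows\System32\cmd.exe`, `cmd /c C:\Users\user\AppData\Local\Temp\netpp.bat`},
		{"WS-01", `C:\Windows\System32\sc.exe`, `sc create netpp binPath= "C:\Windows\System32\svchost.exe -k netpp" start= auto`},
		{"WS-01", `C:\Windows\System32\sc.exe`, `sc config netpp DisplayName= "Internet Print Provider Service"`},
		{"WS-01", `C:\Windows\System32\reg.exe`, `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netpp /t REG_MULTI_SZ /d netpp /f`},
		{"WS-01", `C:\Windows\System32\reg.exe`, `reg add HKLM\SYSTEM\CurrentControlSet\Services\netpp\Parameters /v Serviceb11 /t REG_EXPAND_SZ /d %windir%\System32\netpp.dll /f`},
		{"WS-01", `C:\Windows\System32\cmd.exe`, `cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f`},
		{"WS-01", `C:\Windows\System32\cmd.exe`, `cmd /c systeminfo`},
		{"WS-01", `C:\Windows\System32\cmd.exe`, `cmd /c makecab C:\Users\user\AppData\Local\Temp\rr1699999999 C:\Users\user\AppData\Local\Temp\rr1699999999.cab`},
		{"WS-02", `C:\Windows\System32\cmd.exe`, `cmd /c systeminfo`},
		{"WS-02", `C:\Windows\System32\sc.exe`, `sc create BackupAgent binPath= "C:\Program Files\Backup\agent.exe" start= auto`},
	}
}

func main() {
	for host, stages := range detectKonniChain(constructedEvents(), 3) {
		fmt.Printf("%s: %d stages matched\n", host, len(stages))
		for _, s := range stages {
			fmt.Println("  -", s)
		}
	}
}
```

A lone “systeminfo” or “sc create” is routine administrative activity, so single-stage matches are deliberately not alerted; the per-host count of distinct stages is what separates this chain from normal operations. Matching on literal names such as “netpp” and “Serviceb11” is brittle against renamed variants, so the SvcHost and Services\…\Parameters registry stages are the ones worth generalising to any new service name.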
Figure 15 shows the partial code of how it handles the C2 commands, which include executing a command with specific privileges, downloading a file, and uploading a particular file.
This article explores an advanced toolset employed by a sophisticated threat actor within a Word document using batch scripts and DLL files. The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands. As this malware continues to evolve, users are advised to exercise caution with suspicious documents.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
Fortinet has also released IPS signatures to proactively protect our customers from the threats contained in the exploit list.
The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.
The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.
We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.