Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)

by Prapattimynk, Monday, 11 December 2023 (3 months ago)
Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)


AhnLab Security Emergency response Center (ASEC) recently identified the distribution of a malicious exe file disguised as material related to a personal data leak, targeting individual users. The final behavior of this malware could not be observed because the C2 was closed, but the malware is a backdoor that receives obfuscated commands from the threat actor and executes them in xml format.

Figure 1. An email impersonating a cyber investigation team
Figure 2. The malicious exe file disguised as a Word file

When the malicious exe file is executed, the files in the .data section are created into the %Programdata% folder. Out of the created files, all files are obfuscated except for the legitimate doc file.

  • Lomd02.png (Malicious jse script)
  • Operator.jse (Malicious jse script)
  • WindowsHotfixUpdate.jse (Malicious jse script)
  • 20231126_9680259278.doc (Legitimate doc file)
  • WindowsHotfixUpdate.ps1 (Malicious PowerShell script)
Figure 3. Files in the .data section

A legitimate document file, ‘20231126_9680259278.doc’, is included among the created files. The threat actor has probably included this to deceive the user into thinking that they opened a legitimate file.

Figure 4. 20231126_9680259278.doc

Operator.jse creates a Task Scheduler entry that executes WindowsHotfixUpdate.jse, which in turn executes the file WindowsHotfixUpdate.ps1. The file WindowsHotfixUpdate.ps1 receives commands from the C2, and it is presumed that these commands are obfuscated, because the jse file with the file name Lomd02.png was observed deobfuscating such commands and loading them in xml format.

While additional commands could not be examined due to the C2 being unavailable for access at the moment, it seems that various additional attacks would be possible depending on the commands sent from the C2.

  • Task Scheduler name: WindowsHotfixUpdate[B409302303-02940492024]
  • Trigger: Repeat every minute indefinitely
  • Action: Execute C:ProgramDataWindowsHotfixUpdate.jse
Figure 5. Deobfuscated Operator.jse
Figure 6. Deobfuscated WindowsHotfixUpdate.jse
Figure 7. Deobfuscated WindowsHotfixUpdate.ps1
Figure 8. Deobfuscated Lomd02.png (jse)

Because the bait file is also run, ordinary users cannot recognize that their systems are infected by malware. Since such malware are aimed at specific targets, users should refrain from running attachments in emails sent from unknown sources.

[File Detection]

  • Backdoor/JS.Konni (2023.12.06.03)
  • Backdoor/Win.Konni (2023.12.06.03)
  • Backdoor/PowerShell.Konni (2023.12.06.03)

[IOC]

  • MD5
    b58eb8a3797d3a52aba30d91d207b688 ([Date]_[Name].exe)
    78ea811850e01544ca961f181030b584 (Lomd02.png)
    682b5a3c93e107511fdd2cdb8e50389a (Operator.jse)
    a93474c3978609c8480b34299bf482b7 (WindowsHotfixUpdate.jse)
    d634cb7b45217ca4fd7eca5685a64f50 (20231126_9680259278.doc)
    d06d1c2ec1490710133dea445f33bd19 (WindowsHotfixUpdate.ps1)
  • C2
    hxxp://gjdow.atwebpages.com/dn[.]php?name=[Computer name]&prefix=tt

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.