Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)

AhnLab Security Emergency response Center (ASEC) recently identified the distribution of a malicious exe file disguised as material related to a personal data leak, targeting individual users. The final behavior of this malware could not be observed because the C2 was already closed, but the malware is a backdoor that receives obfuscated commands in xml format from the threat actor and executes them.

When the malicious exe file is executed, the files embedded in its .data section are dropped into the %ProgramData% folder. Of the dropped files, all are obfuscated except for the legitimate doc file.

  • Lomd02.png (Malicious jse script)
  • Operator.jse (Malicious jse script)
  • WindowsHotfixUpdate.jse (Malicious jse script)
  • 20231126_9680259278.doc (Legitimate doc file)
  • WindowsHotfixUpdate.ps1 (Malicious PowerShell script)

A legitimate document file, ‘20231126_9680259278.doc’, is included among the created files. The threat actor has probably included this to deceive the user into thinking that they opened a legitimate file.

Operator.jse creates a Task Scheduler entry that executes WindowsHotfixUpdate.jse, which in turn executes WindowsHotfixUpdate.ps1. WindowsHotfixUpdate.ps1 receives commands from the C2. These commands are presumed to be obfuscated, because the jse file named Lomd02.png was observed deobfuscating such commands and loading them in xml format.

While additional commands could not be examined because the C2 was unavailable at the time of analysis, various follow-on attacks appear possible depending on the commands sent from the C2.

  • Task Scheduler name: WindowsHotfixUpdate[B409302303-02940492024]
  • Trigger: Repeat every minute indefinitely
  • Action: Execute C:\ProgramData\WindowsHotfixUpdate.jse
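As an added example (not ASEC's code or part of the original post), the following PowerShell check enumerates scheduled tasks and flags the persistence pattern above: a task whose action runs a script-host file from %ProgramData% on a repeating trigger of a few minutes or less, or whose name begins with WindowsHotfixUpdate. The function name, parameter names and the five-minute threshold are assumptions.

```powershell
# Added defender-side check (not ASEC's code): flag scheduled tasks that run
# a script from ProgramData on a short repeating trigger, as described above.
function Find-SuspiciousScriptTasks {
    [CmdletBinding()]
    param(
        # Script-host extensions the sample abuses (.jse/.ps1) plus common siblings
        [string[]]$ScriptExtensions = @('.jse', '.js', '.vbs', '.vbe', '.wsf', '.ps1'),
        # Task names starting with this prefix are flagged on their own
        [string]$NamePrefix = 'WindowsHotfixUpdate',
        # Assumed threshold: repetition intervals of this many minutes or less are suspicious
        [int]$MaxIntervalMinutes = 5
    )
    $programData = [System.Environment]::GetFolderPath('CommonApplicationData')
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $reasons = New-Object System.Collections.Generic.List[string]
        if ($task.TaskName -like "$NamePrefix*") { $reasons.Add("task name matches '$NamePrefix*'") }
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskExecAction carries Execute/Arguments; skip other action types
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -like "*$programData*" -or $cmdline -like '*%ProgramData%*') {
                foreach ($ext in $ScriptExtensions) {
                    if ($cmdline -like "*$ext*") { $reasons.Add("runs $ext script from ProgramData: $cmdline"); break }
                }
            }
        }
        foreach ($trigger in $task.Triggers) {
            # Repetition.Interval is an ISO 8601 duration, e.g. PT1M for "every minute";
            # an empty Duration means the repetition never stops
            $interval = $trigger.Repetition.Interval
            if ($interval -and $interval -match '^PT(\d+)M$' -and [int]$Matches[1] -le $MaxIntervalMinutes) {
                $duration = if ($trigger.Repetition.Duration) { $trigger.Repetition.Duration } else { 'indefinite' }
                $reasons.Add("repeats every $interval, duration $duration")
            }
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousScriptTasks | Format-List
```

Run from an elevated session so that tasks registered by other principals are enumerated; a hit on both a ProgramData script action and a one-minute repetition is the combination this sample exhibits.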

Because the bait document is also opened, ordinary users cannot recognize that their systems are infected by malware. Since such malware is aimed at specific targets, users should refrain from running attachments in emails sent from unknown sources.

[File Detection]

  • Backdoor/JS.Konni (2023.12.06.03)
  • Backdoor/Win.Konni (2023.12.06.03)
  • Backdoor/PowerShell.Konni (2023.12.06.03)

URL

http[:]//gjdow[.]atwebpages[.]com/dn[.]php?name=[Computer
