FortiGuard Labs has identified a Russian-language Word document carrying a malicious macro as part of the ongoing Konni campaign. Although the document was created in September, its command-and-control server remains active, indicating that the campaign is still operating.
The campaign delivers a sophisticated remote access trojan (RAT) capable of extracting information from and executing commands on compromised devices, reflecting a prolonged and evolving threat. The malware uses several techniques for initial access, payload delivery, and persistence within victims’ networks, underscoring the need for heightened caution and defensive measures.
Upon opening the document, users are prompted with a yellow bar displaying “Enable Content” alongside ambiguous Russian text. Choosing this option initiates a VBA script that presents an article in Russian titled “Western Assessments of the Progress of the Special Military Operation.”
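Because the lure depends on the victim enabling a macro, a quick defensive triage step is to check whether a Word package even carries VBA before anyone opens it. The following is an added example, not code from the original report or from FortiGuard Labs; it inspects the OOXML ZIP container for the `word/vbaProject.bin` part and the macro-enabled content type, and builds its own constructed sample packages so it runs offline (the sample bytes are placeholders, not real macro content).

```python
import io
import zipfile

# Content type Word declares for the main part of a macro-enabled document (.docm).
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PROJECT_PART = "word/vbaProject.bin"


def inspect_office_package(data: bytes) -> dict:
    """Return macro-related indicators for an OOXML (.docx/.docm) package.

    Word stores VBA in a separate ZIP part (vbaProject.bin), so its presence
    signals embedded macros regardless of the file extension shown to the user.
    """
    result = {"is_zip": False, "has_vba_project": False, "declared_macro_enabled": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an OOXML container (e.g. legacy .doc or unrelated file)
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba_project"] = VBA_PROJECT_PART in names
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declared_macro_enabled"] = MACRO_ENABLED_MAIN in ctypes
    return result


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real document)."""
    main_ct = (MACRO_ENABLED_MAIN if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f'{vba_override}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PROJECT_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "macro"):
        print(label, inspect_office_package(build_sample(label == "macro")))
```

A document flagged with `has_vba_project` but a user-facing `.docx` name, or a mismatch between the two indicators, is worth quarantining for deeper analysis rather than opening.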
This article is a decoy that conceals the malware’s true purpose. The payload incorporates a User Account Control (UAC) bypass and encrypted communication with the command-and-control server, allowing the threat actors to execute privileged commands while evading notice.
As the Konni campaign continues to evolve, users are strongly advised to exercise vigilance and treat suspicious documents with caution to mitigate potential cyber threats.