Global Chain of Deception: Unraveling the Konni Campaign's Cyber Intrigue

Konni, KONNI, win.konni, APT37
This campaign uses a Remote Access Trojan (RAT) to extract information from compromised devices and execute commands. Active for several years, it has used a variety of methods for initial access and payload delivery. Most recently, FortiGuard Labs identified a Russian-language Word document carrying a malicious macro. Although the document was created in September, activity on the campaign's command-and-control server continues.

Indicators of Compromise

m2jymd.c1.biz
3pl0y5.c1.biz
9b31n8.c1.biz
glws5m.c1.biz
rziju6.c1.biz
7qnbae.c1.biz
bg5pl1.c1.biz
ewqqa4.c1.biz
558ga9.c1.biz
kmdqj1.c1.biz
3897lb.c1.biz
aocsff.c1.biz
6e2nbc.c1.biz
b91stf.c1.biz
vqt9i1.c1.biz
pm90p1.c1.biz
ouvxu2.c1.biz
dpgbep.c1.biz
pxyunf.c1.biz
caoy9n.c1.biz
niubab.com
gaweeweb.com
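The domains above are most useful when matched against DNS or web-proxy logs. The following script is an added example (not FortiGuard code) that does exactly that: it normalizes queried names (case, trailing dot) and walks each name's label suffixes so that hosts under an IoC apex such as www.niubab.com are caught, while the shared c1.biz free-hosting apex itself is deliberately not treated as an IoC. The log line format (timestamp, client IP, queried name) and the sample lines are constructed assumptions.

```python
"""Match DNS or proxy log lines against the KONNI campaign domain IoCs.

Added example for this page, not FortiGuard code. The log format (ISO
timestamp, client IP, queried name) and the log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Domain IoCs as listed on this page.
KONNI_DOMAINS: Set[str] = {
    "m2jymd.c1.biz", "3pl0y5.c1.biz", "9b31n8.c1.biz", "glws5m.c1.biz",
    "rziju6.c1.biz", "7qnbae.c1.biz", "bg5pl1.c1.biz", "ewqqa4.c1.biz",
    "558ga9.c1.biz", "kmdqj1.c1.biz", "3897lb.c1.biz", "aocsff.c1.biz",
    "6e2nbc.c1.biz", "b91stf.c1.biz", "vqt9i1.c1.biz", "pm90p1.c1.biz",
    "ouvxu2.c1.biz", "dpgbep.c1.biz", "pxyunf.c1.biz", "caoy9n.c1.biz",
    "niubab.com", "gaweeweb.com",
}

# Assumed line shape: "<timestamp> <client ip> <queried name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return name.strip().lower().rstrip(".")


def match_domain(name: str, iocs: Set[str] = KONNI_DOMAINS) -> Optional[str]:
    """Return the IoC that ``name`` equals or is a subdomain of, else None.

    Walking the label suffixes catches hosts such as www.niubab.com, but the
    c1.biz apex itself is not an IoC: it is a free-hosting domain shared by
    many unrelated sites, so only the exact subdomains above are matched.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose query matches an IoC."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, qname = m.groups()
        ioc = match_domain(qname)
        if ioc:
            hits.append({"time": ts, "client": client,
                         "query": normalize(qname), "ioc": ioc})
    return hits


# Constructed sample log; lines 1 and 2 exercise trailing-dot and case handling,
# line 4 shows that an unrelated c1.biz site is not flagged.
SAMPLE_LOG = [
    "2023-11-20T09:14:02Z 10.0.3.17 m2jymd.c1.biz.",
    "2023-11-20T09:14:05Z 10.0.3.17 www.NIUBAB.com",
    "2023-11-20T09:15:11Z 10.0.3.22 updates.example.net",
    "2023-11-20T09:16:40Z 10.0.3.22 someone-else.c1.biz",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} queried {hit['query']} "
              f"(IoC: {hit['ioc']})")
```

Run it against the constructed sample and only the first two lines are reported. Swap `SAMPLE_LOG` for lines read from a resolver or proxy export with the same three-field shape to use it for real; if your export has a different layout, adjust `LOG_RE` rather than the matching logic.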

APT Groups (1)

APT37 (Korea, Democratic People's Republic of)
Aliases: Moldy Pisces, Ruby Sleet, TEMP.Reaper, Reaper, Red Eyes, Crooked Pisces, Group 123, Ricochet Chollima, APT 37, ITG10, Opal Sleet, InkySquid, ScarCruft, ATK 4, Geumseong121, Cerium, Osmium, Hermit, Venus 121

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS
Disabling Macros: Prevent the execution of macros in Microsoft Office documents, especially from unknown sources.

Cyber Security Awareness: Train users to be cautious about enabling macros and to recognize phishing attempts or suspicious documents.

Enhanced Monitoring: Implement monitoring for unusual script executions, Registry changes, and creation of new services, particularly those that mimic legitimate service names.

Regular System Scans: Conduct frequent scans for suspicious files and activities, particularly focusing on temporary folders and system directories.

Network Segmentation: Limit the spread of malware by segmenting networks and restricting access to critical resources.

Incident Response Plan: Have a robust incident response plan to quickly address any signs of infection.

Regular Software Updates: Ensure that all software, including operating systems and antivirus programs, is regularly updated to the latest version.

UAC Settings: Configure User Account Control to prompt for credentials or approval before any change that could affect system configuration or security.

These strategies can help mitigate the risks posed by the KONNI malware and similar threats.
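The "Enhanced Monitoring" item above asks for alerting on new services whose names mimic legitimate ones. The script below is an added example (not FortiGuard code) of that check: it takes records in the shape of Windows System log Event ID 7045 ("A service was installed in the system"), compares each new service name against a baseline allow list using character folding for common look-alikes (Sp00ler) and a small edit-distance threshold (WinDefende), and additionally flags binaries installed from temporary or user-writable paths. The baseline list, the path heuristics and the sample events are constructed assumptions; in production the baseline comes from your own fleet inventory.

```python
"""Flag newly installed Windows services whose names mimic legitimate ones.

Added example for this page, not FortiGuard code. The service baseline and
the event records are constructed; in production the baseline is taken from
the fleet's own inventory, and the events come from System log ID 7045
("A service was installed in the system").
"""
import re
from typing import Dict, List

# Constructed baseline of legitimate service names (assumption).
KNOWN_SERVICES = {"wuauserv", "windefend", "spooler", "schedule",
                  "bits", "eventlog", "dnscache"}

# Folds characters attackers swap for look-alikes (Sp00ler -> spooler).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})

# Binaries living in user-writable or temporary directories are a red flag.
SUSPICIOUS_PATH = re.compile(
    r"\\(temp|tmp|users\\public|appdata\\local\\temp|programdata)\\", re.I)
SCRIPT_HOST = re.compile(r"\.(ps1|vbs|bat|cmd|js)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the plain O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_service(name: str, image_path: str) -> List[str]:
    """Return the reasons a new service looks suspicious (empty if none)."""
    reasons: List[str] = []
    n = name.strip().lower()
    if n not in KNOWN_SERVICES:
        folded = n.translate(CONFUSABLES)
        for known in sorted(KNOWN_SERVICES):
            # Short names get a tighter threshold to limit false positives.
            max_dist = 1 if len(known) <= 5 else 2
            if folded == known or levenshtein(n, known) <= max_dist:
                reasons.append(f"name resembles legitimate service '{known}'")
                break
    if SUSPICIOUS_PATH.search(image_path) or SCRIPT_HOST.search(image_path):
        reasons.append("binary path in user-writable or script location")
    return reasons


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply assess_service to 7045-style records; keep only the flagged."""
    flagged: List[Dict[str, object]] = []
    for ev in events:
        reasons = assess_service(ev["ServiceName"], ev["ImagePath"])
        if reasons:
            flagged.append({"name": ev["ServiceName"],
                            "path": ev["ImagePath"], "reasons": reasons})
    return flagged


# Constructed sample events in the shape of Event ID 7045 fields.
SAMPLE_EVENTS = [
    {"ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"ServiceName": "WinDefende", "ImagePath": r"C:\Users\Public\update.exe"},
    {"ServiceName": "Sp00ler", "ImagePath": r"C:\Windows\Temp\sp.exe"},
    {"ServiceName": "VendorAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['name']}: {'; '.join(f['reasons'])}")
```

The edit-distance threshold is the tunable part: a distance of 2 against a four-letter name like BITS would match many harmless names, which is why short baseline entries get a threshold of 1. Whatever you set, review the flagged names against your change records before turning the rule into an automatic block.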

Observed Countries (9)

CN (897)
IN (721)
JP (751)
KR (613)
KW (526)
NP (650)
RO (356)
RU (388)
VN (87)