Watch Out! Cybersecurity and Infrastructure Security Agency Warn of New VBA Attack Designed to Deploy KONNI Remote Administration Tool

A new alert from CISA outlines just how dangerous and intrusive the KONNI malware is in organizations that fall for phishing attacks using Word attachments with malicious VBA code.

The latest warning from the U.S. governments Cybersecurity and Infrastructure Security Agency (CISA) should have you worried. New phishing attacks are deploying KONNI malware – a remote administration tool that performs a number of very valuable and malicious functions once installed that include:

• Establishes persistence on infected endpoints
• Bypasses Windows’ User Account Control “AlwaysNotify” setting when elevated permissions are used
• Collects data about the username, machine name, IP address, and keystrokes of the user (which will eventually include passwords)
• Steals profile and credentials from web browsers
• Takes screenshots
• Has its own FTP service to exfiltrate collected data
• Uses HTTP for remote command and control

Once this RAT hits your network, the bad guys know everything about the infected machine and user. And because they have the ability to launch commands locally, there is little the RAT can’t do that the user can.

Organizations need to be seriously worried about attacks involving KONNI; the possibilities of how the collected data could be misused are massive. The data collected provides contextual details that can be used in social engineering attacks, email addresses impersonate those the compromised user commonly interacts with, and access to internal systems.

You can’t possibly read about KONNI and not worry. Organizations need to implement Security Awareness Training to stop phishing attacks that use malicious attachments just like KONNI does by teaching users to see the attacks for what they truly are, and to not fall for their conniving scams.