Monday, March 10, 2025
HomeMalwareU.S Gov Warns that Hackers Using Phishing Emails Used to Deploy KONNI...

U.S Gov Warns that Hackers Using Phishing Emails Used to Deploy KONNI Malware using Weaponized Word Documents

Published on

SIEM as a Service

Follow Us on Google News

U.S CISA recently noticed that hackers using Phishing Emails to deploy KONNNI malware with the help of weaponized Microsoft word documents.

The KONNI RAT was initially found in May 2017 by researchers at the Cisco Talos team after it was operated in attacks that are aimed at businesses linked to North Korea. 

KONNI has been applied in highly targeted attacks only; these include the United Nations, UNICEF, and entities linked to North Korea. Moreover, the expert’s also classified a link between KONNI and DarkHotel.

The KONNI vulnerability is typically spread through phishing emails holding a Microsoft Word file with an ill-disposed Visual Basic Application (VBA) macro code to deploy the malware. 

The CISA explains that the macro code was created to change the font color to fool the victim into allowing the content, check whether the system design is 32-bit or 64-bit. 

It also creates and runs a command line to download further additional files, while the certificate database tool CertUtil is applied for the download of remote files.

Techniques & Uses

Mitigations

The CISA suggested users and administrators apply the following points to increase the security aspect of their company’s network systems:-

  • Remember to keep up-to-date antivirus signatures and engines.
  • Always maintain your OS patches up to date.
  • Impair the file and printer sharing services. In case if these services are needed, then must apply strong passwords or Active Directory authentication.
  • Always restrict the users’ capability to install and run undesired software applications.
  • Implement a strong password.
  • Practice Caution while you are opening email attachments, even if the attachment is required, and the sender resembles to be known.
  • Allow a private firewall on agency workstations, configured to reject undesirable connection requests.
  • Allow additional services on agency workstations and servers.
  • Always browse for and eliminate all suspicious email attachments; and assure that the scanned attachment is its “true file type.”
  • Always observe the users’ web browsing habits, and restrict entrance to sites with inappropriate content.
  • Practice Caution while using removable media.
  • Always browse all software downloaded from the internet prior to completing it.
  • Manage situational information of the latest threats and perform suitable access limitation lists.

Apart from this, the CISA suggested the users to follow the recommended mitigations carefully so that they can keep themselves protected from all unwanted malicious malware. 

Moreover, the security researchers at CISA are still investigating the whole matter, and they asserted that all the users must follow every recommendation carefully.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read;

Citrix Warns That Hackers May Exploit the New Patched Flaw Quickly

US GOV Exposes Chinese Espionage Malware “TAIDOOR” Secretly Used To For a Decade

Latest articles

Critical Microsoft’s Time Travel Debugging Tool Vulnerability Let Attackers Mask Detection

Microsoft’s Time Travel Debugging (TTD) framework, a powerful tool for recording and replaying Windows...

ServiceNow Acquires Moveworks for $2.85 Billion to Boost AI Capabilities

In a landmark move to strengthen its position in the rapidly evolving artificial intelligence...

Apple iOS 18.4 Beta 3 Released – What’s New!

Apple released iOS 18.4 Beta 3 on March 10, 2025, for developers, with a...

Researcher Hacks Embedded Devices to Uncover Firmware Secrets

In a recent exploration of embedded device hacking, a researcher demonstrated how to extract...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Threat Actors Exploit EncryptHub for Multi-Stage Malware Attacks

EncryptHub, a rising cybercriminal entity, has been under scrutiny by multiple threat intelligence teams,...

Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fix” Style Attack

Cybersecurity researchers continue to track sophisticated "Click Fix" style distribution campaigns that deliver the...

Strela Stealer Malware Attack Microsoft Outlook Users for Credential Theft

The cybersecurity landscape has recently been impacted by the emergence of the Strela Stealer...