Konni Group Use Weaponized Word Documents Deliver RAT Malware

/in


In the ever-evolving cybersecurity domain, the resurgence of NetSupport RAT, a Remote Access Trojan (RAT), has raised concerns among security professionals. 

This sophisticated malware, initially developed as a legitimate remote administration tool, has been repurposed by malicious actors to infiltrate systems and establish remote control.

NetSupport Manager, the software upon which NetSupport RAT is based, originated as a genuine remote technical support tool three decades ago. 

It provided capabilities for file transfers, support chat, inventory management, and remote access. 

While its initial purpose was legitimate, threat actors have exploited its functionalities for malicious purposes.

Document

Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

In collaboration with the Threat Analysis Unit, the Carbon Black Managed Detection & Response (MDR) team has witnessed a significant increase in NetSupport RAT infections in recent weeks. 

This surge primarily affects Education, Government, and Business Services organizations.

Delivery Mechanisms and Actor Landscape

The distribution of NetSupport RAT involves a variety of tactics, including fraudulent updates, drive-by downloads, exploitation of malware loaders like GhostPulse, and phishing campaigns. 

Unlike some malware exclusively utilized by specific threat actors, NetSupport RAT has been employed by a range of malicious entities, from novice hackers to sophisticated adversaries.

Recent NetSupport RAT attacks typically involve tricking victims into downloading fake browser updates from compromised websites. 

The initial infection process may vary depending on the specific threat actor’s methodology.

One observed infection scenario involves a victim downloading a fake browser update from a compromised website. 

This update hosts a PHP script that displays a seemingly authentic update prompt. 

Upon…

Source…