KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | KONNI has modified the ComSysApp service to load the malicious DLL payload.[4] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1] |
| Enterprise | T1005 | Data from Local System | KONNI has stored collected information and discovered processes in a tmp file.[5] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | KONNI has pretended to be the xmlProv Network Provisioning service.[5] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[1] |
| Enterprise | T1112 | Modify Registry | KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.[4][5] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | KONNI has registered itself as a service using its export function.[5] |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.[4][5] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[1] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | A version of KONNI drops a Windows shortcut on the victim's machine to establish persistence.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[1][5] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[1][4][5] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560 | Archive Collected Data | KONNI has encrypted data and files prior to exfiltration.[5] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | KONNI has used a custom base64 key to encode stolen data before exfiltration.[4] |
| Enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting that different versions targeted the same victims and that the versions may work together.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | KONNI has used FTP to exfiltrate reconnaissance data.[4] |
| Enterprise | T1106 | Native API | KONNI has hardcoded API calls within its functions to use on the victim's machine.[5] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | KONNI is heavily obfuscated and includes encrypted configuration files.[5] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | KONNI has bypassed UAC by performing token impersonation as well as by an RPC-based method; this included bypassing UAC set to "AlwaysNotify".[4][5] |
| Enterprise | T1204.002 | User Execution: Malicious File | KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.[5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[4][5] |
| Enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim's machine and has used |
| Enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim's machine.[1] |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim's machine.[1] |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.[4][5] |
| Enterprise | T1134.004 | Access Token Manipulation: Parent PID Spoofing | KONNI has used parent PID spoofing to spawn a new |
| Enterprise | T1105 | Ingress Tool Transfer | KONNI can download files and execute them on the victim's machine.[1][5] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1057 | Process Discovery | KONNI has used the command |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | KONNI has been delivered via spearphishing campaigns through a malicious Word document.[5] |