S0356 KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[4][2][1][3][5]
Item | Value |
---|---|
ID | S0356 |
Associated Names | |
Type | MALWARE |
Version | 2.0 |
Created | 31 January 2019 |
Last Modified | 13 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method; this included bypassing UAC set to “AlwaysNotify”.[3][5] |
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.002 | Create Process with Token | KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.[3][5] |
enterprise | T1134.004 | Parent PID Spoofing | KONNI has used parent PID spoofing to spawn a new cmd process using CreateProcessW and a handle to Taskmgr.exe.[5] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | KONNI has used HTTP POST for C2.[4][5] |
enterprise | T1560 | Archive Collected Data | KONNI has encrypted data and files prior to exfiltration.[5] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[4] |
enterprise | T1547.009 | Shortcut Modification | A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[4] |
enterprise | T1115 | Clipboard Data | KONNI had a feature to steal data from the clipboard.[4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[4][5] |
enterprise | T1059.003 | Windows Command Shell | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[4][3][5] |
enterprise | T1059.007 | JavaScript | KONNI has executed malicious JavaScript code.[5] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | KONNI has registered itself as a service using its export function.[5] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[4] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | KONNI has used a custom base64 key to encode stolen data before exfiltration.[3] |
enterprise | T1005 | Data from Local System | KONNI has stored collected information and discovered processes in a tmp file.[5] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | KONNI has used certutil to download and decode base64 encoded strings, and has also contained a dedicated routine that performs every step of the deobfuscation process itself.[3][5] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | KONNI has used AES to encrypt C2 traffic.[6] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.015 | Component Object Model Hijacking | KONNI has modified the ComSysApp service to load the malicious DLL payload.[3] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | KONNI has used FTP to exfiltrate reconnaissance data.[3] |
enterprise | T1041 | Exfiltration Over C2 Channel | KONNI has sent data and files to its C2 server.[4][5][6] |
enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[4] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | KONNI can delete files.[4] |
enterprise | T1105 | Ingress Tool Transfer | KONNI can download files and execute them on the victim’s machine.[4][5] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | KONNI has the capability to perform keylogging.[4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | KONNI has pretended to be the xmlProv Network Provisioning service.[5] |
enterprise | T1036.005 | Match Legitimate Name or Location | KONNI has created a shortcut called “Anti virus service.lnk” in an apparent attempt to masquerade as a legitimate file.[4] |
enterprise | T1112 | Modify Registry | KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.[3][5] |
enterprise | T1106 | Native API | KONNI has hardcoded API calls within its functions to use on the victim’s machine.[5] |
enterprise | T1027 | Obfuscated Files or Information | KONNI is heavily obfuscated and includes encrypted configuration files.[5] |
enterprise | T1027.002 | Software Packing | KONNI has been packed for obfuscation.[6] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | KONNI has been delivered via spearphishing campaigns through a malicious Word document.[5] |
enterprise | T1057 | Process Discovery | KONNI has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine.[3][5] |
enterprise | T1113 | Screen Capture | KONNI can take screenshots of the victim’s machine.[4] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[3][5] |
enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine, and has used the cmd /c systeminfo command to get a snapshot of the current system state of the target machine.[4][3][5] |
enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim’s machine.[4] |
enterprise | T1049 | System Network Connections Discovery | KONNI has used net session on the victim’s machine.[5] |
enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim’s machine.[4] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.[5] |
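Several rows above (T1134.004, T1140, T1057, T1082, T1049, T1218.011) describe host behaviours that show up in process-creation telemetry. The script below is an added example, not code from this page, from MITRE, or from any KONNI sample: it replays constructed Sysmon/ETW-style process-creation events and flags those behaviours. The event fields, paths and PIDs are assumptions made for illustration; in particular the `creator_pid` field assumes the collector records the PID from the ETW event header (the process that actually called CreateProcess), which is what makes the parent PID spoofing check possible since Sysmon's ParentProcessId alone reports the spoofed parent.

```python
"""Added example (not from the ATT&CK page or from any KONNI sample): replay
constructed process-creation events and flag the KONNI behaviours listed in the
technique table. Field names, paths and PIDs are assumptions for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int     # ParentProcessId from the event payload (spoofable)
    parent_image: str
    creator_pid: int    # assumed: PID from the ETW event header, i.e. the process
                        # that really issued the CreateProcess* call


# Heuristics, not signatures: tune the paths and verbs to the estate you monitor.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DISCOVERY = re.compile(r"\b(tasklist|systeminfo|net\s+session)\b", re.I)
CERTUTIL_DECODE = re.compile(r"(^|\s)-(decode|urlcache)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique_id, pid, detail) for every rule an event matches."""
    hits = []
    seen_discovery = defaultdict(set)   # parent_pid -> discovery verbs it spawned
    for ev in events:
        img = basename(ev.image)
        # T1218.011: rundll32 loading a DLL that lives in a user-writable location
        if img == "rundll32.exe" and USER_WRITABLE.search(ev.cmdline):
            hits.append(("T1218.011", ev.pid, "rundll32 loading a DLL from a user-writable path"))
        # T1057 / T1082 / T1049: the cmd /c tasklist, systeminfo and net session
        # commands named in the table
        if img == "cmd.exe":
            m = DISCOVERY.search(ev.cmdline)
            if m:
                verb = re.sub(r"\s+", " ", m.group(1).lower())
                hits.append(("T1057/T1082/T1049", ev.pid, f"discovery command: {verb}"))
                seen_discovery[ev.parent_pid].add(verb)
        # T1140: certutil used as a downloader / base64 decoder
        if img == "certutil.exe" and CERTUTIL_DECODE.search(ev.cmdline):
            hits.append(("T1140", ev.pid, "certutil used to download/decode a payload"))
        # T1134.004: the recorded parent is not the process that created this one
        if ev.creator_pid != ev.parent_pid:
            hits.append(("T1134.004", ev.pid,
                         f"claimed parent {basename(ev.parent_image)} (pid {ev.parent_pid}) "
                         f"but created by pid {ev.creator_pid}"))
    # KONNI stages tasklist/systeminfo output before exfiltration; three distinct
    # discovery verbs from one parent is a stronger signal than any single command.
    for ppid, verbs in seen_discovery.items():
        if len(verbs) >= 3:
            hits.append(("T1057/T1082/T1049", ppid, f"reconnaissance burst: {sorted(verbs)}"))
    return hits


CMD = r"C:\Windows\System32\cmd.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [  # constructed events, not taken from a real host
    ProcEvent(4100, RUNDLL, r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\svc.dll",#1', 3900, EXPLORER, 3900),
    ProcEvent(4120, CMD, "cmd /c tasklist", 4100, RUNDLL, 4100),
    ProcEvent(4124, CMD, "cmd /c systeminfo", 4100, RUNDLL, 4100),
    ProcEvent(4130, CMD, "cmd /c net session", 4100, RUNDLL, 4100),
    ProcEvent(4140, r"C:\Windows\System32\certutil.exe", "certutil -decode stage.txt stage.exe", 4100, RUNDLL, 4100),
    # claimed parent is Taskmgr.exe, but the ETW header says rundll32 (pid 4100) created it
    ProcEvent(4200, CMD, "cmd.exe", 1200, r"C:\Windows\System32\Taskmgr.exe", 4100),
    # benign noise that must not fire
    ProcEvent(4300, RUNDLL, r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", 3900, EXPLORER, 3900),
    ProcEvent(4310, CMD, "cmd /c dir", 3900, EXPLORER, 3900),
]

if __name__ == "__main__":
    for technique, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{technique:<20} pid={pid:<6} {detail}")
```

The parent PID check is the one rule that needs a data source beyond Sysmon Event ID 1: with only the payload's ParentProcessId, the spoofed cmd.exe above would look like a legitimate child of Taskmgr.exe. The rundll32 rule is a path heuristic and will need exclusions for installers and update agents that legitimately run DLLs from ProgramData.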
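The T1132.001 row notes that KONNI encoded stolen data with a custom base64 key. The code below is an added example, not from this page or from a KONNI sample, showing how such a non-standard alphabet is applied and, more usefully for an analyst, how a partial substitution table can be recovered from a single known plaintext/ciphertext pair (for instance the systeminfo output the table says is staged before exfiltration). The alphabet used here is a made-up rotation of the standard table; the actual alphabet KONNI used is not given on this page.

```python
"""Added example (not from the ATT&CK page or from a KONNI sample): custom-alphabet
base64 as in T1132.001, plus recovery of the alphabet from a known plaintext.
The CUSTOM alphabet is a hypothetical illustration, not KONNI's real table."""
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical attacker alphabet: the standard table rotated by 13 positions.
CUSTOM = STD[13:] + STD[:13]


def make_tables(custom: str):
    """Build translate() tables in both directions, rejecting malformed alphabets."""
    if len(custom) != 64 or len(set(custom)) != 64 or "=" in custom:
        raise ValueError("a base64 alphabet needs 64 distinct symbols, none of them '='")
    return str.maketrans(STD, custom), str.maketrans(custom, STD)


TO_CUSTOM, TO_STD = make_tables(CUSTOM)


def custom_b64encode(data: bytes, to_custom=TO_CUSTOM) -> str:
    """Standard base64, then substitute each symbol through the custom alphabet."""
    return base64.b64encode(data).decode("ascii").translate(to_custom)


def custom_b64decode(text: str, to_std=TO_STD) -> bytes:
    """Map the custom symbols back to the standard table, then decode strictly."""
    return base64.b64decode(text.translate(to_std), validate=True)


def recover_alphabet(plaintext: bytes, encoded: str) -> dict:
    """Partial substitution table (custom symbol -> standard symbol) learned from
    one known plaintext/ciphertext pair. Only symbols that occur are learned;
    a contradiction means the sample is not a simple alphabet substitution."""
    std = base64.b64encode(plaintext).decode("ascii")
    if len(std) != len(encoded):
        raise ValueError("length mismatch: not a base64 variant of this plaintext")
    table = {}
    for c, s in zip(encoded, std):
        if c == "=" or s == "=":          # padding is normally left untouched
            if c != s:
                raise ValueError("padding mismatch")
            continue
        if table.setdefault(c, s) != s:
            raise ValueError(f"symbol {c!r} maps to both {table[c]!r} and {s!r}")
    return table


if __name__ == "__main__":
    sample = b"hostname=WS01;user=alice;os=Windows 10"   # constructed plaintext
    blob = custom_b64encode(sample)
    print(blob)
    print(custom_b64decode(blob))
    print(len(recover_alphabet(sample, blob)), "of 64 symbols recovered")
```

Because a rotated or shuffled alphabet still uses only the standard 64 characters, the encoded blob passes a naive base64 validity check and decodes with the standard table to garbage rather than failing; that is the point of the technique, and why a decoder that fails silently is a poor triage signal. Recovering the table from one known sample usually leaves gaps (symbols absent from that sample), so in practice several plaintext/ciphertext pairs are merged.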
References
1. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
2. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
3. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
4. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
5. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
6. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.