Skip to content

S0356 KONNI

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.42135

Item Value
ID S0356
Associated Names
Type MALWARE
Version 2.0
Created 31 January 2019
Last Modified 13 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify”.35
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.35
enterprise T1134.004 Parent PID Spoofing KONNI has used parent PID spoofing to spawn a new cmd process using CreateProcessW and a handle to Taskmgr.exe.5
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols KONNI has used HTTP POST for C2.45
enterprise T1560 Archive Collected Data KONNI has encrypted data and files prior to exfiltration.5
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.4
enterprise T1547.009 Shortcut Modification A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.4
enterprise T1115 Clipboard Data KONNI had a feature to steal data from the clipboard.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell KONNI used PowerShell to download and execute a specific 64-bit version of the malware.45
enterprise T1059.003 Windows Command Shell KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.435
enterprise T1059.007 JavaScript KONNI has executed malicious JavaScript code.5
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service KONNI has registered itself as a service using its export function.5
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.4
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding KONNI has used a custom base64 key to encode stolen data before exfiltration.3
enterprise T1005 Data from Local System KONNI has stored collected information and discovered processes in a tmp file.5
enterprise T1140 Deobfuscate/Decode Files or Information KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.35
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography KONNI has used AES to encrypt C2 traffic.6
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking KONNI has modified ComSysApp service to load the malicious DLL payload.3
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol KONNI has used FTP to exfiltrate reconnaissance data out.3
enterprise T1041 Exfiltration Over C2 Channel KONNI has sent data and files to its C2 server.456
enterprise T1083 File and Directory Discovery A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.4
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion KONNI can delete files.4
enterprise T1105 Ingress Tool Transfer KONNI can download files and execute them on the victim’s machine.45
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging KONNI has the capability to perform keylogging.4
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service KONNI has pretended to be the xmlProv Network Provisioning service.5
enterprise T1036.005 Match Legitimate Name or Location KONNI has created a shortcut called “Anti virus service.lnk” in an apparent attempt to masquerade as a legitimate file.4
enterprise T1112 Modify Registry KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.35
enterprise T1106 Native API KONNI has hardcoded API calls within its functions to use on the victim’s machine.5
enterprise T1027 Obfuscated Files or Information KONNI is heavily obfuscated and includes encrypted configuration files.5
enterprise T1027.002 Software Packing KONNI has been packed for obfuscation.6
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment KONNI has been delivered via spearphishing campaigns through a malicious Word document.5
enterprise T1057 Process Discovery KONNI has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine.35
enterprise T1113 Screen Capture KONNI can take screenshots of the victim’s machine.4
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 KONNI has used Rundll32 to execute its loader for privilege escalation purposes.35
enterprise T1082 System Information Discovery KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.435
enterprise T1016 System Network Configuration Discovery KONNI can collect the IP address from the victim’s machine.4
enterprise T1049 System Network Connections Discovery KONNI has used net session on the victim’s machine.5
enterprise T1033 System Owner/User Discovery KONNI can collect the username from the victim’s machine.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.5

References