Threat Spotlight: KONNI – A Stealthy Remote Access Trojan
« Back to Blog

Threat Spotlight: KONNI – A Stealthy Remote Access Trojan

By Cylance Threat Guidance Team

Overview

In early July, TALOS blogged about a new variant of the KONNI remote access trojan (RAT), a malware family they discovered and wrote about in another blog post in early May. As an active threat under development, we decided to take a closer look at this RAT to understand some of its inner workings and capabilities. Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.

Threat Background

On July 3rd, 2017, North Korea completed a successful intercontinental ballistic missile (ICBM) launch test, dubbed “Hwasong-14”. The launch, according to North’s state-run Korean Central News Agency, successfully tested the functions of the missile’s two propulsive stages and the warhead’s ability to endure the intense heat and vibrations as it entered the earth’s atmosphere. 

As a result of this, another KONNI campaign was launched.

According to TALOS, previous KONNI campaigns targeting North Korea included:

•  2014 CAMPAIGN: FATAL BEAUTY
•  2016 CAMPAIGN: "HOW CAN NORTH KOREAN HYDROGEN BOMB WIPE OUT MANHATTAN.SCR"
•  PYONGYANG DIRECTORY GROUP EMAIL APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SCR
•  INTER AGENCY LIST AND PHONEBOOK - APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SC

The motivation behind these campaigns is uncertain, however it does appear to be geared towards espionage against targets who would be interested in North Korean affairs. 

In addition to TALOS investigation on KONNI, on July 18 2017, BitDefender released a whitepaper on a DarkHotel campaign titled ‘Bitdefender-Whitepaper-Inexsmar-A4-en-EN.’ What’s interesting about this whitepaper is that it included a SHA 1 hash (a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444) of a malicious dropper called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.’

On execution, the dropper launches a word document that is similar to the one used in campaign, ‘Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr.’

We have included two screenshots, Figure 1 and Figure 2, to show the comparison of these two documents, as well as their differences:


Figure 1. Document Comparison

Figure 2. Document Comparison

Impact  

KONNI is a uniquely crafted RAT which leverages basic anti-analysis techniques, social engineering, and intelligence gathering features. KONNI has been seen to be distributed through phishing campaigns.

The social engineering techniques deployed by KONNI allows the malware to hide in the background while users are duped into executing its payload. KONNI’s intelligence gathering techniques gives the malware the ability to profile an organization’s interconnected computer systems through host enumeration, keystroke logging, and screen captures. The information that gets collected can then be used to craft specific attacks based on the information that was scraped.

Attacks leveraging social engineering techniques and intelligence gathering can be devastating for the companies involved, as these attacks target user’s (very human) emotions of trust, and can lead to a total take over.

Analysis Overview

The sample the Cylance Threat Guidance team analyzed was a Windows 32-bit executable, compiled with Microsoft Visual C++ v10 on 07/04/2017. The following sections include information about the variant’s internal configuration and dynamic behavior.

Physical Structural Overview

Examining the executable statically, we noticed some interesting strings within the resource section, which are shown in Figure 3.

Figure 3. Resource Section

Investigating further, we identified functions from the Kernel32.dll module that can be used to locate and extract binaries from the resource section. Figure 4 shows some of these functions, which include FindResourceA, LoadResource, LockResource, SizeResource, and WriteFile.


Figure 4. Kernel32.dll Functions

An examination of the resource section shows two embedded documents and two dynamic link libraries (DLLs), this being a 32-bit DLL packed with Aspack and a 64-bit DLL packed with UPX. Notably, both samples retain similar strings in their file version information section.


Table 1. Comparison of File Version Info of 32- and 64-bit DLLs

The location of the first embedded document can be found at offset 0xBA48 and the second document can be found at offset 0x31AAC, shown in Figure 5 and 6.

Figure 5. PKZIP_0xBA4B

Figure 6. PKZIP_0x31AAC

The location of the first DLL is located at offset 0xFAAC and the second DLL is located at offset 0x214AC, seen in Figure 7 and 8.

Figure 7. DLL sha256 Hash Located at offset_0xFAAC

Figure 8. DLL Located at offset_0x214AC

Dynamic Behavior Overview

When the file is executed, it will create a Windows directory under the current user’s local settings folder with the path MFAData\\event, and extract two malicious DLLs if it’s executed on a 64-bit OS, or one DLL if executed on a 32-bit OS. It will then write to the registry path of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and create a key value called RTHDVCP or RTHDVCPE based on the architecture of the infected environment.

This registry path is commonly used for auto-persistence, as it will autostart a process after a successful login. Once the task is completed, the parent process terminates and the file deletes itself.

Figure 9. Dynamic Behavior Overview

Once the dropped DLL (hereafter referred to as virus-dl.dll) is initiated, it will use RegOpenKeyExA to open the registry key path of HCKU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate and query the value of the key using RegQueryValueA to check if the host has already been infected, this check can be found at offset 0x6830 and is seen in Figure 10.


Figure 10. Fingerprint Infected Host

Core Capabilities of Virus-DLL.DLL

Keylogging. Virus-dl.dll captures keystrokes by using SetWindowsHookExW. The captured keys are written to a log file located under the current user’s local settings folder at Packages\\microsoft\\debug.tmp, which can be found at offset 0x6989, and is shown in Figure 11 and Figure 12.


Figure 11. Keylogging


Figure 12. Log File

Host Enumeration. virus-dl.dll collects the operating system information and installed software of the infected host, shown at offset 0x6D87 in Figure 13 below.


Figure 13. Collect OS Details and Installed Software

Intelligence Gathering. virus-dl.dll contains the ability to collect the hostname and IP Address of the infected host, which is seen at offset 0x6B70 in Figure 14.


Figure 14. Collect IP Address and Hostname Information

Host Profiling. virus-dl.dll contains the ability to collect the computer name, username, and logical drive information of the infected host, this can found at offset 0x6C0C and shown in Figure 15.


Figure 15. Collect Username and Logical Drive Information. 

Screen Capture. virus-dl.dll capture screenshots by leveraging the Graphics Device Interface (GDI) functions, which can be found at offset 0x6E80 and is described in Figure 16.


Figure 16. Screen Capture

Additional information on screenshots captures works can be read from the below Microsoft MSDN link.

https://msdn.microsoft.com/en-us/library/windows/desktop/dd183402(v=vs.85).aspx

Data Exfiltration. Virus-dl.dll contains the ability to upload collected intel to a C2 server, this can be found at offset 0x7629 and is illustrated in Figure 17.

Figure 17. Upload Information

The DLL pulls down instructions every 15 minutes from a C2 server. This can be found at offset 0x78A0 and is highlighted in Figure 18 and Figure 19.

Figure 18. Download Instructions


Figure 19. HTTP Response Body

The information exchanged between the C2 server and virus-dl.dll is decrypted using a two byte XOR key, which can be found at offset 0x74D0 and seen in Figure 20.

Figure 20. XOR Decryption

Conclusion

The KONNI malware is a relatively new RAT. The implemented features are straightforward to analyze and there has been little attempt to mask the malware’s true purpose. The basic features for a backdoor are all present, including host profiling and remote access and control. 

Given the recent attention, we expect to see new variants surface in the coming months with better obfuscation and perhaps additional capabilities.

If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.

Indicators of Compromise (IoCs)

KONNI Droppers

SHA256_Hash        33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90
Imphash                    c8ee7609f6a6dccf28243ecf68c3a320
Arch                            x86
Compiled_Time       2017-07-04 07:22:35
Compiler                    Microsoft Visual C++ 8
PDB_File                   F:\0_work\planes\2017\0704\Doc7\Release\Doc.pdb
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb

SHA256_Hash        3b1b94c1f69f2bc34d8ad63fccaca2df0881464b0694f9e21a237b03ead88e42
Imphash                    d1d511079f7756c064bbd1bc19d9b83d
Arch                            x86
Compiled_Time      2017-05-08 03:54:49
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\2017\0508\Doc7\Release\Doc.pdb
PDB_File                  F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb

SHA256_Hash       97b1039612eb684eaec5d21f0ac0a2b06b933cc3c078deabea2706cb69045355
Imphash                    d31baa216ad0d2859713bec9ba1015b3
Arch                            x86
Compiled_Time      2017-04-19 02:32:02
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url        ailibaba(dot)site88(dot)net
Resovled_IP             31.170.162.63

SHA256_Hash       0f327d67b601a87e575e726dc67a10c341720267de58f3bd2df3ce705055e757
Imphash                    6e4635c661ce4c2cb79a51bc1bb29a4a
Arch                            x86
Compiled_Time      2017-04-14 00:02:30
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File                   F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url        pactchfilepacks(dot)net23(dot)net
Resovled_IP            31.170.163.30

SHA256_Hash       69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
Imphash                   6e4635c661ce4c2cb79a51bc1bb29a4a
Arch                            x86
Compiled_Time      2017-04-13 23:59:59
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url       pactchfilepacks(dot)net23(dot)net
Resolved_IP            31.170.163.30

SHA256_Hash        39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Imphash                    01753d51b6c53824aaa7dc289e0add0f
Arch                           x86
Compiled_Time       2017-04-13 00:13:06
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url       checkmail(dot)phpnet(dot)us/upload/download(dot)php
Resolved_IP           185.27.134.119

SHA256_Hash       94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
Imphash                   6e4635c661ce4c2cb79a51bc1bb29a4a
Arch                            x86
Compiled_Time      2016-03-14 09:11:01
Compiler                   Microsoft Visual C++ 8
PDB_File                  F:\0_work\planes\complete_exe\Doc7\Release\Doc.pdb
Harcoded_URL       dowhelsitjs(dot)netau(dot)net
Resolved_IP            31.170.160.129

KONNI DLLs

SHA256_Hash        8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad
Imphash                    cafd0827797d14bc9491f3b873eb1de1
Arch                            x64
Compiled_Time      2017-07-04 06:41:25
Packer                        UPX 3.91w
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb

SH256_Hash          290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a
Imphash                    75643d26a6a379e6fa0ab204c3894410
Arch                            x86
Compiled_Time       2017-07-04 06:41:11
Packer                       ASProtect V2

SHA256_Hash        2ce64720ffb559becae983ce5341f0455122a8b9e9a7f3103c208d5b13706dcb
Imphash                    27b0762d5846e62366b995119e2b442e
Arch                            x64
Compiled_Time       2017-07-04 06:41:25
Compiler                    Microsoft Visual C++ 10
PDB_File                  F:\0_work\planes\2017\0626\virus-load\_Result64\virus-dll.pdb
Hardcoded_Url        member-daumchk(dot)netai(dot)net

SHA256_Hash        290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a
Imphash                   75643d26a6a379e6fa0ab204c3894410
Arch                            x86
Compiled_Time      2017-07-04 06:41:11
Compiler                    Microsoft Visual C++ 10
Packer                       ASProtect V2
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb  

SHA256_Hash        d1ad53674e2a111d940c6b6ceeb0a88877f553c54bea16928bf43bf5cdbb1545
Imphash                    377b7b186d7992f014fb12f58de36092
Arch                            x86
Compiled_Time       2017-07-03 00:46:17
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url       member-daumchk(dot)netai(dot)net

SHA256_Hash        dd229dc098f0a96c3c702b8c6cb8d7119ad1f2d2f297d2d63c001d2926a164ff}
Imphash                    fa0f357e5321b5427b172efffe7b49e3
Arch                            x86
Compiled_Time       2017-07-03 02:17:13
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url        member-daumchk(dot)netai(dot)net

SHA256_Hash        ecc3f1378b49194206c30e08b3a28acc55da4c9ee6c5cdf10e9ba6fab6773ad8
Imphash                    fa0f357e5321b5427b172efffe7b49e3
Arch                            x86
Compiled_Time       2017-07-03 00:46:56
PDB_File                   F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url        member-daumchk(dot)netai(dot)net

SHA256_Hash        c813648d64b339271fb592fcdfc2c173c94ffd1fc835aae9fe338641993237cb
Imphash                    fa0f357e5321b5427b172efffe7b49e3
Arch                            x86
Compiled_Time      2017-06-20 01:40:22
Compiler                   Microsoft Visual C++ 10
PDB_File                  F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb
Hardcoded_Url       member-daumchk(dot)netai(dot)net

SHA256_Hash       425da4c48a212c0bf1c1a1b4f3d326505615a25b7adccab30818553599c24929
Imphash                    fa0f357e5321b5427b172efffe7b49e3
Arch                            x86
Compiled_Time      2017-05-05 02:08:02
Compiler                   Microsoft Visual C++ 10
PDB_File                  F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb

SHA256_Hash        234f9d50aadb605d920458cc30a16b90c0ae1443bc7ef3bf452566ce111cece8
Imphash                    fa0f357e5321b5427b172efffe7b49e3
Arch                            x86
Compiled_Time      2017-04-19 02:12:31
Compiler                   Microsoft Visual C++ 10
PDB_File                  F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
Hardcoded_Url        ailibaba(dot)site88(dot)net
Resovled_IP             31.170.162.63  

Yara Rule

rule Konni_variants

{
              meta:
                             description = "Konni_variants"
                             author = "Threat Guidance"
              strings:
                             $s0 = { 78 7A 78 7A 78 7A }
                             $s1 = "virus-dl.dll" fullword wide
                             $s2 = "Workstation Service Client DLL" fullword wide
                             $s3 = "id=%s&time=%s&title=%s %s&passwd=%s" fullword ascii
                             $s4 = "This computer's IP Address is%s " fullword ascii
                             $s5 = "This computer's username is %s" fullword ascii
                             $s6 = "This computer's name is %s" fullword ascii
                             $s7 = "%s%s%s\\*" fullword ascii
                             $s8 = "%s\\sulted.ocx" fullword ascii
                             $s9 = "%s\\tedsul.ocx" fullword ascii
                             $s10 = "%s\\trepsl.ocx" fullword ascii
                             $s11 = "%s\\psltred.ocx" fullword ascii
                             $pdb1 = "F:\\0_work\\planes\\" ascii
                             
              condition:
                             ( uint16(0) == 0x5a4d and filesize < 800KB and ( 3 of ($s*) ) ) or ( ($pdb1))
}

About the Cylance Threat Guidance Team

The Cylance Threat Guidance team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Guidance is on the frontline of information security and often deeply examines malicious software, which puts us in a unique position to discuss never-seen-before threats.

Tags: