Overview
In early July, TALOS blogged about a new variant of the KONNI remote access trojan (RAT), a malware family they first discovered and wrote about in another blog post in early May. Because this is an active threat under development, we decided to take a closer look at the RAT to understand some of its inner workings and capabilities. Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.
Threat Background
On July 3rd, 2017, North Korea completed a successful intercontinental ballistic missile (ICBM) launch test of the missile it calls “Hwasong-14”. According to the North’s state-run Korean Central News Agency, the launch successfully tested the functions of the missile’s two propulsive stages and the warhead’s ability to endure the intense heat and vibration of re-entry into the earth’s atmosphere.
Another KONNI campaign followed shortly after this event.
According to TALOS, previous KONNI campaigns with North Korea-themed lures included:
- 2014 CAMPAIGN: FATAL BEAUTY
- 2016 CAMPAIGN: "HOW CAN NORTH KOREAN HYDROGEN BOMB WIPE OUT MANHATTAN.SCR"
- PYONGYANG DIRECTORY GROUP EMAIL APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SCR
- INTER AGENCY LIST AND PHONEBOOK - APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SC
The motivation behind these campaigns is uncertain; however, they appear to be geared towards espionage against targets with an interest in North Korean affairs.
In addition to the TALOS investigation into KONNI, on July 18, 2017, Bitdefender released a whitepaper on a DarkHotel campaign titled ‘Bitdefender-Whitepaper-Inexsmar-A4-en-EN.’ What is interesting about this whitepaper is that it includes the SHA-1 hash (a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444) of a malicious dropper named ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.’
On execution, that dropper opens a Word document similar to the one used in the ‘Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr’ campaign.
Figure 1 and Figure 2 show a side-by-side comparison of these two documents and their differences:
Figure 1. Document Comparison
Figure 2. Document Comparison
Impact
KONNI is a custom-built RAT that combines basic anti-analysis techniques, social engineering, and intelligence gathering features. KONNI has been observed being distributed through phishing campaigns.
The social engineering techniques used by KONNI allow the malware to run in the background while the user is duped into opening the decoy document delivered with the payload. KONNI’s intelligence gathering features let the malware profile an organization’s interconnected computer systems through host enumeration, keystroke logging, and screen captures. The collected information can then be used to craft follow-on attacks tailored to what was scraped.
Attacks that combine social engineering with intelligence gathering can be devastating for the organizations involved: they exploit users’ trust, and can lead to a complete takeover of the environment.
Analysis Overview
The sample the Cylance Threat Guidance team analyzed was a Windows 32-bit executable compiled on July 4, 2017 with Microsoft Visual C++ (the IoC entries below record version 8 for this dropper and version 10 for the DLLs it carries). The following sections cover the variant’s internal configuration and dynamic behavior.
Physical Structural Overview
Examining the executable statically, we noticed some interesting strings within the resource section, which are shown in Figure 3.
Figure 3. Resource Section
Investigating further, we identified imports from the Kernel32.dll module that can be used to locate and extract binaries from the resource section. Figure 4 shows some of these functions, which include FindResourceA, LoadResource, LockResource, SizeofResource, and WriteFile.
Figure 4. Kernel32.dll Functions
An examination of the resource section shows two embedded documents and two dynamic link libraries (DLLs): a 32-bit DLL packed with ASPack (the IoC table below records the packer as ASProtect V2, a product from the same vendor) and a 64-bit DLL packed with UPX. Notably, both DLLs carry similar strings in their file version information.
Table 1. Comparison of File Version Info of 32- and 64-bit DLLs
The first embedded document is located at offset 0xBA48 and the second at offset 0x31AAC, as shown in Figures 5 and 6.
Figure 5. PKZIP_0xBA4B
Figure 6. PKZIP_0x31AAC
The first DLL is located at offset 0xFAAC and the second at offset 0x214AC, as shown in Figures 7 and 8.
Figure 7. DLL sha256 Hash Located at offset_0xFAAC
Figure 8. DLL Located at offset_0x214AC
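To make the carving step concrete, here is an added Python example that is not code from the original analysis. It scans a dropper image for embedded PE and PKZIP (.docx) payloads, reports each one's offset, size, architecture, DLL flag, compile timestamp and SHA-256, and derives each payload's end from its own headers (the PE section table, or the ZIP end-of-central-directory record) rather than guessing. The image it scans is a constructed fixture built inline from two minimal PE skeletons and an empty ZIP, so the offsets and hashes it prints are not those of the KONNI dropper; the fixture's timestamp is set to the dropper compile time from the IoC table only to show that the field being read is the one the table reports.

```python
import datetime
import hashlib
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag set on DLL images


def parse_pe(data, off):
    """Validate an 'MZ' candidate at `off`. Returns (facts, end_offset) or None.
    The end is derived from the section table (highest PointerToRawData + SizeOfRawData)."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, stamp, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    sect_tbl = pe + 24 + opt_size
    end = sect_tbl + 40 * nsec  # at least the headers and section table
    if end > len(data):
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)  # raw pointers are relative to the MZ header
    facts = {
        "kind": "PE",
        "arch": MACHINE_NAMES.get(machine, hex(machine)),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "compiled": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }
    return facts, min(end, len(data))


def parse_zip(data, off):
    """Validate a PKZIP local-file-header candidate; the end-of-central-directory record gives the end."""
    if data[off:off + 4] != b"PK\x03\x04":
        return None
    eocd = data.find(b"PK\x05\x06", off)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    (comment_len,) = struct.unpack_from("<H", data, eocd + 20)
    facts = {"kind": "ZIP", "arch": None, "dll": None, "compiled": None}
    return facts, min(eocd + 22 + comment_len, len(data))


def carve(data):
    """Walk the image, carve each embedded PE/ZIP and record offset, size and SHA-256."""
    found, off = [], 0
    while off < len(data) - 4:
        hit = parse_pe(data, off) or parse_zip(data, off)
        if hit is None:
            off += 1
            continue
        facts, end = hit
        blob = data[off:end]
        facts.update(offset=off, size=len(blob), sha256=hashlib.sha256(blob).hexdigest())
        found.append(facts)
        off = end  # skip the carved payload so signatures inside it are not counted twice
    return found


def build_fake_pe(machine, is_dll, stamp, payload):
    """Constructed fixture: a minimal, non-loadable PE skeleton with one section holding `payload`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 24 + 40  # section data follows the (optional-header-less) section table
    chars = IMAGE_FILE_DLL if is_dll else 0x0002
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0, chars)
    section = b".data".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0, len(payload), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return dos + coff + section + payload


FAKE_ZIP = b"PK\x03\x04" + b"\0" * 26 + b"PK\x05\x06" + b"\0" * 18  # empty local header + EOCD
STAMP = 1499152955  # 2017-07-04 07:22:35 UTC, the dropper compile time listed in the IoC table
SAMPLE = (b"\0" * 0x100 + FAKE_ZIP + b"\xCC" * 0x20
          + build_fake_pe(0x014C, True, STAMP, b"A" * 64) + b"\xCC" * 0x10
          + build_fake_pe(0x8664, True, STAMP, b"B" * 64))

if __name__ == "__main__":
    for item in carve(SAMPLE):
        print(f"{item['offset']:#08x} {item['kind']:3} {item['arch'] or '-':4} dll={item['dll']} "
              f"size={item['size']} compiled={item['compiled']} sha256={item['sha256'][:16]}...")
```

Signature carving is what you reach for when the resource directory is damaged or you are working from a memory dump; against an intact file, walking the resource tree with the sizes the dropper itself passes to SizeofResource is more precise. Packed payloads such as the UPX and ASPack DLLs here still carve cleanly, because both packers leave a valid PE header and section table in place.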
Dynamic Behavior Overview
When the file is executed, it creates a directory named MFAData\event under the current user’s local settings folder and extracts two malicious DLLs into it when running on a 64-bit OS, or one DLL when running on a 32-bit OS. It then writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, creating a value named RTHDVCP or RTHDVCPE depending on the architecture of the infected host.
This registry path is commonly used for persistence, as anything listed under it is started automatically after a successful login. Once this is done, the parent process terminates and the dropper deletes itself.
Figure 9. Dynamic Behavior Overview
Once the dropped DLL (hereafter referred to as virus-dl.dll) is loaded, it uses RegOpenKeyExA to open HKCU\Software\Microsoft\Windows NT\CurrentVersion\InstallDate and RegQueryValueA to read its value, checking whether the host has already been infected. This check can be found at offset 0x6830 and is seen in Figure 10.
Figure 10. Fingerprint Infected Host
Core Capabilities of Virus-DLL.DLL
Keylogging. virus-dl.dll captures keystrokes using SetWindowsHookExW. The captured keys are written to a log file under the current user’s local settings folder at Packages\microsoft\debug.tmp; this code can be found at offset 0x6989 and is shown in Figure 11 and Figure 12.
Figure 11. Keylogging
Figure 12. Log File
Host Enumeration. virus-dl.dll collects the operating system details and the installed software of the infected host; this can be found at offset 0x6D87 and is shown in Figure 13 below.
Figure 13. Collect OS Details and Installed Software
Intelligence Gathering. virus-dl.dll can collect the hostname and IP address of the infected host; this can be found at offset 0x6B70 and is shown in Figure 14.
Figure 14. Collect IP Address and Hostname Information
Host Profiling. virus-dl.dll can collect the computer name, username, and logical drive information of the infected host; this can be found at offset 0x6C0C and is shown in Figure 15.
Figure 15. Collect Username and Logical Drive Information
Screen Capture. virus-dl.dll captures screenshots using Graphics Device Interface (GDI) functions; this can be found at offset 0x6E80 and is shown in Figure 16.
Figure 16. Screen Capture
Additional information on how screen capture with GDI works is available from Microsoft:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd183402(v=vs.85).aspx
Data Exfiltration. virus-dl.dll can upload the collected information to a C2 server; this can be found at offset 0x7629 and is illustrated in Figure 17.
Figure 17. Upload Information
The DLL polls the C2 server for instructions every 15 minutes. This can be found at offset 0x78A0 and is highlighted in Figure 18 and Figure 19.
Figure 18. Download Instructions
Figure 19. HTTP Response Body
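A fixed 15-minute poll is a regular cadence that stands out in proxy logs once you look for it. The following added Python example, which is not part of the original analysis, runs a simple beacon-detection heuristic over constructed proxy log lines: it groups requests by client and destination, measures the gaps between successive requests, and flags pairs whose gaps are nearly constant, reporting the period in seconds. The hostnames, client IP and timestamps are constructed fixtures and are not KONNI infrastructure.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed proxy log lines (not from the original analysis), one request per line:
#   "<ISO-8601 time> <src_ip> <method> <host> <path>"
_BASE = datetime(2017, 7, 10, 9, 0, 0, tzinfo=timezone.utc)
_BEACON_OFFSETS = [0, 901, 1799, 2700, 3600, 4498, 5401, 6300]  # ~15 min cadence, seconds of jitter
_BROWSE_OFFSETS = [12, 40, 41, 300, 1310, 1315, 2900, 5000]      # ordinary bursty browsing


def _line(offset, src, host, path):
    return f"{(_BASE + timedelta(seconds=offset)).isoformat()} {src} GET {host} {path}"


SAMPLE_LOG = sorted(
    [_line(o, "10.1.2.15", "c2.example.invalid", "/download.php") for o in _BEACON_OFFSETS]
    + [_line(o, "10.1.2.15", "news.example.invalid", "/index.html") for o in _BROWSE_OFFSETS]
)


def parse_line(line):
    """Split one log line into (timestamp, client, destination host)."""
    ts, src, _method, host, _path = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, host


def find_beacons(lines, min_hits=6, max_cv=0.05):
    """Return {(src, host): period_seconds} for (client, destination) pairs whose
    inter-request gaps are nearly constant. cv = stdev / mean; 0 means perfectly regular."""
    times = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        times[(src, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:  # too few requests to call a rhythm
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = round(statistics.median(gaps))
    return beacons


if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: beacon every ~{period} s")
```

Treat the output as a triage signal rather than a verdict: plenty of legitimate software polls on a fixed timer, so the hit list is worth cross-checking against destination reputation (the free-hosting domains in the IoC table are a good example of what to look for) and against the sizes of the request bodies, which for an exfiltrating implant will vary with what was collected.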
The information exchanged between the C2 server and virus-dl.dll is encoded with a two-byte XOR key; the decryption routine can be found at offset 0x74D0 and is seen in Figure 20.
Figure 20. XOR Decryption
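As an added illustration that is not from the original analysis, the Python below implements a repeating two-byte XOR and two ways to recover the key from captured traffic. The key, the plaintext command body and the known-plaintext crib are constructed assumptions; the real KONNI key and message format are not given here. The point worth taking away is that a two-byte key splits the ciphertext into two independent single-byte XOR lanes (even and odd positions), so 512 scored trials replace a 65,536-key brute force.

```python
import string

PRINTABLE = set(string.printable.encode())
KEY = b"\x4b\xa7"  # constructed, arbitrary key for the demonstration; the real KONNI key is not given here

# Constructed stand-in for a decrypted C2 instruction body (not a real KONNI message)
PLAINTEXT = b"update interval 900 upload debug.tmp shot on report drives and users to panel\r\n"


def xor2(data, key):
    """Repeating two-byte XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i & 1] for i, b in enumerate(data))


def key_from_crib(ciphertext, crib, offset=0):
    """Known-plaintext recovery: two consecutive known bytes at any offset fix both key bytes."""
    if len(crib) < 2:
        raise ValueError("need at least two known plaintext bytes to cover both key lanes")
    key = bytearray(2)
    for i in range(2):
        key[(offset + i) & 1] = ciphertext[offset + i] ^ crib[i]
    return bytes(key)


def _score(b):
    """Plausibility of a decrypted byte: lowercase letters and spaces weigh most, other
    printable bytes count, and anything non-printable is a strong disqualifier."""
    if 0x61 <= b <= 0x7A or b == 0x20:
        return 2
    if b in PRINTABLE:
        return 1
    return -100


def recover_key(ciphertext):
    """Ciphertext-only recovery. Even and odd positions are independent single-byte XOR
    problems, so each lane is solved with 256 trials instead of 65,536 for the pair."""
    key = bytearray(2)
    for lane in (0, 1):
        lane_bytes = ciphertext[lane::2]
        key[lane] = max(range(256), key=lambda k: sum(_score(b ^ k) for b in lane_bytes))
    return bytes(key)


if __name__ == "__main__":
    ct = xor2(PLAINTEXT, KEY)
    print("recovered (crib): ", key_from_crib(ct, b"up").hex())
    print("recovered (blind):", recover_key(ct).hex())
    print(xor2(ct, recover_key(ct)).decode())
```

In practice the crib path is the one you use first: a response body that always starts with the same token, or an upload that always begins with the `id=` field seen in the YARA strings below, hands you the key from the first two ciphertext bytes. The blind path is for when you have only a pcap and no sample.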
Conclusion
The KONNI malware is a relatively new RAT. The implemented features are straightforward to analyze and there has been little attempt to mask the malware’s true purpose. The basic features for a backdoor are all present, including host profiling and remote access and control.
Given the recent attention, we expect to see new variants surface in the coming months with better obfuscation and perhaps additional capabilities.
If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Indicators of Compromise (IoCs)
KONNI Droppers
SHA256_Hash 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90
Imphash c8ee7609f6a6dccf28243ecf68c3a320
Arch x86
Compiled_Time 2017-07-04 07:22:35
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0704\Doc7\Release\Doc.pdb
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
SHA256_Hash 3b1b94c1f69f2bc34d8ad63fccaca2df0881464b0694f9e21a237b03ead88e42
Imphash d1d511079f7756c064bbd1bc19d9b83d
Arch x86
Compiled_Time 2017-05-08 03:54:49
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0508\Doc7\Release\Doc.pdb
PDB_File F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb
SHA256_Hash 97b1039612eb684eaec5d21f0ac0a2b06b933cc3c078deabea2706cb69045355
Imphash d31baa216ad0d2859713bec9ba1015b3
Arch x86
Compiled_Time 2017-04-19 02:32:02
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url ailibaba(dot)site88(dot)net
Resolved_IP 31.170.162.63
SHA256_Hash 0f327d67b601a87e575e726dc67a10c341720267de58f3bd2df3ce705055e757
Imphash 6e4635c661ce4c2cb79a51bc1bb29a4a
Arch x86
Compiled_Time 2017-04-14 00:02:30
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url pactchfilepacks(dot)net23(dot)net
Resolved_IP 31.170.163.30
SHA256_Hash 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
Imphash 6e4635c661ce4c2cb79a51bc1bb29a4a
Arch x86
Compiled_Time 2017-04-13 23:59:59
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0414\Doc7\Release\Doc.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url pactchfilepacks(dot)net23(dot)net
Resolved_IP 31.170.163.30
SHA256_Hash 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Imphash 01753d51b6c53824aaa7dc289e0add0f
Arch x86
Compiled_Time 2017-04-13 00:13:06
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-exe.pdb
Hardcoded_Url checkmail(dot)phpnet(dot)us/upload/download(dot)php
Resolved_IP 185.27.134.119
SHA256_Hash 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
Imphash 6e4635c661ce4c2cb79a51bc1bb29a4a
Arch x86
Compiled_Time 2016-03-14 09:11:01
Compiler Microsoft Visual C++ 8
PDB_File F:\0_work\planes\complete_exe\Doc7\Release\Doc.pdb
Hardcoded_Url dowhelsitjs(dot)netau(dot)net
Resolved_IP 31.170.160.129
KONNI DLLs
SHA256_Hash 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad
Imphash cafd0827797d14bc9491f3b873eb1de1
Arch x64
Compiled_Time 2017-07-04 06:41:25
Packer UPX 3.91w
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
SHA256_Hash 2ce64720ffb559becae983ce5341f0455122a8b9e9a7f3103c208d5b13706dcb
Imphash 27b0762d5846e62366b995119e2b442e
Arch x64
Compiled_Time 2017-07-04 06:41:25
Compiler Microsoft Visual C++ 10
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result64\virus-dll.pdb
Hardcoded_Url member-daumchk(dot)netai(dot)net
SHA256_Hash 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a
Imphash 75643d26a6a379e6fa0ab204c3894410
Arch x86
Compiled_Time 2017-07-04 06:41:11
Compiler Microsoft Visual C++ 10
Packer ASProtect V2
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
SHA256_Hash d1ad53674e2a111d940c6b6ceeb0a88877f553c54bea16928bf43bf5cdbb1545
Imphash 377b7b186d7992f014fb12f58de36092
Arch x86
Compiled_Time 2017-07-03 00:46:17
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url member-daumchk(dot)netai(dot)net
SHA256_Hash dd229dc098f0a96c3c702b8c6cb8d7119ad1f2d2f297d2d63c001d2926a164ff
Imphash fa0f357e5321b5427b172efffe7b49e3
Arch x86
Compiled_Time 2017-07-03 02:17:13
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url member-daumchk(dot)netai(dot)net
SHA256_Hash ecc3f1378b49194206c30e08b3a28acc55da4c9ee6c5cdf10e9ba6fab6773ad8
Imphash fa0f357e5321b5427b172efffe7b49e3
Arch x86
Compiled_Time 2017-07-03 00:46:56
PDB_File F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb
Hardcoded_Url member-daumchk(dot)netai(dot)net
SHA256_Hash c813648d64b339271fb592fcdfc2c173c94ffd1fc835aae9fe338641993237cb
Imphash fa0f357e5321b5427b172efffe7b49e3
Arch x86
Compiled_Time 2017-06-20 01:40:22
Compiler Microsoft Visual C++ 10
PDB_File F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb
Hardcoded_Url member-daumchk(dot)netai(dot)net
SHA256_Hash 425da4c48a212c0bf1c1a1b4f3d326505615a25b7adccab30818553599c24929
Imphash fa0f357e5321b5427b172efffe7b49e3
Arch x86
Compiled_Time 2017-05-05 02:08:02
Compiler Microsoft Visual C++ 10
PDB_File F:\0_work\planes\2017\0502\virus-load\_Result\virus-dll.pdb
SHA256_Hash 234f9d50aadb605d920458cc30a16b90c0ae1443bc7ef3bf452566ce111cece8
Imphash fa0f357e5321b5427b172efffe7b49e3
Arch x86
Compiled_Time 2017-04-19 02:12:31
Compiler Microsoft Visual C++ 10
PDB_File F:\0_work\planes\2017\0414\virus-load\_Result\virus-dll.pdb
Hardcoded_Url ailibaba(dot)site88(dot)net
Resolved_IP 31.170.162.63
Yara Rule
rule Konni_variants
{
    meta:
        description = "Konni_variants"
        author = "Threat Guidance"
    strings:
        $s0 = { 78 7A 78 7A 78 7A }
        $s1 = "virus-dl.dll" fullword wide
        $s2 = "Workstation Service Client DLL" fullword wide
        $s3 = "id=%s&time=%s&title=%s %s&passwd=%s" fullword ascii
        $s4 = "This computer's IP Address is%s " fullword ascii
        $s5 = "This computer's username is %s" fullword ascii
        $s6 = "This computer's name is %s" fullword ascii
        $s7 = "%s%s%s\\*" fullword ascii
        $s8 = "%s\\sulted.ocx" fullword ascii
        $s9 = "%s\\tedsul.ocx" fullword ascii
        $s10 = "%s\\trepsl.ocx" fullword ascii
        $s11 = "%s\\psltred.ocx" fullword ascii
        $pdb1 = "F:\\0_work\\planes\\" ascii
    condition:
        (uint16(0) == 0x5a4d and filesize < 800KB and 3 of ($s*)) or $pdb1
}