Konni remote access Trojan receives 'significant' upgrades

Researchers say the security community should keep a close eye on this malware strain.
Written by Charlie Osborne, Contributing Writer

The Konni Remote Access Trojan (RAT) has recently received "significant" updates, researchers say, who also urge the community to keep a close eye on the malware.  

On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware's latest developments, noting that the Trojan is under active development resulting in "major" changes. 

Konni has been detected in the wild for roughly eight years. A report on the malware published by BlackBerry in 2017 said that the malware made use of "basic" anti-analysis techniques and was employed for surveillance purposes, rather than the typical financial attacks often linked to RATs. 

Past campaigns have hinted strongly at a link with North Korea. Phishing documents used to spread the Trojan tend to have themes connected to the Hermit Kingdom, including content relating to missile capabilities, hydrogen bombs, and articles copied from the Yonhap news agency that talked about the country.

The attached documents contained the payload, and once executed on a vulnerable Windows machine, Konni would gather data through file grabs, keystroke logs, and screen capturing. 

Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States. 

According to Malwarebytes, the old Trojan has now evolved into a "stealthier" version of itself. New samples show that the phishing attack vector has primarily stayed the same – with the payload deployed through malicious Office documents -- but the Trojan, a .DLL file linked to a .ini file, now contains revised functionality.

Older versions of the RAT relied on two branches to execute using a Windows service: svchost.exe and rundll32.exe strings. 

Malwarebytes explained: "New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages."

The malware has also transitioned from base64 encoding to AES encryption to protect its strings and for obfuscation purposes. In addition, Konni now utilizes AES when configuration and support files are dropped -- such as the .ini file that contains the command-and-control (C2) server address -- as well as when files are sent to the C2.

Some recent Konni samples also used a previously-unknown packer, but threat data collected by the cybersecurity firm suggests it may have been left out of real-world scenarios. 

"As we have seen, Konni is far from being abandoned," Malwarebytes commented. "The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted."

Earlier this month, Cisco Talos documented a recent campaign in which vendors' cloud infrastructure, including Microsoft Azure and Amazon Web Services (AWS), was being abused to spread commercial RATs. 

Strains including Nanocore, Netwire, and AsyncRAT were being deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards