Konni remote access Trojan receives 'significant' upgrades

Researchers say the security community should keep a close eye on this malware strain.
Written by Charlie Osborne, Contributor on

The Konni Remote Access Trojan (RAT) has recently received "significant" updates, according to researchers, who urge the security community to keep a close eye on the malware.

On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware's latest developments, noting that the Trojan is under active development resulting in "major" changes. 

Konni has been detected in the wild for roughly eight years. A report on the malware published by BlackBerry in 2017 said that the malware made use of "basic" anti-analysis techniques and was employed for surveillance purposes, rather than the typical financial attacks often linked to RATs. 

Past campaigns have hinted strongly at a link with North Korea. Phishing documents used to spread the Trojan tend to have themes connected to the Hermit Kingdom, including content relating to missile capabilities, hydrogen bombs, and articles copied from the Yonhap news agency that talked about the country.

The attached documents contained the payload, and once executed on a vulnerable Windows machine, Konni would gather data through file grabs, keystroke logs, and screen capturing. 

Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States. 

According to Malwarebytes, the old Trojan has now evolved into a "stealthier" version of itself. New samples show that the phishing attack vector has largely stayed the same, with the payload still deployed through malicious Office documents, but the Trojan itself, a .DLL file paired with a .ini file, now contains revised functionality.

Older versions of the RAT had two execution branches, running either as a Windows service hosted by svchost.exe or via rundll32.exe, and the corresponding strings were present in the binary.

Malwarebytes explained: "New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages."

The malware has also transitioned from base64 encoding to AES encryption to protect its strings and for obfuscation purposes. In addition, Konni now utilizes AES when configuration and support files are dropped -- such as the .ini file that contains the command-and-control (C2) server address -- as well as when files are sent to the C2.

Some recent Konni samples also used a previously-unknown packer, but threat data collected by the cybersecurity firm suggests it may have been left out of real-world scenarios. 

"As we have seen, Konni is far from being abandoned," Malwarebytes commented. "The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted."
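To make the detection point concrete, the following program is an added example, not code from the article or from Malwarebytes' analysis. It builds two constructed configuration files: a legacy-style .ini whose C2 value is merely base64-encoded, and a new-style .ini that is AES-CBC encrypted as a whole before being dropped. A string-signature style scan that decodes base64 runs finds the address in the first and nothing in the second; recovering the address from the encrypted file requires the key and IV, which an analyst has to pull from the sample itself. The C2 address, the .ini layout, the PKCS#7 padding, and the key and IV are all assumptions made for this example; the article does not publish Konni's actual AES parameters.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Everything below is constructed for illustration: the C2 address, the
// .ini layout, and the AES key/IV are assumptions, not values from Konni.
const sampleC2 = "c2.example.invalid:443"

var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	sampleIV  = []byte("fedcba9876543210")                 // one AES block
)

// base64Run finds base64-looking runs; hostPort recognises a decoded host:port.
var (
	base64Run = regexp.MustCompile(`[A-Za-z0-9+/]{16,}={0,2}`)
	hostPort  = regexp.MustCompile(`^[A-Za-z0-9.-]+:\d{1,5}$`)
)

// LegacyConfig mimics the older scheme: the .ini is plaintext and only the
// C2 value is base64-encoded, so the address is one decode away.
func LegacyConfig() []byte {
	enc := base64.StdEncoding.EncodeToString([]byte(sampleC2))
	return []byte("[server]\naddr=" + enc + "\n")
}

// EncryptedConfig mimics the newer scheme: the whole .ini is AES-CBC
// encrypted (PKCS#7 padded) before being dropped to disk.
func EncryptedConfig() ([]byte, error) {
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		return nil, err
	}
	plain := []byte("[server]\naddr=" + sampleC2 + "\n")
	n := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, sampleIV).CryptBlocks(ct, plain)
	return ct, nil
}

// FindBase64C2 is the kind of static check a string signature depends on:
// decode every base64-looking run and keep those that yield a host:port.
func FindBase64C2(blob []byte) []string {
	var hits []string
	for _, run := range base64Run.FindAll(blob, -1) {
		dec, err := base64.StdEncoding.DecodeString(string(run))
		if err == nil && hostPort.Match(dec) {
			hits = append(hits, string(dec))
		}
	}
	return hits
}

// RecoverC2 is what the analyst must do once the strings are encrypted:
// obtain key and IV from the sample (unpacking, debugging or hooking the
// crypto call), decrypt the dropped .ini and parse the address out of it.
func RecoverC2(key, iv, ct []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#7 padding: wrong key or IV?")
	}
	for _, line := range bytes.Split(pt[:len(pt)-pad], []byte("\n")) {
		if bytes.HasPrefix(line, []byte("addr=")) {
			return string(bytes.TrimPrefix(line, []byte("addr="))), nil
		}
	}
	return "", fmt.Errorf("no addr= entry in decrypted config")
}

func main() {
	fmt.Println("legacy, base64 only:", FindBase64C2(LegacyConfig()))
	ct, _ := EncryptedConfig()
	fmt.Println("new, AES-encrypted: ", FindBase64C2(ct))
	c2, err := RecoverC2(sampleKey, sampleIV, ct)
	fmt.Println("after key recovery: ", c2, err)
}
```

The practical consequence matches the Malwarebytes assessment: a rule that keys on the encoded C2 string stops firing the moment the file is encrypted, while the decryption path only works once the key material has been lifted from the sample, which pushes detection towards behavioural indicators and runtime analysis rather than static signatures.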

Earlier this month, Cisco Talos documented a recent campaign in which vendors' cloud infrastructure, including Microsoft Azure and Amazon Web Services (AWS), was being abused to spread commercial RATs. 

Strains including Nanocore, Netwire, and AsyncRAT were being deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages. 
