This blog was authored by Paul Rascagneres
Over the past 3 years, Talos has been monitoring the KONNI Remote Administration Tool, which has not been described elsewhere. During this time it has managed to avoid scrutiny by the security community. The most recent version of the malware allows the operator to steal files, log keystrokes, take screenshots, and execute arbitrary code on the infected host.
Throughout the multiple campaigns observed over the last 3 years, the actor has continued to use an email attachment as the initial infection vector, and this vector has remained fairly similar across the campaigns. Social engineering prompts the target to open a .src file, which displays a decoy document to the user and finally executes the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time, and in this article we analyse this evolution:
- at the beginning, the malware was only an information stealer without remote administration;
- it moved from a single-file malware to a dual-file malware (an executable and a dynamic library);
- the malware has supported more and more features over time;
- the decoy documents have become more and more advanced;
- the different versions contain code copied from previous versions, and the new version searches for files generated by previous versions (this implies that the malware has been used several times against the same targets).
This evolution is illustrated across 4 campaigns: one in 2014, one in 2016 and finally two in 2017. The decoy documents of the last 2 campaigns suggest that the targets are public organisations. Both documents contained email addresses, phone numbers and contacts of members of official organizations such as the United Nations, UNICEF, and embassies linked to North Korea.
3 Years Of Campaigns
2014 Campaign: Fatal Beauty
In this campaign, the dropper filename was beauty.src. Based on the compilation date of the 2 binaries, this campaign took place in September 2014. Once executed, 2 files were dropped on the targeted system: a decoy document (a picture) and a fake svchost.exe binary. Both files were stored in "C:\Windows". The picture is a Myanmar temple:
The fake svchost binary is the KONNI malware. The first task of the malware is to generate an ID to identify the infected system. This ID is generated based on the installation date of the system, as found in the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate). The second task of the malware is to ping the CC and get orders. The malware includes 2 URLs:
The developer used the Microsoft Winsock API to handle the network connection. Surprisingly, this isn't the easiest or the most efficient technical choice for HTTP connections. The malware samples we analysed connected to only one URI: <c2-domain>/login.php.
This version of KONNI is not designed to execute code on the infected system. Its purpose is to run and steal data from the infected system. Here are the main features:
- Clipboard stealer
- Firefox profiles and cookies stealer
- Chrome profiles and cookies stealer
- Opera profiles and cookies stealer
The malware internally uses several temporary files:
- screentmp.tmp (log file of the keylogger)
2016 Campaign: "How can North Korean hydrogen bomb wipe out Manhattan.src"
The name of the .src file was directly linked to tension between North Korea and the USA in March 2016. Based on the compilation dates of the binaries, the campaign took place in the same period. An interesting fact: the dropped library was compiled in 2014 and appears in our telemetry in August 2015, indicating that this library was probably used in another campaign.
The .src file contains 2 Office documents: the first in English and the second in Russian. In the sample, only the English version can be displayed to the user (this is hardcoded in the sample):
The Russian document is not used by the sample; we assume that the author of the malware forgot to remove the resource containing the Russian decoy document:
The malware author changed the malware architecture; this version is divided into two binaries:
Another difference is the directory where the files are dropped: it is no longer C:\Windows but rather the local settings directory of the current user (%USERPROFILE%\Local Settings\winnit\winnit.exe). Thanks to this modification, the malware can run under a non-administrator account. The .dll file is executed by the .exe file. In this version, a shortcut is created in order to launch winnit.exe, at the following path: %USERPROFILE%\Start Menu\Programs\Startup\Anti virus service.lnk. As you can see, the attacker has gone to lengths to disguise the service as a legitimate antivirus service by using the name 'Anti virus service.lnk'. This is of course simple, but it can often be enough for a user to miss something malicious based on its name.
As in the previous version, the ID of the infected system is generated with exactly the same method. The CC is different and the analysed version this time only contains a single URL:
In this version, the developer used a different API, the WinINet API, which makes more sense for web requests. Moreover, the CC infrastructure evolved too; more .php files are available through the web hosting:
- <c2-domain>/login.php (for infected machine registration)
- <c2-domain>/upload.php (for uploading files on the CC)
- <c2-domain>/download.php (for downloading file from the CC)
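The three URIs above are generic names that any web application might use, so on their own they are a weak indicator. What is distinctive is the sequence: an infected machine registers at login.php and then moves files through upload.php or download.php on the same host. The following script is an added example (not Talos code) that hunts for exactly that sequence in web-proxy logs. The log format, the client addresses and the host names (`.invalid` placeholders) are constructed for the example; the URI names are the ones given in this post.

```python
"""Hunting rule for the KONNI CC URI pattern.

Added example (not Talos code). The 2016 version registers the infected
machine at /login.php and then moves files through /upload.php and
/download.php on the same CC host. This script looks in web-proxy logs
for a client that hits login.php on a host and, within a time window,
upload.php or download.php on that same host. The log format, the
client IPs and the host names below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KONNI_URIS = {"/login.php", "/upload.php", "/download.php"}
TRANSFER_URIS = {"/upload.php", "/download.php"}

# Constructed log format: "<ISO timestamp> <client ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_konni_beacons(lines, window=timedelta(hours=1)):
    """Return sorted (client, host) pairs whose traffic shows the
    login.php -> upload.php/download.php sequence within `window`."""
    events = defaultdict(list)  # (client, host) -> [(ts, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in KONNI_URIS:
            events[(rec["client"], rec["host"])].append((rec["ts"], rec["path"]))

    hits = []
    for key, evs in events.items():
        logins = [ts for ts, path in evs if path == "/login.php"]
        transfers = [ts for ts, path in evs if path in TRANSFER_URIS]
        # A transfer that follows a registration on the same host is the signal.
        if any(timedelta(0) <= tr - lg <= window for lg in logins for tr in transfers):
            hits.append(key)
    return sorted(hits)


# Constructed sample: one client showing the KONNI sequence against a
# placeholder free-hosting domain, two clients with benign look-alike hits.
SAMPLE_LOG = """\
2017-04-20T09:00:01 10.0.0.5 GET http://konni-cc.example.invalid/login.php
2017-04-20T09:00:04 10.0.0.5 POST http://konni-cc.example.invalid/upload.php
2017-04-20T09:01:10 10.0.0.5 GET http://konni-cc.example.invalid/download.php?id=1
2017-04-20T09:05:00 10.0.0.7 GET http://intranet.example.invalid/login.php
2017-04-20T09:05:30 10.0.0.7 GET http://intranet.example.invalid/dashboard
2017-04-20T09:06:00 10.0.0.9 POST http://files.example.invalid/upload.php
""".splitlines()

if __name__ == "__main__":
    for client, host in find_konni_beacons(SAMPLE_LOG):
        print(f"possible KONNI beacon: client {client} -> {host}")
```

Treat a hit as a hunting lead rather than an alert: an intranet portal with a login page and an upload form will produce the same sequence. In practice the rule is combined with the hosting context the post describes (a free web hosting provider) and with endpoint artefacts such as the dropped files and Startup shortcuts.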
This version includes the stealer features mentioned in the previous version, but additionally Remote Administration Tool features such as file upload/download and arbitrary command execution. The library is only used to perform keylogging and clipboard stealing: the malware author moved this part of the code from the core of the malware to a library. An interesting element is that the malware looks for filenames created by the previous version of KONNI. This implies that the malware targeted the same people as the previous version, and that the two versions are designed to live together.
The malware internally uses the following files:
- screentmp.tmp (log file of the keylogger)
Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src
In this campaign, the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src. The decoy document shown after infection is an Office document containing email addresses, phone numbers and contacts of members of official organizations such as the United Nations, UNICEF, Embassies linked to North Korea.
The .src file drops two files: an executable and a library. As in the previous version, persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk). Contrary to the previous version, the developers moved the core of the malware to the library. The executable performs the following tasks:
- If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware using a PowerShell script:
- Load the dropped library
The library contains the same features as the previous version as well as new ones. This version of KONNI is the most advanced, with better coding. The malware configuration contains one Command and Control:
A new URI is available:
This URI is used by a new feature implemented in this version: the malware is able to take a screenshot (using the GDI API) and upload it via this URL. The malware checks whether a file used by a previous version of KONNI is present on the system. Here is the complete list of files internally used by the RAT:
- error.tmp (the log file of the keylogger)
The handling of instructions has improved too. Here are the 7 actions that the infected machine can be instructed to perform:
- Delete a specific file;
- Upload a specific file based on a filename;
- Upload a specific file based on the full path name;
- Create a screenshot and upload it to the CC;
- Get system information;
- Download a file from the Internet;
- Execute a command;
This graph shows the decision tree:
When the attacker wants to gather information on the infected system (action 5), the malware retrieves the following information:
- IP address
- Computer name
- Username
- Connected drives
- OS version
- Start menu programs
- Installed software
Inter Agency List and Phonebook – April 2017 RC_Office_Coordination_Associate.src
The last identified campaign where KONNI was used was named Inter Agency List and Phonebook – April 2017 RC_Office_Coordination_Associate.src. This file drops exactly the same files as the previous campaign, but the decoy document is different:
This document contains the name, phone number and email address of members of agencies, embassies and organizations linked to North Korea.
The analysis shows us the evolution of KONNI over the last 3 years. The last campaign started a few days ago and is still active; the infrastructure remains up and running at the time of this post. The RAT has remained under the radar for multiple years. An explanation could be the very limited nature of the campaigns, which does not arouse suspicion.
This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents. The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who seem to work for a public organization. We don't know whether the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible.
Clearly the author has a real interest in North Korea, with 3 of the 4 campaigns linked to North Korea.
The following graph shows the evolution of KONNI over 3 years:
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
Email Security can block malicious emails sent by threat actors as part of their campaign.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
2014 Campaign: Fatal Beauty
File type: JPEG image data, JFIF standard 1.02
File type: PE32 executable (GUI) Intel 80386, for MS Windows
2016 Campaign: How can North Korean hydrogen bomb wipe out Manhattan
Filename: How can North Korean hydrogen bomb wipe out Manhattan.src
Filename: Anti virus service.lnk
2017 Campaign A:
Filename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src
Filename: adobe distillist.lnk
2017 Campaign B:
Filename: Inter Agency List and Phonebook – April 2017 RC_Office_Coordination_Associate.src
Filename: adobe distillist.lnk
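The filenames listed above, together with the drop locations and keylogger log files described in the campaign sections (the fake svchost.exe in C:\Windows, winnit.exe under Local Settings, the two Startup shortcuts, screentmp.tmp and error.tmp), can be checked against a host file inventory. The script below is an added example (not Talos code) that does this triage. It matches on the folder names "Programs\Startup" rather than a fixed prefix because the per-user Startup folder sits directly under the profile on Windows XP (as in the post) but under AppData\Roaming\Microsoft\Windows on later versions; the inventory lines are constructed.

```python
"""Triage a host file inventory against the KONNI artefacts named in this post.

Added example (not Talos code). The matchers use only filenames and paths
given in the post: the fake svchost.exe dropped directly in C:\\Windows
(2014), winnit.exe under Local Settings and the Startup shortcut
'Anti virus service.lnk' (2016), the Startup shortcut 'adobe distillist.lnk'
(2017), and the keylogger logs screentmp.tmp and error.tmp. The inventory
lines are constructed; a real one would come from an EDR file listing.
"""
from pathlib import PureWindowsPath


def _in_startup_folder(p):
    """True if the path sits under a ...\\Programs\\Startup folder (the
    per-user Startup path differs between XP and later Windows, so match
    on the folder names rather than the full prefix)."""
    parts = [s.lower() for s in p.parts]
    return "programs" in parts and "startup" in parts


# (campaign as given in the post, description, matcher)
INDICATORS = [
    ("2014", "fake svchost.exe in C:\\Windows (the legitimate one lives in System32)",
     lambda p: p == PureWindowsPath("C:/Windows/svchost.exe")),
    ("2016", "winnit.exe dropped under Local Settings\\winnit",
     lambda p: p.name.lower() == "winnit.exe" and p.parent.name.lower() == "winnit"),
    ("2016", "Startup shortcut 'Anti virus service.lnk'",
     lambda p: p.name.lower() == "anti virus service.lnk" and _in_startup_folder(p)),
    ("2017", "Startup shortcut 'adobe distillist.lnk'",
     lambda p: p.name.lower() == "adobe distillist.lnk" and _in_startup_folder(p)),
    ("2014/2016", "keylogger log screentmp.tmp",
     lambda p: p.name.lower() == "screentmp.tmp"),
    ("2017", "keylogger log error.tmp",
     lambda p: p.name.lower() == "error.tmp"),
]


def triage(inventory):
    """Return a list of (campaign, description, path) for every indicator hit.
    PureWindowsPath compares case-insensitively, which is what we want here."""
    hits = []
    for raw in inventory:
        raw = raw.strip()
        if not raw:
            continue
        p = PureWindowsPath(raw)
        for campaign, desc, match in INDICATORS:
            if match(p):
                hits.append((campaign, desc, str(p)))
    return hits


# Constructed inventory: five KONNI artefacts mixed with benign files.
SAMPLE_INVENTORY = r"""
C:\Windows\System32\svchost.exe
C:\Windows\svchost.exe
C:\Documents and Settings\alice\Local Settings\winnit\winnit.exe
C:\Documents and Settings\alice\Start Menu\Programs\Startup\Anti virus service.lnk
C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe distillist.lnk
C:\Users\bob\AppData\Local\Temp\error.tmp
C:\Users\bob\Documents\report.docx
""".splitlines()

if __name__ == "__main__":
    for campaign, desc, path in triage(SAMPLE_INVENTORY):
        print(f"[{campaign}] {desc}: {path}")
```

The keylogger log names (screentmp.tmp, error.tmp) are the weakest of these indicators, since a file with that name in a temp folder can exist for other reasons; a hit on one of them is worth a look only alongside one of the shortcuts or the dropped executables. Because the 2017 version itself looks for files left by earlier versions, finding artefacts from two campaigns on one host is consistent with what the post describes rather than a sign of two unrelated infections.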
Source: Cisco’s Talos Intelligence Group Blog @ May 3, 2017 at 11:59AM