KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.[1] KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.[2][3][4]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.[4]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | 
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.[1]
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | A version of KONNI drops a Windows shortcut on the victim's machine to establish persistence.[1]
Enterprise | T1115 | Clipboard Data | 
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[1][4]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | KONNI has used a custom base64 key to encode stolen data before exfiltration.[4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | KONNI has used certutil to download and decode base64 encoded strings.[4]
Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | KONNI has modified the ComSysApp service to load the malicious DLL payload.[4]
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | KONNI has used FTP to exfiltrate reconnaissance data.[4]
Enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | 
Enterprise | T1105 | Ingress Tool Transfer | KONNI can download files and execute them on the victim's machine.[1]
Enterprise | T1056.001 | Input Capture: Keylogging | 
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[1]
Enterprise | T1112 | Modify Registry | KONNI has modified registry keys of the ComSysApp service and Svchost on the machine to gain persistence.[4]
Enterprise | T1057 | Process Discovery | KONNI has used tasklist.exe to get a snapshot of the current process state of the target machine.[4]
Enterprise | T1113 | Screen Capture | 
Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[4]
Enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim's machine, and has used systeminfo.exe to get a snapshot of the current system state of the target machine.[1][4]
Enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim's machine.[1]
Enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim's machine.[1]