Konni RAT Evolves to be Stealthier

by certadmin

Konni RAT has been active since at least 2014 and is constantly evolving and expanding its attack surface. This North Korean threat group operates under Kimsuky APT. Konni has been busy targeting political institutions in South Korea and Russia. Malwarebytes analyzed newly developed Konni RAT samples and found some harrowing results.
 

What’s new?

The attack chain starts with leveraging a malicious Office document and a multistage attack follows.
  • Previous Konni RAT samples contained two branches. One for the malware being launched via a Windows service and the other for dealing with execution with rundll. The new samples do not support rundll.
  • While old samples used base64 for obfuscation, the new ones use AES encryption. Even the files used by the operators are dropped and encrypted with AES.
  • Some samples were found using an unidentified packer, along with AES encryption. The packer obfuscates the original flow of the program through various stages. However, this packer has not been identified in real-world scenarios.
 

Why this matters

  • The removal of the rundll branch ensures that sandboxes will fail in dynamic analysis of the sample.
  • The files sent to the C2 server are AES encrypted and the IV is created using a QueryPerformanceCounter API Call. Filenames are produced by chaining two letters representing the data with the current timestamp, which is followed by the extension. Moreover, the operators use the generated name as the AES key and send the request to the C2 server. This ensures that the identical files generate varying requests and network signatures would fail to identify the malicious activity.
 

Latest Konni activity

  • Not long ago, the group was found targeting major ICS vendors and other firms related to renewable energy in a cyberespionage campaign. The campaign has been ongoing since 2019.
  • The group targeted Russian embassy diplomats over the New Year holidays with phishing emails containing New Year greetings. The emails did not include any attachments, rather ZIP files with Windows screensaver files. When opened, the file installed a screensaver with Russian holiday greetings, along with deploying Konni RAT.
 

The bottom line

Konni’s developers have no plans of slowing down as they are constantly upgrading the malware with code adjustments. Researchers surmise that the threat group aims to evade analysis by using sandboxes and evade detection through various obfuscation techniques. Hence, the security community is urged to keep a close eye on this threat and tighten cyber defenses.
 
To read the original article:
Top