Konni RAT Evolves to be Stealthier

What’s new?

• Previous Konni RAT samples contained two branches. One for the malware being launched via a Windows service and the other for dealing with execution with rundll. The new samples do not support rundll.
• While old samples used base64 for obfuscation, the new ones use AES encryption. Even the files used by the operators are dropped and encrypted with AES.
• Some samples were found using an unidentified packer, along with AES encryption. The packer obfuscates the original flow of the program through various stages. However, this packer has not been identified in real-world scenarios.

Why this matters

• The removal of the rundll branch ensures that sandboxes will fail in dynamic analysis of the sample.
• The files sent to the C2 server are AES encrypted and the IV is created using a QueryPerformanceCounter API Call. Filenames are produced by chaining two letters representing the data with the current timestamp, which is followed by the extension. Moreover, the operators use the generated name as the AES key and send the request to the C2 server. This ensures that the identical files generate varying requests and network signatures would fail to identify the malicious activity.

Latest Konni activity

• Not long ago, the group was found targeting major ICS vendors and other firms related to renewable energy in a cyberespionage campaign. The campaign has been ongoing since 2019.
• The group targeted Russian embassy diplomats over the New Year holidays with phishing emails containing New Year greetings. The emails did not include any attachments, rather ZIP files with Windows screensaver files. When opened, the file installed a screensaver with Russian holiday greetings, along with deploying Konni RAT.

The bottom line