Threat Spotlight: KONNI – A Stealthy Remote Access Trojan

Overview

In early July, TALOS blogged about a new variant of the KONNI remote access trojan (RAT), a malware family they discovered and wrote about in another blog post in early May. As an active threat under development, we decided to take a closer look at this RAT to understand some of its inner workings and capabilities. Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.

Threat Background

On July 3rd, 2017, North Korea completed a successful intercontinental ballistic missile (ICBM) launch test, dubbed “Hwasong-14”. The launch, according to North’s state-run Korean Central News Agency, successfully tested the functions of the missile’s two propulsive stages and the warhead’s ability to endure the intense heat and vibrations as it entered the earth’s atmosphere. 

As a result of this, another KONNI campaign was launched.

According to TALOS, previous KONNI campaigns targeting North Korea included:

  • 2014 CAMPAIGN: FATAL BEAUTY
  • 2016 CAMPAIGN: “HOW CAN NORTH KOREAN HYDROGEN BOMB WIPE OUT MANHATTAN.SCR”
  • PYONGYANG DIRECTORY GROUP EMAIL APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SCR
  • INTER AGENCY LIST AND PHONEBOOK – APRIL 2017 RC_OFFICE_COORDINATION_ASSOCIATE.SC

The motivation behind these campaigns is uncertain, however it does appear to be geared towards espionage against targets who would be interested in North Korean affairs. 

In addition to TALOS investigation on KONNI, on July 18 2017, BitDefender released a whitepaper on a DarkHotel campaign titled ‘Bitdefender-Whitepaper-Inexsmar-A4-en-EN.’ What’s interesting about this whitepaper is that it included a SHA 1 hash (a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444) of a malicious dropper called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.’

On execution, the dropper launches a word document that is similar to the one used in campaign, ‘Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr.’

We have included two screenshots, Figure 1 and Figure 2, to show the (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog