{
	"id": "69959858-7666-4bd7-8a50-27b2e5809b22",
	"created_at": "2026-04-06T00:19:30.56395Z",
	"updated_at": "2026-04-10T03:26:56.150962Z",
	"deleted_at": null,
	"sha1_hash": "447c80b4d885e78b706deb10fa2b983fbdfbc124",
	"title": "A Quick Look at a New KONNI RAT Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1641305,
	"plain_text": "A Quick Look at a New KONNI RAT Variant\r\nBy Jasper Manuel\r\nPublished: 2017-08-15 · Archived: 2026-04-05 13:28:06 UTC\r\nKONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.\r\nKONNI is known to be distributed via campaigns that are believed to be targeting North Korea. This new variant isn’t different from previous variants, as it is dropped by a DOC file containing text that was drawn from a CNN article entitled 12 things Trump should know about North Korea. The article was published on August 9, 2017, which indicates that this might be the latest campaign. Although KONNI campaigns use decoy documents containing articles about North Korea, it is hard to tell if the targets have something to do with matters involving North Korea.\r\nDecoy document used to trick the user into thinking that the file is benign\r\nThe malicious DOC file contains VB macro code that drops and executes the KONNI installer in the %temp% folder as stify.exe:\r\nhttps://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant\r\nPage 1 of 7\r\nVB Macro Document_Open() Sub\r\nThe dropped file was packed with the known packer ASPack 2.12, as seen below:\r\nPEID: Packed with ASPack 2.12\r\nAccording to the compilation time stamp in the IMAGE_FILE_HEADER of the file, this variant was compiled on August 8, 2017 (if that file was not modified).\r\nCompilation time (Installer)\r\nThe installer contains 2 KONNI DLL files in the resource section. One is for the 32-bit version and the other is for the 64-bit version of Windows OS. According to their compilation time stamp, these DLL files were compiled on July 11, 2017.\r\nCompilation time (KONNI DLLs)\r\nThe KONNI DLL is dropped in the %LocalAppData%\\MFAData\\event folder as errorevent.dll. The installer creates auto-start registry entries to run the DLL on the next system reboot using rundll32.exe.\r\nInstallation routine\r\nDoing a bit of diffing allows us to see that this hasn’t changed from the variants reported on August 8, 2017. It still has the same capabilities based on the following command and control server commands:\r\n‘0’ : Upload a specific file to the C\u0026C.\r\n‘1’ : Get system information such as computer IP address, computer name, username, drive information, product name, system type (32 or 64 bit), start menu programs, and installed products and upload to the C\u0026C.\r\n‘2’ : Take a screenshot and upload to the C\u0026C.\r\n‘3’ : Find files in a specific directory and its subdirectories.\r\n‘4’ : Find files in a specific directory but not in its subdirectories.\r\n‘5’ : Delete a specific file.\r\n‘6’ : Execute a specific file.\r\n‘7’ : Download a file.\r\nCommands from C\u0026C Server\r\nIt also has keylogging and clipboard grabbing capabilities. The log file is saved as %LocalAppdata%\\Packages\\microsoft\\debug.tmp.\r\nHowever, contrary to the previous report, it doesn’t look like this variant uses the simple XOR with a two-byte key for encryption when communicating with its command and control server. Though the server did not respond with commands when we did the analysis, we confirmed that the initial response from the C\u0026C is not encrypted or encoded. It is just delimited with the string “xzxzxz”.\r\n“xzxzx” as the delimiter\r\nWhen sending data to its C\u0026C server, this variant uses the following HTTP query string format:\r\nQuery string\r\nIn this version, id is the generated machine ID computed from the OS InstallDate, title is the name of the file (with extension) where the raw data is saved, and passwd is actually the encoded exfiltrated data.\r\nExample of actual query string\r\nBefore sending its data to the C\u0026C server, it is first compressed using the ZIP format, encrypted with RC4 using the key “123qweasd/*-+p[;’p”, and encoded using Base64.\r\nData is zipped, RC4 encrypted, and Base64 encoded before sending to the C\u0026C server\r\nConclusion:\r\nKONNI is not a complicated malware. It doesn’t employ much obfuscation. By simply performing a quick diff we can see the changes made to new variants. For now, it seems that the only change is how the dropper installs the KONNI DLL, but based on what we have seen over the previous months we expect that it will continue to evolve.\r\nFortinet covers detection of this threat as W32/Noki.A!tr and the MSOffice VB Macro dropper as WM/MacroDropper.A!tr.\r\nC\u0026C and download URLs were also blocked by Fortinet’s Web Filter.\r\n-= FortiGuard Lion Team =-\r\nIOCs:\r\nSample Hashes:\r\n834d3b0ce76b3f62ff87b7d6f2f9cc9b (DOC)\r\n0914ef43125114162082a11722c4cfc3 (EXE)\r\n38ead1e8ffd5b357e879d7cb8f467508 (DLL)\r\nURLs:\r\ndonkeydancehome[.]freeiz.com/weget/upload[.]php (C\u0026C)\r\nseesionerrorwebmailattach[.]uphero[.]com/attach/download.php?file=12%20things%20Trump%20should%20know%20about%20North%20Korea.doc (DOC download URL)\r\nSource: https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant"
	],
	"report_names": [
		"a-quick-look-at-a-new-konni-rat-variant"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/447c80b4d885e78b706deb10fa2b983fbdfbc124.pdf",
		"text": "https://archive.orkl.eu/447c80b4d885e78b706deb10fa2b983fbdfbc124.txt",
		"img": "https://archive.orkl.eu/447c80b4d885e78b706deb10fa2b983fbdfbc124.jpg"
	}
}