{
	"id": "eed8af3e-edfe-4e4e-976c-22de8fb9b25d",
	"created_at": "2026-04-06T00:07:31.063269Z",
	"updated_at": "2026-04-10T03:26:56.261559Z",
	"deleted_at": null,
	"sha1_hash": "60da99c01f4eb8362ada300dfff61612f5973dd4",
	"title": "Phishing Emails Used to Deploy KONNI Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96460,
	"plain_text": "Phishing Emails Used to Deploy KONNI Malware | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-05 15:15:14 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework.\r\nSee the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a\r\nMicrosoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI\r\nmalware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture\r\nkeystrokes, take screenshots, and execute arbitrary code on infected hosts.\r\nTechnical Details\r\nKONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA\r\nmacro code (Phishing: Spearphishing Attachment [T1566.001]). The malicious code can change the font color\r\nfrom light grey to black (to trick the user into enabling content), check if the Windows operating system is a 32-bit or\r\n64-bit version, and construct and execute the command line to download additional files (Command and Scripting\r\nInterpreter: Windows Command Shell [T1059.003]).\r\nOnce the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download\r\nremote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode\r\nbase64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade\r\ndetection.\r\nThe cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is\r\ndecoded by CertUtil and saved as a batch (.BAT) file. 
Finally, the cyber actor deletes the text file from the temp\r\ndirectory and executes the .BAT file.\r\nMITRE ATT\u0026CK Techniques\r\nAccording to MITRE, KONNI uses the ATT\u0026CK techniques listed in table 1.\r\nTable 1: KONNI ATT\u0026CK techniques\r\nTechnique Use\r\nSystem Network Configuration Discovery\r\n[T1016]\r\nKONNI can collect the Internet Protocol address from the\r\nvictim’s machine.\r\nSystem Owner/User Discovery [T1033] KONNI can collect the username from the victim’s machine.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-227a\r\nPage 1 of 5\r\nMasquerading: Match Legitimate Name or\r\nLocation [T1036.005]\r\nKONNI creates a shortcut called Anti virus service.lnk in\r\nan apparent attempt to masquerade as a legitimate file.\r\nExfiltration Over Alternative Protocol:\r\nExfiltration Over Unencrypted/Obfuscated\r\nNon-C2 Protocol [T1048.003]\r\nKONNI has used File Transfer Protocol to exfiltrate\r\nreconnaissance data out.\r\nInput Capture: Keylogging [T1056.001]\r\nKONNI has the capability to perform keylogging.\r\nProcess Discovery [T1057]\r\nKONNI has used tasklist.exe to get a snapshot of the\r\ncurrent processes’ state of the target machine.\r\nCommand and Scripting Interpreter:\r\nPowerShell [T1059.001]\r\nKONNI used PowerShell to download and execute a specific\r\n64-bit version of the malware.\r\nCommand and Scripting Interpreter:\r\nWindows Command Shell [T1059.003]\r\nKONNI has used cmd.exe to execute arbitrary commands on\r\nthe infected host across different stages of the infection chain.\r\nIndicator Removal on Host: File Deletion\r\n[T1070.004]\r\nKONNI can delete files.\r\nApplication Layer Protocol: Web\r\nProtocols [T1071.001]\r\nKONNI has used Hypertext Transfer Protocol for command\r\nand control.\r\nSystem Information Discovery [T1082]\r\nKONNI can gather the operating system version, architecture\r\ninformation, connected drives, hostname, and computer name\r\nfrom the victim’s machine and has 
used systeminfo.exe to\r\nget a snapshot of the current system state of the target machine.\r\nFile and Directory Discovery [T1083]\r\nA version of KONNI searches for filenames created with a\r\nprevious version of the malware, suggesting different versions\r\ntargeted the same victims and the versions may work together.\r\nIngress Tool Transfer [T1105]\r\nKONNI can download files and execute them on the victim’s\r\nmachine.\r\nModify Registry [T1112]\r\nKONNI has modified registry keys of ComSysApp service and\r\nSvchost on the machine to gain persistence.\r\nScreen Capture [T1113] KONNI can take screenshots of the victim’s machine.\r\nClipboard Data [T1115] KONNI had a feature to steal data from the clipboard.\r\nData Encoding: Standard Encoding\r\n[T1132.001]\r\nKONNI has used a custom base64 key to encode stolen data\r\nbefore exfiltration.\r\nAccess Token Manipulation: Create\r\nProcess with Token [T1134.002]\r\nKONNI has duplicated the token of a high integrity process to\r\nspawn an instance of cmd.exe under an impersonated user.\r\nDeobfuscate/Decode Files or Information\r\n[T1140]\r\nKONNI has used CertUtil to download and decode\r\nbase64-encoded strings.\r\nSigned Binary Proxy Execution: Rundll32\r\n[T1218.011]\r\nKONNI has used Rundll32 to execute its loader for privilege\r\nescalation purposes.\r\nEvent Triggered Execution: Component\r\nObject Model Hijacking [T1546.015]\r\nKONNI has modified ComSysApp service to load the\r\nmalicious DLL payload.\r\nBoot or Logon Autostart Execution:\r\nRegistry Run Keys / Startup Folder\r\n[T1547.001]\r\nA version of KONNI drops a Windows shortcut into the Startup\r\nfolder to establish persistence.\r\nBoot or Logon Autostart Execution:\r\nShortcut Modification [T1547.009]\r\nA version of KONNI drops a Windows shortcut on the victim’s\r\nmachine to establish persistence.\r\nAbuse Elevation Control Mechanism:\r\nBypass User 
Access Control [T1548.002]\r\nKONNI bypassed User Account Control with the\r\n\"AlwaysNotify\" settings.\r\nCredentials from Password Stores:\r\nCredentials from Web Browsers\r\n[T1555.003]\r\nKONNI can steal profiles (containing credential information)\r\nfrom Firefox, Chrome, and Opera.\r\nDetection\r\nSignatures\r\nCISA developed the following Snort signatures for use in detecting KONNI malware exploits.\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP URI contains '/weget/*.php' (KONNI)\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; depth:7; offset:0; fast_pattern; content:\".php\"; http_uri; distance:0; within:12; content:!\"Referrer|3a 20|\"; http_header; classtype:http-uri; priority:2; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|HTTP|0d 0a|\"; http_header; fast_pattern:only; content:\"POST\"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; fast_pattern:only; pcre:\"/^\\/weget\\x2f(?:upload|uploadtm|download)\\.php/iU\"; content:\"POST\"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)\r\nMitigations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the\r\nsecurity posture of their organization's systems. 
Any configuration changes should be reviewed by system owners\r\nand administrators prior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.\r\nKeep operating system patches up to date. See Understanding Patches and Software Updates.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to\r\nthe local administrators’ group unless required.\r\nEnforce a strong password policy. See Choosing and Protecting Passwords.\r\nExercise caution when opening email attachments, even if the attachment is expected and the sender\r\nappears to be known. See Using Caution with Email Attachments.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\"\r\n(i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate access control lists.\r\nVisit the MITRE ATT\u0026CK Techniques pages (linked in table 1 above) for additional mitigation and\r\ndetection strategies.\r\nFor additional information on malware incident prevention and handling, see the National Institute of Standards\r\nand Technology Special Publication 800-83, \"Guide to Malware Incident Prevention and Handling for Desktops\r\nand Laptops.\"\r\nResources\r\nd-hunter – A Look Into KONNI 2019 
Campaign\r\nMITRE ATT\u0026CK – KONNI\r\nMITRE ATT\u0026CK for Enterprise\r\nRevisions\r\nAugust 14, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-227a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-227a"
	],
	"report_names": [
		"aa20-227a"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60da99c01f4eb8362ada300dfff61612f5973dd4.pdf",
		"text": "https://archive.orkl.eu/60da99c01f4eb8362ada300dfff61612f5973dd4.txt",
		"img": "https://archive.orkl.eu/60da99c01f4eb8362ada300dfff61612f5973dd4.jpg"
	}
}