{
	"id": "7ee2c22a-0d9e-4dc2-bde2-38ac92670c89",
	"created_at": "2026-04-06T00:22:18.07923Z",
	"updated_at": "2026-04-10T03:26:56.197482Z",
	"deleted_at": null,
	"sha1_hash": "6acd8845bfe65242127f3874848ca08a3e96061f",
	"title": "Analysis of new variant of Konni RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1129865,
	"plain_text": "Analysis of new variant of Konni RAT\r\nArchived: 2026-04-05 18:58:21 UTC\r\nRecently Talos Intelligence published a note on a new variant of Konni RAT. It is not a complicated piece of malware, but it implements some interesting tricks and the functionality typical of RATs. I wanted to look at something different (there is life beyond ransomware), and in this post you can find a brief analysis of this RAT. I hope you enjoy it.\r\nBefore starting, I would like to refer you to the Talos Intelligence analysis of a previous variant of Konni (see References). The new variant is similar to the one analyzed in the Talos post, but there are some differences. In addition I reversed different parts of the code and give other details, so I recommend reading both posts if you are interested in a good understanding of this RAT.\r\nModules\r\nWe have the sample f4abe28f3c35fa75481ae056d8637574 (MD5). It is a dropper that drops different PE files depending on the architecture (32 / 64 bit). 
If we unpack the dropper we find two PE files and two DOCX files in its resources (SHA-256):\r\nDocx file1: 63a43fe8874fbbf3adb1b9aeb03adb6bfaa2935a40bb1893e90e3ab762dd44bd\r\nDocx file2: a12db66cb7b7b991ac2ba736fb48e04566ffd2defdcb08fb9a8ab3781253f73c\r\nPE file1: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a\r\nPE file2: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad\r\nhttps://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/\r\nPage 1 of 10\r\nThe PE files are packed with ASPack v2.12. We will analyze the 32-bit version.\r\nRAT module\r\nThe 32-bit RAT module is installed into this folder:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\MFAData\\event\\errorevent.dll\r\nAnd the Run registry key is modified for persistence (the path contains the user name of the analysis machine):\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"RTHDVCP\"=\"rundll32.exe C:\\\\Users\\\\javi\\\\AppData\\\\Local\\\\MFAData\\\\event\\\\errorevent.dll check\"\r\nThe DLL is therefore loaded at every logon by rundll32.exe with the argument check.\r\nAfter removing the ASPack v2.12 layer, we take a look at the malware with IDA.\r\nThe malware installs a Windows hook with SetWindowsHookEx; because the hook procedure lives in errorevent.dll, that DLL gets loaded into the machine's running processes:\r\nIn the SetWindowsHookEx callback it logs and queues keyboard events together with the window in which they happened. Another thread analyzes the queued events and writes to a file those that happened in browser processes. It compares the process name against a list of browser process names.\r\nInteresting keyboard events are logged to the file:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Packages\\microsoft\\debug.tmp\r\nOther files are used by the RAT while managing commands (the breakpoint below catches writes to any file whose path contains Packages):\r\nThe malware DLL is injected into multiple processes. 
To monitor which malware files are created and written we can use this WinDbg breakpoint with attached commands (split over several lines here for readability; WinDbg evaluates numbers as hex by default, so esp+4 is the first argument of NtWriteFile, the FileHandle, and esp+18 is the sixth, the Buffer):\r\nbp NtWriteFile -\u003e when NtWriteFile is hit, execute the following script\r\n\".foreach (tok { !handle (poi (esp+4)) }) -\u003e walk the !handle output for the file handle and search for \"Packages\" in the path\r\n{\r\n.if ($spat(\\\"${tok}\\\", \\\"*Packages*\\\") != 0)\r\n{\r\nda (poi (esp+18));.break; -\u003e if found, print the data being written\r\n}\r\n};g;\"\r\nThe same breakpoint on a single line:\r\nbp NtWriteFile \".foreach (tok { !handle (poi (esp+4)) }) { .if ($spat(\\\"${tok}\\\", \\\"*Packages*\\\") != 0) { da (poi (esp+18));.break;}};g;\"\r\nThe other RAT functionality runs on demand, as we will see in the next section about communications.\r\nCommunications\r\nThe malware runs a thread for communication with the CnC. It asks for commands every 15 minutes: a file with commands is downloaded and parsed, the commands are executed, and the results are uploaded to the CnC.\r\nThe RAT calculates a value based on the installation time and infected computer info, and that value is used as the bot_id to identify the infected machine. 
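As an added example (not code from the original post), the following Python script shows the network detection a practitioner could build from the communications behaviour described in this section: it scans proxy-log lines for the command download URL, http://\u003cdomain\u003e/weget/download.php?file=\u003cbot_id\u003e_dropcom, extracts the bot_id, and checks whether requests from the same source recur at the 15-minute polling interval. The log line format, the 8-hex-digit width of the bot_id (generalized from the single value CB5D234D observed in the post), the 10 percent jitter tolerance and the sample log lines themselves are constructed assumptions, not data from the post.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# URL shape from the post: /weget/download.php?file=<bot_id>_dropcom
# The 8-hex-digit bot_id width is an assumption generalised from the one
# value (CB5D234D) shown in the post.
DROPCOM_RE = re.compile(r'/weget/download[.]php[?]file=([0-9A-Fa-f]{8})_dropcom(?![A-Za-z0-9_])')

BEACON_SECONDS = 15 * 60   # polling interval stated in the post
JITTER = 0.10              # assumed tolerance around that interval
MIN_HITS = 3               # need at least two gaps before calling it periodic

# Constructed proxy-log lines (not real traffic): 'date time src_ip host request_path'
SAMPLE_LOG = [
    '2017-07-08 10:00:00 10.0.0.5 member-daumchk.netai.net /weget/download.php?file=CB5D234D_dropcom',
    '2017-07-08 10:03:12 10.0.0.9 example.org /weget/download.php?file=report.pdf',
    '2017-07-08 10:15:00 10.0.0.5 member-daumchk.netai.net /weget/download.php?file=CB5D234D_dropcom',
    '2017-07-08 10:20:41 10.0.0.7 member-daumchk.netai.net /weget/download.php?file=0A1B2C3D_dropcom',
    '2017-07-08 10:30:05 10.0.0.5 member-daumchk.netai.net /weget/download.php?file=CB5D234D_dropcom',
    '2017-07-08 10:44:58 10.0.0.5 member-daumchk.netai.net /weget/download.php?file=CB5D234D_dropcom',
    '2017-07-08 11:02:17 10.0.0.7 member-daumchk.netai.net /weget/download.php?file=0A1B2C3D_dropcom',
    'garbage line that does not parse',
]

def parse_line(line):
    '''Split one log line into (timestamp, src_ip, host, path); None if malformed.'''
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + ' ' + parts[1], '%Y-%m-%d %H:%M:%S')
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]

def find_konni_downloads(lines):
    '''Return one dict per line whose request path matches the dropcom URL.'''
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, path = rec
        m = DROPCOM_RE.search(path)
        if m:
            hits.append({'ts': ts, 'src': src, 'host': host, 'bot_id': m.group(1).upper()})
    return hits

def beacon_intervals(hits):
    '''Seconds between consecutive requests, keyed by (src_ip, bot_id).'''
    by_bot = defaultdict(list)
    for h in hits:
        by_bot[(h['src'], h['bot_id'])].append(h['ts'])
    intervals = {}
    for key, stamps in by_bot.items():
        stamps.sort()
        intervals[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals

def periodic_bots(hits):
    '''bot_ids whose median request gap is within JITTER of the 15-minute poll.'''
    found = set()
    for (src, bot_id), gaps in beacon_intervals(hits).items():
        if len(gaps) < MIN_HITS - 1:
            continue
        med = statistics.median(gaps)
        if abs(med - BEACON_SECONDS) <= JITTER * BEACON_SECONDS:
            found.add(bot_id)
    return found

if __name__ == '__main__':
    hits = find_konni_downloads(SAMPLE_LOG)
    for h in hits:
        print(h['ts'], h['src'], 'bot_id=' + h['bot_id'])
    print('periodic (15 min) bots:', sorted(periodic_bots(hits)))
```

The URL match alone is the high-confidence indicator; the interval check is there to rank hits from a large log, since a bot that has only been seen once or twice (0A1B2C3D in the sample) cannot yet be judged periodic and is reported by the URL match only.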
In my case it generated CB5D234D.\r\nTo download the commands it connects by HTTP GET to:\r\nhttp://member-daumchk.netai.net/weget/download.php?file=CB5D234D_dropcom\r\nThat is:\r\nhttp://\u003cdomain\u003e/weget/download.php?file=\u003cbot_id\u003e_dropcom\r\nThis new variant uses the WinINet API to connect to the CnC (the Talos analysis of the previous variant says the RAT used the Winsock API, connect, send, recv, etc., rather than an HTTP-specific API).\r\nAfter downloading the commands they are decrypted (key \"xzxzxz\") and parsed.\r\nThe decryption function:\r\nLooking at the communications code, it would not be difficult to create a fake CnC to control a bot: no RSA keys or anything similar are used to verify that a command comes from the author, the transport is plain HTTP and the decryption key is static, so anyone who can answer the download request can issue commands.\r\nOnce decrypted it starts to parse commands:\r\nCommand for collecting computer info\r\nWith this command the malware collects different information about the machine:\r\nCommand for screen capturing\r\nThe screen capture is done here:\r\nReferences\r\nNew KONNI Campaign References North Korean Missile Capabilities (Talos Intelligence)\r\nKONNI: A Malware Under The Radar For Years (Talos Intelligence)\r\nhttps://otx.alienvault.com/pulse/595f5bdd6a52154a2872219f/\r\nSource: https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/"
	],
	"report_names": [
		"analysis-of-new-variant-of-konni-rat"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6acd8845bfe65242127f3874848ca08a3e96061f.pdf",
		"text": "https://archive.orkl.eu/6acd8845bfe65242127f3874848ca08a3e96061f.txt",
		"img": "https://archive.orkl.eu/6acd8845bfe65242127f3874848ca08a3e96061f.jpg"
	}
}