Wednesday, May 3, 2017

# KONNI: A Malware Under The Radar For Years

*This blog was authored by [Paul Rascagneres](https://www.blogger.com/profile/10073079939160046441).*

## Executive Summary

Talos has discovered a previously unknown Remote Administration Tool (RAT) that we believe has been in use for over three years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, log keystrokes, take screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.

Throughout the multiple campaigns observed over the last three years, the actor has used an email attachment as the initial infection vector. Additional social engineering then prompts the target to open a .scr file (a Windows screensaver, which is an ordinary executable). The file displays a decoy document to the user and finally executes the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider, 000webhost. The malware has evolved over time, and in this article we analyse that evolution:

- at the beginning the malware was only an information stealer, without remote administration capabilities
- it moved from a single-file malware to a dual-file malware (an executable and a dynamic library)
- the malware has gained more and more features over time
- the decoy documents have become more and more convincing
- the different versions contain code copied from previous versions; moreover, the newer version searches for files generated by previous versions, which implies that the malware has been used several times against the same targets

This evolution is illustrated across four campaigns: one in 2014, one in 2016 and two in 2017. The decoy documents of the last two campaigns suggest that the targets are public organisations.
Both documents contained email addresses, phone numbers and contacts of members of official organisations such as the United Nations, UNICEF, and embassies linked to North Korea.

## 2014 Campaign: Fatal Beauty

In this campaign, the dropper filename was beauty.scr. Based on the compilation dates of the two binaries, this campaign took place in September 2014. Once executed, two files were dropped on the targeted system: a decoy document (a picture) and a fake svchost.exe binary. Both files were stored in "C:\Windows". Note that the legitimate svchost.exe lives in C:\Windows\System32, so a copy directly under C:\Windows is itself a useful indicator. The picture is a Myanmar temple.

The fake svchost binary is the KONNI malware. Its first task is to generate an ID that identifies the infected system. This ID is derived from the installation date of the system, as found in the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate). Its second task is to contact the C2 and fetch orders. The malware includes two domains:

- phpschboy[.]prohosts[.]org
- jams481[.]site[.]bz

The developer used the Microsoft Winsock API to handle the network connection. Surprisingly, this is neither the easiest nor the most efficient choice for HTTP connections, since it means building the HTTP requests by hand rather than using a higher-level HTTP API. The malware samples we analysed connected to only one URI: /login.php.

This version of KONNI is not designed to execute code on the infected system.
Its purpose is to be executed only once and to steal data from the infected system. The main features are:

- keylogger
- clipboard stealer
- Firefox profile and cookie stealer
- Chrome profile and cookie stealer
- Opera profile and cookie stealer

The malware internally uses several temporary files:

- spadmgr.ocx
- screentmp.tmp (log file of the keylogger)

## 2016 Campaign: "How Can North Korean Hydrogen Bomb Wipe Out Manhattan.scr"

The name of the .scr file was directly linked to tension between North Korea and the USA in March 2016 ([more information](https://www.washingtonpost.com/world/asia_pacific/north-korea-claims-it-could-wipe-out-manhattan-with-a-hydrogen-bomb/2016/03/13/3834cd54-e919-11e5-b0fd-073d5930a7b7_story.html)). Based on the compilation dates of the binaries, the campaign took place in the same period. An interesting fact: the dropped library was compiled in 2014 and appears in our telemetry in August 2015, indicating that this library was probably used in another campaign.

The .scr file contains two Office documents, one in English and one in Russian. In the sample only the English version can be displayed to the user (this is hardcoded in the sample). The Russian document is not used by the sample; we assume that the author of the malware forgot to remove the resource containing the Russian decoy document.

The malware author changed the malware architecture: this version is divided into two binaries:

- conhote.dll
- winnit.exe

Another difference is the directory where the files are dropped: it is no longer C:\Windows but the local settings directory of the current user (%USERPROFILE%\Local Settings\winnit\winnit.exe). Thanks to this modification, the malware can run under a non-administrator account, since a standard user cannot write to C:\Windows. The .dll file is loaded by the .exe file.
In this version, persistence is achieved with a shortcut that launches winnit.exe, created at %USERPROFILE%\Start Menu\Programs\Startup\Anti virus service.lnk. The attacker disguises the entry as a legitimate antivirus service simply by naming it 'Anti virus service.lnk'. This is crude, but it is often enough for a user to overlook something malicious by name alone.

As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different, and the analysed version contains only a single domain:

- dowhelsitjs[.]netau[.]net

In this version the developer used a different API, WinINet, which makes more sense for web requests. The C2 infrastructure evolved too; more .php scripts are available through the web hosting:

- /login.php (for infected machine registration)
- /upload.php (for uploading files to the C2)
- /download.php (for downloading files from the C2)

This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file upload/download and arbitrary command execution. The library is only used to perform keylogging and clipboard stealing; the malware author moved this part of the code from the core of the malware into a library. An interesting element is that the malware looks for filenames created by the previous version of KONNI.
This implies that the malware targeted the same people as the previous version and that the versions are designed to work together.

The malware internally uses the following files:

- solhelp.ocx
- sultry.ocx
- helpsol.ocx
- psltre.ocx
- screentmp.tmp (log file of the keylogger)
- spadmgr.ocx
- apsmgrd.ocx
- wpg.db

## 2017 Campaigns

### Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr

In this campaign, the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr. The decoy document shown after infection is an Office document containing email addresses, phone numbers and contacts of members of official organisations such as the United Nations, UNICEF, and embassies linked to North Korea.

The .scr file drops two files: an executable and a library. As in the previous version, persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk). Contrary to the previous version, the developers moved the core of the malware into the library. The executable performs the following tasks:

- if the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware by means of a PowerShell script
- it loads the dropped library

The library contains the same features as the previous version as well as new ones. This version of KONNI is the most advanced, with better coding. The malware configuration

A new URI is available:

- /uploadtm.php

This URI is used by a new feature implemented in this version: the malware is able to take screenshots (via the GDI API) and uploads them to this URL. The malware checks whether a file used by a previous version of KONNI is present on the system.
Here is the complete list of files internally used by the RAT:

- error.tmp (the log file of the keylogger)
- tedsul.ocx
- helpsol.ocx
- trepsl.ocx
- psltred.ocx
- solhelp.ocx
- sulted.ocx

The handling of instructions has improved too. Here are the seven actions that the infected machine can be instructed to perform:

1. delete a specific file
2. upload a specific file based on a filename
3. upload a specific file based on the full path name
4. create a screenshot and upload it to the C2
5. get system information
6. download a file from the Internet
7. execute a command

This graph shows the decision tree.

When the attacker requests information on the infected system (action 5), the malware retrieves the following:

- hostname
- IP address
- computer name
- username
- connected drives
- OS version
- architecture
- Start menu programs

### Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr

The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr. This file drops exactly the same files as the previous campaign, but the decoy document is different. This document contains the names, phone numbers and email addresses of members of agencies, embassies and organisations linked to North Korea.

## Conclusion

The analysis shows the evolution of KONNI over the last three years. The last campaign started a few days ago and is still active; the infrastructure remains up and running at the time of this post. The RAT has remained under the radar for multiple years.
One explanation could be that the campaigns were very limited in scope, which does not arouse suspicion.

This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents. The campaigns of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who appear to work for a public organisation. We do not know whether the document is a legitimate document taken from a compromised target or a fake that the attacker created in an effort to be credible.

Clearly the author has a real interest in North Korea, with three of the four campaigns linked to North Korea.

The following graph shows the evolution of KONNI over the last three years.

## Coverage

Additional ways our customers can detect and block this threat are listed below.

- [Advanced Malware Protection (AMP)](http://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html) is ideally suited to prevent the execution of the malware used by these threat actors.
- [CWS](http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) or [WSA](http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) web scanning prevents access to malicious websites and detects malware used in these attacks.
- [Email Security](http://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) can block malicious emails sent by threat actors as part of their campaign.
- The Network Security protection of [IPS](http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html) and [NGFW](http://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html) has up-to-date signatures to detect malicious network activity by threat actors.
- [AMP Threat Grid](http://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) helps identify malicious binaries and build protection into all Cisco Security products.
- [Umbrella](https://umbrella.cisco.com/), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

## IOCs

### 2014 Campaign: Fatal Beauty

Dropper:

- SHA256: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
- Filename: beauty.scr

Dropped files:

- #1 SHA256: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435, Filename: C:\Windows\beauty.jpg, File type: JPEG image data, JFIF standard 1.02
- #2 SHA256: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9, Filename: C:\Windows\svchost.exe, File type: PE32 executable (GUI) Intel 80386, for MS Windows

C2:

- phpschboy[.]prohosts[.]org
- jams481[.]site[.]bz

### 2016 Campaign: How Can North Korean Hydrogen Bomb Wipe Out Manhattan

Dropper:

- SHA256: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
- Filename: How can North Korean hydrogen bomb wipe out Manhattan.scr

Dropped files:

- #1 SHA256: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634, Filename: conhote.dll
- #2 SHA256: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc, Filename: winnit.exe
- #3 SHA256: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f, Filename: Anti virus service.lnk

C2:

- dowhelsitjs[.]netau[.]net

### 2017 Campaign A

Dropper:

- SHA256: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
- Filename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr

Dropped files:

- #1 SHA256: 3de491de3f39c599954bdbf08bba3bab9e4a1d2c64141b03a866c08ef867c9d1, Filename: adobe distillist.lnk
- #2 SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635, Filename: winload.exe
- #3 SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d, Filename: winload.dll

C2:

- Pactchfilepacks[.]net23[.]net
- checkmail[.]phpnet[.]us

### 2017 Campaign B

Dropper:

- SHA256: 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
- Filename: Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr

Dropped files:

- #1 SHA256: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b, Filename: adobe distillist.lnk
- #2 SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635, Filename: winload.exe
- #3 SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d, Filename: winload.dll

C2:

- Pactchfilepacks[.]net23[.]net
- checkmail[.]phpnet[.]us

Note that winload.exe and winload.dll carry identical hashes in both 2017 campaigns; only the dropper and the persistence shortcut differ.

### Related samples

- 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
- 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
- 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc
- f091d210fd214c6f19f45d880cde77781b03c5dc86aa2d62417939e7dce047ff
- 0f327d67b601a87e575e726dc67a10c341720267de58f3bd2df3ce705055e757
- 234f9d50aadb605d920458cc30a16b90c0ae1443bc7ef3bf452566ce111cece8
- 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
- 581e820637decf37bfd315c6eb71176976a0f2d59708f2836ff969873b86c7db
- 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
- 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
- 97b1039612eb684eaec5d21f0ac0a2b06b933cc3c078deabea2706cb69045355
- dae9d8f9f7f745385286775f6e99d3dcc55bbbe47268a3ea20deffe5c8fd0f0e
- dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
- e6a9d9791f763123f9fe1f69e69069340e02248b9b16a88334b6a5a611944ef9
- ead47df090a4de54220a8be27ec6737304c1c3fe9d0946451b2a60b8f11212d1
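The C2 domains and the /login.php, /upload.php, /download.php and /uploadtm.php scripts described in the 2014, 2016 and 2017 sections above are easy to turn into a proxy-log check. The script below is an added example written for this write-up, not Talos code: the indicator lists are copied from the article (defanged, exactly as listed), while the combined-log line format, the client IPs and the `.invalid` / `.example` hostnames in `SAMPLE_LOG` are constructed for the demonstration. It flags any request to a known C2 domain, and, as a weaker hunt signal, a client that registers via /login.php and then hits a second KONNI script on the same host.

```python
"""Flag proxy-log entries that match the KONNI C2 pattern.

Added example for this write-up, not Talos code. The indicator lists come
from the article; the log format, the client IPs and the .invalid hosts in
SAMPLE_LOG are constructed for the demonstration.
"""
import re
from collections import defaultdict

# C2 domains from the article, kept defanged exactly as listed there and
# refanged at load time so the list can be copied without editing.
KONNI_C2_DEFANGED = [
    "phpschboy[.]prohosts[.]org",     # 2014 campaign
    "jams481[.]site[.]bz",            # 2014 campaign
    "dowhelsitjs[.]netau[.]net",      # 2016 campaign
    "Pactchfilepacks[.]net23[.]net",  # 2017 campaigns A and B
    "checkmail[.]phpnet[.]us",        # 2017 campaigns A and B
]

# Server-side scripts the RAT talks to: /login.php from 2014 on,
# /upload.php and /download.php from 2016, /uploadtm.php (screenshots) from 2017.
KONNI_URIS = {"/login.php", "/upload.php", "/download.php", "/uploadtm.php"}


def refang(indicator):
    """Turn a defanged 'a[.]b' indicator into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()


KONNI_C2 = {refang(d) for d in KONNI_C2_DEFANGED}

# Combined-log style proxy line: client ident user [time] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
URL_RE = re.compile(r'^(?:https?://)?(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#\s]*)?')


def parse_line(line):
    """Return {src, ts, method, host, path} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "host": u.group("host").lower(),
        "path": (u.group("path") or "/").lower(),
    }


def find_konni_activity(lines):
    """Map (client, host) -> verdict for pairs that look like KONNI C2 traffic.

    'known_c2_domain'   : any request to a domain from the article (block and investigate).
    'konni_uri_pattern' : registration via /login.php followed by at least one
                          other KONNI script on the same host; a weaker hunt
                          signal, because /login.php alone is far too common.
    """
    seen = defaultdict(set)  # (src, host) -> KONNI URIs requested (+ marker)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["host"])
        if rec["host"] in KONNI_C2:
            seen[key].add("__known_c2__")
        if rec["path"] in KONNI_URIS:
            seen[key].add(rec["path"])
    verdicts = {}
    for key, uris in seen.items():
        if "__known_c2__" in uris:
            verdicts[key] = "known_c2_domain"
        elif "/login.php" in uris and len(uris) >= 2:
            verdicts[key] = "konni_uri_pattern"
    return verdicts


# Constructed sample: one infected client talking to a 2017 C2, one client
# showing the URI pattern on an unknown host, one benign intranet login.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2017:09:12:01 +0000] "POST http://checkmail.phpnet.us/login.php HTTP/1.1" 200 312
10.0.0.5 - - [20/Apr/2017:09:12:09 +0000] "POST http://checkmail.phpnet.us/uploadtm.php HTTP/1.1" 200 18
10.0.0.7 - - [20/Apr/2017:09:15:44 +0000] "POST http://free-host.invalid/login.php HTTP/1.1" 200 120
10.0.0.7 - - [20/Apr/2017:09:16:02 +0000] "GET http://free-host.invalid/download.php?id=1 HTTP/1.1" 200 4096
10.0.0.9 - - [20/Apr/2017:09:20:00 +0000] "POST http://intranet.example/login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for (src, host), verdict in sorted(find_konni_activity(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} -> {host}: {verdict}")
```

The domain match is the only verdict strong enough to block on; the URI-pattern verdict exists because the 2017 infrastructure sits on free hosting where the hostname can change cheaply, and it deliberately requires the registration call plus a second script so that ordinary web applications with a /login.php do not light up.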
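Because each KONNI generation reuses working-file names from the one before it and looks for the older files itself (see the file lists in the 2014, 2016 and 2017 sections and the persistence shortcuts Anti virus service.lnk and adobe distillist.lnk), a single filename sweep of the user profile covers all three versions at once. The script below is an added example for this write-up, not Talos tooling: the filenames are the ones the article lists; `default_roots()` encodes an assumed Windows profile layout; and `demo()` plants those names in a constructed temporary directory tree so the hunt can be exercised on any OS. The fake svchost.exe from 2014 is special-cased to the root of the Windows directory, since the legitimate binary in System32 must not fire.

```python
"""Hunt a Windows profile for the on-disk artifacts the three KONNI
generations leave behind.

Added example for this write-up, not Talos tooling. The filenames are
the ones the article lists; the search roots in default_roots() are an
assumption about a typical Windows profile layout, and demo() builds a
constructed directory tree so the hunt can be exercised on any OS.
"""
import os
import shutil
import tempfile

# Working files, dropped binaries and persistence shortcuts per campaign
# year, as named in the article. Overlaps between years are deliberate:
# the newer versions look for files written by the older ones.
KONNI_ARTIFACTS = {
    "2014": {"spadmgr.ocx", "screentmp.tmp"},
    "2016": {"solhelp.ocx", "sultry.ocx", "helpsol.ocx", "psltre.ocx",
             "screentmp.tmp", "spadmgr.ocx", "apsmgrd.ocx", "wpg.db",
             "winnit.exe", "conhote.dll", "anti virus service.lnk"},
    "2017": {"error.tmp", "tedsul.ocx", "helpsol.ocx", "trepsl.ocx",
             "psltred.ocx", "solhelp.ocx", "sulted.ocx",
             "winload.exe", "winload.dll", "adobe distillist.lnk"},
}

# The 2014 dropper wrote these directly under C:\Windows. The names are
# harmless elsewhere (the real svchost.exe lives in System32), so they are
# only checked as direct children of the Windows directory.
WINDOWS_ROOT_ONLY = {"svchost.exe", "beauty.jpg"}

# filename (lowercase) -> set of campaign years that used it
ARTIFACT_INDEX = {}
for _year, _names in KONNI_ARTIFACTS.items():
    for _n in _names:
        ARTIFACT_INDEX.setdefault(_n, set()).add(_year)


def hunt(roots, windows_root=None):
    """Walk `roots` recursively; return sorted (path, years) for KONNI artifacts.

    `years` is e.g. "2014/2016" when a name is shared by several versions.
    `windows_root`, if given, is scanned one level deep for the 2014 pair.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                years = ARTIFACT_INDEX.get(name.lower())
                if years:
                    findings.append((os.path.join(dirpath, name), "/".join(sorted(years))))
    if windows_root is not None and os.path.isdir(windows_root):
        with os.scandir(windows_root) as it:
            for entry in it:
                if entry.is_file() and entry.name.lower() in WINDOWS_ROOT_ONLY:
                    findings.append((entry.path, "2014"))
    return sorted(findings)


def default_roots():
    """Assumed live-host defaults: the user's profile and, if separate, its temp directory."""
    roots = [os.environ.get("USERPROFILE", os.path.expanduser("~"))]
    temp = os.environ.get("TEMP")
    if temp and not temp.lower().startswith(roots[0].lower()):
        roots.append(temp)
    return roots


def demo():
    """Build a constructed profile/Windows tree in a temp dir, hunt it and
    return {(filename, years)} so the result does not depend on the temp path."""
    base = tempfile.mkdtemp(prefix="konni-hunt-")
    try:
        planted = [
            "profile/Local Settings/winnit/winnit.exe",                    # 2016 dropped binary
            "profile/Start Menu/Programs/Startup/Anti virus service.lnk",  # 2016 persistence
            "profile/screentmp.tmp",                                       # keylog, 2014 and 2016
            "profile/notes.txt",                                           # benign
            "Windows/svchost.exe",                                         # 2014 fake, in the root
            "Windows/System32/svchost.exe",                                # legitimate, must not fire
        ]
        for rel in planted:
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        results = hunt([os.path.join(base, "profile")],
                       windows_root=os.path.join(base, "Windows"))
        return {(os.path.basename(p), years) for p, years in results}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for item in sorted(demo()):
        print(item)
```

On a live host, call `hunt(default_roots(), windows_root=os.environ.get("SystemRoot"))` and compare any hit's SHA256 against the IOC list above; a hit on a shared name such as screentmp.tmp tells you only that some KONNI generation wrote it, which is exactly why the tool reports all matching years rather than guessing one.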