# A Quick Look at a New KONNI RAT Variant **[blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant](https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant)** Threat Research August 15, 2017 By [Jasper Manuel | August 15, 2017](https://blog.fortinet.com/blog/search?author=Jasper+Manuel) KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look. KONNI is known to be distributed via campaigns that are believed to be targeting North Korea. This new variant isn’t different from previous variants, as it is dropped by a DOC file containing text that was drawn from a CNN article entitled 12 things Trump should know _about North Korea. The article was published on August 9, 2017, which indicates that this_ might be the latest campaign. Although KONNI campaigns use decoy documents containing articles about North Korea, it is hard to tell if the targets have something to do with matters involving North Korea. ----- _Decoy document used to trick the user into thinking that the file is benign_ The malicious DOC file contains a VB macro code that drops and executes the KONNI installer in the %temp% folder as stify.exe: _VB Macro Document_Open() Sub_ The dropped file was packed with a known packer Aspack 2.12, as seen below: _PEID: Packed with ASPack 2.12_ ----- According to its compilation time stamp in the IMAGE_FILE_HEADER of the file, this variant was compiled on August 8, 2017 (if that file was not modified.) _Compilation time (Installer)_ The installer contains 2 KONNI DLL files in the resource section. One is for the 32-bit version and the other is for the 64-bit version of Windows OS. According to their compilation time stamp, these DLL files were compiled on July 11, 2017. _Compilation time (KONNI DLLs)_ The KONNI DLL is dropped in the %LocalAppData%\MFAData\event folder as errorevent.dll. The installer creates auto-start registry entries to run the DLL on the next system reboot using rundll32.exe. _Installation routine_ Doing a bit diffing allows us to see that this hasn’t changed from the variants reported on August 8, 2017. It still has the same capabilities based on the following command and control server commands: ‘0’ : Upload a specific file to the C&C. ‘1’ : Get system information such as computer IP address, computer name, username, drive information, product name, system type (32 or 64 bit), start menu programs, and installed products and upload to the C&C. ‘2’ : Take screen shot and upload to the C&C. ----- 3 : Find files in specific directory and subdirectories. ‘4’ : Find files in specific directory but not in subdirectories. ‘5’ : Delete a specific file. ‘6’ : Execute a specific file. ‘7’ : Download a file. _Commands from C&C Server_ It also has keylogging and clipboard grabbing capabilities. The log file is saved as %LocalAppdata%\Packages\microsoft\debug.tmp. However, contrary to the previous report, it doesn’t look like this variant uses the simple XOR using a two-byte key for encryption when communicating to its command and control server. Though the server did not respond with commands when we did the analysis, we confirmed ----- that the initial response from the C&C is not encrypted or encoded. It is just delimited with the string “xzxzxz”. _“xzxzx” as the delimiter_ When sending data to its C&C server, this variant uses the following HTTP query string format: _Query string_ In this version, id is the generated machine ID computed from OS InstallDate, _title is the name of the file with extension where the raw data is saved, and passwd is_ actually the encoded exfiltrated data. ----- _Example of actual query string_ Before sending its data to the C&C server, it is first compressed using ZIP format, encrypted with RC4 using the key “123qweasd/*-+p[;’p”, and encoded using Base64. _Data is zipped, rc4 encrypted, and base64 encoded before sending to the C&C server_ Conclusion: KONNI is not a complicated malware. It doesn’t employ much obfuscation. By simply performing a quick diffing we can see the changes made to new variants. For now, it seems that the only change is how the dropper installs the KONNI DLL, but based on what we have seen over the previous months we expect that it will continue to evolve. Fortinet covers detection of this threat as W32/Noki.A!tr and the MSOffice VB Macro dropper as WM/MacroDropper.A!tr. [C&C and download URLs were also blocked by Fortinet’s Web Filter.](https://fortiguard.com/iprep?data=109.228.49.213) -= FortiGuard Lion Team = ----- **IOCs:** Sample Hashes: 834d3b0ce76b3f62ff87b7d6f2f9cc9b (DOC) 0914ef43125114162082a11722c4cfc3 (EXE) 38ead1e8ffd5b357e879d7cb8f467508 (DLL) **URLs:** donkeydancehome[.]freeiz.com/weget/upload[.]php (C&C) seesionerrorwebmailattach[.]uphero[.]com/attach/download.php? file=12%20things%20Trump%20should%20know%20about%20North%20Korea.doc (DOC download URL) _[Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the](http://ftnt.net/2iT7Mcp%C2%A0)_ _newest emerging threats._ ## Related Posts Copyright © 2022 Fortinet, Inc. All Rights Reserved [Terms of ServicesPrivacy Policy](https://www.fortinet.com/corporate/about-us/legal.html) | Cookie Settings -----