# Phishing Emails Used to Deploy KONNI Malware

**us-cert.cisa.gov/ncas/alerts/aa20-227a**

## Summary

_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge_
_(ATT&CK®) framework. See the_ _[ATT&CK for Enterprise framework for all referenced threat](https://attack.mitre.org/versions/v7/matrices/enterprise/)_
_actor techniques._

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors
using emails containing a Microsoft Word document with a malicious Visual Basic Application
(VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT)
used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and
execute arbitrary code on infected hosts.

## Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with a
malicious VBA macro code (Phishing: Spearphising Attachment [[T1566.001]). The malicious](https://attack.mitre.org/versions/v7/techniques/T1566/001/)
code can change the font color from light grey to black (to fool the user to enable content),
check if the Windows operating system is a 32-bit or 64-bit version, and construct and
execute the command line to download additional files (Command and Scripting Interpreter:
_Windows Command Shell_ [[T1059.003]).](https://attack.mitre.org/versions/v7/techniques/T1059/003/)

Once the VBA macro constructs the command line, it uses the certificate database tool
CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates
a built-in function to decode base64-encoded files. The Command Prompt silently copies
```
certutil.exe into a temp directory and renames it to evade detection.

```
The cyber actor then downloads a text file from a remote resource containing a base64encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber
actor deletes the text file from the temp directory and executes the .BAT file.

## MITRE ATT&CK Techniques

According to MITRE, [KONNI uses the ATT&CK techniques listed in table 1.](https://attack.mitre.org/versions/v7/software/S0356/)

_Table 1: KONNI ATT&CK techniques_

**Technique** **Use**


-----

**Technique** **Use**


_System Network_
_Configuration Discovery_

[[T1016]](https://attack.mitre.org/versions/v7/techniques/T1016)

_System Owner/User_
_Discovery_ [[T1033]](https://attack.mitre.org/versions/v7/techniques/T1033)

_Masquerading: Match_
_Legitimate Name or_
_[Location [T1036.005]](https://attack.mitre.org/versions/v7/techniques/T1036/005)_

_Exfiltration Over_
_Alternative Protocol:_
_Exfiltration Over_
_Unencrypted/Obfuscated_
_Non-C2 Protocol_

[[T1048.003]](https://attack.mitre.org/versions/v7/techniques/T1048/003)

_Input Capture:_
_[Keylogging [T1056.001]](https://attack.mitre.org/versions/v7/techniques/T1056/001)_

_Process Discovery_

[[T1057]](https://attack.mitre.org/versions/v7/techniques/T1057)

_Command and Scripting_
_Interpreter: PowerShell_

[[T1059.001]](https://attack.mitre.org/versions/v7/techniques/T1059/001)

_Command and Scripting_
_Interpreter: Windows_
_Command Shell_

[[T1059.003]](https://attack.mitre.org/versions/v7/techniques/T1059/003)

_Indicator Removal on_
_Host: File Deletion_

[[T1070.004]](https://attack.mitre.org/versions/v7/techniques/T1070/004)

_Application Layer_
_Protocol: Web Protocols_

[[T1071.001]](https://attack.mitre.org/versions/v7/techniques/T1071/001)


KONNI can collect the Internet Protocol address from the
victim’s machine.

KONNI can collect the username from the victim’s machine.

KONNI creates a shortcut called `Anti virus service.lnk`
in an apparent attempt to masquerade as a legitimate file.

KONNI has used File Transfer Protocol to exfiltrate
reconnaissance data out.

KONNI has the capability to perform keylogging.

KONNI has used `tasklist.exe to get a snapshot of the`
current processes’ state of the target machine.

KONNI used PowerShell to download and execute a specific
64-bit version of the malware.

KONNI has used `cmd.exe to execute arbitrary commands`
on the infected host across different stages of the infection
change.

KONNI can delete files.

KONNI has used Hypertext Transfer Protocol for command
and control.


-----

**Technique** **Use**


_System Information_
_[Discovery [T1082]](https://attack.mitre.org/versions/v7/techniques/T1082)_

_File and Directory_
_Discovery_ [[T1083]](https://attack.mitre.org/versions/v7/techniques/T1083)

_Ingress Tool Transfer_

[[T1105]](https://attack.mitre.org/versions/v7/techniques/T1105)


KONNI can gather the operating system version, architecture
information, connected drives, hostname, and computer name
from the victim’s machine and has used `systeminfo.exe to`
get a snapshot of the current system state of the target
machine.

A version of KONNI searches for filenames created with a
previous version of the malware, suggesting different versions
targeted the same victims and the versions may work
together.

KONNI can download files and execute them on the victim’s
machine.


_[Modify Registry [T1112]](https://attack.mitre.org/versions/v7/techniques/T1112)_ KONNI has modified registry keys of ComSysApp service and
Svchost on the machine to gain persistence.

_[Screen Capture [T1113]](https://attack.mitre.org/versions/v7/techniques/T1113)_ KONNI can take screenshots of the victim’s machine.

_[Clipboard Data [T1115]](https://attack.mitre.org/versions/v7/techniques/T1115)_ KONNI had a feature to steal data from the clipboard.


_Data Encoding: Standard_
_[Encoding [T1132.001]](https://attack.mitre.org/versions/v7/techniques/T1132/001)_

_Access Token_
_Manipulation: Create_
_Process with Token_

[[T1134.002]](https://attack.mitre.org/versions/v7/techniques/T1134/002)

_Deobfuscate/Decode_
_Files or Information_

[[T1140]](https://attack.mitre.org/versions/v7/techniques/T1140)

_Signed Binary Proxy_
_Execution: Rundll32_

[[T1218.011]](https://attack.mitre.org/versions/v7/techniques/T1218/011)


KONNI has used a custom base64 key to encode stolen data
before exfiltration.

KONNI has duplicated the token of a high integrity process to
spawn an instance of cmd.exe under an impersonated user.

KONNI has used CertUtil to download and decode base64
encoded strings.

KONNI has used Rundll32 to execute its loader for privilege
escalation purposes.


-----

**Technique** **Use**


_Event Triggered_
_Execution: Component_
_Object Model Hijacking_

[[T1546.015]](https://attack.mitre.org/versions/v7/techniques/T1546/015)

_Boot or Logon Autostart_
_Execution: Registry Run_
_Keys / Startup Folder_

[[T1547.001]](https://attack.mitre.org/versions/v7/techniques/T1547/001)

_Boot or Logon Autostart_
_Execution: Shortcut_
_Modification_ [[T1547.009]](https://attack.mitre.org/versions/v7/techniques/T1547/009)

_Abuse Elevation Control_
_Mechanism: Bypass User_
_Access Control_

[[T1548.002]](https://attack.mitre.org/versions/v7/techniques/T1548/002)

_Credentials from_
_Password Stores:_
_Credentials from Web_
_[Browsers [T1555.003]](https://attack.mitre.org/versions/v7/techniques/T1555/003)_

## Detection

**Signatures**


KONNI has modified ComSysApp service to load the
malicious DLL payload.

A version of KONNI drops a Windows shortcut into the
Startup folder to establish persistence.

A version of KONNI drops a Windows shortcut on the victim’s
machine to establish persistence.

KONNI bypassed User Account Control with the
"AlwaysNotify" settings.

KONNI can steal profiles (containing credential information)
from Firefox, Chrome, and Opera.


CISA developed the following Snort signatures for use in detecting KONNI malware exploits.
```
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php'
(KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/";
http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri;
distance:0; within:12; content:!"Referrer|3a 20|"; http_header;
classtype:http-uri; priority:2; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains
'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server;
content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only;
content:"POST"; nocase; http_method; classtype:http-header; priority:2;
metadata:service http;)

```

-----

```
alert tcp any any -> any $HTTP_PORTS (msg: KONNI:HTTP URI contains
'/weget/(upload|uploadtm|download)'"; sid:1; rev:1;
flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only;
pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST";
http_method; classtype:http-uri; priority:2;
reference:url,blog.talosintelligence.com/2017/07/konni-references-northkorean-missile-capabilities.html; metadata:service http;)

## Mitigations

```
CISA recommends that users and administrators consider using the following best practices
to strengthen the security posture of their organization's systems. Any configuration changes
should be reviewed by system owners and administrators prior to implementation to avoid
unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious
Code.
Keep operating system patches up to date. See Understanding Patches and Software
Updates.
Disable file and printer sharing services. If these services are required, use strong
passwords or Active Directory authentication.
Restrict users' ability (permissions) to install and run unwanted software applications.
Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See [Choosing and Protecting Passwords.](https://us-cert.cisa.gov/ncas/tips/ST04-002)
Exercise caution when opening email attachments, even if the attachment is expected
[and the sender appears to be known. See Using Caution with Email Attachments.](https://us-cert.cisa.gov/ncas/tips/ST04-010)
Enable a personal firewall on agency workstations, configured to deny unsolicited
connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is
its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external
drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access
control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional
mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National
Institute of Standards and Technology Special Publication 800-83, "Guide to Malware
Incident Prevention and Handling for Desktops and Laptops."


-----

## Resources

 Revisions

August 14, 2020: Initial Version

[This product is provided subject to this Notification and this](https://us-cert.cisa.gov/privacy/notification) [Privacy & Use policy.](https://www.dhs.gov/privacy-policy)

**Please share your thoughts.**

[We recently updated our anonymous product survey; we'd welcome your feedback.](https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/alerts/aa20-227a)


-----