A Quick Look at a New KONNI RAT Variant

KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.

KONNI is known to be distributed via campaigns that are believed to be targeting North Korea. This new variant isn’t different from previous variants, as it is dropped by a DOC file containing text that was drawn from a CNN article entitled 12 things Trump should know about North Korea. The article was published on August 9, 2017, which indicates that this might be the latest campaign. Although KONNI campaigns use decoy documents containing articles about North Korea, it is hard to tell if the targets have something to do with matters involving North Korea.

Decoy document used to trick the user into thinking that the file is benign

The malicious DOC file contains a VB macro code that drops and executes the KONNI installer in the %temp% folder as stify.exe:

VB Macro Document_Open() Sub

The dropped file was packed with a known packer Aspack 2.12, as seen below:

PEID: Packed with ASPack 2.12

According to its compilation time stamp in the IMAGE_FILE_HEADER of the file, this variant was compiled on August 8, 2017 (if that file was not modified.)

Compilation time (Installer)

The installer contains 2 KONNI DLL files in the resource section. One is for the 32-bit version and the other is for the 64-bit version of Windows OS. According to their compilation time stamp, these DLL files were compiled on July 11, 2017.

Compilation time (KONNI DLLs)

The KONNI DLL is dropped in the %LocalAppData%MFADataevent folder as errorevent.dll. The installer creates auto-start registry entries to run the DLL on the next system reboot using rundll32.exe.

Installation routine

Doing a bit diffing allows us to see that this hasn’t changed from the variants reported on August 8, 2017. It still has the same capabilities based on the following command and control server commands:

‘0’ : Upload a specific file to the C&C.

‘1’ : Get system information such as computer IP address, computer name, username, drive information, product name, system type (32 or 64 bit), start menu programs, and installed products and upload to the C&C.

‘2’ : Take screen shot and upload to the C&C.

‘3’ : Find files in specific directory and subdirectories.

‘4’ : Find files in specific directory but not in subdirectories.

‘5’ : Delete a specific file.

‘6’ : Execute a specific file.

‘7’ : Download a file.

Commands from C&C Server

It also has keylogging and clipboard grabbing capabilities. The log file is saved as %LocalAppdata%Packagesmicrosoftdebug.tmp.

However, contrary to the previous report, it doesn’t look like this variant uses the simple XOR using a two-byte key for encryption when communicating to its command and control server. Though the server did not respond with commands when we did the analysis, we confirmed that the initial response from the C&C is not encrypted or encoded. It is just delimited with the string “xzxzxz”.

“xzxzx” as the delimiter

When sending data to its C&C server, this variant uses the following HTTP query string format:

Query string

In this version, id is the generated machine ID computed from OS InstallDate,

title is the name of the file with extension where the raw data is saved, and passwd is actually the encoded exfiltrated data.

Example of actual query string

Before sending its data to the C&C server, it is first compressed using ZIP format, encrypted with RC4 using the key “123qweasd/*-+p[;’p”, and encoded using Base64.

Data is zipped, rc4 encrypted, and base64 encoded before sending to the C&C server

Conclusion:

KONNI is not a complicated malware. It doesn’t employ much obfuscation. By simply performing a quick diffing we can see the changes made to new variants. For now, it seems that the only change is how the dropper installs the KONNI DLL, but based on what we have seen over the previous months we expect that it will continue to evolve.

Fortinet covers detection of this threat as W32/Noki.A!tr and the MSOffice VB Macro dropper as WM/MacroDropper.A!tr.

C&C and download URLs were also blocked by Fortinet’s Web Filter.

-= FortiGuard Lion Team =-

IOCs:

Sample Hashes:

834d3b0ce76b3f62ff87b7d6f2f9cc9b (DOC)

0914ef43125114162082a11722c4cfc3 (EXE)

38ead1e8ffd5b357e879d7cb8f467508 (DLL)

URLs:

donkeydancehome[.]freeiz.com/weget/upload[.]php (C&C)

seesionerrorwebmailattach[.]uphero[.]com/attach/download.php?file=12%20things%20Trump%20should%20know%20about%20North%20Korea.doc (DOC download URL)