Konni RAT variant targeting Russia in ongoing attack campaign

So far, Konni RAT has managed to evade detection as only 3 security solutions on VirusTotal were able to detect the malware.

So far, Konni RAT has managed to evade detection as only 3 security solutions on VirusTotal were able to detect the malware.

The IT security researchers at Malwarebytes Labs have reported a new and ongoing malware campaign in which the prime target is Russia. The payload dropped by threat actors in this attack is the Konni RAT that was first spotted in 2014 being used by the North Korean Black Hat group of hackers known as Thallium and APT37.

On the other hand, on July 6th, 2017, days after its missile test, North Korea was also hit by Konni RAT. At that time, Kaspersky Lab claimed that the hackers behind Konni malware campaigns might be of Korean origin, and the attacks were probably originating from South Korea.

The campaign’s modus operandi involves social engineering techniques such as luring the victim into downloading a document file weaponized with a malicious macro. Once the victim enables macro it executes a chain of activities including deployment of a new variant of Konni RAT that is heavily obfuscated.

Overall Process

Among other functions, Konni Rat is equipped with screen capturing and keylogging capabilities due to which it manages to steal data from targeted computers. However, in the ongoing campaign, the malware uses cmd /c systeminfo command to collect device information including:

  • Security information
  • Operating system configurations
  • Hardware data such as disk space, RAM size, and network cards info, etc.)

As of now, researchers have only identified two documents that are being used in the campaign. One of the documents addresses trade and economic issues between the Korean Peninsula and Russia while the other document claims to address minutes of a meeting between the intergovernmental Russian-Mongolian commission.

It is worth noting that both documents are written in the Russian language as shown in the screenshot below:

In a blog post, Hossein Jazi of Threat Intelligence Team emphasized that Konni RAT is potentially motivated used by APT37 to target political organizations in Russia and South Korea. However, Jazi warned that Konni’s is not limited to these countries as its infection has also been observed in countries like:

  • Japan
  • Nepal
  • Mongolia
  • Vietnam

Nevertheless, Jazi noted that the threat actors behind the new variant of Konni RAT have so far managed to evade detection against most of the used anti-virus products as, at the time of publishing this article, only 3 security solutions on VirusTotal were able to detect the malware.

Even though this sample is heavily obfuscated its functionality has not changed much and it is similar to its previous version. It seems the actor just used a heavy obfuscation process to hinder all the security mechanisms. VirusTotal detection of this sample at the time of analysis was 3 which indicates that the actor was successful in using obfuscation and bypass most of the AV products, the researcher concluded.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts