Tracking of this Konni RAT campaign began in July 2021, when researchers came upon a spear-phishing campaign that used Konni malware and delivered two weaponized Russian-language documents carrying the same malicious macro. The Konni RAT name itself was not new, however: the malware was first identified back in 2014 and has been attributed to the threat actor group known as APT37.
The two lure documents seen in the July campaign dealt with two subjects: the first with economic and trade issues between Russia and the Korean Peninsula, the second with a meeting of the Russian-Mongolian intergovernmental commission, as Malwarebytes' researchers report.
The malicious documents used by the Konni APT were weaponized with the same simple but clever macro. It just uses the Shell function to execute a one-liner cmd command. That one-liner takes the currently active document as its input, uses findstr to search it for lines matching "^var" (that is, lines that begin with "var"), and writes those lines to y.js. Finally it calls the WScript Shell function to execute the resulting JavaScript file (y.js). The clever part is that the actor hid the malicious JavaScript, which is the start of its main activity, at the end of the document content instead of putting it directly into the macro: an AV product that inspects only the macro sees neither the payload nor its real intent.
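As an added illustration (this is example code written for this page, not the macro from the campaign and not Malwarebytes' code), the following Python re-implements the extraction step the macro delegates to `findstr "^var"`, so an analyst can recover the embedded JavaScript from a sample without running it, and adds a heuristic that flags VBA source showing the same Shell/findstr/WScript.Shell pattern. The document bytes, the VBA text and the indicator strings below are constructed and assumed for illustration; they are not published indicators.

```python
"""
Added example, not code from the original article or from the Konni campaign.
Emulates what the described macro's one-liner does (collect every line of the
document that starts with "var" into y.js) and flags VBA that shows the same
self-extracting pattern. Sample data and indicator regexes are constructed
assumptions for this example only.
"""
import re

# Constructed "document": lure text, some binary-looking junk, and the JS
# payload appended as plain "var ..." lines at the end of the file.
SAMPLE_DOC = (
    b"Lure text about Russia-Korea trade talks.\r\n"
    b"More lure text.\r\n"
    b"\x00\x01binary junk\r\n"
    b"var a = 'hypothetical';\r\n"
    b"var b = a + ' payload';\r\n"
    b"variable-looking prose line, also matched by ^var\r\n"
)

# Constructed VBA in the shape the article describes (not the real macro).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim cmd As String
    cmd = "cmd /c findstr ""^var"" """ & ActiveDocument.FullName & """ > y.js"
    Shell cmd, vbHide
    CreateObject("WScript.Shell").Run "y.js", 0
End Sub
'''


def findstr_lines(data: bytes, pattern: str = "^var") -> list:
    """Emulate `findstr <regex> file`: return every line the regex matches.
    findstr works line by line and tolerates binary content, so decode
    leniently (latin-1 never fails) and split on CRLF as well as LF."""
    rx = re.compile(pattern)
    return [ln for ln in data.decode("latin-1").splitlines() if rx.search(ln)]


def extract_embedded_js(doc: bytes) -> str:
    """Reconstruct what the one-liner would have written to y.js.
    Caveat shown by the sample: ^var is a prefix match, so any line that
    merely begins with "var" (e.g. "variable ...") lands in the script too."""
    return "\r\n".join(findstr_lines(doc, "^var")) + "\r\n"


# Assumed indicators: each is common on its own (Shell appears in benign
# macros); only the combination points at a self-extracting stager.
STAGER_INDICATORS = {
    "exec": re.compile(r"\bShell\b|WScript\.Shell", re.I),
    "findstr": re.compile(r"\bfindstr\b", re.I),
    "reads_self": re.compile(r"ActiveDocument", re.I),
    "drops_js": re.compile(r"\.js\b", re.I),
}


def macro_indicators(vba: str) -> dict:
    """Which of the assumed indicators are present in the VBA source."""
    return {name: bool(rx.search(vba)) for name, rx in STAGER_INDICATORS.items()}


def looks_like_self_extracting_stager(vba: str) -> bool:
    """Heuristic verdict: all indicators present in a single macro."""
    return all(macro_indicators(vba).values())


if __name__ == "__main__":
    print(extract_embedded_js(SAMPLE_DOC))
    print(macro_indicators(SAMPLE_MACRO), looks_like_self_extracting_stager(SAMPLE_MACRO))
```

Recovering the script this way is safer than letting the macro run it, and the third matched line shows why a triage rule keyed only on "lines starting with var" will pick up prose as well as code; a follow-up check that the recovered text parses as JavaScript is worth adding before treating it as the payload.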
What’s Different in the New Campaign Featuring a New Version of Konni RAT?
A new Konni RAT variant is now used in the recent campaigns. The same researchers, who have been tracking the spear-phishing campaign since July, found several differences between the new version of Konni RAT and the earlier variant of the malware:
- In the new campaign, the JavaScript files are used to execute PowerShell and batch files;
- The cab file is downloaded differently: the old campaign used certutil for this step, the new one uses PowerShell and URLMON API calls;
- The new campaign features two distinct UAC bypass methods, selected according to the targeted user's operating system. In the past the attackers used only the Token Impersonation approach;
- The new campaign deploys a new version of the Konni RAT malware. This variant no longer uses base64 encoding, has an encrypted configuration, is heavily obfuscated, and no longer exfiltrates data over FTP as earlier versions did.
Despite these differences, the main elements of the old and new chains are the same: weaponized documents carrying a malicious macro, a cab file download, and deployment of Konni RAT as a service.
According to Cyware, Konni RAT mainly targets South Korea and Russia, but not only them: Mongolia, Japan, Nepal, and Vietnam have also been targeted. It has also been used in cyberattacks related to the UN and UNICEF, and it is said to have possible connections with the DarkHotel malware.
CISA addressed mitigation last year when it published an alert on Konni RAT. Keeping operating systems patched, keeping antivirus signatures and engines up to date, and restricting users' ability to install software are among the measures it recommends.