{"id":6280,"date":"2017-08-18T15:42:47","date_gmt":"2017-08-18T15:42:47","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=738"},"modified":"2017-08-18T15:42:47","modified_gmt":"2017-08-18T15:42:47","slug":"remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\/","title":{"rendered":"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution"},"content":{"rendered":"<p>This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South Korea. This RAT spreads mainly through phishing emails. Specifically, the attacker first tries to have a powershell script executed via an .scr file, and then downloads the malware of an appropriate version according to system information. After obtaining the RAT sample, NSFOCUS immediately conducted an analysis. 
By technical means, we found that the RAT was mainly used to steal data and remotely execute commands.<\/p>\n<p>Related information can be found at the following link:<\/p>\n<blockquote><p><strong>http:\/\/www.securityweek.com\/cyberspies-use-konni-malware-target-north-korea<\/strong><\/p><\/blockquote>\n<h2>Detection Result of NSFOCUS TAC<\/h2>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/Detection-result-of-NSFOCUS-TAC.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-742\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/Detection-result-of-NSFOCUS-TAC-300x160.png\" alt=\"\" width=\"300\" height=\"160\" \/><\/a><\/p>\n<h2>Sample Analysis<\/h2>\n<h3>Major Functions<\/h3>\n<p>The sample is a trojan program that is capable of obtaining system information, logging keystrokes, browsing users&#8217; file directories, remotely downloading files, stealing or deleting specified files, capturing screenshots, and remotely executing commands.<\/p>\n<p>The trojan DLL shows a trace of web behaviors, which are disguised as interactions with normal web pages, only when injected into a browser. 
Therefore, it can evade checks by some detection devices that generate alerts based on the analysis of suspicious web traffic.<\/p>\n<h3>Behavior Analysis<\/h3>\n<h4>File Manipulation<\/h4>\n<ol>\n<li>The original sample drops its own functional module errorevent.dll to the user&#8217;s temporary directory.\n<ul>\n<li style=\"text-align: left;\"><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic1.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-medium wp-image-743\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic1-300x257.png\" alt=\"\" width=\"300\" height=\"257\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>The functional module creates the <strong>Packages\/microsoft\/<\/strong> directory in the user&#8217;s <strong>Local Settings<\/strong> folder, and generates temporary files for different subfunctions.\n<ul>\n<li><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic2.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-744\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic2-300x222.png\" alt=\"\" width=\"300\" height=\"222\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>For example:<\/p>\n<ul>\n<li>The keystroke logging file is <strong>debug.tmp<\/strong>.<\/li>\n<li>Commands received are temporarily dumped in the <strong>repaired<\/strong> file.<\/li>\n<li>Screenshots are saved in the <strong>samed<\/strong> file.<\/li>\n<\/ul>\n<p>Except for <strong>debug.tmp<\/strong>, these files are deleted once used.<\/p>\n<h4>Process Control<\/h4>\n<p>The sample injects its own DLL into various processes.
If the host process has the same name as one of the following browser processes, the C&amp;C module will be called together with the keystroke logging module; otherwise, only the latter is called and the keystroke logging file <strong>debug.tmp<\/strong> is generated.<\/p>\n<p>(iexplore.exe|firefox.exe|chrome.exe|psiphon3.exe)<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-745\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic3-300x166.png\" alt=\"\" width=\"300\" height=\"166\" \/><\/a><\/p>\n<h4>Registry Control<\/h4>\n<ol>\n<li>The original sample sets the functional module to a startup item so that it will be launched upon system startup, thus taking permanent control of the user.\n<ul>\n<li><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-746\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic4-300x202.png\" alt=\"\" width=\"300\" height=\"202\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>The functional module reads the system installation date and uses it as a unique identifier of the host that is infected and will receive specific commands.\n<ul>\n<li><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-747\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic5-300x37.png\" alt=\"\" width=\"300\" height=\"37\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4>Network Connection<\/h4>\n<p>The sample communicates with the hard-coded C&amp;C server member-daumchk.netai.net, receiving the server&#8217;s commands and uploading the result file to the server.<\/p>\n<p><a 
href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-748\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic6-300x37.png\" alt=\"\" width=\"300\" height=\"37\" \/><\/a><\/p>\n<h3>Function Analysis<\/h3>\n<h4>Preparatory Stage<\/h4>\n<p>The sample sets the software to autostart mode:<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-749\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic7-300x55.png\" alt=\"\" width=\"300\" height=\"55\" \/><\/a><\/p>\n<p>It then drops the main functional module from its resources:<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-750\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic8-300x300.png\" alt=\"\" width=\"300\" height=\"300\" \/><\/a><\/p>\n<h4>Remote Control Code Analysis<\/h4>\n<h5>Keystroke Logging<\/h5>\n<p>The sample sets a keyboard hook for recording keystroke messages:<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-752\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic9-300x47.png\" alt=\"\" width=\"300\" height=\"47\" \/><\/a><\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-751\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic10-250x300.png\" alt=\"\" width=\"250\" height=\"300\" \/><\/a><\/p>\n<p>The keystroke logging data is saved 
in<\/p>\n<blockquote><p><strong>Local Settings\\Packages\\microsoft\\debug.tmp<\/strong>:<\/p><\/blockquote>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-753\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic11-300x142.png\" alt=\"\" width=\"300\" height=\"142\" srcset=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic11-300x142.png 300w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic11-768x363.png 768w, https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic11.png 889w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Remote Communication Module<\/strong><\/p>\n<p>Every 900 seconds, the sample reads specified pages via HTTP GET to receive commands from the C&amp;C server. The GET method uses the system installation date of the host as the unique identifier.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-755\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic12-300x36.png\" alt=\"\" width=\"300\" height=\"36\" \/><\/a><\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-754\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic13-300x50.png\" alt=\"\" width=\"300\" height=\"50\" \/><\/a><\/p>\n<p>The command from the C&amp;C server to the trojan is saved as a temporary file <strong>repaired<\/strong>. 
The trojan reads the command from the file and then deletes the file after executing the command.<\/p>\n<p>Continuing the analysis by following the 10074d0 function, we get the following list of commands:<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-756\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic14-282x300.png\" alt=\"\" width=\"282\" height=\"300\" \/><\/a><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"92\"><strong>Command Character<\/strong><\/td>\n<td width=\"476\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;0&#8217;<\/td>\n<td width=\"476\">Uploads the specified file.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;1&#8217;<\/td>\n<td width=\"476\">Obtains users&#8217; operating system information.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;2&#8217;<\/td>\n<td width=\"476\">Captures screenshots.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;3&#8217;<\/td>\n<td width=\"476\">Traverses the specified directory and all subdirectories.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;4&#8217;<\/td>\n<td width=\"476\">Traverses only the specified directory.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;5&#8217;<\/td>\n<td width=\"476\">Deletes the specified file.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;6&#8217;<\/td>\n<td width=\"476\">Executes a command.<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">&#8216;7&#8217;<\/td>\n<td width=\"476\">Downloads the specified file.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>However, because the C&amp;C server cannot be reached, we have to change the method of obtaining commands and then analyze the format of the commands obtained, which is as follows:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"553\">\n<pre>typedef struct konni_command {\n    BYTE[]  parameter;               \/* variable-length command parameter *\/\n    BYTE    cmdcode;                 \/* command character, &#039;0&#039; to &#039;7&#039; *\/\n    BYTE[6] random;                  \/* six random bytes *\/\n    BYTE[7] id = &quot;xzxzxz\\x00&quot;;       \/* fixed 7-byte marker string *\/\n}<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Modify the sample code to bypass network calls and disable the <strong>Sleep<\/strong> function so that the sample keeps attempting to read commands from the local file <strong>repaired<\/strong>.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-757\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic15-300x183.png\" alt=\"\" width=\"300\" height=\"183\" \/><\/a><\/p>\n<p>Write commands of the preceding format into the local file (random numbers are replaced with spaces).<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-758\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic16-300x74.png\" alt=\"\" width=\"300\" height=\"74\" \/><\/a><\/p>\n<p>Save the file. We can see that the calculator is launched. Repeat the save operation for demonstration purposes (because the local file is deleted as soon as the command is executed, a new save operation creates a file with the specified content in the original directory).<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-759\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic17-300x229.png\" alt=\"\" width=\"300\" height=\"229\" \/><\/a><\/p>\n<p>Command execution results are all saved as temporary files in the <strong>Packages\/microsoft<\/strong> directory.
The sample compresses and encrypts these files and then submits the Base64-encoded data to the server via POST.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-760\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic18-284x300.png\" alt=\"\" width=\"284\" height=\"300\" \/><\/a><\/p>\n<p>The sample encrypts the compressed files by using the RC4 cipher.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-761\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic19-300x274.png\" alt=\"\" width=\"300\" height=\"274\" \/><\/a><\/p>\n<p>The RC4 encryption key is as follows:<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-762\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic20-300x50.png\" alt=\"\" width=\"300\" height=\"50\" \/><\/a><\/p>\n<p>After encryption, the sample uses the Base64 encoder to encode the files.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-763\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic21-300x297.png\" alt=\"\" width=\"300\" height=\"297\" \/><\/a><\/p>\n<p>After the preceding operations, the sample puts all the information into a POST request. 
If the file is small, this POST request will look like a normal login request.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-764\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic22-300x107.png\" alt=\"\" width=\"300\" height=\"107\" \/><\/a><\/p>\n<p>The following is an example of using a command to obtain system information.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-765\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/pic23-300x201.png\" alt=\"\" width=\"300\" height=\"201\" \/><\/a><\/p>\n<h2>Solutions<\/h2>\n<h3>Detection and Protection on the User Side<\/h3>\n<p>Like traditional RATs, KONNI spreads via phishing emails. Therefore, users are advised to do as follows to protect against it:<\/p>\n<ul>\n<li>Block malicious domain names to avoid being controlled by a C&amp;C server.<\/li>\n<\/ul>\n<p><strong>member-daumchk.netai.net<\/strong><\/p>\n<ul>\n<li>Raise the awareness of phishing emails and do not open attachments in emails from unidentifiable sources.<\/li>\n<li>Enable the system firewall or install endpoint protection software such as antivirus software.<\/li>\n<\/ul>\n<h3>NSFOCUS&#8217;s Solution<\/h3>\n<ul>\n<li>Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated from the network and the event impact is minimized. 
After the handling, an event analysis report is provided.<\/li>\n<li>Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to detect this malicious sample in an ongoing manner, thereby securing customers&#8217; systems.<\/li>\n<li>Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>KONNI is a RAT targeting North Korea, mainly used for stealing data. It could cause considerable damage owing to its ability to disclose information. The trojan spreads in a conventional manner, but is hard to detect because it compresses and encrypts data during communication with the C&amp;C server. Currently, it is only present in specific regions and presumably will not be propagated extensively.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South Korea. This RAT spreads mainly through phishing emails.
Specifically, the attacker first tries to have a powershell script executed via an .scr file, and then downloads the malware of an [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":35819,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[6,15],"tags":[],"class_list":["post-6280","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emergency-response","category-research-reports"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nsfocusglobal.com\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2017-08-18T15:42:47+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\" \/>\n<meta name=\"author\" content=\"NSFOCUS\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2017\/08\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"NSFOCUS\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/\"},\"author\":{\"name\":\"NSFOCUS\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and 
Solution\",\"datePublished\":\"2017-08-18T15:42:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/\"},\"wordCount\":1069,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2017\\\/08\\\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\",\"articleSection\":[\"Emergency Response\",\"Research &amp; Reports\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/\",\"name\":\"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution - 
NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2017\\\/08\\\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\",\"datePublished\":\"2017-08-18T15:42:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2017\\\/08\\\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2017\\\/08\\\/Detection-result-of-NSFOCUS-TAC-300x160-1.png\",\"width\":300,\"height\":160,\"caption\":\"File analysis report with threat level.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/remote-access-trojan-konni-targeting-north-korea-technical-analysis-and-solution\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Remote Access Trojan KONNI Targeting North Korea Technical Analysis and 
Solution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"NSFOCUS\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"NSFOCUS\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\
/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/6280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":
"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=6280"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/6280\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/35819"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=6280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=6280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=6280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}