Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution

August 18, 2017 | wangyang2

This July a remote access trojan (RAT) named KONNI was discovered in a cyberattack targeting North Korea, presumably linked to South Korea. The RAT spreads mainly through phishing emails: the attacker first gets a PowerShell script executed via an .scr file, which then downloads the version of the malware appropriate to the victim's system information. After obtaining the RAT sample, NSFOCUS immediately analyzed it and found that the RAT is used mainly to steal data and to execute commands remotely.

Related information can be found at the following link:

http://www.securityweek.com/cyberspies-use-konni-malware-target-north-korea

Detection Result of NSFOCUS TAC

Sample Analysis

Major Functions

The sample is a trojan program that is capable of obtaining system information, logging keystrokes, browsing users’ file directories, remotely downloading files, stealing or deleting specified files, capturing screenshots, and remotely executing commands.

The trojan DLL exhibits network behavior only when injected into a browser, and that traffic is disguised as interaction with ordinary web pages. It can therefore evade detection devices that generate alerts from the analysis of suspicious web traffic.

Behavior Analysis

File Manipulation

  1. The original sample drops its own functional module errorevent.dll to the user’s temporary directory.
  2. The functional module creates the Packages/microsoft/ directory in the user’s Local Settings folder, and generates temporary files for different subfunctions.

For example:

  • The keystroke logging file is debug.tmp.
  • Commands received are temporarily dumped in the file repaired.
  • Screenshots are saved in the file samed.

Except for debug.tmp, these files are deleted once used.

Process Control

The sample injects its own DLL into various processes. If the host process has the same name as one of the following browser processes, the C&C module is called together with the keystroke logging module; otherwise, only the latter is called and the keystroke logging file debug.tmp is generated.

(iexplore.exe|firefox.exe|chrome.exe|psiphon3.exe)

Registry Control

  1. The original sample registers the functional module as a startup item so that it is launched at every system startup, giving the attacker persistent control of the host.
  2. The functional module reads the system installation date and uses it as the unique identifier under which the infected host is addressed with commands.

Network Connection

The sample communicates with the hard-coded C&C server member-daumchk.netai.net, receiving the server’s commands and uploading the result file to the server.

Function Analysis

Preparatory Stage

The sample sets the software to autostart mode:

It then drops the main functional module from its resources:

Remote Control Code Analysis

Keystroke Logging

The sample sets a keyboard hook for recording keystroke messages:

The keystroke logging data is saved in Local Settings\Packages\microsoft\debug.tmp:

Remote Communication Module

Every 900 seconds, the sample reads specified pages via HTTP GET to receive commands from the C&C server. The GET method uses the system installation date of the host as the unique identifier.
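The fixed 900-second polling interval and the hard-coded C&C host are the two observable characteristics of this module that a defender can alert on. The following added example (not code from the original NSFOCUS analysis) scans a few constructed proxy-log lines for GET requests to member-daumchk.netai.net and flags clients whose requests recur at roughly that interval. The log line format, the client addresses and the 5-second jitter tolerance are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not captured traffic) showing one client
# polling the C&C host on the 900-second cadence described in the analysis.
SAMPLE_LOG = """\
2017-08-01T10:00:00Z 10.0.0.5 GET http://member-daumchk.netai.net/ 200
2017-08-01T10:03:11Z 10.0.0.5 GET http://www.example.com/news 200
2017-08-01T10:15:00Z 10.0.0.5 GET http://member-daumchk.netai.net/ 200
2017-08-01T10:30:00Z 10.0.0.5 GET http://member-daumchk.netai.net/ 200
2017-08-01T10:45:01Z 10.0.0.5 GET http://member-daumchk.netai.net/ 200
2017-08-01T11:00:00Z 10.0.0.7 GET http://www.example.com/ 200
"""

C2_HOST = "member-daumchk.netai.net"   # hard-coded C&C host from the analysis
BEACON_SECONDS = 900                   # polling interval from the analysis
TOLERANCE = 5                          # allowed jitter in seconds (assumption)

# Assumed log format: "<ISO timestamp> <client ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client_ip, method, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def hosts_contacting_c2(text):
    """Set of client IPs that made any request to the C&C host."""
    return {ip for _, ip, _, url in parse_log(text) if C2_HOST in url}


def beacon_intervals(text):
    """Per client, the gaps in seconds between consecutive GETs to the C&C host."""
    by_client = defaultdict(list)
    for ts, ip, method, url in parse_log(text):
        if method == "GET" and C2_HOST in url:
            by_client[ip].append(ts)
    return {ip: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for ip, t in by_client.items()}


def periodic_clients(text, period=BEACON_SECONDS, tol=TOLERANCE):
    """Clients whose C&C polling fits the expected cadence within tolerance."""
    flagged = []
    for ip, gaps in beacon_intervals(text).items():
        if gaps and all(abs(g - period) <= tol for g in gaps):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("contacted C&C:", hosts_contacting_c2(SAMPLE_LOG))
    print("intervals:", beacon_intervals(SAMPLE_LOG))
    print("periodic beaconing:", periodic_clients(SAMPLE_LOG))
```

Matching on the domain alone already catches the contact; the interval check adds confidence when the host name has changed but the polling logic has not.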

The command from the C&C server to the trojan is saved in a temporary file named repaired. The trojan reads the command from this file and deletes the file after executing the command.

Continuing the analysis by following the function at 10074d0, we obtain the following list of commands:

Command Character   Description
'0'                 Uploads the specified file.
'1'                 Obtains the user's operating system information.
'2'                 Captures screenshots.
'3'                 Traverses the specified directory and all subdirectories.
'4'                 Traverses only the specified directory.
'5'                 Deletes the specified file.
'6'                 Executes a command.
'7'                 Downloads the specified file.

However, as the C&C server could no longer be reached, we had to change the way the sample obtains commands before we could analyze the format of the commands, which is as follows:

/* Layout of one command as read from the file repaired. The parameter is
   variable-length and comes first, so the fixed 14-byte trailer (cmdcode,
   random, id) is located by working back from the end of the file. */
typedef struct konni_command {
    BYTE parameter[];   /* variable-length argument of the command */
    BYTE cmdcode;       /* command character '0'..'7', see the table above */
    BYTE random[6];     /* six random bytes */
    BYTE id[7];         /* fixed marker "xzxzxz\x00" */
} konni_command;

Modify the sample code to bypass network calls and disable the Sleep function so that the sample keeps attempting to read commands from the local file repaired.

Write commands of the preceding format into the local file (random numbers are replaced with spaces).

When the file is saved, the calculator is launched. The save can be repeated for demonstration purposes: because the local file is deleted as soon as the command is executed, each new save creates a file with the specified content in the original directory.
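The command layout above (variable-length parameter followed by a fixed trailer ending in "xzxzxz\x00") is easy to get wrong when reading a recovered repaired file by hand. The following added example (not code from the original article) parses such a blob from the end, validates the marker and the command character against the table above, and produces a one-line triage string for an analyst's notes. The sample blob is constructed here, with six spaces in place of the random bytes exactly as in the local test described above.

```python
TRAILER_ID = b"xzxzxz\x00"                 # fixed marker from the struct layout
TRAILER_LEN = 1 + 6 + len(TRAILER_ID)       # cmdcode + random + id = 14 bytes

# Command table from the analysis, keyed by the single command character.
COMMANDS = {
    b"0": "upload specified file",
    b"1": "obtain OS information",
    b"2": "capture screenshot",
    b"3": "traverse directory recursively",
    b"4": "traverse directory only",
    b"5": "delete specified file",
    b"6": "execute command",
    b"7": "download specified file",
}


class KonniFormatError(ValueError):
    """Raised when a blob does not match the expected command layout."""


def parse_command(blob: bytes):
    """Split a command blob into (parameter, cmdcode, random, description).

    The parameter has no length field, so the fixed trailer is cut from the end.
    """
    if len(blob) < TRAILER_LEN:
        raise KonniFormatError("blob shorter than the fixed trailer")
    if not blob.endswith(TRAILER_ID):
        raise KonniFormatError("missing xzxzxz marker at end of blob")
    parameter = blob[:-TRAILER_LEN]
    cmdcode = blob[-TRAILER_LEN:-TRAILER_LEN + 1]
    random = blob[-TRAILER_LEN + 1:-len(TRAILER_ID)]
    if cmdcode not in COMMANDS:
        raise KonniFormatError(f"unknown command code {cmdcode!r}")
    return parameter, cmdcode, random, COMMANDS[cmdcode]


def is_valid(blob: bytes) -> bool:
    """True if the blob parses as a well-formed command."""
    try:
        parse_command(blob)
        return True
    except KonniFormatError:
        return False


def triage(blob: bytes) -> str:
    """Human-readable summary: '<code>: <description> -> <parameter>'."""
    parameter, cmdcode, _, desc = parse_command(blob)
    return f"{cmdcode.decode()}: {desc} -> {parameter.decode(errors='replace')}"


# Constructed sample (not captured data): parameter "C:\", command '4'
# (traverse only the specified directory), six spaces for random, then the marker.
SAMPLE_BLOB = b"C:\\" + b"4" + b" " * 6 + TRAILER_ID

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

Because the parameter is unterminated, a parser that reads from the front cannot know where it ends; anchoring on the trailing marker is the only reliable way to split the record.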

Command execution results are all saved as temporary files in the Packages/microsoft directory. The sample compresses and encrypts these files and then submits the Base64-encoded data to the server via POST.

The sample encrypts the compressed files by using the RC4 cipher.

The RC4 encryption key is as follows:

After encryption, the sample uses the Base64 encoder to encode the files.

After the preceding operations, the sample places all the information in a POST request. If the file is small, this POST request looks like a normal login request.
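To recover a result file from a captured upload, an analyst has to undo the layers in reverse order: Base64 decoding, then RC4 decryption, then decompression. The following added example (not code from the original article) implements that decoder. The RC4 key appears in the article's figure and is not reproduced here, so RC4_KEY is a placeholder to be replaced with the key from the sample; the compression algorithm is not named on the page, so the zlib attempt in try_decompress is an assumption and returns None when the data is not zlib.

```python
import base64
import zlib

# Placeholder: substitute the key shown in the article's figure.
RC4_KEY = b"<rc4-key-from-sample>"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Symmetric, so one routine
    both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_upload(field: str, key: bytes = RC4_KEY) -> bytes:
    """Reverse the Base64 and RC4 layers of a captured POST field.
    Returns the still-compressed result file."""
    return rc4(key, base64.b64decode(field))


def encode_upload(compressed: bytes, key: bytes = RC4_KEY) -> str:
    """Forward direction, used here only to build round-trip test data."""
    return base64.b64encode(rc4(key, compressed)).decode("ascii")


def try_decompress(data: bytes):
    """Assumption: the compression is zlib. Returns None if it is not."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


# Constructed result file (not captured data) standing in for the output of
# command '1' (OS information), compressed with the assumed algorithm.
SAMPLE_RESULT = b"OS: Windows 7 (constructed sample)"
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_RESULT)

if __name__ == "__main__":
    field = encode_upload(SAMPLE_COMPRESSED)
    print("captured field:", field)
    print("recovered:", try_decompress(decode_upload(field)))
```

The RC4 routine is verified in the test against the public "Key"/"Plaintext" vector; if a decoded upload does not decompress, the first things to check are the key and the compression assumption rather than the RC4 code.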

The following is an example of using a command to obtain system information.

Solutions

Detection and Protection on the User Side

Like traditional RATs, KONNI spreads via phishing emails. Therefore, users are advised to do as follows to protect against it:

  • Block the malicious domain name member-daumchk.netai.net to avoid being controlled by the C&C server.

  • Raise the awareness of phishing emails and do not open attachments in emails from unidentifiable sources.
  • Enable the system firewall or install endpoint protection software such as antivirus software.

NSFOCUS’s Solution

  • Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated from the network and the event impact is minimized. After the handling, an event analysis report is provided.
  • Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to detect this malicious sample in an ongoing manner, thereby securing customers’ systems.
  • Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).

Conclusion

KONNI is a RAT targeting North Korea, used mainly for stealing data. It can cause considerable damage because of its ability to exfiltrate information. The trojan spreads in a conventional manner but is hard to detect because it compresses and encrypts the data it exchanges with the C&C server. Currently it is present only in specific regions and presumably will not propagate widely.