BOOK THIS SPACE FOR AD
ARTICLE ADSo far, Konni RAT has managed to evade detection as only 3 security solutions on VirusTotal were able to detect the malware.
Researchers from Malwarebytes Labs spotted an ongoing malware campaign that is targeing Russia with the Konni RAT.
Security researchers at Malwarebytes Labs have uncovered an ongoing malware campaign that is mainly targeting Russia with the Konni RAT.
The KONNI RAT was first spotted by Cisco Talos researchers in 2017, it has been undetected since 2014 and was employed in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is able of executing arbitrary code on the target systems and stealing data.
The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.
Malwarebytes experts discovered two weaponized documents written in the Russian language, one using the trade and economic issues between Russia and the Korean Peninsula as a lure. The second document used a meeting of the intergovernmental Russian-Mongolian commission as a lure.
Upon enabling macro it executes the infection chain will start deploying a new variant of Konni RAT that is heavily obfuscated.
Malware researchers noticed multiple differences between this campaign and previous ones orchestrated by the North Korea-linked APT group, including:
The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content.In the new campaign JavaScript files have been used to execute batch and PowerShell files.The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file.The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique.In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration.Experts observed infections also in other countries, including Japan, Nepal, Mongolia, and Vietnam.
Additional details, including Indicators of Compromise (IoC), are reported in the analysis published by Malwarebytes.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Konni RAT)