New variant of Konni RAT used in a campaign that targeted Russia

Researchers from Malwarebytes Labs spotted an ongoing malware campaign that is targeing Russia with the Konni RAT.

Security researchers at Malwarebytes Labs have uncovered an ongoing malware campaign that is mainly targeting Russia with the Konni RAT.

The KONNI RAT was first spotted by Cisco Talos researchers in 2017, it has been undetected since 2014 and was employed in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is able of executing arbitrary code on the target systems and stealing data.

The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.

Malwarebytes experts discovered two weaponized documents written in the Russian language, one using the trade and economic issues between Russia and the Korean Peninsula as a lure. The second document used a meeting of the intergovernmental Russian-Mongolian commission as a lure.

Upon enabling macro it executes the infection chain will start deploying a new variant of Konni RAT that is heavily obfuscated.

“These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one liner command gets the current active document as input and looks for the “^var” string using findstr and then writes the content of the line staring from “var” into y.js. At the end it calls Wscript Shell function to executes the Java Script file (y.js).” reads the analysis published by Malwarebytes. “The clever part is that the actor tried to hide its malicious JS which is the start of its main activities at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.”

Malware researchers noticed multiple differences between this campaign and previous ones orchestrated by the North Korea-linked APT group, including:

• The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content.
• In the new campaign JavaScript files have been used to execute batch and PowerShell files.
• The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file.
• The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique.
• In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration.

Experts observed infections also in other countries, including Japan, Nepal, Mongolia, and Vietnam.

Additional details, including Indicators of Compromise (IoC), are reported in the analysis published by Malwarebytes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Konni RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]