Security researchers report that the North Korea-linked group behind the Konni RAT has upgraded its techniques and widened its targeting to political institutions in neighbouring countries such as South Korea and Russia.
The new tricks were identified by analysing recently developed Konni RAT samples. According to that analysis, the attack begins with a malicious MS Office document and then proceeds through a multistage chain that ends in the deployment of the RAT.
Past Konni RAT samples contained two branches: one ran the malware as a Windows service, the other handled start-up through 'run[.]dll'. The present samples no longer support the run[.]dll branch.
Older samples used Base64 encoding to evade detection; the new ones use AES encryption. The files the operators drop are also AES-encrypted, something researchers had not seen in earlier Konni campaigns.
Konni RAT is now stealthier with the run[.]dll branch gone: researchers note that without it, automated dynamic analysis of the sample in a sandbox is much less likely to succeed. Files sent to the command-and-control server are encrypted with AES, and the IV is derived from a QueryPerformanceCounter API call.
In addition, file names are built by concatenating two letters that identify the type of data, the current timestamp, and the file's original extension.
The generated name is also used as the AES key, and the resulting request is sent to the command-and-control server. This design ensures that the same file produces a different request every time it is uploaded, so static network signatures cannot be used to spot the activity.
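The following Go program is an added illustration of the upload scheme described above; it is not Konni's code and not the researchers' tooling. It models the three ingredients the report names (a two-letter tag plus timestamp plus extension as the file name, the name used as the AES key, an IV taken from a high-resolution counter) and shows why the same document produces different bytes on the wire each time, and why the name format, rather than the payload, is the stable thing to hunt for. Everything not stated in the report is an assumption made here: the timestamp is rendered as Unix seconds, the key is SHA-256 of the name (the report only says the name is used as the key), CBC mode with PKCS#7 padding is used, and a plain counter stands in for QueryPerformanceCounter.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// makeName builds the per-upload file name: a two-letter data-type tag, the
// current timestamp and the original extension. Rendering the timestamp as
// Unix seconds is an assumption of this example, not something the report states.
func makeName(tag string, ts time.Time, ext string) string {
	return fmt.Sprintf("%s%d%s", tag, ts.Unix(), ext)
}

// keyFromName turns the generated name into a 32-byte AES-256 key. Hashing is
// an assumption: the report only says the name is used as the key.
func keyFromName(name string) []byte {
	sum := sha256.Sum256([]byte(name))
	return sum[:]
}

// counterIV derives a 16-byte IV from a 64-bit counter value, standing in for
// a value read from QueryPerformanceCounter. Only the first 8 bytes vary.
func counterIV(counter uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, counter)
	return iv
}

// pkcs7Pad returns a padded copy of b without modifying the caller's slice.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptUpload produces IV||ciphertext, the blob that would travel to the C2.
func encryptUpload(name string, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(keyFromName(name))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// decryptUpload is what an analyst who recovered the file name from a capture
// could do: rebuild the key from the name and strip the IV prefix.
func decryptUpload(name string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or misaligned")
	}
	block, err := aes.NewCipher(keyFromName(name))
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// Because the payload changes on every upload, a content signature is useless;
// the name structure is the stable artefact. The pattern is tied to the
// Unix-seconds format assumed in makeName above.
var generatedNamePattern = regexp.MustCompile(`^[A-Za-z]{2}\d{10}\.[A-Za-z0-9]{1,5}$`)

func looksLikeGeneratedName(name string) bool {
	return generatedNamePattern.MatchString(name)
}

func main() {
	// Constructed sample document, uploaded twice one minute apart.
	doc := []byte("constructed sample: the same document uploaded twice")
	for i, ts := range []int64{1700000000, 1700000060} {
		name := makeName("DC", time.Unix(ts, 0), ".txt")
		blob, err := encryptUpload(name, counterIV(uint64(i+1)), doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s (flagged=%v) -> %x...\n", name, looksLikeGeneratedName(name), blob[:24])
	}
}
```

Two uploads of the same document differ in both the IV prefix and the ciphertext, because the key changes with the timestamp in the name. The useful defensive observation is the converse: anyone who captures the name alongside the blob holds the key, and the name format itself is a pattern a detection rule can match even though the payload never repeats.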
The Konni RAT operators show no sign of slowing down: they continue to update and upgrade the malware with code changes and new techniques.
Experts believe the group's aim is to evade researchers' analysis by defeating sandboxes and layering several obfuscation mechanisms. Security teams are strongly advised to watch this group closely and strengthen their defences.