Regístrese ahora para una mejor cotización personalizada!

Konni remote access Trojan receives 'significant' upgrades

Ene, 27, 2022 Hi-network.com

The Konni Remote Access Trojan (RAT) has recently received "significant" updates, researchers say, who also urge the community to keep a close eye on the malware.  

Recommends

The best antivirus software and apps

A roundup of the best software and apps for Windows and Mac computers, as well as iOS and Android devices, to keep yourself safe from malware and viruses.

Read now

On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware's latest developments, noting that the Trojan is under active development resulting in "major" changes. 

Konni has been detected in the wild for roughly eight years. A report on the malware published by BlackBerry in 2017 said that the malware made use of "basic" anti-analysis techniques and was employed for surveillance purposes, rather than the typical financial attacks often linked to RATs. 

Past campaigns have hinted strongly at a link with North Korea. Phishing documents used to spread the Trojan tend to have themes connected to the Hermit Kingdom, including content relating to missile capabilities, hydrogen bombs, and articles copied from the Yonhap news agency that talked about the country.

The attached documents contained the payload, and once executed on a vulnerable Windows machine, Konni would gather data through file grabs, keystroke logs, and screen capturing. 

Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States. 

According to Malwarebytes, the old Trojan has now evolved into a "stealthier" version of itself. New samples show that the phishing attack vector has primarily stayed the same -with the payload deployed through malicious Office documents -- but the Trojan, a .DLL file linked to a .ini file, now contains revised functionality.

Older versions of the RAT relied on two branches to execute using a Windows service: svchost.exe and rundll32.exe strings. 

Malwarebytes explained: "New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages."

The malware has also transitioned from base64 encoding to AES encryption to protect its strings and for obfuscation purposes. In addition, Konni now utilizes AES when configuration and support files are dropped -- such as the .ini file that contains the command-and-control (C2) server address -- as well as when files are sent to the C2.

Some recent Konni samples also used a previously-unknown packer, but threat data collected by the cybersecurity firm suggests it may have been left out of real-world scenarios. 

"As we have seen, Konni is far from being abandoned," Malwarebytes commented. "The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted."

Earlier this month, Cisco Talos documented a recent campaign in which vendors' cloud infrastructure, including Microsoft Azure and Amazon Web Services (AWS), was being abused to spread commercial RATs. 

Strains including Nanocore, Netwire, and AsyncRAT were being deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages. 

Previous and related coverage

  • This dangerous mobile Trojan has stolen a fortune from over 10 million victims.
  • New banking Trojan SharkBot makes waves across Europe, the US.
  • Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse.

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0


Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Etiquetas calientes: tecnología seguridad

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.