KONNI

KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.[1] KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.[2][3]

ID: S0356
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data

KONNI had a feature to steal data from the clipboard.[1]

Enterprise T1059 Command-Line Interface

KONNI can execute arbitrary commands on the infected host using cmd.exe.[1]

Enterprise T1003 Credential Dumping

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]

Enterprise T1503 Credentials from Web Browsers

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]

Enterprise T1083 File and Directory Discovery

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[1]

Enterprise T1107 File Deletion

KONNI can delete files.[1]

Enterprise T1056 Input Capture

KONNI has the capability to perform keylogging.[1]

Enterprise T1036 Masquerading

KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[1]

Enterprise T1086 PowerShell

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.[1]

Enterprise T1105 Remote File Copy

KONNI can download files and execute them on the victim’s machine.[1]

Enterprise T1113 Screen Capture

KONNI can take screenshots of the victim’s machine.[1]

Enterprise T1023 Shortcut Modification

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[1]
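A defender-side check for the behaviour described under Masquerading, Registry Run Keys / Startup Folder and Shortcut Modification above: a shortcut named "Anti virus service.lnk" dropped into a Startup folder for persistence. This is an added example, not part of the ATT&CK entry or of any cited report. The directory listing it scans is constructed, the security-themed vocabulary and the "user-writable target" rule are assumed heuristics, and on a live host the (path, target) pairs would come from enumerating the per-user and all-users Startup folders and resolving each .lnk.

```python
"""Flag masqueraded shortcuts in Windows Startup folders.

Added example for the KONNI ATT&CK entry; not code from the page or from any
KONNI analysis. Runs offline over a constructed listing of (path, target).
"""
import ntpath
import re
from dataclasses import dataclass

# Standard Windows Startup folder locations. The per-user form is matched as
# a suffix so it applies to any profile directory.
USER_STARTUP_SUFFIX = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALL_USERS_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Shortcut name the ATT&CK page attributes to KONNI (matched case-insensitively).
KNOWN_BAD_NAMES = {"anti virus service.lnk"}

# Vocabulary a masquerading shortcut tends to borrow. Assumed heuristic, not
# taken from the page.
SECURITY_WORDS = re.compile(r"anti[\s_-]?virus|defender|security|update|service", re.I)

# Target directories that a legitimate security service would not normally
# run from. Assumed heuristic.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    path: str
    reason: str
    severity: str


def is_startup_path(path: str) -> bool:
    """True when the path lies inside a per-user or all-users Startup folder."""
    p = path.lower().replace("/", "\\")
    return p.startswith(ALL_USERS_STARTUP.lower() + "\\") or \
        (USER_STARTUP_SUFFIX.lower() + "\\") in p


def check_startup_shortcuts(listing):
    """listing: iterable of (path, target) where target is the resolved
    shortcut target, or None when it could not be resolved.
    Returns a list of Finding, one per suspicious Startup-folder .lnk."""
    findings = []
    for path, target in listing:
        # ntpath handles backslash paths regardless of the host OS.
        name = ntpath.basename(path)
        if not name.lower().endswith(".lnk") or not is_startup_path(path):
            continue  # only Startup-folder shortcuts are in scope here
        if name.lower() in KNOWN_BAD_NAMES:
            findings.append(Finding(path, "name matches KONNI shortcut reported in ATT&CK", "high"))
            continue
        target_l = (target or "").lower()
        unresolved = target_l == ""
        writable = any(m in target_l for m in USER_WRITABLE_MARKERS)
        if SECURITY_WORDS.search(name) and (writable or unresolved):
            findings.append(Finding(path, "security-themed name with user-writable or unresolved target", "medium"))
    return findings


# Constructed sample listing: two masqueraded persistence shortcuts, one
# benign Office shortcut, and one look-alike outside any Startup folder.
SAMPLE_LISTING = [
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Anti virus service.lnk",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security Update.lnk",
     r"C:\Users\alice\AppData\Roaming\upd\upd.exe"),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk",
     r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE"),
    (r"C:\Users\alice\Desktop\Anti virus service.lnk",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for f in check_startup_shortcuts(SAMPLE_LISTING):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

The exact-name match is a weak indicator on its own, since the name is trivial to change; the second rule (a security-themed shortcut whose target resolves into a user-writable directory) is the one that generalizes, and in practice it belongs beside monitoring for new files written to the Startup folders rather than as a one-off scan.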

Enterprise T1071 Standard Application Layer Protocol

KONNI has used HTTP for C2.[1]

Enterprise T1082 System Information Discovery

KONNI can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim’s machine.[1]

Enterprise T1016 System Network Configuration Discovery

KONNI can collect the IP address from the victim’s machine.[1]

Enterprise T1033 System Owner/User Discovery

KONNI can collect the username from the victim’s machine.[1]

References