KONNI

KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.[1] KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.[2][3]

ID: S0356
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | KONNI had a feature to steal data from the clipboard.[1]
Enterprise | T1059 | Command-Line Interface | KONNI can execute arbitrary commands on the infected host using cmd.exe.[1]
Enterprise | T1003 | Credential Dumping | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]
Enterprise | T1081 | Credentials in Files | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]
Enterprise | T1083 | File and Directory Discovery | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[1]
Enterprise | T1107 | File Deletion | KONNI can delete files.[1]
Enterprise | T1056 | Input Capture | KONNI has the capability to perform keylogging.[1]
Enterprise | T1036 | Masquerading | KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[1]
Enterprise | T1086 | PowerShell | KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.[1]
Enterprise | T1105 | Remote File Copy | KONNI can download files and execute them on the victim’s machine.[1]
Enterprise | T1113 | Screen Capture | KONNI can take screenshots of the victim’s machine.[1]
Enterprise | T1023 | Shortcut Modification | A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[1]
Enterprise | T1071 | Standard Application Layer Protocol | KONNI has used HTTP for C2.[1]
Enterprise | T1082 | System Information Discovery | KONNI can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim’s machine.[1]
Enterprise | T1016 | System Network Configuration Discovery | KONNI can collect the IP address from the victim’s machine.[1]
Enterprise | T1033 | System Owner/User Discovery | KONNI can collect the username from the victim’s machine.[1]
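The persistence and masquerading rows above (T1060, T1023, T1036) describe a shortcut dropped into the Startup folder under the name "Anti virus service.lnk". The following PowerShell audit is an added example for defenders and is not part of the ATT&CK entry or any referenced report: it enumerates the per-user and all-users Startup folders, resolves each shortcut's target and arguments through the WScript.Shell COM object, and flags the KONNI-reported name, shortcuts whose target is a script host (the host list is an assumed heuristic, not from the page), and shortcuts whose target no longer exists.

```powershell
# Added example (not from the ATT&CK page): audit Startup-folder shortcuts for
# the name documented for KONNI and for other indicators worth a second look.
# The $scriptHosts list is an assumption chosen for illustration.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$knownBadNames = @('Anti virus service.lnk')   # shortcut name reported for KONNI
$scriptHosts   = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $targetName = [IO.Path]::GetFileName($sc.TargetPath).ToLowerInvariant()
        $reasons = @()
        if ($knownBadNames -contains $lnk.Name) { $reasons += 'name matches KONNI-reported shortcut' }
        if ($scriptHosts -contains $targetName)  { $reasons += "target is script host $targetName" }
        if ($sc.TargetPath -and -not (Test-Path $sc.TargetPath)) { $reasons += 'target path does not exist' }
        [PSCustomObject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            Created   = $lnk.CreationTime
            Flags     = ($reasons -join '; ')
        }
    }
}

# Show every Startup shortcut for review, then warn on the flagged ones
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Flags } | ForEach-Object {
    Write-Warning ("Suspicious startup shortcut: {0} -> {1} {2} [{3}]" -f $_.Shortcut, $_.Target, $_.Arguments, $_.Flags)
}
```

Run it in an elevated session so the all-users folder is readable; the script-host check pairs naturally with the T1086 row, since a shortcut whose target is powershell.exe with a long argument string is the shape the PowerShell-based download-and-execute stage would take.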

References