KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.[1] KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.[2][3][4]

ID: S0356
Platforms: Windows
Contributors: Doron Karmi, @DoronKarmi
Version: 1.4
Created: 31 January 2019
Last Modified: 03 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

KONNI has bypassed UAC on a host configured with the "AlwaysNotify" UAC setting.[4]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

KONNI has used HTTP for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.[1]

Enterprise T1115 Clipboard Data

KONNI had a feature to steal data from the clipboard.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[1][4]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

KONNI has used a custom base64 key to encode stolen data before exfiltration.[4]
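A base64 scheme with a shuffled alphabet is undone by recovering the 64-byte table from the sample and translating each symbol back to the standard alphabet before decoding. The Python below is an added example for this entry, not code from the page or from KONNI's authors; the alphabet it uses is constructed for illustration and is not the table KONNI uses, which the page does not give.

```python
import base64
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabet for demonstration only; in a real sample the table is the
# 64-byte string the encoder indexes into, recovered from the binary.
SAMPLE_CUSTOM_ALPHABET = (
    string.ascii_uppercase[::-1] + string.ascii_lowercase[::-1] + string.digits[::-1] + "-_"
)


def _validate_alphabet(alphabet: str, pad: str = "=") -> None:
    """A usable alphabet is 64 distinct characters that do not include the pad."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if "=" in alphabet or pad in alphabet:
        raise ValueError("the padding character cannot be part of the alphabet")


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Standard base64, then map every symbol into the custom alphabet."""
    _validate_alphabet(alphabet)
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def custom_b64decode(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Map custom symbols back to the standard alphabet and decode strictly."""
    _validate_alphabet(alphabet, pad)
    data = "".join(data.split())            # tolerate line breaks in carved data
    if pad != "=":
        data = data.replace(pad, "=")       # some encoders swap the pad character too
    translated = data.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    translated += "=" * (-len(translated) % 4)   # restore padding that was stripped
    # validate=True rejects any symbol outside the (translated) standard alphabet,
    # which is the quickest sign that the recovered table is wrong.
    return base64.b64decode(translated, validate=True)


def looks_like_custom_b64(data: str, alphabet: str) -> bool:
    """Cheap triage test: every non-pad symbol of a blob lies in the alphabet."""
    body = "".join(data.split()).rstrip("=")
    # a base64 body can never have length 1 mod 4
    return len(body) > 0 and len(body) % 4 != 1 and set(body) <= set(alphabet)


if __name__ == "__main__":
    blob = custom_b64encode(b"hello", SAMPLE_CUSTOM_ALPHABET)
    print(blob, custom_b64decode(blob, SAMPLE_CUSTOM_ALPHABET))
```

Because `str.translate` maps all characters in a single pass, the custom and standard alphabets may overlap freely; a two-step replace would corrupt symbols that appear in both.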

Enterprise T1140 Deobfuscate/Decode Files or Information

KONNI has used certutil to download and decode base64 encoded strings.[4]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

KONNI has modified the ComSysApp service to load its malicious DLL payload.[4]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

KONNI has used FTP to exfiltrate reconnaissance data.[4]

Enterprise T1083 File and Directory Discovery

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

KONNI can delete files.[1]

Enterprise T1105 Ingress Tool Transfer

KONNI can download files and execute them on the victim’s machine.[1]

Enterprise T1056 .001 Input Capture: Keylogging

KONNI has the capability to perform keylogging.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[1]

Enterprise T1112 Modify Registry

KONNI has modified the registry keys of the ComSysApp service and of svchost on the machine to gain persistence.[4]
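The ComSysApp tampering described under T1546.015 and here can be checked from the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp" /s`. The Python below is an added example, not code from the page or from KONNI's authors. The clean `ImagePath` it expects (dllhost.exe with the COM+ System Application CLSID) is what a default Windows 10 host shows, which is an assumption to confirm against a known-good machine; both `reg query` outputs are constructed, and the DLL path in the tampered one is made up.

```python
import re
from typing import Dict, List

# Constructed `reg query ... /s` output for an untouched service (assumed default values).
CLEAN_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x3
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    ObjectName    REG_SZ    LocalSystem
"""

# Constructed output for a tampered service: host switched to svchost.exe, start type
# set to automatic, and a ServiceDll under a user-writable path added (path is made up).
HIJACKED_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Microsoft\comsysapp.dll
"""

# `reg query` prints values as: <indent>Name<spaces>REG_TYPE<spaces>Data
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s{2,}(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Flatten `reg query /s` output into {"Name": data, "SubKey\\Name": data}."""
    values: Dict[str, str] = {}
    sub = ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            parts = line.strip().split("\\COMSysApp", 1)
            sub = parts[1].lstrip("\\") if len(parts) == 2 else ""
            continue
        m = VALUE_RE.match(line)
        if m:
            name = f"{sub}\\{m.group(1)}" if sub else m.group(1)
            values[name] = m.group(3).strip()
    return values


def _under_system32(path: str) -> bool:
    """True when the path (after expanding %SystemRoot%/%windir%) is in System32."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p.startswith("c:\\windows\\system32\\")


def audit_comsysapp(values: Dict[str, str]) -> List[str]:
    """Return short finding codes for deviations from the expected configuration."""
    findings: List[str] = []
    image = values.get("ImagePath", "")
    if "dllhost.exe" not in image.lower():
        findings.append("imagepath-not-dllhost")
    if "svchost.exe" in image.lower():
        findings.append("imagepath-svchost")        # service re-hosted to load a ServiceDll
    if not _under_system32(image):
        findings.append("imagepath-outside-system32")
    dll = values.get("Parameters\\ServiceDll")
    if dll is not None:
        findings.append("servicedll-present")      # the genuine service has no ServiceDll
        if not _under_system32(dll):
            findings.append("servicedll-outside-system32")
    if values.get("Start", "").lower() in ("0x2", "2"):
        findings.append("start-automatic")         # default is manual (0x3)
    return findings


if __name__ == "__main__":
    print("clean   :", audit_comsysapp(parse_reg_query(CLEAN_REG_QUERY)))
    print("hijacked:", audit_comsysapp(parse_reg_query(HIJACKED_REG_QUERY)))
```

Run it against a real export by feeding the saved `reg query` output to `parse_reg_query`; an empty findings list for a host means only that this one service matches the assumed baseline, so the same shape of check belongs on every service whose `ImagePath` is svchost.exe.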

Enterprise T1057 Process Discovery

KONNI has used tasklist.exe to take a snapshot of the processes running on the target machine.[4]

Enterprise T1113 Screen Capture

KONNI can take screenshots of the victim’s machine.[1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

KONNI has used rundll32 to execute its loader for privilege escalation.[4]

Enterprise T1082 System Information Discovery

KONNI can gather the OS version, architecture, connected drives, hostname, and computer name from the victim's machine, and has used systeminfo.exe to take a snapshot of the system's current state.[1][4]
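Several of the behaviours in this table (certutil decoding under T1140, rundll32 loading a DLL under T1218.011, scripted FTP under T1048.003, PowerShell downloads under T1059.001, and the tasklist/systeminfo reconnaissance under T1057 and T1082) leave the same trace: a signed Windows binary launched with a telling command line. The Python below is an added example of hunting for that pattern over process-creation events; it is not code from the page or from KONNI's authors, the events are constructed rather than real KONNI telemetry, and the heuristics are generic living-off-the-land indicators, not KONNI signatures.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real KONNI telemetry).
# Format: epoch_seconds|pid|ppid|image|command_line
SAMPLE_EVENTS = r"""
1000|4120|3900|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -decode C:\Users\Public\stage.txt C:\Users\Public\stage.dll
1001|4133|4120|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\Public\stage.txt C:\Users\Public\stage.dll
1003|4140|4120|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\stage.dll,Run
1010|4150|4140|C:\Windows\System32\cmd.exe|cmd.exe /c systeminfo > C:\Users\Public\info.txt
1011|4151|4150|C:\Windows\System32\systeminfo.exe|systeminfo
1012|4152|4140|C:\Windows\System32\cmd.exe|cmd.exe /c tasklist /v > C:\Users\Public\tl.txt
1013|4153|4152|C:\Windows\System32\tasklist.exe|tasklist /v
1020|4160|4140|C:\Windows\System32\ftp.exe|ftp -s:C:\Users\Public\up.txt
5000|5001|800|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "%temp%", "%appdata%", "%localappdata%", "%public%")
DISCOVERY = {"systeminfo.exe", "tasklist.exe", "ipconfig.exe", "whoami.exe", "net.exe"}


@dataclass
class Event:
    ts: int
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmd = line.split("|", 4)
        events.append(Event(int(ts), int(pid), int(ppid), image, cmd))
    return events


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(events: List[Event], window: int = 60) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings; recon bursts are attributed to the non-cmd ancestor."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    recon: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        cmd = e.cmdline.lower()
        if e.name == "certutil.exe":
            if "-decode" in cmd:                       # also covers -decodehex
                findings.append(("certutil-decode", e.pid))
            if "-urlcache" in cmd or "-verifyctl" in cmd:
                findings.append(("certutil-download", e.pid))
        elif e.name == "rundll32.exe":
            # first argument up to the comma is the DLL being loaded
            m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', e.cmdline, re.I)
            if m and _user_writable(m.group(1)):
                findings.append(("rundll32-user-writable-dll", e.pid))
        elif e.name in ("powershell.exe", "pwsh.exe"):
            if re.search(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\s-e(nc|ncodedcommand)?\s", cmd):
                findings.append(("powershell-download-or-encoded", e.pid))
        elif e.name == "ftp.exe" and re.search(r"\s-s:", cmd):
            findings.append(("ftp-scripted", e.pid))   # ftp driven by a script file
        elif e.name in DISCOVERY:
            # walk past intermediate cmd.exe instances so separate "cmd /c tool"
            # launches from one parent are grouped together
            anc = e.ppid
            while anc in by_pid and by_pid[anc].name == "cmd.exe":
                anc = by_pid[anc].ppid
            recon[anc].append(e)
    for anc, evs in recon.items():
        evs.sort(key=lambda x: x.ts)
        for i, first in enumerate(evs):
            tools = {x.name for x in evs[i:] if x.ts - first.ts <= window}
            if len(tools) >= 2:
                findings.append(("recon-burst", anc))
                break
    return findings


if __name__ == "__main__":
    for rule, pid in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:30s} pid={pid}")
```

The rundll32 rule keys on where the DLL lives rather than on its name, which is why the benign `shell32.dll` launch in the sample is not flagged; the same location test is what separates a decoded payload dropped under a user profile from the service DLLs that System32 legitimately hosts.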

Enterprise T1016 System Network Configuration Discovery

KONNI can collect the IP address from the victim’s machine.[1]

Enterprise T1033 System Owner/User Discovery

KONNI can collect the username from the victim’s machine.[1]