KONNI evolves into stealthier RAT

KONNI RAT has evolved into a stealthier Remote Administration Tool under the Kimsuky umbrella, with ongoing development and updates aimed at evading detection. The post highlights the major changes (AES-protected strings and support files, a move from rundll32 execution to Windows services, and heavier obfuscation) and explains why security teams should keep tracking KONNI. #KONNI #Kimsuky #KonniRAT #Russia #SouthKorea

Keypoints

  • KONNI RAT is an active, continuously developed RAT associated with the North Korean threat actor network Kimsuky and used against political targets in Russia and South Korea.
  • The attack chain commonly begins with a malicious Office document, triggering a multistage workflow to achieve privilege elevation, evade detection, and deploy KONNI components.
  • Rundll32 execution is no longer supported by new KONNI samples; the DLL is now launched as a registered Windows service, so analysis workflows that load the sample through rundll32 will not work.
  • Strings are now protected with AES encryption, with the key derived from the service name; this defeats string-based static detection and ties correct execution to the name the service was registered under.
  • Support files (.ini, .dat, and others) are also AES-protected, with keys derived from the file names, and the way decrypted data is laid out in memory is designed to complicate memory analysis.
  • Obfuscation and packing (with patterns consistent with VMProtect v3) hinder static analysis: control flow is continuously obfuscated and heavily padded with junk instructions.
  • Despite these changes KONNI remains active; defenders should watch for new variants and updated evasion techniques. Malwarebytes users are protected.
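Because new samples run as a registered service rather than through rundll32, one practical hunt is to review service installation events (System log, Event ID 7045) for images in user-writable directories, images that are proxy-execution binaries, or svchost groups outside the fleet baseline. The script below is an added example and not code from the Malwarebytes post: the event bodies are constructed 7045-style records, and the directory list, LOLBin list and svchost-group baseline are assumptions to be tuned per environment.

```python
"""Flag suspicious service installations (T1569.002 / T1543.003) from
exported Event ID 7045 message bodies.

Added example, not from the original post. Event records are constructed;
path patterns and the svchost baseline are assumptions to tune per fleet.
"""
import re
from dataclasses import dataclass

# Assumption: svchost groups considered normal on the fleet being hunted.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
    "localservicenetworkrestricted", "localservicenonetwork", "dcomlaunch",
    "rpcss", "wsappx", "localserviceandnoimpersonation",
}
# Directories a legitimate service image should not normally live in.
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|temp|tmp|appdata|downloads)\\")
# Proxy-execution binaries rarely used as a genuine service image.
LOLBINS = re.compile(r"(?i)\\(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe\b")
# svchost-hosted services: capture the -k group for baseline comparison.
SVCHOST = re.compile(r"(?i)\\svchost\.exe\s+-k\s+(\S+)")


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    start_type: str
    account: str


def parse_7045(body: str) -> ServiceInstall:
    """Parse a 7045 message body exported as 'Field: value' lines."""
    fields = {}
    for line in body.strip().splitlines():
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip().lower()] = value.strip()
    return ServiceInstall(
        name=fields["service name"],
        image_path=fields["service file name"],
        start_type=fields["service start type"],
        account=fields["service account"],
    )


def assess(ev: ServiceInstall) -> list[str]:
    """Return the list of reasons this installation looks suspicious."""
    reasons = []
    if USER_WRITABLE.search(ev.image_path):
        reasons.append("image path in user-writable directory")
    if LOLBINS.search(ev.image_path):
        reasons.append("image path is a proxy-execution binary")
    m = SVCHOST.search(ev.image_path)
    if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        reasons.append(f"svchost group {m.group(1)!r} not in baseline")
    return reasons


def hunt(bodies: list[str]) -> dict[str, list[str]]:
    """Map service name -> reasons, for every event that raised at least one."""
    findings = {}
    for body in bodies:
        ev = parse_7045(body)
        reasons = assess(ev)
        if reasons:
            findings[ev.name] = reasons
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"""
Service Name: ExampleNetSvc
Service File Name: C:\Windows\System32\svchost.exe -k NetworkService -p
Service Type: user mode service
Service Start Type: auto start
Service Account: NT AUTHORITY\NetworkService
""",
    r"""
Service Name: WinUpdateHelper
Service File Name: C:\ProgramData\Intel\svc.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
""",
    r"""
Service Name: NetworkSyncSvc
Service File Name: C:\Windows\System32\rundll32.exe C:\Users\Public\sync.dll,Start
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
""",
    r"""
Service Name: CoreSvc
Service File Name: C:\Windows\System32\svchost.exe -k CoreSvcGroup
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
""",
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The checks are deliberately baseline-driven rather than signature-driven: a service name, image name or path is cheap for the operator to change, whereas installing a service outside the normal install locations or outside the known svchost groups is the behaviour the new execution method depends on.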

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The attack usually starts leveraging a malicious Office document. [ ‘The attack usually starts leveraging a malicious Office document.’ ]
  • [T1204.002] User Execution – Malicious File – The victim opens the document, initiating a multistage attack. [ ‘When this document is opened by the victim, a multistage attack is started.’ ]
  • [T1569.002] System Services: Service Execution – New KONNI samples are launched through a registered Windows service, replacing the older rundll32-based approach (the service registration itself maps to T1543.003, Create or Modify System Process: Windows Service). [ ‘[The way] the attackers launched KONNI Rat in recent campaigns involves registering a Windows service.’ ]
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Earlier variants were launched through rundll32; new samples no longer support this path. [ ‘rundll is no longer a valid way to execute the sample’ ]
  • [T1027] Obfuscated Files or Information – Strings and support files are AES-protected, and the code is obfuscated and packed, to hinder analysis and detection. [ ‘Strings are now protected using AES’ ]

Indicators of Compromise

  • [SHA-256] A3CD08AFD7317D1619FBA83C109F268B4B60429B4EB7C97FC274F92FF4FE17A2, F702DFDDBC5B4F1D5A5A9DB0A2C013900D30515E69A09420A7C3F6EAAC901B12

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/