How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely
By |
How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely Read More »
Original release date: August 14, 2020
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.
KONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code (Phishing: Spearphising Attachment [T1566.001]). The malicious code can change the font color from light grey to black (to fool the user to enable content), check if the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (Command and Scripting Interpreter: Windows Command Shell [T1059.003]).
Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe
into a temp directory and renames it to evade detection.
The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.
According to MITRE, KONNI uses the ATT&CK techniques listed in table 1.
Table 1: KONNI ATT&CK techniques
Technique | Use |
---|---|
System Network Configuration Discovery [T1016] |
KONNI can collect the Internet Protocol address from the victim’s machine. |
System Owner/User Discovery [T1033] |
KONNI can collect the username from the victim’s machine. |
Masquerading: Match Legitimate Name or Location [T1036.005] |
KONNI creates a shortcut called |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003] |
KONNI has used File Transfer Protocol to exfiltrate reconnaissance data out. |
Input Capture: Keylogging [T1056.001] |
KONNI has the capability to perform keylogging. |
Process Discovery [T1057] |
KONNI has used |
Command and Scripting Interpreter: PowerShell [T1059.001] |
KONNI used PowerShell to download and execute a specific 64-bit version of the malware. |
Command and Scripting Interpreter: Windows Command Shell [T1059.003] |
KONNI has used |
Indicator Removal on Host: File Deletion [T1070.004] |
KONNI can delete files. |
Application Layer Protocol: Web Protocols [T1071.001] |
KONNI has used Hypertext Transfer Protocol for command and control. |
System Information Discovery [T1082] |
KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim’s machine and has used |
File and Directory Discovery [T1083] |
A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together. |
Ingress Tool Transfer [T1105] |
KONNI can download files and execute them on the victim’s machine. |
Modify Registry [T1112] |
KONNI has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence. |
Screen Capture [T1113] |
KONNI can take screenshots of the victim’s machine. |
Clipboard Data [T1115] |
KONNI had a feature to steal data from the clipboard. |
Data Encoding: Standard Encoding [T1132.001] |
KONNI has used a custom base64 key to encode stolen data before exfiltration. |
Access Token Manipulation: Create Process with Token [T1134.002] |
KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user. |
Deobfuscate/Decode Files or Information [T1140] |
KONNI has used CertUtil to download and decode base64 encoded strings. |
Signed Binary Proxy Execution: Rundll32 [T1218.011] |
KONNI has used Rundll32 to execute its loader for privilege escalation purposes. |
Event Triggered Execution: Component Object Model Hijacking [T1546.015] |
KONNI has modified ComSysApp service to load the malicious DLL payload. |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] |
A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence. |
Boot or Logon Autostart Execution: Shortcut Modification [T1547.009] |
A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence. |
Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002] |
KONNI bypassed User Account Control with the “AlwaysNotify” settings. |
Credentials from Password Stores: Credentials from Web Browsers [T1555.003] |
KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera. |
CISA developed the following Snort signatures for use in detecting KONNI malware exploits.
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^/wegetx2f(?:upload|uploadtm|download).php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops.”
This product is provided subject to this Notification and this Privacy & Use policy.
How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely Read More »
AA21-055A: Exploitation of Accellion File Transfer Appliance Read More »
AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware Read More »
How IT Consulting Companies Can Help Overcome Technology Challenges Read More »
AA21-042A: Compromise of U.S. Water Treatment Facility Read More »
Pros and Cons Of Outsourcing Your IT Support To A Managed Services Provider Read More »