Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

KONNI

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)
ID: S0356
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 Jan 2019
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify".(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

.004 Access Token Manipulation: Parent PID Spoofing

KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

KONNI has used HTTP POST for C2.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.(Citation: Talos Konni May 2017)

.009 Boot or Logon Autostart Execution: Shortcut Modification

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.(Citation: Talos Konni May 2017)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

.007 Command and Scripting Interpreter: JavaScript

KONNI has executed malicious JavaScript code.(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

KONNI has registered itself as a service using its export function.(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Talos Konni May 2017)

Enterprise T1132 .001 Data Encoding: Standard Encoding

KONNI has used a custom base64 key to encode stolen data before exfiltration.(Citation: Medium KONNI Jan 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

KONNI has used AES to encrypt C2 traffic.(Citation: Malwarebytes KONNI Evolves Jan 2022)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

KONNI has modified ComSysApp service to load the malicious DLL payload.(Citation: Medium KONNI Jan 2020)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

KONNI has used FTP to exfiltrate reconnaissance data out.(Citation: Medium KONNI Jan 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

KONNI can delete files.(Citation: Talos Konni May 2017)

Enterprise T1056 .001 Input Capture: Keylogging

KONNI has the capability to perform keylogging.(Citation: Talos Konni May 2017)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

KONNI has pretended to be the xmlProv Network Provisioning service.(Citation: Malwarebytes Konni Aug 2021)

.005 Masquerading: Match Legitimate Name or Location

KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.(Citation: Talos Konni May 2017)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

KONNI has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022)

.013 Obfuscated Files or Information: Encrypted/Encoded File

KONNI is heavily obfuscated and includes encrypted configuration files.(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

KONNI has been delivered via spearphishing campaigns through a malicious Word document.(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

KONNI has used Rundll32 to execute its loader for privilege escalation purposes.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Enterprise T1204 .002 User Execution: Malicious File

KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.(Citation: Malwarebytes Konni Aug 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.