KONNI
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify".(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
| Enterprise | T1134 | .002 | Access Token Manipulation: Create Process with Token |
KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
| .004 | Access Token Manipulation: Parent PID Spoofing |
KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.(Citation: Malwarebytes Konni Aug 2021) |
||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
KONNI has used HTTP POST for C2.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.(Citation: Talos Konni May 2017) |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.(Citation: Talos Konni May 2017) |
||
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
KONNI used PowerShell to download and execute a specific 64-bit version of the malware.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
||
| .007 | Command and Scripting Interpreter: JavaScript |
KONNI has executed malicious JavaScript code.(Citation: Malwarebytes Konni Aug 2021) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
KONNI has registered itself as a service using its export function.(Citation: Malwarebytes Konni Aug 2021) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Talos Konni May 2017) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
KONNI has used a custom base64 key to encode stolen data before exfiltration.(Citation: Medium KONNI Jan 2020) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
KONNI has used AES to encrypt C2 traffic.(Citation: Malwarebytes KONNI Evolves Jan 2022) |
| Enterprise | T1546 | .015 | Event Triggered Execution: Component Object Model Hijacking |
KONNI has modified ComSysApp service to load the malicious DLL payload.(Citation: Medium KONNI Jan 2020) |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
KONNI has used FTP to exfiltrate reconnaissance data out.(Citation: Medium KONNI Jan 2020) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
KONNI can delete files.(Citation: Talos Konni May 2017) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
KONNI has the capability to perform keylogging.(Citation: Talos Konni May 2017) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
KONNI has pretended to be the xmlProv Network Provisioning service.(Citation: Malwarebytes Konni Aug 2021) |
| .005 | Masquerading: Match Legitimate Name or Location |
KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.(Citation: Talos Konni May 2017) |
||
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
KONNI has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
KONNI has been delivered via spearphishing campaigns through a malicious Word document.(Citation: Malwarebytes Konni Aug 2021) |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
KONNI has used Rundll32 to execute its loader for privilege escalation purposes.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.(Citation: Malwarebytes Konni Aug 2021) |
References
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.