New Wave of Phishing Attacks Dropshipping the Konni RAT

Active since at least 2014 but unnoticed for over three years, the Konni remote access trojan (RAT) is back in action, according to a recent warning from the US Cybersecurity and Infrastructure Security Agency (CISA).

What happened?

A new wave of phishing attacks was found delivering the Konni RAT in August 2020.
  • The malware can now log keystrokes, steal files, capture screenshots, collect information about the infected system, and steal credentials from major browsers.
  • The phishing messages use weaponized Microsoft Word documents containing malicious Visual Basic for Applications (VBA) macro code to deploy the KONNI malware.
  • The macro code can change the document's font color from light grey to black (to trick the victim into enabling content), check whether the Windows OS is 32-bit or 64-bit, and run commands to download additional files.
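A triage heuristic for the three macro behaviours just described, added here as an illustration rather than code from the post, from CISA, or from any Konni sample. It assumes the VBA source has already been extracted from the document (for instance with oletools' olevba) and is passed in as text; the regex patterns and the sample macro are constructed for the example.

```python
import re

# Regex heuristics for the macro behaviours described above; constructed for
# illustration, not CISA's Snort rules or any vendor's signatures.
INDICATORS = {
    "font_color_change": [
        r"\.Font\.Color\w*\s*=",              # .Font.Color = / .Font.ColorIndex =
        r"\b(wdBlack|vbBlack|wdColorBlack)\b",
    ],
    "arch_check": [
        r'Environ\s*\(\s*"PROCESSOR_ARCHITE\w*"\s*\)',  # ..._ARCHITECTURE / ..._ARCHITEW6432
        r"\b(SysWOW64|Win64|ProgramW6432)\b",
    ],
    "download_execute": [
        r"\bURLDownloadToFile\w*\b",
        r"\b(MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)\b",
        r"\b(WScript\.Shell|Shell\s*\()",
    ],
}

def score_macro(vba_source: str) -> dict:
    """Return {behaviour: [matched patterns]} for one macro's source text."""
    hits = {}
    for behaviour, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, vba_source, re.IGNORECASE)]
        if matched:
            hits[behaviour] = matched
    return hits

def verdict(hits: dict) -> str:
    """'suspicious' when a download/execute primitive is paired with the lure or
    recon behaviour from this campaign; 'review' for any lone hit; else 'clean'."""
    paired = any(k in hits for k in ("font_color_change", "arch_check"))
    if "download_execute" in hits and paired:
        return "suspicious"
    return "review" if hits else "clean"

# Constructed sample macro mimicking the described chain (not Konni's real code).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    ActiveDocument.Content.Font.Color = wdColorBlack   ' reveal the hidden lure text
    If Environ("PROCESSOR_ARCHITECTURE") = "AMD64" Then
        stage = "<64-bit-stage-placeholder>"
    Else
        stage = "<32-bit-stage-placeholder>"
    End If
    Set sh = CreateObject("WScript.Shell")
    sh.Run "<downloader-command-placeholder> " & stage, 0
End Sub
'''
```

Keyword heuristics like these are a first pass for sorting a mail queue; obfuscated macros will not match them, so a "clean" verdict only means the plain-text indicators were absent.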

The CISA warning

CISA has published an alert on the attacks delivering the Konni Trojan.
  • It also published a list of MITRE ATT&CK techniques associated with the Konni RAT, along with Snort signatures for detecting Konni malware activity.
  • It recommends that users and administrators follow best practices to strengthen the security posture of their organization's systems.

The backstory

Judging from past attacks, the Konni malware authors appear to focus on North Korean affairs.
  • In January 2020, Konni malware and other associated malware were found targeting a U.S. government agency over its ongoing geopolitical relations with North Korea.
  • In 2017, Konni launched campaigns targeting the United Nations, UNICEF, and embassies, all linked to North Korea. The operators also used the Inexsmar malware and lures based on several North Korean affairs to target organizations in North Korea.
  • Researchers found links between the KONNI malware and the NOKKI malware in October 2018, and a link between KONNI attacks and the DarkHotel campaigns against North Korea in August 2017.

In essence

Besides US-based organizations, the Konni malware appears to be geared towards espionage against targets with an interest in North Korean affairs. Going forward, researchers expect new links with other malware families, or even new KONNI variants with additional capabilities and better ways of evading detection.