win.konni

Konni


Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber-espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2021-08-20 | Malwarebytes | Hossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14 | Department of Homeland Security | US-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-04 | Medium d-hunter | Doron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19 | EST Security | East Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13 | Kaspersky Labs | GReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15 | Fortinet | Jasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07 | vallejo.cc | vallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20211008 | Detects win.konni.)
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) on reading the strings below:
     * - YARA matches only the hex pattern of each $sequence_N (?? is a one-byte
     *   wildcard). The "n = ..., score = ..." line and the mnemonic column are
     *   generator annotations and have no effect on matching.
     * - "score" is emitted by yara-signator; presumably a higher value means the
     *   sequence was found in more of the reference samples — confirm against the
     *   yara-signator documentation before using it to weight alerts.
     * - The mnemonic column of $sequence_26 through $sequence_39 does not decode
     *   the bytes beside it: e.g. 5e is "pop esi" in $sequence_8 but is annotated
     *   "mov dword ptr [ecx + 0xf88], eax" in $sequence_26, and 50 is "push eax"
     *   in $sequence_11 but "dec esp" in $sequence_38. Several of these sequences
     *   start with 0x48/0x4c/0x41/0x44 bytes and carry bare "dec eax"/"dec esp"/
     *   "inc ecx" entries, which looks like x86-64 code (REX prefixes) that was
     *   disassembled in 32-bit mode — TODO confirm. Treat the hex as authoritative
     *   and re-disassemble before quoting a mnemonic from this column.
     * - The mnemonics of $sequence_9 and $sequence_10 were re-derived from the
     *   identical opcodes annotated elsewhere in this rule (6a xx = push imm8,
     *   68 xx xx xx xx = push imm32, 50 = push eax); the hex is unchanged.
     */

    strings:
        $sequence_0 = { 8bec 83ec24 a1???????? 33c5 8945fc 8b0d???????? }
            // n = 6, score = 800
            //   8bec                 | mov                 ebp, esp
            //   83ec24               | sub                 esp, 0x24
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b0d????????         |                     

        $sequence_1 = { 83e601 8970ec d0f9 0fbef1 d0f9 }
            // n = 5, score = 800
            //   83e601               | and                 esi, 1
            //   8970ec               | mov                 dword ptr [eax - 0x14], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1

        $sequence_2 = { 8945fc 8b450c 53 56 57 8b7d10 8985f4feffff }
            // n = 7, score = 800
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8985f4feffff         | mov                 dword ptr [ebp - 0x10c], eax

        $sequence_3 = { 03d6 8d3402 81e6ff000080 7908 4e }
            // n = 5, score = 800
            //   03d6                 | add                 edx, esi
            //   8d3402               | lea                 esi, dword ptr [edx + eax]
            //   81e6ff000080         | and                 esi, 0x800000ff
            //   7908                 | jns                 0xa
            //   4e                   | dec                 esi

        $sequence_4 = { 0f84f1000000 0f88eb000000 83f801 7508 66c745f50000 eb09 83f802 }
            // n = 7, score = 800
            //   0f84f1000000         | je                  0xf7
            //   0f88eb000000         | js                  0xf1
            //   83f801               | cmp                 eax, 1
            //   7508                 | jne                 0xa
            //   66c745f50000         | mov                 word ptr [ebp - 0xb], 0
            //   eb09                 | jmp                 0xb
            //   83f802               | cmp                 eax, 2

        $sequence_5 = { 81ce00ffffff 46 8a9435f8feffff 88940df8feffff 41 }
            // n = 5, score = 800
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8a9435f8feffff       | mov                 dl, byte ptr [ebp + esi - 0x108]
            //   88940df8feffff       | mov                 byte ptr [ebp + ecx - 0x108], dl
            //   41                   | inc                 ecx

        $sequence_6 = { 8a940df8feffff 8d8c0df8feffff 0fb6da 03f3 81e6ff000080 }
            // n = 5, score = 800
            //   8a940df8feffff       | mov                 dl, byte ptr [ebp + ecx - 0x108]
            //   8d8c0df8feffff       | lea                 ecx, dword ptr [ebp + ecx - 0x108]
            //   0fb6da               | movzx               ebx, dl
            //   03f3                 | add                 esi, ebx
            //   81e6ff000080         | and                 esi, 0x800000ff

        $sequence_7 = { 6a3d 68???????? 53 e8???????? 53 }
            // n = 5, score = 800
            //   6a3d                 | push                0x3d
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_8 = { 8b4dfc 33cd b801000000 5e e8???????? 8be5 5d }
            // n = 7, score = 600
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_9 = { 6a01 ff15???????? 50 a3???????? }
            // n = 4, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_10 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_11 = { 50 038594040000 59 0bc9 89851a040000 61 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   038594040000         | add                 eax, dword ptr [ebp + 0x494]
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               

        $sequence_12 = { 899d94040000 0f85d7030000 8d85a0040000 50 ff95b50f0000 }
            // n = 5, score = 200
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd
            //   8d85a0040000         | lea                 eax, dword ptr [ebp + 0x4a0]
            //   50                   | push                eax
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]

        $sequence_13 = { 03dd 81eb00200200 83bd9404000000 899d94040000 0f85d7030000 }
            // n = 5, score = 200
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd

        $sequence_14 = { 52 8d85f8feffff 50 ffd6 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_15 = { c745e030614000 817de034614000 7311 8b45e0 8b00 }
            // n = 5, score = 200
            //   c745e030614000       | mov                 dword ptr [ebp - 0x20], 0x406130
            //   817de034614000       | cmp                 dword ptr [ebp - 0x20], 0x406134
            //   7311                 | jae                 0x13
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_16 = { e8???????? 8b4e08 33db 56 e8???????? 8a9c30c2c44600 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]

        $sequence_17 = { 0bc9 89851a040000 61 7508 b801000000 c20c00 }
            // n = 6, score = 200
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa
            //   b801000000           | mov                 eax, 1
            //   c20c00               | ret                 0xc

        $sequence_18 = { 6a00 6a00 ff15???????? 68d0070000 ff15???????? 8b4dfc }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_19 = { 56 e8???????? 8a9435dec44600 5e }
            // n = 4, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi

        $sequence_20 = { ffd6 68???????? 8d8df0faffff 51 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, dword ptr [ebp - 0x510]
            //   51                   | push                ecx

        $sequence_21 = { 8b5dd0 ebab c745e428614000 817de42c614000 7311 8b45e4 }
            // n = 6, score = 200
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128
            //   817de42c614000       | cmp                 dword ptr [ebp - 0x1c], 0x40612c
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_22 = { a3???????? a1???????? c705????????58214000 8935???????? a3???????? ff15???????? }
            // n = 6, score = 200
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????58214000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     

        $sequence_23 = { e8???????? 8a9c30c2c44600 5e 83f908 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]
            //   5e                   | pop                 esi
            //   83f908               | cmp                 ecx, 8

        $sequence_24 = { 8a8c30dec44600 5e bb01000000 83c604 }
            // n = 4, score = 200
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1
            //   83c604               | add                 esi, 4

        $sequence_25 = { ffd6 8b35???????? 8d95f0faffff 52 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   8b35????????         |                     
            //   8d95f0faffff         | lea                 edx, dword ptr [ebp - 0x510]
            //   52                   | push                edx

        $sequence_26 = { 8b0cf59c840010 5e 8908 c3 81f9bc000000 }
            // n = 5, score = 100
            //   8b0cf59c840010       | dec                 eax
            //   5e                   | mov                 dword ptr [ecx + 0xf88], eax
            //   8908                 | dec                 ecx
            //   c3                   | mov                 ecx, edi
            //   81f9bc000000         | dec                 eax

        $sequence_27 = { 737d 488bdf 488bf7 48c1fe05 4c8d2572f50000 83e31f }
            // n = 6, score = 100
            //   737d                 | lea                 ecx, dword ptr [ecx + 2]
            //   488bdf               | dec                 esp
            //   488bf7               | lea                 eax, dword ptr [0x1f26f]
            //   48c1fe05             | xor                 edx, edx
            //   4c8d2572f50000       | dec                 eax
            //   83e31f               | lea                 ecx, dword ptr [esp + 0x28]

        $sequence_28 = { e8???????? 817e0401010000 7516 668325????????00 837e0811 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   817e0401010000       | arpl                ax, ax
            //   7516                 | dec                 esp
            //   668325????????00     |                     
            //   837e0811             | lea                 ecx, dword ptr [0xffff3e50]

        $sequence_29 = { 48837b1011 7507 66892d???????? 817b0804020000 488b6c2450 7532 }
            // n = 6, score = 100
            //   48837b1011           | nop                 
            //   7507                 | dec                 eax
            //   66892d????????       |                     
            //   817b0804020000       | mov                 dword ptr [esp + 0x28], edi
            //   488b6c2450           | jae                 0x7f
            //   7532                 | dec                 eax

        $sequence_30 = { 4c89642458 4c8d2576f20100 448d4902 4c8d056ff20100 33d2 }
            // n = 5, score = 100
            //   4c89642458           | xor                 eax, esp
            //   4c8d2576f20100       | dec                 eax
            //   448d4902             | mov                 dword ptr [esp + 0x680], eax
            //   4c8d056ff20100       | dec                 esp
            //   33d2                 | mov                 dword ptr [esp + 0x58], esp

        $sequence_31 = { 750f e8???????? e8???????? eb03 8b7510 }
            // n = 5, score = 100
            //   750f                 | cmp                 eax, -2
            //   e8????????           |                     
            //   e8????????           |                     
            //   eb03                 | je                  0x28
            //   8b7510               | dec                 esp

        $sequence_32 = { 57 4881ec90060000 488b05???????? 4833c4 4889842480060000 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   4881ec90060000       | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | sub                 esp, 0x690
            //   4889842480060000     | dec                 eax

        $sequence_33 = { 488d4c2428 e8???????? 90 48897c2428 488b05???????? }
            // n = 5, score = 100
            //   488d4c2428           | dec                 esp
            //   e8????????           |                     
            //   90                   | lea                 esp, dword ptr [0x1f276]
            //   48897c2428           | inc                 esp
            //   488b05????????       |                     

        $sequence_34 = { 4533d2 488989800f0000 488d81e8090000 4c8d05e66f0100 4c8d0d5f700100 488981880f0000 }
            // n = 6, score = 100
            //   4533d2               | lea                 esp, dword ptr [0xf572]
            //   488989800f0000       | and                 ebx, 0x1f
            //   488d81e8090000       | dec                 eax
            //   4c8d05e66f0100       | cmp                 dword ptr [ebx + 0x10], 0x11
            //   4c8d0d5f700100       | jne                 0xe
            //   488981880f0000       | cmp                 dword ptr [ebx + 8], 0x204

        $sequence_35 = { 498bcf 488bfb 66f2af 48f7d1 48ffc9 7411 488d4c2460 }
            // n = 7, score = 100
            //   498bcf               | dec                 eax
            //   488bfb               | mov                 ebp, dword ptr [esp + 0x50]
            //   66f2af               | jne                 0x40
            //   48f7d1               | js                  0x11d
            //   48ffc9               | inc                 ecx
            //   7411                 | cmp                 ebx, 1
            //   488d4c2460           | jne                 0xd

        $sequence_36 = { 0f8817010000 4183fb01 750b 664489a424a1000000 eb17 0fb68424a2000000 }
            // n = 6, score = 100
            //   0f8817010000         | mov                 ebx, edi
            //   4183fb01             | dec                 eax
            //   750b                 | mov                 esi, edi
            //   664489a424a1000000     | dec    eax
            //   eb17                 | sar                 esi, 5
            //   0fb68424a2000000     | dec                 esp

        $sequence_37 = { 8b7510 817e0400010000 5b 7532 66c705????????0100 837e0811 }
            // n = 6, score = 100
            //   8b7510               | dec                 eax
            //   817e0400010000       | dec                 ecx
            //   5b                   | je                  0x1f
            //   7532                 | dec                 eax
            //   66c705????????0100     |     
            //   837e0811             | lea                 ecx, dword ptr [esp + 0x60]

        $sequence_38 = { c705????????01000000 50 a3???????? e8???????? 8db6c4880010 bf???????? }
            // n = 6, score = 100
            //   c705????????01000000     |     
            //   50                   | dec                 esp
            //   a3????????           |                     
            //   e8????????           |                     
            //   8db6c4880010         | lea                 ecx, dword ptr [0x1705f]
            //   bf????????           |                     

        $sequence_39 = { 8d0500a00010 83780800 753b b0ff }
            // n = 4, score = 100
            //   8d0500a00010         | mov                 edi, ebx
            //   83780800             | repne scasd         eax, dword ptr es:[edi]
            //   753b                 | dec                 eax
            //   b0ff                 | not                 ecx

    /* Fires when at least 7 of the 40 $sequence_* patterns above are present and
     * the scanned object is smaller than 330752 bytes (323 KiB). NOTE(review):
     * filesize is the size of the scanned file; its behaviour in process-memory
     * scans differs — confirm for your scan mode before relying on the bound. */
    condition:
        7 of them and filesize < 330752
}