We covered an introduction to logging, where we discussed the logic of creating logs, and we analyzed the Konni RAT malware, which according to MITRE ATT&CK was developed by the advanced persistent threat group APT37. We performed dynamic malware analysis using the Any.run cloud malware analysis sandbox. Konni masquerades as a Word document which, when opened, downloads a spyware executable designed to collect machine OS and credential data and exfiltrate it to the main C2 server. The malware uses PowerShell to execute system commands to achieve the aforementioned objectives.
Highlights
Since early 2014, Konni, a remote administration tool, has been seen in the wild. Potential ties exist between the Konni malware family and APT37, a North Korean cyber espionage group that has been operational since 2012. Political groups in South Korea, as well as those in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other regions of the Middle East, are the group’s main victims.
What is possibly more intriguing is that the sample was delivered inside a backdoored installer for Russian-language software. We have already seen this KONNI delivery method: a 2023 sample was distributed through a backdoored installer for the publicly available, Russian state-mandated tax filing program “Spravki BK.”
When the document is opened, a yellow prompt bar with the words “Enable Content” and some unclear Russian text appears. Pressing the button starts a VBA script that shows an article titled “Western Assessments of the Progress of the Special Military Operation” in Russian.
The VBA script retrieves data from “OLEFormat.IconLabel” and saves it to a temporary folder under the filename “temp.zip.” After the archive is extracted, the “check.bat” script is executed with the “vbHide” option, so the batch script runs without displaying a command prompt window to the user. This technique is useful to a threat actor who wants to execute a script covertly in the background, with no visible window and no user interaction.
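The execution chain described above (Word launching a hidden batch script from the temp folder, followed by PowerShell commands) leaves a clear footprint in process-creation telemetry. The following is an added detection example written for this write-up; it is not code from Any.run or from the malware itself. It runs simple rules over a few constructed process-creation events in the style of Sysmon Event ID 1 (parent image, image, command line), and separately checks VBA source for the indicators named in the text (`OLEFormat.IconLabel`, `temp.zip`, `vbHide`). The event values, the constructed macro lines, and the field names on the `ProcessEvent` class are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass

# Office applications that should rarely spawn a command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Common user/system temp locations on Windows, matched case-insensitively.
TEMP_DIR_RE = re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)", re.I)
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)
# Real PowerShell switches: -WindowStyle Hidden (and its short forms) and
# -EncodedCommand (and its short forms) followed by a base64 blob.
PS_HIDDEN_RE = re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)
PS_ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

# Strings from the macro behaviour described in the write-up (lower-cased).
VBA_INDICATORS = {
    "oleformat.iconlabel": "reads data hidden in an OLE object's icon label",
    "temp.zip": "drops an archive into the temp folder",
    "vbhide": "Shell() called with the window hidden",
}


@dataclass
class ProcessEvent:
    """Reduced process-creation record (assumed field names)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of rule names that fire on one event (empty if benign)."""
    reasons = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")
        if TEMP_DIR_RE.search(ev.command_line) and BATCH_RE.search(ev.command_line):
            reasons.append("batch_from_temp")
    if child in {"powershell.exe", "pwsh.exe"}:
        if PS_HIDDEN_RE.search(ev.command_line):
            reasons.append("powershell_hidden_window")
        if PS_ENCODED_RE.search(ev.command_line):
            reasons.append("powershell_encoded_command")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that triggered at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


def vba_indicators(vba_source: str) -> list[str]:
    """Names of the macro indicators present in a VBA source listing."""
    low = vba_source.lower()
    return [name for name in VBA_INDICATORS if name in low]


# Constructed sample events: the first two mimic the chain in the write-up,
# the last two are benign noise a detector must not flag.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\check.bat"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

# Constructed macro fragment containing the three indicators from the text.
SAMPLE_VBA = """
Sub AutoOpen()
    Dim payload As String
    payload = ActiveDocument.InlineShapes(1).OLEFormat.IconLabel
    ' ... writes the decoded payload to temp.zip and extracts it ...
    Shell Environ("TEMP") & "\\check.bat", vbHide
End Sub
"""

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
    print("macro indicators:", vba_indicators(SAMPLE_VBA))
```

The two rules worth keeping even in a noisy environment are `office_spawned_script_host` and `batch_from_temp`: together they describe exactly the hidden `check.bat` launch, and legitimate Word add-ins almost never do that. The PowerShell rules are broader and will need tuning against the administrative scripts in your own estate.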
Video Walkthrough | Full Analysis with Any.Run