We covered an introduction to logging where we discussed the logic of creating logs and we analyzed Konni RAT Malware which was developed by advanced persisten group APT37 according to MITRE ATT&CK. We performed dynamic malware analysis using Any.run cloud malware analysis sandbox. Konni malware masqureades as word document file which when opened downloads a spyware executable designed to exfitlrate and send machine OS and credentials data to the main C2 server. The malware uses powershell to execute system commands to achieve the aformentioned objectives.

Any.Run Free Profile

Highlights

Since early 2014, Konni, a remote administration tool, has been seen in the wild. Potential ties exist between the Konni malware family and APT37, a North Korean cyber espionage group that has been operational since 2012. Political groups in South Korea, as well as those in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other regions of the Middle East, are the group’s main victims.

What’s possibly more intriguing is that the sample was included in an installer for software that was backdoored into the Russian language. We have already seen this KONNI delivery method, where a sample from 2023 is sent through a backdoored installation for the publicly accessible Russian state-mandated tax filing program “Spravki BK.”

When the document is opened, a yellow prompt bar with the words “Enable Content” and some unclear Russian content appears . Pressing the button starts a VBA script that shows an article titled “Western Assessments of the Progress of the Special Military Operation” in Russian.

Information is retrieved from “OLEFormat.IconLabel” by the VBA script and saved in a temporary folder with the filename “temp.zip.” Following the file’s extraction, the “check.bat” script is executed with the “vbHide” option, ensuring that the batch script runs without displaying a command prompt window to the user. When a threat actor wants to covertly execute a script in the background without causing any visible windows or user interaction, this technique might be quite helpful.

Video Walkthrough | Full Analysis with Any.Run

Any.run, Konni RAT APT37 Malware, Malware analysis

Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles

Dynamic Malware Analysis of Konni RAT Malware APT37 With Any.Run

Leave a Reply Cancel reply

The MasterMinds Notes

About the Author

Other stories

Splunk Search Processing Language | TryHackMe Splunk: Exploring SPL

Introduction to Logging & Logs | TryHackMe Intro to Logs

Press ESC to close

Dynamic Malware Analysis of Konni RAT Malware APT37 With Any.Run

Leave a Reply Cancel reply

The MasterMinds Notes

About the Author

Share Article:

You might also like

Lockbit Ransomware Analysis with ANY.RUN

SOC EXPLAINED | TryHackMe SOC Fundamentals

Google Cyber Security or CompTIA Security+? Here’s What Recruiters Are REALLY Looking For

Other stories

Splunk Search Processing Language | TryHackMe Splunk: Exploring SPL

Introduction to Logging & Logs | TryHackMe Intro to Logs