lazarusholic

Everyday is lazarus.dayβ

A Look Into Konni 2019 Campaign

2020-01-05, d-hunter
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
#Konni

Contents

A Look Into Konni 2019 Campaign
Konni is a remote administration tool observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber-espionage group active since 2012. The group's primary victims are South Korean political organizations, along with targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
The latest activities leveraging the Konni malware family potentially target political organizations and politically motivated victims in Russia and South Korea. During my research, I observed three distinct campaigns during 2019, from January to late September.
The Konni infection chain consists of multiple stages and relies on living-off-the-land binaries throughout its operation: certutil.exe to download additional files and decode their content, and sc.exe and reg.exe for persistence.
These campaigns leverage similar C2 infrastructure for delivery and a specific free FTP service used to exfiltrate the stolen data from the …

IoC
