KONNI: A Malware Under The Radar For Years
This blog was authored by Paul Rascagneres
Executive Summary
Talos has discovered a previously unknown Remote Administration Tool (RAT) that we believe has been in use for over three years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, log keystrokes, take screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.
Throughout the multiple campaigns observed over the last three years, the actor has used an email attachment as the initial infection vector. Additional social engineering then prompts the target to open a .scr file, which displays a decoy document to the user and finally executes the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider, 000webhost. The malware has evolved over time. In this article, we will analyse this …
IoC
http://checkmail.phpnet.us
http://dowhelsitjs.netau.net
http://jams481.site.bz
http://pactchfilepacks.net23.net
http://phpschboy.prohosts.org
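The C2 URLs above are the only indicators this excerpt carries. The following is an added example, not code from the Talos post, showing how a responder would sweep proxy logs for them: hosts are compared exactly and case-insensitively (the list above contains the same host as both Pactchfilepacks.net23.net and pactchfilepacks.net23.net), CONNECT entries that carry only host:port are handled, and a lookalike host that merely contains an indicator as a prefix is not flagged. The log line layout and the log lines themselves are constructed for illustration and are an assumption, not a real format or real traffic.

```python
"""Sweep constructed proxy log lines for the KONNI C2 hosts listed above.

Added example (not from the Talos post). Only the indicator hosts come from
the page; the log format and the sample lines are constructed.
"""
from urllib.parse import urlsplit

# C2 URLs from the IoC list above. Hostnames are case-insensitive, so the
# capitalised and lowercase spellings of Pactchfilepacks.net23.net are one indicator.
KONNI_C2_URLS = [
    "http://checkmail.phpnet.us",
    "http://dowhelsitjs.netau.net",
    "http://jams481.site.bz",
    "http://pactchfilepacks.net23.net",
    "http://phpschboy.prohosts.org",
]


def indicator_hosts(urls):
    """Normalise indicator URLs to a set of lowercase hostnames."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_from_log_url(url):
    """Return the lowercase hostname of a URL or host:port field, or None."""
    if "://" not in url:
        url = "http://" + url  # CONNECT entries carry host:port without a scheme
    host = urlsplit(url).hostname
    return host.lower() if host else None


def sweep(log_lines, urls=KONNI_C2_URLS):
    """Return (line_no, client_ip, host) for each line whose destination host
    exactly matches a known KONNI C2 host.

    Assumed (constructed) line layout:
        "<timestamp> <client_ip> <method> <url-or-host:port> <status>"
    Exact host matching avoids false hits on lookalikes such as
    jams481.site.bz.example.net, which a substring search would flag.
    """
    hosts = indicator_hosts(urls)
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        host = host_from_log_url(fields[3])
        if host in hosts:
            hits.append((n, fields[1], host))
    return hits


# Constructed sample log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "2017-05-03T09:12:01Z 10.1.2.15 GET http://Pactchfilepacks.net23.net/upload.php 200",
    "2017-05-03T09:12:04Z 10.1.2.15 GET http://www.example.com/ 200",
    "2017-05-03T09:13:40Z 10.1.2.77 CONNECT checkmail.phpnet.us:80 200",
    "2017-05-03T09:14:02Z 10.1.2.90 GET http://jams481.site.bz.example.net/ 404",
]

if __name__ == "__main__":
    for n, ip, host in sweep(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {host}")
```

Matching on the parsed hostname rather than on the raw URL string is what makes the lookalike on the last sample line a miss; if you want to widen the sweep to the free-hosting parent domains the actor used, do that as a separate, lower-confidence rule rather than loosening this one.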