Analysis of new variant of Konni RAT


These days TalosIntelligence commented on a new variant of Konni RAT. It is not a complicated piece of malware, but it implements some interesting tricks and functionality typical of RATs. I wanted to take a look at something different (there is more life after ransomware :) ) and in this post you can find a brief analysis of this RAT. I hope you enjoy it.

Before starting with the post, I would like to refer you to the TalosIntelligence analysis of a previous variant of Konni. The new variant is similar to the variant analyzed in the Talos post; however, there are some differences. In addition, I reversed different parts of the code and give other details. For this reason I recommend reading both posts if you are interested in having a good knowledge of this RAT.

Modules

We have the sample f4abe28f3c35fa75481ae056d8637574. It is a dropper that is able to drop different PE files depending on the architecture (32 / 64 bit). If we unpack the dropper we find that it has two PE files and two DOCX files in its resources:


Docx file1: 63a43fe8874fbbf3adb1b9aeb03adb6bfaa2935a40bb1893e90e3ab762dd44bd

Docx file2: a12db66cb7b7b991ac2ba736fb48e04566ffd2defdcb08fb9a8ab3781253f73c


PE file1: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a

PE file2: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad

PE files are packed with ASPack v2.12.

We will analyze the 32-bit version.

 

RAT module

The 32-bit RAT module is installed into this folder:

C:\Users\<user>\AppData\Local\MFAData\event\errorevent.dll

And the Run registry key is modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCP"="rundll32.exe C:\\Users\\javi\\AppData\\Local\\MFAData\\event\\errorevent.dll check"

After removing the ASPack v2.12 layer, we take a look into the malware with IDA.

The malware installs a Windows hook and, because of this, errorevent.dll is loaded into the machine's running processes:


In the SetWindowsHookEx callback, it logs and queues keyboard events together with the window where they happened. Another thread analyzes the queued keyboard events and writes to a file those that happened in browser processes:


It checks for these process names:


Interesting keyboard events are logged to the file:

C:\Users\<user>\AppData\Local\Packages\microsoft\debug.tmp

Other files are used by the RAT in the process of managing commands:


The malware DLL is injected into multiple processes. To monitor which files the malware creates and writes to, we can use this breakpoint with commands (it is split across multiple lines for readability; in WinDbg's default hex radix, esp+4 is NtWriteFile's FileHandle argument and esp+18 its Buffer argument):

bp NtWriteFile                                       -> when NtWriteFile is hit, execute the next script
    ".foreach (tok { !handle (poi (esp+4)) })        -> search for "Packages" in the handle's path
    {
        .if ($spat(\"${tok}\", \"*Packages*\") != 0)
        {
            da (poi (esp+18));.break;                -> if found, print the data written
        }
    };g;"

 

bp NtWriteFile ".foreach (tok { !handle (poi (esp+4)) }) { .if ($spat(\"${tok}\", \"*Packages*\") != 0) { da (poi (esp+18));.break;}};g;"

The other RAT functionality is executed on demand, as we will see in the next section about communications.

 

Communications

The malware runs a thread for communications with the CnC. It asks for commands every 15 minutes. A file with commands is downloaded and parsed, and the commands are executed (and the results uploaded to the CnC):

The RAT calculates a value based on the installation time and infected computer info, and that value is used as the bot_id to identify the current infected machine. In my case it generated CB5D234D.

To download the commands it connects via HTTP GET to:

http://member-daumchk.netai.net/weget/download.php?file=CB5D234D_dropcom


The pattern is:

http://<domain>/weget/download.php?file=<bot_id>_dropcom
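As an added example that is not part of the original post, the following Python script checks the indicators described above (the Run key value from the RAT module section and the command-download URL pattern from this section) against constructed sample data; it assumes the bot_id is always 8 hex digits, which the post shows only for CB5D234D.

```python
# Added example (not from the original post): checks the Konni RAT indicators
# described above against constructed sample data. Assumption: bot_id is always
# 8 hex digits (the post shows only one, CB5D234D).
import re
from urllib.parse import urlsplit, parse_qs

# Persistence: rundll32 loading errorevent.dll from AppData\Local\MFAData\event
RUN_VALUE_RE = re.compile(r"rundll32(\.exe)?\s+.*\\AppData\\Local\\MFAData\\event"
                          r"\\errorevent\.dll\s+check", re.IGNORECASE)
# Keylog file written by the hook's worker thread
KEYLOG_PATH_RE = re.compile(r"\\AppData\\Local\\Packages\\microsoft\\debug\.tmp$", re.IGNORECASE)
# Command download: /weget/download.php?file=<bot_id>_dropcom
CNC_FILE_RE = re.compile(r"^([0-9A-F]{8})_dropcom$")

def is_konni_run_value(value):
    """True if a Run-key value matches the RAT's persistence command line."""
    return RUN_VALUE_RE.search(value) is not None

def is_konni_keylog_path(path):
    """True if a file path is the RAT's keylog output file."""
    return KEYLOG_PATH_RE.search(path) is not None

def konni_bot_id(url):
    """Return the bot_id if the URL is a command download, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/weget/download.php"):
        return None
    for value in parse_qs(parts.query).get("file", []):
        match = CNC_FILE_RE.match(value)
        if match:
            return match.group(1)
    return None

def scan_proxy_log(lines):
    """Constructed log format '<time> <client_ip> GET <url>'; returns (ip, bot_id) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "GET":
            bot_id = konni_bot_id(fields[3])
            if bot_id:
                hits.append((fields[1], bot_id))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines; domain and bot_id are from the post
    "10:00:01 10.0.0.5 GET http://member-daumchk.netai.net/weget/download.php?file=CB5D234D_dropcom",
    "10:00:02 10.0.0.7 GET http://example.test/index.html",
    "10:15:03 10.0.0.5 GET http://member-daumchk.netai.net/weget/download.php?file=CB5D234D_dropcom",
]
```

Two hits from the same client 15 minutes apart match the polling interval described above, which is a useful second signal when the domain itself is not yet on a blocklist.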

This new variant uses the WinINet API to connect to the CnC (the Talos analysis of the previous variant says the RAT was using the Winsock API, i.e. connect, send, recv, ..., instead of HTTP-specific APIs):


After downloading the commands, they are decrypted (key "xzxzxz") and parsed:


The decryption function:


Looking at the communications code, it seems it would not be difficult to create a fake CnC to control a bot (no RSA keys or anything similar are used to certify that a command comes from the author).

Once decrypted it starts to parse commands:


 

Command for collecting computer info

With this command the malware collects different information about the machine:


 

Command for screen capturing

The screen capture is done here:


 
