Executive Summary
Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, which displays a decoy document to the user and finally executes the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:
- at the beginning the malware was only an information stealer without remote administration
- it moved from a single-file malware to a dual-file malware (an executable and a dynamic library)
- the malware has supported more and more features over time
- the decoy documents have become more and more advanced
- the different versions contain copy/pasted code from previous versions. Moreover, the new version searches for files generated by previous versions (this implies that the malware has been used several times against the same targets)
3 Years Of Campaigns
2014 Campaign: Fatal Beauty
The fake svchost binary is the KONNI malware. The first task of the malware is to generate an ID to identify the infected system. This ID is generated based on the installation date of the system, as found in the registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate). The second task of the malware is to contact the C2 and get orders. The malware includes 2 domains:
- phpschboy[.]prohosts[.]org
- jams481[.]site[.]bz
The developer used the Microsoft Winsock API to handle the network connection. Surprisingly, this isn't the easiest or the most efficient technical choice for HTTP connections. The malware samples we analysed connected to only one URI: <c2-domain>/login.php.
This version of KONNI is not designed to execute code on the infected system. Its purpose is to run only once and steal data from the infected system. The main features are:
- Keylogger
- Clipboard stealer
- Firefox profiles and cookies stealer
- Chrome profiles and cookies stealer
- Opera profiles and cookies stealer
The malware internally uses the following files:
- spadmgr.ocx
- screentmp.tmp (log file of the keylogger)
- solhelp.ocx
- sultry.ocx
2016 Campaign: "How can North Korean hydrogen bomb wipe out Manhattan.scr"
The .scr file contains 2 Office documents: the first in English and the second in Russian. Only the English version can be displayed to the user; this choice is hardcoded in the sample:
The Russian document is not used by the sample; we assume that the author of the malware forgot to remove the resource containing the Russian decoy document:
The malware author changed the malware architecture: this version is divided into two binaries:
- conhote.dll
- winnit.exe
The ID of the infected system is generated with exactly the same method as in the previous version. The C2 is different, and the analysed version this time contains only a single domain:
- dowhelsitjs[.]netau[.]net
The malware uses three URIs on this domain:
- <c2-domain>/login.php (for infected machine registration)
- <c2-domain>/upload.php (for uploading files to the C2)
- <c2-domain>/download.php (for downloading files from the C2)
The malware internally uses the following files:
- solhelp.ocx
- sultry.ocx
- helpsol.ocx
- psltre.ocx
- screentmp.tmp (log file of the keylogger)
- spadmgr.ocx
- apsmgrd.ocx
- wpg.db
2017 Campaigns
Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr
The .scr file drops two files: an executable and a library. As in the previous version, persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk). Unlike the previous version, the developers moved the core of the malware to the library. The executable performs the following tasks:
- If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware using a PowerShell script:
- It loads the dropped library
The library contains the same features as the previous version as well as new ones. This version of KONNI is the most advanced, with better-quality code. The malware configuration contains one command and control server:
- pactchfilepacks[.]net23[.]net
The malware uses a single URI on this domain:
- <c2-domain>/uploadtm.php
The malware internally uses the following files:
- error.tmp (the log file of the keylogger)
- tedsul.ocx
- helpsol.ocx
- trepsl.ocx
- psltred.ocx
- solhelp.ocx
- sulted.ocx
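The C2 pattern is the same across the 2016 and 2017 versions: a handful of PHP endpoints (login.php, upload.php, download.php, uploadtm.php) on a subdomain of a free hosting provider. The following script is an added example, not code from the original write-up or from Talos: it runs that pattern over proxy log lines. The domains and paths are copied from this article; the log line format and the sample lines are constructed, and the "free hosting" check is a heuristic derived only from the parent domains of the listed C2 hosts.

```python
"""Flag proxy-log requests that match the KONNI C2 pattern (added example)."""
import re
from urllib.parse import urlsplit

# C2 domains from the write-up (defanging brackets removed), keyed to campaign year
KONNI_C2_DOMAINS = {
    "phpschboy.prohosts.org": "2014",
    "jams481.site.bz": "2014",
    "dowhelsitjs.netau.net": "2016",
    "pactchfilepacks.net23.net": "2017",
    "checkmail.phpnet.us": "2017",
}
# PHP endpoints the samples talked to (login/upload/download in 2016, uploadtm in 2017)
KONNI_C2_PATHS = {"/login.php", "/upload.php", "/download.php", "/uploadtm.php"}
# Parent domains of the listed C2 hosts; a weaker, behavioural signal (assumption)
FREE_HOST_SUFFIXES = tuple("." + d.split(".", 1)[1] for d in KONNI_C2_DOMAINS)

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(url):
    """Return (severity, reason) for one URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    path = parts.path or "/"
    if host in KONNI_C2_DOMAINS:
        return "high", f"known KONNI C2 ({KONNI_C2_DOMAINS[host]} campaign)"
    if host.endswith(FREE_HOST_SUFFIXES) and path in KONNI_C2_PATHS:
        return "medium", f"KONNI-style endpoint {path} on a free-hosting domain"
    return None


def scan_log(lines):
    """Parse log lines and return (client, url, severity, reason) for each hit."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue                      # skip lines that do not fit the format
        hit = classify_request(match["url"])
        if hit:
            findings.append((match["client"], match["url"], hit[0], hit[1]))
    return findings


# Constructed sample lines (not real traffic) so the script runs offline
SAMPLE_LOG = [
    "2017-04-12T09:01:02Z 10.0.0.15 POST http://pactchfilepacks.net23.net/uploadtm.php 200",
    "2017-04-12T09:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2017-04-12T09:02:10Z 10.0.0.22 GET http://someuser.netau.net/download.php 200",
    "2017-04-12T09:03:00Z 10.0.0.22 POST http://www.example.com/login.php 302",
]

if __name__ == "__main__":
    for client, url, severity, reason in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {client} -> {url}: {reason}")
```

The exact-domain match is the reliable signal; the medium-severity rule only narrows the large volume of free-hosting traffic to requests that also hit one of the endpoint names this family uses, so it is a triage aid rather than a block rule.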
The library supports the following actions, selected by number:
1. Delete a specific file;
2. Upload a specific file based on a filename;
3. Upload a specific file based on the full path name;
4. Create a screenshot and upload it to the C2;
5. Get system information;
6. Download a file from the Internet;
7. Execute a command.
When the attacker wants to gather information on the infected system (action 5), the malware retrieves the following information:
- Hostname
- IP address
- Computer name
- Username
- Connected drives
- OS version
- Architecture
- Start menu programs
- Installed software
Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr
This document contains the names, phone numbers and email addresses of members of agencies, embassies and organizations linked to North Korea.
Conclusion
This investigation shows that the author has evolved both technically (by implementing new features) and in the quality of the decoy documents. The campaign of April 2017 used pertinent documents containing potentially sensitive data. Moreover, the metadata of the Office document contains the names of people who seem to work for a public organization. We don't know whether the document is a legitimate document that was compromised or a fake that the attacker created in an effort to be credible.
Clearly the author has a real interest in North Korea, with 3 of the 4 campaigns linked to North Korea.
The following graph shows the evolution of KONNI over the last 3 years:
Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
IOCs
2014 Campaign: Fatal Beauty
Dropper
SHA256: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
Filename: beauty.scr
Dropped files
#1
SHA256: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435
Filename: C:\Windows\beauty.jpg
File type: JPEG image data, JFIF standard 1.02
#2
SHA256: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
Filename: C:\Windows\svchost.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CC
phpschboy[.]prohosts[.]org
jams481[.]site[.]bz
2016 Campaign: How can North Korean hydrogen bomb wipe out Manhattan
Dropper
SHA256: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
Filename: How can North Korean hydrogen bomb wipe out Manhattan.scr
Dropped
#1
SHA256: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634
Filename: conhote.dll
#2
SHA256: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc
Filename: winnit.exe
#3
SHA256: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f
Filename: Anti virus service.lnk
CC
dowhelsitjs[.]netau[.]net
2017 Campaign A:
Dropper
SHA256: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
Filename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr
Dropped
#1
SHA256: 3de491de3f39c599954bdbf08bba3bab9e4a1d2c64141b03a866c08ef867c9d1
Filename: adobe distillist.lnk
#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe
#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll
CC
Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us
2017 Campaign B:
Dropper
SHA256: 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
Filename: Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr
Dropped
#1
SHA256: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b
Filename: adobe distillist.lnk
#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe
#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll
CC
Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us
Related samples
413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
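Because each KONNI version reuses file names from its predecessors (the write-up notes that the newest version even looks for files left by older ones), a host-level hunt should cover the artifact names of all three campaigns at once, together with the dropped-binary hashes above and the oddity that the 2014 payload was an svchost.exe sitting directly in C:\Windows. The script below is an added example, not code from the original write-up or from Talos: the file names and SHA256 values are copied from this article, while the sample file listing, the "legitimate svchost directories" rule and the function names are assumptions of the example.

```python
"""Hunt for KONNI file artifacts: names, misplaced svchost.exe and known SHA256 values (added example)."""
import hashlib
import os
import posixpath

# Internal and dropped file names per campaign, as listed in the write-up
ARTIFACTS = {
    "2014": {"spadmgr.ocx", "screentmp.tmp", "solhelp.ocx", "sultry.ocx"},
    "2016": {"solhelp.ocx", "sultry.ocx", "helpsol.ocx", "psltre.ocx", "screentmp.tmp",
             "spadmgr.ocx", "apsmgrd.ocx", "wpg.db", "conhote.dll", "winnit.exe",
             "anti virus service.lnk"},
    "2017": {"error.tmp", "tedsul.ocx", "helpsol.ocx", "trepsl.ocx", "psltred.ocx",
             "solhelp.ocx", "sulted.ocx", "winload.exe", "winload.dll",
             "adobe distillist.lnk"},
}

# SHA256 values of the droppers and dropped binaries from the IOC section
KONNI_SHA256 = {
    "413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f": "beauty.scr (2014 dropper)",
    "44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9": "svchost.exe (2014 payload)",
    "94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5": "2016 dropper (.scr)",
    "56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634": "conhote.dll (2016)",
    "553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc": "winnit.exe (2016)",
    "69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0": "2017 campaign A dropper (.scr)",
    "640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e": "2017 campaign B dropper (.scr)",
    "39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635": "winload.exe (2017)",
    "dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d": "winload.dll (2017)",
}

# Assumption of this example: a genuine svchost.exe lives in one of these directories
LEGIT_SVCHOST_DIRS = {"system32", "syswow64"}


def sha256_hex(data):
    """SHA256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def classify_name(path):
    """Campaigns whose artifact list contains this file name (case-insensitive)."""
    name = posixpath.basename(path.replace("\\", "/")).lower()
    return {year for year, names in ARTIFACTS.items() if name in names}


def is_misplaced_svchost(path):
    """True for an svchost.exe outside System32/SysWOW64, like the 2014 sample in C:\\Windows."""
    norm = path.replace("\\", "/").lower()
    if posixpath.basename(norm) != "svchost.exe":
        return False
    return posixpath.basename(posixpath.dirname(norm)) not in LEGIT_SVCHOST_DIRS


def hunt_paths(paths, read_bytes=None):
    """Return (path, reason) findings; read_bytes(path) -> bytes enables hash matching."""
    findings = []
    for path in paths:
        years = classify_name(path)
        if years:
            findings.append((path, "file name used by KONNI " + "/".join(sorted(years))))
        if is_misplaced_svchost(path):
            findings.append((path, "svchost.exe outside System32/SysWOW64"))
        if read_bytes is None:
            continue
        try:
            digest = sha256_hex(read_bytes(path))
        except OSError:
            continue                      # unreadable file: name checks above still apply
        if digest in KONNI_SHA256:
            findings.append((path, "SHA256 matches " + KONNI_SHA256[digest]))
    return findings


def hunt_tree(root):
    """Walk a directory tree on disk and apply hunt_paths with real file contents."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

    def read_bytes(path):
        with open(path, "rb") as fh:
            return fh.read()

    return hunt_paths(paths, read_bytes)


# Constructed sample listing (not from a real host) so the script runs offline
SAMPLE_FILES = {
    "C:\\Users\\bob\\AppData\\Local\\Temp\\helpsol.ocx": b"constructed content",
    "C:\\Windows\\svchost.exe": b"constructed content",
    "C:\\Windows\\System32\\svchost.exe": b"constructed content",
    "C:\\Users\\bob\\Documents\\report.docx": b"constructed content",
}

if __name__ == "__main__":
    for path, reason in hunt_paths(list(SAMPLE_FILES), SAMPLE_FILES.__getitem__):
        print(f"{path}: {reason}")
```

Run hunt_tree("C:\\") (or a user profile directory) on a live host; the name matches are cheap and survive recompilation of the binaries, the hash matches only catch the exact samples listed here, and the svchost location rule flags the 2014 dropper's placement regardless of hash.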