Background
Konni first surfaced as a remote access Trojan (RAT) disclosed by Cisco Talos in 2017, with activity traced back to 2014 against targets in Russia and South Korea. In 2018, Palo Alto Networks linked the malware to NOKKI, a Trojan associated with APT37 (also known as Reaper, Group123 and ScarCruft). From 2019, the South Korean security firm ESTsecurity reported on Konni as a suspected APT group with East Asian ties and noted some overlap with Kimsuky.
Event Overview
Recently, QiAnXin Threat Intelligence Center uncovered malicious LNK files targeting South Korea. When executed, each LNK drops a bait file and a VBS script. One sample uses a bait HWP document titled "Guidelines for Email Security Inspection."
The initial assessment suggested APT37's involvement based on LNK file size and code execution characteristics. However, further analysis of the released VBS script's behavior and C2 communication revealed a closer association with the Konni group. This indicates that Konni has recently adjusted its tactics for LNK-type file attacks. Notably, Konni, APT37, and Kimsuky—three APT groups believed to have connections—share some similarities in the LNK files they use.
Detailed Analysis
(1) Sample One
Basic information of the sample is as follows:
Item | Value |
---|---|
MD5 | 41c17b6b527540d49db81976ef5576e9 |
Filename | tl6VewKBBU.lnk |
File Size | 24.35 MB (25,532,825 bytes) |
The execution flow (shown in the original figure) is: the LNK file drops a VBS script, and the VBS script retrieves and executes subsequent commands from a C&C server.
The LNK file calls cmd.exe, which concatenates characters taken from a string named "K" into the command "powershell -windowstyle hidden".
After cleanup, the PowerShell code drops the bait document and the VBS script, then deletes the LNK file itself.
The bait document is named "[Attachment] - How to Check Business Email Security (Naver-Daum-Gmail).hwp." The VBS script is written to "C:\Users\Public\Libraries\vc98ee3f0.vbs."
The VBS script restores its hidden strings with a byte-by-byte XOR operation. Its main function is to fetch the next-stage script from the C&C server with an HTTP GET request and execute it.
The requested URL is "hxxps://shaira1885.com/wp-admin/includes/class-wp-release-data.php?class=<computer_name>." The domain shaira1885[.]com likely belongs to a legitimate website that the attackers compromised and are using to host the C&C service; the wp-admin/includes path is part of WordPress core, which is consistent with a compromised site rather than attacker-registered infrastructure.
The payload returned from the C&C URL is another VBS script whose key strings are concealed in the same way.
The script returned by the first C&C request establishes persistence: it creates a scheduled task so that vc98ee3f0.vbs runs repeatedly, continuously downloading and executing further payloads from the C&C server.
schtasks /create /sc minute /mo 10 /tn "WeChatVersionAutoUpdate" /tr "C:\Users\Public\Libraries\vc98ee3f0.vbs" /f
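The scheduled task above is the only foothold the sample leaves on disk, so it is the natural hunting point. The following script is an added example (not from the report or the malware) that triages `schtasks /query /fo csv /v` output for the same shape: a script action, a user-writable path, and a repeat interval of a few minutes. The CSV is a constructed subset of the verbose columns; the task name, path and 10-minute interval mirror the command shown above, and the other two rows are benign decoys.

```python
"""Triage scheduled-task CSV output for short-interval script persistence (added example)."""
import csv
import io
import re
from typing import List, Optional, Tuple

# Constructed subset of `schtasks /query /fo csv /v` columns; the first row mirrors the
# report's persistence task, the other two are benign Windows/Google tasks.
CONSTRUCTED_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Repeat: Every"
"WS-HR-07","\WeChatVersionAutoUpdate","Ready","WS-HR-07\user","C:\Users\Public\Libraries\vc98ee3f0.vbs","One Time Only, Minute","0 Hours, 10 Minutes"
"WS-HR-07","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","N/A"
"WS-HR-07","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Daily","1 Hour(s), 0 Minute(s)"
'''

SCRIPT_EXT_RE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)(?:["\s]|$)')
SCRIPT_HOST_RE = re.compile(r'(?:^|\\|")(?:wscript|cscript|mshta|powershell|pwsh)(?:\.exe)?\b')
USER_WRITABLE = ("c:\\users\\public", "\\appdata\\", "\\temp\\", "c:\\programdata")


def interval_minutes(repeat: str) -> Optional[int]:
    """Parse the 'Repeat: Every' column ('0 Hours, 10 Minutes') into minutes; None if not repeating."""
    h = re.search(r"(\d+)\s*Hour", repeat, re.I)
    m = re.search(r"(\d+)\s*Minute", repeat, re.I)
    if not h and not m:
        return None
    return int(h.group(1) if h else 0) * 60 + int(m.group(1) if m else 0)


def score_task(row: dict) -> List[str]:
    """Return the reasons a task resembles script-based, short-interval persistence."""
    action = row["Task To Run"].strip().lower()
    reasons = []
    if SCRIPT_EXT_RE.search(action) or SCRIPT_HOST_RE.search(action):
        reasons.append("script action")
    if any(p in action for p in USER_WRITABLE):
        reasons.append("user-writable path")
    mins = interval_minutes(row.get("Repeat: Every", ""))
    if mins is not None and 0 < mins <= 15:
        reasons.append(f"repeats every {mins} min")
    return reasons


def triage(csv_text: str, min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (TaskName, reasons) for every task that trips at least min_reasons indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if len(reasons) >= min_reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for name, why in triage(CONSTRUCTED_SCHTASKS_CSV):
        print(f"{name}: {', '.join(why)}")
```

Requiring two of the three indicators keeps legitimate updaters (hourly, under Program Files, executable action) out of the result while still catching a renamed script under C:\Users\Public with a different interval.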
On the second run of vc98ee3f0.vbs, the script obtained from the C&C URL collects host information by executing the following commands:
dir C:\Users\\downloads\ /s /a /od > usrdown
dir C:\Users\\documents\ /s /a /od > usrdocu
dir C:\Users\\desktop\ /s /a /od > usrdesk
dir "C:\Program Files\" > program
dir "C:\Program Files (x86)\" > program32
nslookup myip.opendns.com resolver1.opendns.com > ipdetail
tasklist > tsklist
systeminfo > systemI
schtasks /query /fo csv > schinfo
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s > reInfo
These commands collect directory listings of the user's Downloads, Documents and Desktop folders; listings of Program Files and Program Files (x86); the public IP address (resolved through OpenDNS); the process list; system information; the scheduled-task list; and the contents of the HKCU Run key.
The collected information is sent back to the C&C server with a POST request to "hxxps://shaira1885.com/wp-admin/includes/class-wp-release-data.php." The POST body has the following format; after transmission the corresponding files are deleted.
alias=<computer_name>&name=<file_name>&data=<file_data>
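The two C&C messages above (a GET with the computer name as a query value, then a POST carrying alias, name and data fields) are distinctive enough to hunt for in web-proxy logs. The following detection logic is an added example, not code from the report: the log format, the client hostnames and the base64-looking data values are constructed, while the URLs, field names and the collection file names come from the analysis above. It assumes the proxy log already resolves each client to its computer name.

```python
"""Flag Konni-style beacon and exfil requests in constructed proxy log lines (added example)."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# File names the second-stage VBS writes before uploading them (from the command list above).
COLLECTION_FILES = {"usrdown", "usrdocu", "usrdesk", "program", "program32",
                    "ipdetail", "tsklist", "systemI", "schinfo", "reInfo"}

# Constructed log: "<timestamp> <client_hostname> <method> <url> <body-or-dash>".
CONSTRUCTED_LOG = """\
2023-11-20T09:12:03Z WS-HR-07 GET https://shaira1885.com/wp-admin/includes/class-wp-release-data.php?class=WS-HR-07 -
2023-11-20T09:12:05Z WS-HR-07 GET https://www.example.com/index.php?class=news -
2023-11-20T09:22:41Z WS-HR-07 POST https://shaira1885.com/wp-admin/includes/class-wp-release-data.php alias=WS-HR-07&name=tsklist&data=SW1hZ2UgTmFtZQ
2023-11-20T09:22:43Z WS-HR-07 POST https://shaira1885.com/wp-admin/includes/class-wp-release-data.php alias=WS-HR-07&name=systemI&data=SG9zdCBOYW1l
2023-11-20T10:01:10Z FIN-PC-03 GET https://messengerin.com/layout/images/profile.php?color_style=FIN-PC-03 -
2023-11-20T10:05:00Z FIN-PC-03 POST https://intranet.example.com/login alias=user&name=bob&data=x
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields; '-' means no request body."""
    ts, host, method, url, body = line.split(None, 4)
    return {"ts": ts, "client_host": host, "method": method, "url": url,
            "body": "" if body == "-" else body}


def hostname_in_query(url: str, hostname: str) -> bool:
    """True if any query parameter's only value equals the client's computer name."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(values == [hostname] for values in qs.values())


def parse_exfil_body(body: str) -> Optional[Tuple[str, str]]:
    """Return (alias, name) if the POST body has the alias/name/data shape, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    if set(fields) >= {"alias", "name", "data"}:
        return fields["alias"][0], fields["name"][0]
    return None


def detect(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, reason, url) for each line matching the beacon or exfil pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        host = e["client_host"]
        if e["method"] == "GET" and hostname_in_query(e["url"], host):
            alerts.append((e["ts"], host, "beacon: client hostname in query string", e["url"]))
        elif e["method"] == "POST":
            parsed = parse_exfil_body(e["body"])
            # Require the alias to be this client's name or the file to be a known collection
            # artefact, so ordinary forms with alias/name/data fields do not fire.
            if parsed and (parsed[0] == host or parsed[1] in COLLECTION_FILES):
                alerts.append((e["ts"], host, f"exfil: {parsed[1]}", e["url"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert)
```

Matching the query value against the client's own hostname, rather than against a fixed domain, is what makes the beacon rule survive a change of compromised site; the domain list in the IOC section is still worth blocking, but the hostname-in-URL habit is the more durable signal.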
(2) Sample Two
Basic information of the sample is as follows:
Item | Value |
---|---|
MD5 | 015ba89bce15c66baebc5fd94d03d19e |
Filename | 2000215005_20231107_20231127_rvim.html.lnk |
File Size | 41.26 MB (43,260,547 bytes) |
This sample uses the same technique as Sample One; the command that the LNK file passes to cmd.exe follows the same pattern (shown in the original figure).
The bait file dropped here is an HTML page that, when opened, sends a request to hxxp://ebpp.airport.kr/mail.do and prompts for a password to view the document.
The VBS script requests the C&C URL hxxps://messengerin.com/layout/images/profile.php?color_style=<computer_name>. This website is likewise probably compromised and used as a C&C server.
Attribution and Association
(1) Attribution
Konni LNK samples uploaded to VirusTotal in September are relatively small, not exceeding 200 KB.
MD5 | Filename |
---|---|
6f5e4b45ca0d8c1128d27a15421eea38 | 국세청 종합소득세 해명자료 제출 안내.hwp.lnk (National Tax Service: guidance on submitting explanatory materials for comprehensive income tax) |
d2ed41719424bb024535afa1b2d17f3a | 국세청 종합소득세 해명자료 제출 안내.hwp.lnk |
For example, the execution flow of sample d2ed41719424bb024535afa1b2d17f3a is outlined in the original figure. The LNK drops a ZIP archive containing multiple files; only the main ones are shown.
The script 75330987.bat, which handles information collection, resembles the newly discovered sample: it uses similar cmd commands to collect information and writes the results to files before transmission, and the file names used to store the information are also similar.
The script 16169400.bat, which transmits the collected information to the C&C, likewise resembles the newly discovered sample: it sends the file name and file data as POST request data and deletes the corresponding files after transmission.
In addition, including the infected host's computer name in the C&C URL is a long-standing habit of the Konni group.
Based on these observations, the discovered LNK sample is more likely Konni's work. It also shows that the Konni group has adopted the LNK construction method commonly used by APT37: inflating the file size and dropping only a bait document and a single script file. This suggests Konni is adjusting its LNK tradecraft to minimise the amount of malicious code written to disk.
(2) Association with Other Organizations
Other suspected APT groups with East Asian backgrounds, such as APT37 and Kimsuky, now frequently use LNK samples in their attack activities. The core functionality of PowerShell code within LNK files, extracting bait files and subsequent script data, remains consistent. However, these attack groups employ different code obfuscation techniques, have distinct characteristics in script code, and use different formats for C&C communication.
APT37
Many APT37 LNK samples do not obfuscate their PowerShell code. The dropped script downloads the RokRat Trojan hosted on cloud services or loads the Chinotto backdoor [2].
Kimsuky
Kimsuky applies various obfuscation techniques to the PowerShell code in its LNK samples: for example, inserting characters that do not affect command execution in order to evade static detection (MD5: 433a2a49a84545f23a038f3584f28b4a), or recovering key strings through format strings (MD5: fb5aec165279015f17b29f9f2c730976) [3].
The final scripts released by Kimsuky and Konni initiate requests to the C&C, executing the obtained response data.
Additionally, both the Kimsuky and the Konni LNK samples use a single-byte XOR key of 0x77 to decrypt the file data embedded in the LNK. The PowerShell code of the Kimsuky and Konni samples (MD5: 433a2a49a84545f23a038f3584f28b4a and d2ed41719424bb024535afa1b2d17f3a, respectively) is shown in the original figures.
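The shared 0x77 XOR key, and the byte-wise XOR the dropped VBS uses for its own strings, mean the embedded files can be recovered without running the LNK. The following script is an added example, not code from the report or the malware: in the real samples the PowerShell stub supplies the exact offsets and lengths, whereas this version recovers the key and the document boundary generically by searching for a known plaintext magic (the CFB header that HWP 5.x and OLE2 documents start with). The inflated LNK it operates on is constructed inline, with zero padding standing in for the tens of megabytes of junk.

```python
"""Recover the single-byte XOR key and carve the bait document and VBS from an inflated
LNK payload (added example; offsets in real samples come from the PowerShell stub)."""
import re
from typing import Optional, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB header: HWP 5.x (and OLE2 Office) files
KNOWN_KEY = 0x77                                   # key reported for the Kimsuky/Konni samples


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the dropped VBS uses to restore its strings."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, known: bytes = OLE_MAGIC) -> Optional[Tuple[int, int]]:
    """Brute-force the key: XOR a known plaintext magic with each candidate and search the blob.
    Returns (key, offset) of the first hit, or None if no candidate produces the magic."""
    for key in range(256):
        idx = blob.find(xor_bytes(known, key))
        if idx != -1:
            return key, idx
    return None


def find_trailing_script(decoded: bytes, min_len: int = 48) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the last run of printable text, i.e. the dropped VBS in these samples."""
    last = None
    for m in re.finditer(rb"[\t\n\r\x20-\x7e]{%d,}" % min_len, decoded):
        last = (m.start(), m.end())
    return last


def carve(blob: bytes) -> Optional[dict]:
    """Locate the key, decode from the first document header onward, split document from script."""
    hit = recover_key(blob)
    if hit is None:
        return None
    key, doc_off = hit
    decoded = xor_bytes(blob[doc_off:], key)
    script = find_trailing_script(decoded)
    doc_end = script[0] if script else len(decoded)
    return {
        "key": key,
        "doc_offset": doc_off,
        "document": decoded[:doc_end],
        "script": decoded[script[0]:script[1]].decode("ascii") if script else None,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an inflated LNK: a stub header, zero padding in place of the
    junk that inflates real samples, then the XOR-0x77 encoded bait document and VBS."""
    stub = b"L\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    fake_hwp = OLE_MAGIC + b"\x00" * 504            # minimal CFB-looking 512-byte header block
    fake_vbs = (b'Set sh = CreateObject("WScript.Shell")\r\n'
                b'sh.Run "cmd /c echo constructed sample", 0\r\n')
    padding = b"\x00" * 4096
    return stub + padding + xor_bytes(fake_hwp + fake_vbs, KNOWN_KEY)


if __name__ == "__main__":
    result = carve(build_constructed_sample())
    print(f"key=0x{result['key']:02x} doc_offset={result['doc_offset']} "
          f"doc_len={len(result['document'])}")
    print(result["script"])
```

Searching for the XORed magic rather than assuming 0x77 costs nothing and keeps the carver working if a future sample changes the key; the document/script split by "last printable run" is a heuristic that suits this dropper layout (document first, script last) and should be replaced by the stub's own offsets when those have been recovered.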
Summary
LNK files have become a common means for multiple APT groups to deliver malware due to their ability to convincingly mimic various bait files, making them well-suited for phishing. The discovered Konni samples diverge from previous attack activities by delivering only a single script file instead of multiple script files. Attackers can decide whether to proceed based on the collected information from infected hosts. The use of a likely compromised website for C&C server hosting reflects the efforts of this attack group to enhance operational stealth. Furthermore, the characteristics of these LNK samples suggest a potential connection between the Konni group and APT37 and Kimsuky, indicating a possible borrowing of attack methods.
Protection Recommendations
QiAnXin Threat Intelligence Center advises users to be cautious of phishing attacks. Do not open links of unknown origin shared on social media, refrain from executing email attachments from unknown sources, avoid running unknown files with exaggerated titles, and avoid installing apps from unofficial sources. Ensure timely backup of important files and keep software up-to-date with patches.
If there is a need to run an application of unknown origin, it is advisable to use the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. Currently, various file formats, including Windows and Android platforms, are supported for in-depth analysis.
QiAnXin's full line of products based on Threat Intelligence Center data, including QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, already support precise detection of such attacks.
IOC
MD5
41c17b6b527540d49db81976ef5576e9
015ba89bce15c66baebc5fd94d03d19e
6f5e4b45ca0d8c1128d27a15421eea38
d2ed41719424bb024535afa1b2d17f3a
6452b948928f2d799fd9b5d7aa721d10
C&C
ttzcloud.com
bgfile.com
serviceset.net
downwarding.com
cldservice.net
file.drives001.com
URL
hxxps://shaira1885.com/wp-admin/includes/class-wp-release-data.php?class=<computer_name>
hxxps://messengerin.com/layout/images/profile.php?color_style=<computer_name>
hxxp://ttzcloud.com/list.php?f=<computer_name>.txt
hxxp://ttzcloud.com/upload.php
hxxps://bgfile.com/v2/read/get.php?vw=ln3&nv=xu6502&r=
hxxp://serviceset.net/list.php?f=<computer_name>.txt
hxxp://serviceset.net/upload.php
hxxps://downwarding.com/v2/read/get.php?vw=ln3&nv=xu6502&r=
hxxp://cldservice.net/list.php?f=<computer_name>.txt
hxxp://cldservice.net/upload.php
hxxps://file.drives001.com/read/get.php?ra=ln3&zw=xu6502&r=
Reference Links
[1]. https://ti.qianxin.com/blog/articles/Cloud-Spy-Analysis-of-Recent-Attack-Activities-by-Group123-CN/
[2]. https://paper.seebug.org/3030/
[3]. https://asec.ahnlab.com/en/59042/