North Korean APT 37, aka Reaper, enhances evasiveness of Konni RAT
Konni RAT is a malicious remote administration tool (RAT), believed to be developed by the North Korean APT group, APT37
Konni RAT authors have added significant detection evasion and anti-analysis techniques, particularly aimed at evading detection by automated sandboxes and manual analysis. However, these techniques have no effect on BluVector’s detection efficacy. BluVector’s patented Machine Learning Engine (MLE), would have detected the samples an average of 84 months prior to their release. To learn more about how BluVector can protect your network, Schedule a Demo.
What Is It?
First seen in the wild in the early part of 2014, Konni RAT is believed to be developed by the North Korean advanced persistent threat APT37. This group, also known as Reaper, has been active since approximately 2012 and was initially observed attacking South Korean public and private organizations. Beginning in 2017, APT37 began to target entities in Japan and Vietnam then China, India, Nepal, Russia and the Middle East.
Konni RAT campaigns have been ongoing, garnering the attention of cyber security researchers with research on the malware published every year since 2017. In early January of 2022, Cluster25 researchers described a campaign against Russian diplomats with a New Year’s Eve social engineering component. The infection chain begins with a malicious zip file attached to a spear phishing email and ends with the installation and execution of a Konni RAT variant.
In late January, researchers from Malwarebytes Labs described the latest variant of Konni RAT, which has greatly increased the sophistication of its detection evasion and anti-analysis techniques.
The first technique relates to the method by which the Konni RAT sample needs to be executed. Konni RAT is a Windows DLL (Dynamic Link Library) file. A DLL file contains executable code and data which can be called by multiple programs. There’s no way to directly run a DLL, as an executable file would be (files such as those ending in .exe). The most common way to load a DLL file into memory and execute its code is to use the built-in rundll32 program. This method would also be used by automated sandboxes, which are extensively used by signature-based anti-virus vendors to triage the millions of samples they receive daily. This latest Konni RAT variant will crash if it is executed via rundll32, thus rendering analysis via sandbox impossible. The sample needs to be executed via a Windows Service to successfully run.
Next, strings within the Konni RAT, and configuration files used by it are now encrypted using the AES algorithm. Strings within a sample are often used by signature-based endpoint anti-virus products to detect malware and can be very useful to malware analysts in determining the functionality of a sample. Frequently, samples are submitted without context and without additional files to anti-virus vendors and to malware analysts responding to security incidents. The authors are clearly aware of this situation, as part of the decryption key uses the name of the Windows Service that executed the DLL. Without knowledge of that Service name, there is no way to decrypt the strings within the sample, or the configuration file it uses.
Additionally, the Konni RAT authors have used techniques to make decompilation of the sample considerably more difficult and time consuming. These techniques are designed to, at the very least, slow down the progress of analysts reviewing the sample.
This Konni RAT variant is another example of malware authors expending time and effort in order to attempt to evade detection and slow the pace of manual analysis of their samples. Much of this effort is aimed at evasion of signature-based detection, and especially detection by automated sandboxes. The use of automated sandboxes by signature based anti-virus vendors is essential given the vast volume of samples they receive on a daily basis. The results from VirusTotal scans of these samples show that, initially at least, these evasion techniques were successful. The first scan of one of these Konni RAT samples was only detected by 4 out of 74 products, and even after almost a month, another scan showed it was then only detected by 7 products.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The infection chain begins with a malicious zip file attached to a spear phishing email.
When/How Did BluVector Detect It?
Two publicly available samples of malware from the Konni RAT campaign described above were tested against BluVector’s patented Machine Learning Engine (MLE), and both were detected. Regression testing of these samples shows that despite the increased sophistication of detection evasion and anti-analysis techniques, BluVector would still have detected these samples on average 84 months prior to their release.