Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

The report details Konni RAT, a sophisticated remote access Trojan that targets Windows systems for espionage and data exfiltration. It utilizes a multi-stage attack process leveraging batch files, PowerShell scripts, and VBScript to covertly collect sensitive data and maintain persistence, all while avoiding detection through complex evasion tactics. Affected: Windows systems, organizations, individuals

Keypoints :

Konni RAT employs a multi-stage attack strategy targeting Windows OS.
Utilizes batch files, PowerShell scripts, and VBScript for malicious activities.
Exploits Windows Explorer limitations and obfuscates file paths to avoid detection.
Employs dynamic URL encoding and generates timestamps for stealthy data exfiltration.
Maintains persistence through registry modifications and VBScript execution.
Efficiently gathers and exfiltrates sensitive system and user information.
Leaves minimal traces of its activity by deleting command files during execution.
Effective against traditional security measures, necessitating advanced threat detection strategies.

MITRE Techniques :

Initial Access (TA0001): T1566 – Phishing, used to deliver malicious payloads.
Execution (TA0002): T1059 – Command and Scripting Interpreter, executing commands via batch files and scripts.
Persistence (TA0003): T1547.001 – Registry Run Keys / Startup Folder for ensuring execution on startup.
Defense Evasion (TA0005): T1027 – Obfuscated Files or Information, employing obfuscation techniques to hide malicious commands.
Credential Access (TA0006): T1003 – Credential Dumping, potentially gathering sensitive information.
Discovery (TA0007): T1082 – System Information Discovery, gathering critical system data.
Collection (TA0009): T1005 – Data from Local System, collecting sensitive files for exfiltration.
Exfiltration (TA0010): T1041 – Exfiltration Over C2 Channel, stealthy data transfer to command servers.
Impact (TA0040): T1485 – Data Destruction, may delete files to cover tracks.

Indicator of Compromise :

[File] 61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c
[File] b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543
[File] 76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041
[File] f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24
[Domain] acschoolcatering[.]com

Full Story: https://www.cyfirma.com/research/analysis-of-konni-rat-stealth-persistence-and-anti-analysis-techniques/

Tags: FIREWALL, RECONNAISSANCE, WINDOWS, IMPACT, COLLECTION, PAYLOAD, DEFENSE EVASION, RUSSIA