{"id":1323,"date":"2022-01-31T23:30:00","date_gmt":"2022-02-01T06:30:00","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=1323"},"modified":"2022-02-02T07:00:34","modified_gmt":"2022-02-02T14:00:34","slug":"malware-evolves","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/31\/malware-evolves\/","title":{"rendered":"Security is an Evolutionary Arms Race"},"content":{"rendered":"\n<p>Anyone who keeps up to date with technology is likely very familiar with software updates. Generally speaking, updates are considered good things, delivering new features, fixing glitches, optimizing how a program runs, or closing security exploits. It follows of course that malicious software also receives updates, although coverage of those is more sparse, partially due to disinterest, but mostly due to the fact that those who maintain malware don&#8217;t try to publicize their changes. This blog post will cover recently discovered updates to KONNI.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/screensav-1024x579.png\" alt=\"\" class=\"wp-image-1339 lazyload\" width=\"741\" height=\"419\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/screensav-1024x579.png 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/screensav-300x170.png 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/screensav-768x434.png 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/screensav.png 1430w\" data-sizes=\"(max-width: 741px) 100vw, 741px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 741px; 
--smush-placeholder-aspect-ratio: 741\/419;\" \/><figcaption>The seemingly innocuous screensaver used as a trojan in a recent KONNI attack<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-konni\">What is KONNI?<\/h3>\n\n\n\n<p>KONNI is a remote administration tool (RAT) that has been linked to North Korean hackers and has been in use for at least 8 years. RATs are often used to grant a technician remote access to a device to facilitate troubleshooting, as they allow for remote control of another device. Unfortunately, they are also commonly abused as ransomware or spyware. Analysis of KONNI attacks over the years has led to the belief that KONNI is intended as spyware, specifically targeting government agencies. KONNI is a trojan, meaning it is generally disguised as a legitimate file, with known examples being screensavers and office documents. When the file is opened, multiple steps are executed to grant privileges, evade detection, and initialize the needed files. 
The goal of the attack is to install KONNI RAT, a .dll file supported by a .ini file.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"721\" height=\"312\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-31-220306.png\" alt=\"\" class=\"wp-image-1326 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-31-220306.png 721w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-31-220306-300x130.png 300w\" data-sizes=\"(max-width: 721px) 100vw, 721px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 721px; --smush-placeholder-aspect-ratio: 721\/312;\" \/><figcaption>Malwarebytes&#8217; diagram of KONNI&#8217;s attack chain<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-is-konni-still-relevant\">Why is KONNI still relevant?<\/h3>\n\n\n\n<p>As mentioned, KONNI has been around for over 8 years, more than enough time for the exploits it uses to be patched and for security software to learn to detect it. In spite of this, KONNI attacks remain a threat and have been discovered as recently as <a href=\"https:\/\/blog.lumen.com\/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs\/\">January 2022<\/a>. Analysis of recent attacks has found that the current iteration of KONNI being used in attacks has significant differences from previous ones. This is not the first time updates to KONNI have been discovered: in <a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2021\/08\/new-variant-of-konni-malware-used-in-campaign-targetting-russia\/\">August 2021<\/a>, it was found that an attack that had taken place a month prior used a newer variant of KONNI. 
KONNI is clearly an actively supported piece of software that has to be monitored. Each update it receives seeks to make it more efficient at infiltrating and harder to detect.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"improved-encryption\">Improved Encryption<\/h3>\n\n\n\n<p>For the most part, KONNI&#8217;s functionality remains unchanged. One major change is how strings in KONNI&#8217;s files are encrypted. Previous iterations protected strings with Base64 encoding using custom alphabets that were changed frequently. The strings are now AES encrypted, and the service names they hold are the keys for decryption, so analyzing the code is complicated by the need to know the service name as well. Files have also been AES encrypted.<\/p>\n\n\n\n<p>As filenames are also generated according to timestamp, the keys are different with every request, as are the contents of the requests. This may allow malicious activity to fly under the radar.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"removal-of-rundll-functionality\">Removal of RunDLL functionality<\/h3>\n\n\n\n<p>Prior versions of KONNI allowed for execution through the Windows RunDLL file. This functionality has been completely removed, and attempting to use RunDLL to run KONNI will cause an exception to be thrown. In all recent attacks, KONNI RAT was launched by creating a Windows service. The removal is thus partially to eliminate redundancy, but it also has the benefit of potentially throwing off sandbox analysis of code samples.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ramifications-of-changes\">Ramifications of Changes<\/h3>\n\n\n\n<p>These changes were not arbitrary choices; all of them were made to reduce the chances of detection. Execution that differs from what is produced in sandbox environments, stronger encryption that also covers crucial parts of the program, and dynamic requests all present a risk. 
Security software that previously detected KONNI may fail to detect the newest iteration, and even if it does not, it must be wary of the next, as KONNI shows no signs of being abandoned.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"360\" height=\"250\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2.png\" alt=\"\" class=\"wp-image-1329 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2.png 360w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2-300x208.png 300w\" data-sizes=\"(max-width: 360px) 100vw, 360px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 360px; --smush-placeholder-aspect-ratio: 360\/250;\" \/><figcaption>Malwarebytes is still able to detect the most recently identified iteration of KONNI RAT<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Anyone who keeps up to date with technology is likely very familiar with software updates. Generally speaking, updates are considered good things, delivering new features, fixing glitches, optimizing how a program runs, or closing security exploits. 
It follows of course that malicious software also receives updates, although coverage of those is more sparse, partially due &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/31\/malware-evolves\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Security is an Evolutionary Arms Race&#8221;<\/span><\/a><\/p>\n","protected":false},"author":370,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-1323","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Ammar Zaghloul","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/ammar-zaghloul\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/370"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=1323"}],"version-history":[{"count":12,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1323\/revisions"}],"predecessor-version":[{"id":1400,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1323\/revisions\/1400"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=1323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categorie
s?post=1323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=1323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}