
KONNI does not play its cards according to the rules, and uses new methods to continue to attack the Russian direction

Author: Microstep Online (ThreatBook)

1 Overview

Konni is an APT group suspected of being sponsored by a specific government. It has long carried out targeted attacks against Russia, South Korea and other regions, and is adept at using trending social topics as lures for spear-phishing attacks.

The Microstep Intelligence Bureau recently observed, through its threat hunting system, targeted attacks by the KONNI group against Russia using a "COVID-19 vaccination" theme. Analysis found the following:

  • The attacker sends a decoy document package related to "vaccination appointments" to the target, bundled with a Trojan module; judging by the content of the decoy files, the targets are related groups in Russia;
  • The Trojan is loaded by DLL hijacking from a bundled installation package program and a bundled PDF reader; the malicious modules subsequently loaded and executed are highly consistent with samples used in the group's previous attack campaigns;
  • Unlike the group's previous attacks, the attackers did not use macro documents in this campaign, but packaged the Trojan module together with legitimate programs to carry out DLL hijacking;
  • Through correlation analysis of the related samples, IP addresses and domain names, Microstep Online extracted 8 related IOCs for threat intelligence detection. Microstep Online's threat awareness platform TDP, local threat intelligence management platform TIP, threat intelligence cloud API, Internet security access service OneDNS and host threat detection and response platform OneEDR all support detection of this attack and this group.

2 Details

The attacker sends a decoy document package themed "vaccination appointment" to the target; the package contains a Trojan module. The documents are written in Russian, and some of the decoy documents are shown in the screenshot below.


Figure[1] Screenshot of part of the decoy document

List of relevant bait files:

| File name | Document description |
| --- | --- |
| 20_10_2021_01_6101_21____________________________.pdf | Vaccine-related instructions, PDF, non-malicious |
| 0001202110250033.pdf | |
| BMP-13.pdf | |
| MR for vaccination.docx | Vaccination MR, .pdf, non-malicious |
| disclosure of the processing of personal data.pdf | Consent to the processing of personal data, .pdf, non-malicious |
| PROGRAM FOR REGISTERING VACCINATED IN THE FEDERAL REGISTER OF VACCINATED.EXE | Program for registering vaccinated persons in the federal vaccination registry, .exe (Trojan) |
| Urnal about re-vaccinated against COVID abroad.docx | Journal about re-vaccination against COVID abroad, .docx, non-malicious |
| Urnal about COVID vaccinated overseas.docx | |
| MEGAVIEW. EXE | PDF reader (Trojan) |

The attacker builds an SFX self-extracting executable that repackages a legitimate program together with the Trojan DLL module; when the legitimate program runs, it loads the Trojan through DLL hijacking.


Figure[2] The display screen after the installation package is executed

In addition, the same method was used to bundle the Foxit PDF reader with a malicious module that is executed in the same way.


Figure[3] The display interface after the PDF reader is executed

3 Sample analysis

3.1 Malicious installation package sample disguised as a vaccination registration program

The sample is a self-extracting executable containing the program buchgal.exe and the Trojan module buchgal.dll.


Figure[4] SFX self-extracting executable disguised as an installation package

buchgal.exe appears to be a legitimate installation package program.


Figure[5] Normal installation package procedure

buchgal.dll is the Trojan file loaded via DLL hijacking. After execution it checks the architecture of the target host and then downloads the payload matching that architecture.


Figure[6] Examine the target host system architecture

After the architecture check, the malicious payload is downloaded from the server using WinInet functions and, once the download succeeds, saved as a temporary file. The payload could not be downloaded from the server at the time of analysis.

URL: victory-2020.atwebpages.com/index.php?user_id=45678&type={0 or 1 for x86 or x64}


Figure[7] Downloading a malicious payload from a server

The Trojan then creates a temp.bat file in the Temp directory, writes Base64-decoded content into it and executes it. The batch file loops until the file a.log exists (meaning the expand command described below has completed), then deletes a.log, runs install.bat, and finally deletes itself.

    @echo off
    cd /d %TEMP%
    :WAITING
    rem poll once per second until the expand step has written a.log
    timeout /t 1
    if not exist "a.log" (goto WAITING)
    del /f /q "a.log"
    rem run the extracted next-stage script, then remove this batch file
    install.bat
    del /f /q "%~dpnx0"


Figure[8] temp.bat is generated and executed

Finally, the Trojan calls the expand command to extract the downloaded package, deletes the package, and writes "echo OK" to the a.log file; the extracted contents are then executed by the batch file above.


Figure[9] Invoking the expand command to extract the downloaded package
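The staging chain described in section 3.1 (expand.exe extracting a package from the Temp directory, then a polling batch file that waits for a.log, runs install.bat and deletes itself) is a useful detection pattern. The following is an added example, not code from the report or from the group's tooling; it runs simple checks over constructed process-creation records and a constructed batch file body, and the field names in the records are assumptions.

```python
import re

# Constructed sample telemetry (not from the report): process-creation records
# and a batch body dropped in %TEMP%, modelled on the temp.bat/expand.exe chain of section 3.1.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Users\u\AppData\Local\Temp\pkg.cab -F:* C:\Users\u\AppData\Local\Temp"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\u\AppData\Local\Temp\temp.bat"},
    {"image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\drivers\pack.cab -F:* C:\drivers"},  # benign admin use
]
SAMPLE_BAT = """@echo off
cd /d %TEMP%
:WAITING
timeout /t 1
if not exist "a.log" (goto WAITING)
del /f /q "a.log"
install.bat
del /f /q "%~dpnx0"
"""

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%", re.IGNORECASE)
# One regex per behaviour of the dropped batch file; an alert requires several together.
BAT_MARKERS = {
    "wait_loop": re.compile(r'if not exist\s+"?[\w.]+"?\s*\(?\s*goto', re.I),
    "timeout": re.compile(r"^\s*timeout\s+/t\s+\d+", re.I | re.M),
    "self_delete": re.compile(r'del\s+(/\w\s+)*"?%~dpnx0"?', re.I),
    "next_stage": re.compile(r"^\s*install\.bat\s*$", re.I | re.M),
}

def suspicious_expand(event):
    """expand.exe reading a package out of the user's Temp directory."""
    return event["image"].lower().endswith("expand.exe") and bool(TEMP_DIR.search(event["cmdline"]))

def bat_from_temp(event):
    """cmd.exe launched on a .bat that lives in the Temp directory."""
    return event["image"].lower().endswith("cmd.exe") and bool(
        re.search(r"Temp\\[\w.-]+\.bat", event["cmdline"], re.I))

def score_batch(content):
    """Names of the staging-loop markers present in a batch file body."""
    return [name for name, rx in BAT_MARKERS.items() if rx.search(content)]

def triage(events, bat_content):
    hits = [e["cmdline"] for e in events if suspicious_expand(e) or bat_from_temp(e)]
    markers = score_batch(bat_content)
    return {"process_hits": hits, "bat_markers": markers,
            "alert": bool(hits) and len(markers) >= 3}
```

Requiring at least three batch markers plus a matching process event keeps a lone expand.exe run by an administrator from raising an alert.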

3.2 Sample disguised as a PDF reader

Similar to the sample above, the attacker delivers what appears to be a PDF reader to the target. It is actually an SFX self-extracting executable containing the reader program foxit.exe and the Trojan module foxit.dll.


Figure[10] SFX self-extracting executable disguised as a PDF reader

The same DLL hijacking method is used to load the Trojan foxit.dll; foxit.exe itself is a legitimate Foxit module.


Figure[11] Bundled normal PDF reader program

The Trojan module's flow is essentially the same as in the sample above: it also downloads the next-stage malicious payload from a server and executes it.

URL: online-manual.c1.biz/index.php?user_id=765&type=%d


Figure[12] A malicious payload is downloaded from the server and the expand command is invoked to extract it

4 Correlation analysis

The Konni APT group has long carried out targeted attacks against Russian agencies. In past campaigns it has frequently used macro-laden decoy documents; in this campaign the group instead relies on DLL hijacking, delivering the Trojan alongside decoy documents.

Similar to previous attacks, the Trojan still downloads the compressed package file from the server and decompresses it using the expand command to execute subsequent malicious payloads.


Figure[13] The expand command used in previous attack activities


Figure[14] The expand command used in this attack campaign

The same URL format is also used: the attacker appears to use the user_id parameter to number the target, and the type parameter to download the Trojan version matching the target's operating system.


Figure[15] URL format used in previous attack campaigns


Figure[16] The URL format used in this attack campaign
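The URL shape shared across campaigns (index.php?user_id=<number>&type=<0|1>, with type 0 for x86 and 1 for x64 as noted in section 3.1) can be hunted for in proxy logs. The following is an added example, not code from the report; the log lines are constructed, their layout is an assumption, and only the two hostnames come from the report.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the report), in an assumed
# "<timestamp> <client> <method> <url> <status>" layout. The two C2 hostnames
# are the ones quoted in sections 3.1 and 3.2; the rest is filler traffic.
SAMPLE_LOG = """\
2021-10-26T09:14:02Z 10.0.0.15 GET http://victory-2020.atwebpages.com/index.php?user_id=45678&type=1 200
2021-10-26T09:15:10Z 10.0.0.15 GET http://example.org/index.php?page=2 200
2021-10-26T09:20:33Z 10.0.0.22 GET http://online-manual.c1.biz/index.php?user_id=765&type=0 200
2021-10-26T09:21:00Z 10.0.0.22 GET http://shop.example.net/index.php?user_id=9&type=digital 200
"""

KNOWN_C2 = {"victory-2020.atwebpages.com", "online-manual.c1.biz"}
# type=0 selects the x86 payload and type=1 the x64 payload (section 3.1).
ARCH = {"0": "x86", "1": "x64"}

def parse_line(line):
    """Split a constructed log line into timestamp, client and URL."""
    ts, client, _method, url, _status = line.split()
    return {"ts": ts, "client": client, "url": url}

def match_konni_url(url):
    """Return details if the URL has the index.php?user_id=<n>&type=<0|1> shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    q = parse_qs(parts.query)
    uid, typ = q.get("user_id", [""])[0], q.get("type", [""])[0]
    if not uid.isdigit() or typ not in ARCH:
        return None
    return {"host": parts.hostname, "user_id": int(uid), "arch": ARCH[typ],
            "known_c2": parts.hostname in KNOWN_C2}

def hunt(log_text):
    """Scan log text and return one record per line matching the download URL shape."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = match_konni_url(rec["url"])
        if m:
            hits.append({**rec, **m})
    return hits
```

A hit on an unknown host with the same parameter shape is worth a second look even when the domain is not yet on an IOC list, since the report shows the format persisting across campaigns.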

5 Conclusion

In past campaigns the group frequently used macro-laden decoy documents for spear-phishing. In this campaign the attackers no longer use macro documents; instead they bundle the Trojan with legitimate programs to carry out DLL hijacking attacks. The Microstep Intelligence Bureau will continue to track related attack activity, discover security threats promptly and respond quickly.
