KONNI is a Remote Access Trojan (RAT) that is strongly associated with North Korean intelligence agencies. Cybersecurity researchers were able to make the connection because, following North Korea's successful test of an intercontinental ballistic missile in 2017, there was a spike in spear phishing campaigns referencing North Korea's newly acquired capabilities. Similar KONNI campaigns took place in 2014, and they too led to the conclusion that KONNI is an espionage tool aimed at anyone interested in North Korean affairs, especially its nuclear and ballistic missile programs. While the ultimate goal of the malware is not clear, it is mostly concerned with profiling the computers of infected victims so as to identify targets for more sustained attacks. Most KONNI targets are based in the Asia Pacific region.
What Does the KONNI Trojan Do?
The KONNI malware mainly infects a computer through a malicious Word document, which reaches most of its victims as an email attachment.
While the victim is downloading and opening the file, the malware is loaded in the background, where it executes its payload. KONNI then begins its main task of reconnaissance and information gathering. It profiles an organization's network of computers, captures screenshots, steals passwords and web browsing history, and generally forages for any information it can get its hands on. The collected information is then sent to a command and control server.
The malware is able to do this by creating a directory under the current user's local settings folder with the path MFAData\event. It also drops two malicious DLL files there, one for 64-bit and another for 32-bit versions of Windows. Following this, it creates a value named RTHDVCP or RTHDVCPE under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
This registry key is used for persistence: anything registered there is started automatically after the user logs in. The DLL files that are dropped in this way have several core capabilities, which include keylogging, host enumeration, intelligence gathering, data exfiltration, and host profiling.
The collected information is then used to craft attacks that fit the victim's profile. If KONNI were to infect the computers of high-profile targets such as South Korean military systems or a financial institution, the people behind it could tailor follow-on attacks, including further espionage or ransomware.
How to Remove the KONNI Trojan
Supposing your computer has been infected, do you know what to do about the KONNI Trojan?
The simplest way to remove the KONNI Trojan is to use a reliable anti-malware solution such as Outbyte Antivirus. To use the anti-malware, you will need to run your PC in Safe Mode because, as noted earlier, KONNI uses persistence techniques, including adding itself to the autostart items.
For Windows 10 and 7 users, the following are the steps to take to get into Safe Mode with Networking.
- Open the Run utility by pressing the Windows + R keys on your keyboard.
- Type msconfig and run the command.
- Go to the Boot tab and select Safe boot and Network options.
- Restart your device.
Once your device restarts, launch the anti-malware and give it enough time to remove the malware.
If you don't have an anti-malware product, there is always the option of manually tracking down the files and folders that host the malware. To do this, open the Task Manager by pressing the Ctrl, Alt and Delete keys on your keyboard. In the Task Manager app, go to the Startup tab and look for any suspicious startup items. Right-click on them and select Open file location. Then go to that location and delete the files and folders by moving them to the Recycle Bin. The folder you should be looking for is MFAData\event.
The other thing you will need to do is repair broken registry entries and delete the ones associated with the KONNI malware. The easiest way to do this is to deploy a PC cleaner, since one of the main purposes of a PC repair tool is to repair broken registry entries.
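The persistence mechanism described earlier (the Run-key value and the MFAData\event drop folder) and the manual removal steps above can be checked from a single script. This is an added example, not code from the original article or from any vendor; it assumes the "local settings" folder is %LOCALAPPDATA% on current Windows versions and takes the value names and key path from the text. Run it as the affected user, ideally in Safe Mode so the dropped DLLs are not locked by a running process.

```powershell
# Added example: audit KONNI persistence artifacts, and remove them only with -Remove.
# Assumption: "local settings" maps to $env:LOCALAPPDATA on modern Windows.
param([switch]$Remove)

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames = @('RTHDVCP', 'RTHDVCPE')          # value names named in the article
$dropFolder = Join-Path $env:LOCALAPPDATA 'MFAData\event'
$findings   = @()

# 1. Run-key values: query each name separately so a missing value is not an error.
foreach ($name in $valueNames) {
    $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$name"; Detail = $item.$name }
    }
}

# 2. Dropped DLLs: record path and SHA-256 of every file in the drop folder for the incident log.
if (Test-Path -LiteralPath $dropFolder) {
    Get-ChildItem -LiteralPath $dropFolder -File -Recurse -Force | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $_.FullName; Detail = $hash }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No KONNI persistence artifacts found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($name in $valueNames) {
        Remove-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    }
    if (Test-Path -LiteralPath $dropFolder) {
        Remove-Item -LiteralPath $dropFolder -Recurse -Force
    }
    Write-Output 'Artifacts removed. Reboot and re-run this script to confirm nothing re-created them.'
}
```

Without -Remove the script only reports, so it can be run first to confirm the infection and keep the file hashes before anything is deleted.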
Another purpose the PC repair tool serves is to delete junk files, cookies, browsing histories, downloads, and most of the data that Trojans such as KONNI send to cybercriminals. In other words, using a PC cleaner will not only reduce the risk of re-infection but will also ensure that even if other malware did find its way onto your device, it would not have much to steal.
If you followed the instructions above, there is a high chance that you have dealt with the malware threat, and the only thing that now remains is to protect against future infections.
Keep in mind that malware such as KONNI only infects computers when victims are careless about how they handle attachments from unknown sources. If you take extra precautions and do not download every file that comes your way, you will greatly reduce the risk of infection.
Lastly, you need to keep your computer updated as often as possible. Malware such as KONNI relies on exploits that are constantly being patched by software vendors, including Microsoft.