Threat Background
Remote access trojans (RATs) have been around for a long time and are one of the most common ways attackers can gain repeated access into your computer network. RATs commonly allow the malware author to run software, steal documents and data, take screenshots, and even capture every keystroke typed on your keyboard.
KONNI has been around for a few years but keeps rearing its head as it is currently under development, making it more capable of getting repeated access into networks.
Watch Cylance go head-to-head with KONNI here:
VIDEO: Cylance vs. KONNI RAT
Why Should I Be Concerned About RATs Like KONNI?
Every organization needs to have a proactive security plan to guard their networks against RATs such as KONNI. If a system in your network has been compromised by a RAT, chances are that the attacker has already gathered private information from your network that could be leveraged against your company - whether that data is used to hold you for ransom until you pay up, or used for other nefarious purposes, such as accessing passwords to gain even further access to critical data on your systems.
KONNI has been seen to be distributed through traditional email and web phishing campaigns. While KONNI uses social engineering techniques to dupe the user into running the malware, its intelligence gathering features are running in the background to gather information about the victimized computer, logging and saving your data along the way.
While running, KONNI gathers screenshots of what the user is doing and logs keystrokes – potentially capturing usernames/passwords or other vital information that can be used in future attacks. Attacks that leverage social engineering and then gather intelligence about the victim can be devastating for companies, as they can lead to a total account takeover.
Often, these sorts of attacks are the low-hanging fruit of the security world. They’re used by the attacker(s) to gain a foothold into your systems and to get valuable data such as login credentials, which can then be used to go straight for the keys of your corporate kingdom.
KONNI is relatively new and still under development, but it is growing smarter by the day. While not a complicated piece of malware, its features are readily visible and there has been little attempt to mask the malware’s true purpose.
However, given the recent attention the malware has garnered, we expect to see new variants surface in the coming months with additional capabilities, as well as better ways of hiding.
Read our Threat Guidance team's 'Deep Dive' on KONNI here.
How Can Cylance Protect Me?
Every new capability added to KONNI means that traditional antivirus solutions have to create and deploy brand new signatures; because of the time that takes, such a solution may miss KONNI in the meantime. A new variant of known malware often gets through the gates of signature-based antivirus, which is why machine learning that can tell the ‘good’ from the ‘bad’ without the use of signatures is so critical for modern antivirus solutions.
Once artificially intelligent antivirus products like CylancePROTECT® recognize the ‘bad’ features of malware like KONNI, they learn to notice similar features in other malware and in any future variations of KONNI, blocking them before they have a chance to attack your corporate networks.
Whether KONNI is executed by another program, service or even by an unsuspecting user, CylancePROTECT’s patented pre-execution engine prevents the infection of your computer by not allowing the KONNI executable to run. Even when physically executed by a user duped by social engineering techniques, Cylance reacts in real-time and prevents the malicious file from executing.
Check out CylancePROTECT with Optics, which gives unprecedented visibility into attacks and provides simply focused root cause analysis. Contact us here for more information.