Threat analysts have uncovered a new campaign attributed to APT37, a North Korean hacking group, targeting high-value organizations in the Czech Republic, Poland, and other European countries.
In this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host.
Konni has been associated with North Korean cyberattacks since 2014, and most recently it was seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs.
The latest and still ongoing campaign was spotted and analyzed by researchers at Securonix, who call it STIFF#BIZON. It features tactics and techniques that match the operational sophistication of an APT (advanced persistent threat).
The STIFF#BIZON campaign
The attack begins with the arrival of a phishing email with an archive attachment containing a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk).
When the LNK file is opened, code runs to find a base64-encoded PowerShell script in the DOCX file, which establishes C2 communication and downloads two additional files, ‘weapons.doc’ and ‘wp.vbs’.
The downloaded document is a decoy, supposedly a report from Olga Bozheva, a Russian war correspondent. At the same time, the VBS file runs silently in the background to create a scheduled task on the host.
At this phase of the attack, the actor has already loaded the RAT and established a data exchange link, and is capable of performing the following actions:
- Capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.
- Extract state keys stored in the Local State file for cookie database decryption, useful for MFA bypass.
- Extract saved credentials from the victim’s web browsers.
- Launch a remote interactive shell that can execute commands every 10 seconds.
In the fourth stage of the attack, as shown in the diagram below, the hackers download additional files that support the function of the modified Konni sample, fetching them as compressed “.cab” archives.
These include DLLs that replace legitimate Windows service libraries such as “wpcsvc” in System32, which is leveraged to execute commands in the OS with higher user privileges.
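The three stages described above (Explorer launching an encoded PowerShell command from the LNK, the VBS creating a scheduled task, and a DLL being dropped into System32) each leave a distinct trace in process and file telemetry. The following detection logic is an added example and not part of the Securonix report; the event format, field names, and the sample events are constructed for illustration and stand in for Sysmon-style process-creation and file-creation records.

```python
import re

# Constructed sample telemetry (not from the report). Field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": "", "cmd": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": "schtasks.exe /create /tn Update"},
    {"type": "file", "image": r"C:\Users\u\AppData\Local\Temp\drop.exe",
     "path": r"C:\Windows\System32\wpcsvc.dll"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe notes.txt"},
]

# PowerShell's encoded-command switch in any of its accepted short forms.
ENC_PS = re.compile(r"\s-(e|enc|encodedcommand)\s", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A DLL written directly into System32 (the location of the replaced service libraries).
SYSTEM32_DLL = re.compile(r"^c:\\windows\\system32\\[^\\]+\.dll$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_index) pairs for events matching a STIFF#BIZON stage."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            img, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmd"]
            # Stage 1: the opened LNK makes Explorer launch an encoded PowerShell command.
            if img == "powershell.exe" and parent == "explorer.exe" and ENC_PS.search(cmd):
                hits.append(("lnk_encoded_powershell", i))
            # Stage 2: the VBS, run by a script host, registers a scheduled task.
            if img == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
                hits.append(("vbs_scheduled_task", i))
        elif ev["type"] == "file":
            # Stage 4: a DLL lands in System32 from a process outside the Windows directory.
            if SYSTEM32_DLL.match(ev["path"]) and not ev["image"].lower().startswith("c:\\windows\\"):
                hits.append(("system32_dll_drop", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

The benign Notepad launch is left unflagged; in production the System32 rule should additionally exclude known installers and servicing processes to keep false positives down.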
Possible links to APT28
While the tactics and toolset point to APT37, Securonix underscores the possibility of APT28 (aka FancyBear) being behind the STIFF#BIZON campaign.
“There seems to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28,” concludes the report.
State-sponsored threat groups often try to mimic the TTPs of other skilled APTs to obscure their trail and mislead threat analysts, so the chances of misattribution in this case are significant.