Researchers at Securonix have detailed an ongoing campaign against several European countries in which North Korean-linked hackers (APT37) are attacking targets with the Konni RAT.

They named the campaign STIFF#BIZON and say the Konni RAT has been used to steal data and deploy further malicious payloads on high-value organizations in the targeted countries. Aside from APT37, the researchers also noted overlap with APT28, aka Fancy Bear, a Russian APT.

APT Using Konni RAT For Reconnaissance

In what is described as an ongoing attack against high-level organizations in several European countries, Securonix researchers noted that the hackers are using the Konni RAT, which has been linked to North Korean state-sponsored teams since 2014.

They named this campaign STIFF#BIZON and linked the attackers to APT37, a North Korean APT. The tactics and infrastructure used in this campaign also link it to APT28 (aka Fancy Bear), a Russian APT.

The campaign starts with a phishing email carrying an archive attachment that contains a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk). Opening the LNK file runs code that locates a base64-encoded PowerShell script inside the accompanying DOCX file, which then establishes C2 communication with the attacker.

This also lets the attackers download two additional files, 'weapons.doc' and 'wp.vbs'. While the weapons document is a simple list from Olga Bozheva, a Russian war correspondent, the VBS file runs in the background to create a scheduled task on the host.
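The lure layout described above (a shortcut with a document-style double extension beside a DOCX that carries base64-encoded PowerShell) can be checked for at the mail gateway or on an extracted archive. The following is an added detection example, not Securonix's code; the archive contents, part names and the inert PowerShell placeholder are constructed for the demonstration.

```python
import base64
import io
import re
import zipfile

# Runs of 40+ base64 characters are long enough to hold a PowerShell one-liner.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
PS_MARKERS = (b"powershell", b"invoke-expression", b"frombase64string", b"downloadstring")
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx"}

def is_double_ext_lnk(name: str) -> bool:
    """Shortcut masquerading as a document, e.g. '_weapons.doc.lnk.lnk'."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[-1] == "lnk" and any(p in DOC_EXTS for p in parts[1:-1])

def decodes_to_powershell(run: bytes) -> bool:
    """True if a base64 run decodes to ASCII or UTF-16LE text carrying PowerShell markers."""
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:
        return False
    # Check both plain bytes and the UTF-16LE view used by 'powershell -EncodedCommand'.
    views = (raw.lower(), raw.decode("utf-16-le", "ignore").encode("utf-8", "ignore").lower())
    return any(m in v for m in PS_MARKERS for v in views)

def scan_docx(data: bytes) -> list[str]:
    """Names of DOCX parts (a DOCX is a zip) holding a base64 run that decodes to PowerShell."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if any(decodes_to_powershell(m.group(0)) for m in B64_RUN.finditer(zf.read(i)))]

def scan_lure(members: dict[str, bytes]) -> list[str]:
    """Findings for an extracted archive given as {member name: bytes}."""
    findings = []
    for name, data in members.items():
        if is_double_ext_lnk(name):
            findings.append(f"{name}: LNK with document-style double extension")
        if name.lower().endswith(".docx"):
            findings += [f"{name}:{p}: base64 run decoding to PowerShell" for p in scan_docx(data)]
    return findings

def build_sample() -> dict[str, bytes]:
    """Constructed archive contents imitating the lure; the payload is an inert placeholder."""
    stub = "powershell.exe -NonInteractive -Command Invoke-Expression (placeholder)".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/media/image1.bin", b"\x89PNG " + base64.b64encode(stub) + b" trailer")
    return {"missile.docx": buf.getvalue(), "_weapons.doc.lnk.lnk": b"L\x00\x00\x00"}
```

Calling `scan_lure(build_sample())` returns one finding for the DOCX part and one for the double-extension shortcut; on real mail traffic the regex should be paired with a size threshold so that legitimate embedded images are not decoded needlessly.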

In this process, they deploy the Konni RAT to perform the following operations:

  • Capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.
  • Extract state keys stored in the Local State file to decrypt the cookie database, which can be used to bypass MFA.
  • Extract saved credentials from the victim's web browsers.
  • Launch a remote interactive shell that can execute commands every 10 seconds.

To help defenders counter this campaign, the researchers documented detection techniques and mitigation measures in their blog.
