Researchers at Securonix detailed an ongoing campaign against several European countries, where North Korean-linked hackers (APT37) are cyber attacking with Konni RAT.
They named the campaign STIFF#BIZON and say the Konni RAT has been used for stealing data, deploying malicious payloads, etc., from high-value organizations in the targeted countries. Aside from APT37, researchers also attributed this campaign to APT28, aka Fancy Bear, a Russian APT.
APT Using Konni RAT For Reconnaissance
In what is named an ongoing attack against high-level organizations in several European countries, Securonix researchers noted that hackers are using Konni RAT – which has been linked to North Korean state-sponsored teams since 2014.
They termed this campaign as STIFF#BIZON and linked the attackers to APT37, a North Korean APT. But also, the tactics and infrastructure used in this campaign make them linked to APT28 (aka Fancy Bear) too, a Russian APT.
This campaign starts with a phishing email, having an archive attachment of a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk). Opening the Ink file will run a code to find a base64-encoded PowerShell script in the DOCX file that came along, to establish C2 communication with the hacker.
This will also help them download two additional files, ‘weapons.doc’ and ‘wp.vbs’. While the weapons doc is a simple list from Olga Bozheva, a Russian war correspondent, the VBS file runs in the background to create a scheduled task on the host.
In this process, they bring Konni RAT to perform the below operations;
- Capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.
- Extract state keys stored in the Local State file for cookie database decryption, useful in MFA bypassing.
- Extract saved credentials from the victim’s web browsers.
- Launch a remote interactive shell that can execute commands every 10 seconds.
To avoid this, researchers noted the detection techniques and mitigation measures in their blog.