Hackers from North Korea use Konni RAT malware to attack targets in the EU

Threat researchers have discovered a fresh campaign that is being carried out by the North Korean hacking group APT37 and is aimed at high-value organizations in the Czech Republic, Poland, and other nations in Europe.

A remote access trojan (RAT) known as Konni, which can establish persistence and perform host privilege escalation, is the malware the hackers are using in this campaign.

Konni has been linked to North Korean cyberattacks since 2014, and most recently it was used in a spear-phishing attempt against the Russian Ministry of Foreign Affairs.

Researchers at Securonix have been tracking and analyzing the most recent, still-active campaign, which they have dubbed STIFF#BIZON. Its tactics and methodology match the operational sophistication of an APT (advanced persistent threat).

The STIFF#BIZON campaign

The attack starts with a phishing email carrying an archive attachment that contains a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk).

When the LNK file is opened, its code extracts a base64-encoded PowerShell script from the DOCX file; the script establishes a C2 connection and downloads two additional files, weapons.doc and wp.vbs.

The downloaded document is a decoy that appears to be a report by Russian combat correspondent Olga Bozheva. Meanwhile, the VBS file runs silently in the background and creates a scheduled task on the host.
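The delivery chain described above leaves characteristic traces in process-creation telemetry: a double-extension shortcut being opened, PowerShell launched from a user context with a base64-encoded command, and a script host creating a scheduled task. The following is an added detection example, not code from Securonix or the report; the log records are constructed for illustration and the rule names and field layout are assumptions.

```python
import re

# Constructed process-creation records (not from the report), shaped like the
# parent image / image / command line fields of a Sysmon Event ID 1 entry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 10 /tn Update /tr C:\Users\u\AppData\wp.vbs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\missile.docx"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c start "" "C:\Users\u\Downloads\_weapons.doc.lnk.lnk"'},
]

# PowerShell's encoded-command switch followed by a base64 blob of meaningful length.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# A document-looking name that really ends in .lnk (e.g. _weapons.doc.lnk.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pdf|lnk)\.lnk\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_PARENTS = ("explorer.exe", "winword.exe")


def classify(event: dict) -> list[str]:
    """Return the names of every detection rule the event matches."""
    hits = []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmd"]
    if image == "powershell.exe" and parent in USER_PARENTS and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell_from_user_context")
    if DOUBLE_EXT_LNK.search(cmd):
        hits.append("double_extension_lnk")
    if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
        hits.append("script_host_creates_scheduled_task")
    return hits


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each suspicious command line with the rules it triggered."""
    return [(e["cmd"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_EVENTS):
        print(", ".join(rules), "<-", cmd)
```

Run on the constructed records, three of the four events are flagged; the plain Word launch of missile.docx triggers nothing, which is the expected negative case.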

At this point in the attack the attacker has already loaded the RAT and established a data exchange channel, which enables the following operations:

Use the Win32 GDI API to take screenshots, then export them in GZIP format.

Extract state keys from the Local State file to decrypt cookie databases, which can be used to bypass MFA.

Get the victim’s saved login information from their web browsers.

Start a remote interactive shell that executes commands at 10-second intervals.

In the fourth stage of the attack, as depicted in the diagram below, the hackers download additional files that support the modified Konni sample, retrieving them as compressed “.cab” archives.

These include DLLs that replace legitimate Windows service libraries, such as “wpcsvc” in System32, which is used to run commands with elevated privileges within the OS.

Possible links to APT28

Although the methods and toolkit point to APT37, Securonix stresses that APT28 (also known as FancyBear) may well be behind the STIFF#BIZON campaign instead.

According to the report’s conclusion, “There appears to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we have previously seen from FancyBear/APT28.”

The likelihood of misattribution in this instance is high since state-sponsored threat groups sometimes try to imitate the TTPs of other expert APTs to hide their tracks and trick threat analysts.