Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37?

North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries.

Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including Czech Republic, and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka Ricochet Chollima.

The attackers employed the Konni RAT (remote access trojan), which was first spotted by Cisco Talos researchers in 2017 and has been undetected since 2014 while being employed in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is able of executing arbitrary code on the target systems and stealing data.

The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.

The attack chain starts with phishing messages that attempt to trick victims into opening a malicious attachment.

The attachment used in this campaign is an archive containing a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk).

Once opened the LNK file, the infection chain starts.

“The code execution begins by embedding small snippets of code into the shortcut file which will run and execute along with the intended binary when the user double clicks on it.” reads the analysis published by the experts. “This code runs and executes Base64 encoded text appended to the end of the missile.docx file.”

The Base64 payload is executed along with a PowerShell scriptes that contacts the C2 to downloads and executes both “weapons.doc” and “wp.vbs” files.

The weapons.doc is a decoy document, while the wp.vbs silently runs in the background and creates a scheduled task on the host called “Office Update” that executes a PowerShell script encoded in Base64.

At this point, C2 communications are once again established allowing the attackers to access the system.

Once the Konni RAT is loaded on the infected system, threat actors can impelemts the following capabilities using specific modules:

• Capture.net.exe – Capture screenshots using the Win32 GDI API and upload the gzipped results to the C2 server.
• chkey.net.exe – Extract state keys stored in the Local State file, encrypted using DPAPI. A State key allows attackers to decrypt cookie database decryption, useful in MFA bypassing.
• pull.net.exe – Extract saved credentials from the victim’s web browsers.
• shell.net.exe – Establish a remote interactive shell that can run commands every 10 seconds.

To further maintain persistence, threat actors use a modified version of the Konni malware, they are able to download a .cab file containing several files related to the malware (bat, dll, dat, ini, dll).

The experts also discuss the possibility of false flag operations where the Russia-lined APT28 group may be masquerading as APT37.

“Additionally, there seems to be a direct correlation between IP addresses, hosting provider and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28^[3]. In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT37)

[adrotate banner=”5″]

[adrotate banner=”13″]