Researchers have disclosed details of a new attack campaign, tracked as STIFF#BIZON, that targets high-value organizations in multiple countries, including Poland and the Czech Republic.
The STIFF#BIZON attacks
The researchers linked the campaign with the North Korea-linked APT37 group (aka Ricochet Chollima). The attackers are using Konni RAT in this campaign.
The attack begins with phishing messages that try to fool targeted victims into opening a malicious attachment.
The attachment is an archive with a Word document (missile[.]docx) and a shortcut file (_weapons[.]doc[.]lnk[.]lnk).
The document is a decoy and seems to be a report from a Russian war correspondent, Olga Bozheva.
Subsequently, a VBS file (wp.vbs) silently runs in the background to create a scheduled task on the host.
To maintain persistence, the attackers used a modified version of Konni that downloads a .cab file containing multiple files associated with the malware (e.g., .dll, .dat, .bat, .ini).
Use of multiple modules
Once Konni RAT is loaded, the attackers carry out its different capabilities through dedicated modules:
Capture[.]net[.]exe captures screenshots using the Win32 GDI API and uploads the gzipped results to the C2 server.
Chkey[.]net[.]exe extracts the state keys saved in the browser's Local State file, which are encrypted using DPAPI.
Pull[.]net[.]exe extracts stored credentials from the web browsers on the targeted victim's systems.
Shell[.]net[.]exe establishes a remote interactive shell that executes commands at intervals of 10 seconds.
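The lure, the stager and the module set described above give a defender a small, concrete indicator set to hunt for. The following Python triage helper is an added example for this article, not code from the researchers, from Konni, or from any vendor: it checks an archive listing for the decoy-plus-shortcut pattern (a .lnk hiding behind a document extension) and scans process-creation records for the script-to-schtasks chain, .cab unpacking and the named module executables. File and module names come from the write-up; the sample archive listing and process events are constructed here, and the use of expand.exe/extrac32.exe as the .cab unpacker is an assumption the article does not state.

```python
"""Triage helper flagging the STIFF#BIZON indicators named in the write-up.

Added example for this article; not the researchers' or Konni's code.
Sample inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicator names taken from the write-up (undefanged so they match raw logs).
DECOY_ARCHIVE_MEMBERS = {"missile.docx", "_weapons.doc.lnk.lnk"}
STAGER_SCRIPT = "wp.vbs"
KONNI_MODULES = {
    "capture.net.exe": "screenshot capture via GDI, gzipped upload to C2",
    "chkey.net.exe": "DPAPI-protected Local State key extraction",
    "pull.net.exe": "browser credential theft",
    "shell.net.exe": "remote interactive shell polling every 10 seconds",
}

# A shortcut file hiding behind a document extension, e.g. "x.doc.lnk.lnk".
MASQUERADING_LNK = re.compile(r"\.(docx?|pdf|xlsx?)(\.lnk)+$", re.IGNORECASE)

# Assumption: the article does not say which tool unpacks the .cab; these are
# the built-in Windows extractors a hunt would typically watch.
CAB_EXTRACTORS = {"expand.exe", "extrac32.exe"}


@dataclass
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    """Return the last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def triage_archive(members):
    """Flag archive members matching the decoy-plus-shortcut lure pattern."""
    findings = []
    for name in members:
        base = _basename(name)
        if MASQUERADING_LNK.search(base):
            findings.append(Finding("lnk_double_extension", base))
        if base.lower() in DECOY_ARCHIVE_MEMBERS:
            findings.append(Finding("known_stiffbizon_lure_file", base))
    return findings


def triage_process_events(events):
    """events: iterable of dicts with 'parent', 'image' and 'cmdline' keys."""
    findings = []
    for ev in events:
        image = _basename(ev["image"]).lower()
        parent = _basename(ev["parent"]).lower()
        cmd = ev["cmdline"].lower()
        # Script host spawning schtasks: the persistence step in the chain.
        if parent in {"wscript.exe", "cscript.exe"} and image == "schtasks.exe":
            findings.append(Finding("script_creates_scheduled_task", ev["cmdline"]))
        if STAGER_SCRIPT in cmd:
            findings.append(Finding("known_stager_script", ev["cmdline"]))
        if image in CAB_EXTRACTORS and ".cab" in cmd:
            findings.append(Finding("cab_extraction", ev["cmdline"]))
        if image in KONNI_MODULES:
            findings.append(Finding("konni_module:" + image, KONNI_MODULES[image]))
    return findings


def rule_names(findings):
    """Sorted, de-duplicated rule names, handy for summaries and assertions."""
    return sorted({f.rule for f in findings})


# Constructed sample data: one lure archive and four process-creation events.
SAMPLE_ARCHIVE = ["missile.docx", "_weapons.doc.lnk.lnk"]
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\wp.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn PLACEHOLDER_TASK /sc minute /mo 10 /tr "C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r'expand.exe C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.cab -F:* C:\Users\victim\AppData\Local\Temp'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\capture.net.exe",
     "cmdline": "capture.net.exe"},
]

if __name__ == "__main__":
    for f in triage_archive(SAMPLE_ARCHIVE) + triage_process_events(SAMPLE_EVENTS):
        print(f"{f.rule:35} {f.evidence}")
```

The archive check is the cheapest control to put at the mail gateway: a member whose name ends in `.doc.lnk.lnk` has no benign reason to exist, so the double-extension rule catches the lure even when the specific file names change. The process rules are ordered from generic (script host creating a scheduled task) to specific (module names), so the generic ones keep firing after the attackers rename their tools.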
Connection With APT27
Researchers have identified overlaps in IP addresses, hostnames, and hosting providers between this attack and APT28. However, this could also be a false flag: what if members of APT37 masqueraded as APT27?
Even though the tactics and tools point to APT37, there is a possibility that APT28 is behind the STIFF#BIZON campaign. Whatever the case, organizations are advised to follow the recommendations of security firms, such as not opening attachments sent from unknown sources.