Security researchers have uncovered a new cyber espionage campaign. Attackers belonging to a North Korean hacking group are believed to be behind a recent effort that targets high-value organizations in the Czech Republic, Poland, and other European nations.
APT37 has frequently used Konni, a remote access trojan (RAT) with built-in functionality to escalate privileges and maintain persistence on an infected system. The malware was first observed in 2014, and the North Korean APT37 group is believed to be responsible for it.
Most recently, Konni was seen targeting the Russian Ministry of Foreign Affairs in a spear-phishing campaign.
The Securonix Threat Research team tracks the attack campaign as STIFF#BIZON.
STIFF#BIZON Campaign: Overview
The attack begins with a phishing email carrying an archive attachment that contains a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk).
When the LNK file is opened, it executes code that locates a base64-encoded PowerShell script inside the DOCX file; the script establishes C2 communication and downloads two additional files, ‘weapons.doc’ and ‘wp.vbs’.
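The two traits of the lure described above, a shortcut hiding behind a document extension and a DOCX carrying a base64-encoded PowerShell script, can be checked at a mail gateway or in triage. The script below is an added defender-side example, not Securonix's code; the base64 run length, the PowerShell keyword list and the sample attachment bytes are constructed assumptions, not values from the report.

```python
import base64
import re
from typing import Iterable

# A .lnk disguised with a document extension, e.g. x.doc.lnk.lnk (assumed pattern).
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|pdf|xlsx?|pptx?)(\.lnk)+$", re.IGNORECASE)
# Long base64 runs; 40 chars is an assumed threshold to skip ordinary words.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed PowerShell markers checked in the decoded text.
PS_KEYWORDS = ("Invoke-Expression", "New-Object", "DownloadString", "FromBase64String")


def suspicious_lnk_name(name: str) -> bool:
    """True when a shortcut is dressed up as a document (double extension)."""
    return bool(DOUBLE_EXT_LNK.search(name))


def find_encoded_powershell(data: bytes) -> list[str]:
    """Decode long base64 runs in a file; return decoded fragments that look like PowerShell."""
    hits = []
    for run in B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or alphabet
            continue
        # Scripts may be stored as UTF-8 or as UTF-16LE (PowerShell's -EncodedCommand form).
        for text in (decoded.decode("utf-8", "ignore"), decoded.decode("utf-16-le", "ignore")):
            if any(k in text for k in PS_KEYWORDS):
                hits.append(text.strip()[:80])
                break
    return hits


def scan_attachments(files: Iterable[tuple[str, bytes]]) -> list[str]:
    """Apply both checks to (filename, content) pairs and return human-readable findings."""
    findings = []
    for name, data in files:
        if suspicious_lnk_name(name):
            findings.append(f"{name}: shortcut disguised as a document")
        if name.lower().endswith(".docx") and find_encoded_powershell(data):
            findings.append(f"{name}: embedded base64-encoded PowerShell")
    return findings


# Constructed sample attachments mirroring the lure's file names; the bodies are
# stand-in bytes, not the real documents.
SAMPLE_SCRIPT = b"Invoke-Expression 'Write-Host constructed-sample'"
SAMPLE_FILES = [
    ("missile.docx", b"PK\x03\x04 constructed docx stand-in " + base64.b64encode(SAMPLE_SCRIPT) + b" ..."),
    ("_weapons.doc.lnk.lnk", b"L\x00\x00\x00 constructed lnk stand-in"),
    ("notes.txt", b"nothing to see here"),
]

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_FILES):
        print(finding)
```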
The downloaded document purports to have been created by Olga Bozheva, a war correspondent in Russia.
Meanwhile, the VBS file runs silently in the background and creates a scheduled task on the host.
In the fourth stage of the attack, the attackers download additional files that support the modified Konni sample, fetching them as compressed “.cab” archives.
These include DLLs that replace Windows service libraries, such as “wpcsvc” in System32, which is used to run commands with greater user rights within the OS.