Is APT28 behind the STIFF#BIZON attacks attributed to APT37 linked to North Korea?Security Affairs

The North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland and other countries.

Researchers from the Securonix Threat Research (STR) team have discovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in several countries, including the Czech Republic and Poland. Researchers attribute this campaign to the North Korean-linked group APT37, aka Ricochet Chollima.

The attackers used the Konni RAT (Remote Access Trojan), which was first spotted by Cisco Talos researchers in 2017 and has gone undetected since 2014 when it was used in highly targeted attacks. The RAT was able to avoid detection due to continuous evolution, it is capable of executing arbitrary code on target systems and stealing data.

The Konni RAT has been attributed to North Korea-linked threat actors being tracked like Thallium and APT37.

The attack chain begins with phishing messages that attempt to trick victims into opening a malicious attachment.

The attachment used in this campaign is an archive containing a Word document (missile.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk).

Once the LNK file is opened, the chain of infection starts.

“Code execution begins with embedding small snippets of code in the shortcut file that will execute and run with the intended binary when the user double-clicks it.” reads the analysis published by the experts. “This code runs and executes the Base64 encoded text appended to the end of the missile.docx file.”

The Base64 payload is executed with a PowerShell script that contacts the C2 to download and execute the “weapons.doc” and “wp.vbs” files.

The weapon.doc is a decoy document, while the wp.vbs runs silently in the background and creates a scheduled task on the host called “Office Update” which runs a Base64 encoded PowerShell script.

At this point, C2 communications are established again, allowing attackers to gain access to the system.

Once the Konni RAT is loaded on the infected system, hackers can implement the following functionality using specific modules:

  • Capture.net.exe – Capture screenshots using the Win32 GDI API and upload the compressed results to the C2 server.
  • chkey.net.exe – Extract the state keys stored in the local state file, encrypted using DPAPI. A state key allows attackers to decrypt cookie database decryption, useful for bypassing MFA.
  • pull.net.exe – Extract saved credentials from victim’s web browsers.
  • shell.net.exe – Establish a remote interactive shell that can execute commands every 10 seconds.

To further maintain persistence, hackers use a modified version of Konni malware, they are able to download a .cab file containing several malware-related files (bat, dll, dat, ini, dll).

Experts are also discussing the possibility of false flag operations where the Russian-bordered APT28 group could pose as APT37.

“Furthermore, there appears to be a direct correlation between IP addresses, hosting provider and hostnames between this attack and the historical data we have already seen from FancyBear/APT28[3]. Ultimately, what makes this particular case interesting is the use of Konni malware in conjunction with commercial similarities to APT28. concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, APT37)



Share on


Comments are closed.