Cyber Security

North Korean hackers attack EU targets with Konni RAT malware

Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries.

In this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host.

Konni has been associated with North Korean cyberattacks since 2014, and most recently, it was seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs.

The latest and still ongoing campaign was observed and analyzed by researchers at Securonix, who call it STIFF#BIZON, and resembles tactics and methods that match the operational sophistication of an APT (advanced persistent threat).

The STIFF#BIZON campaign

The attack begins with the arrival of a phishing email with an archive attachment containing a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk).

When the LNK file is opened, code runs to find a base64-encoded PowerShell script in the DOCX file to establish C2 communication and download two additional files, ‘weapons.doc’ and ‘wp.vbs’.

 

Properties of the malicious shortcut file

The downloaded document is a decoy, supposedly a report from Olga Bozheva, a Russian war correspondent. At the same time, the VBS file runs silently in the background to create a scheduled task on the host.

Base64-encoded PowerShell adds scheduled task (Securonix)

At this phase of the attack, the actor has already loaded the RAT and established a data exchange link, and is capable of performing the following actions:

  • Capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.
  • Extract state keys stored in the Local State file for cookie database decryption, useful in MFA bypassing.
  • Extract saved credentials from the victim’s web browsers.
  • Launch a remote interactive shell that can execute commands every 10 seconds.

In the fourth stage of the attack, as shown in the diagram below, the hackers download additional files that support the function of the modified Konni sample, fetching them as compressed “.cab” archives.

Infection chain diagram (Securonix)

These include DLLs that replace legitimate Windows service libraries like the “wpcsvc” in System32, which is leveraged for executing commands in the OS with higher user privileges.

Possible links to APT28

While the tactics and toolset point to APT37, Securonix underscores the possibility of APT28 (aka FancyBear) being behind the STIFF#BIZON campaign.

“There seems to be a direct correlation between IP addresses, hosting provider, and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28,” concludes the report.

State-sponsored threat groups often attempt to mimic the TTPs of other skillful APTs to obscure their trace and mislead threat analysts, so the chances of misattribution, in this case, are significant.

Source: https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/

Click to comment

You May Also Like

Cyber Security

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe...

Cyber Security

The Cyber Safety Review Board will assess how a hacking group reportedly linked to China leveraged a vulnerability in Microsoft Exchange Online to access...

Cyber Security

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The...

Business News

The nuclear-powered submarine USS Michigan approaches a naval base in Busan, South Korea, Friday, June 16, 2023. The United States deployed the nuclear-powered submarine...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO

Exit mobile version