APT37, a North Korean threat group, has been targeting organizations in the Czech Republic, Poland, and other European countries. The threat actors use a Remote Access Trojan (RAT) called Konni, which can perform privilege escalation on the host. APT37’s latest campaign has been analyzed by researchers at Securonix, who have named it STIFF#BISON. The STIFF#BISON campaigns begin with a phishing email carrying a malicious attachment; the fake email is presented as a report from Olga Bozheva, a Russian war correspondent. Once the RAT is loaded, it can capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form. It can also extract the state keys stored in the browser’s Local State file, which are needed to decrypt the cookie database and are useful for MFA bypass. It can also extract saved credentials from the victims’ web browsers and launch a remote interactive shell that executes commands every ten seconds. Researchers reported that this campaign uses several tactics similar to those of APT28, otherwise known as Fancy Bear. Despite the similarities, Securonix researchers believe APT37 is simply imitating APT28. Threat groups often borrow the tactics of more sophisticated APTs to mislead analysts and investigators.
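Two of the Konni capabilities described above leave host-side traces a defender can look for: a non-browser process opening a browser’s credential stores (Chromium-family browsers keep the DPAPI-wrapped key in `Local State` and credentials and cookies in `Login Data` and `Cookies`), and a parent process launching `cmd.exe` on a near-fixed ten-second cadence. The following is an added example, not code from the Securonix or Binary Defense write-ups; the event schema, the process and file paths, and the sample telemetry are all constructed for illustration, and the browser allowlist is an assumption you would tune to your estate.

```python
"""Constructed endpoint telemetry plus two detection checks for the
behaviours described in the STIFF#BISON summary. All events are made up."""
import re
from collections import defaultdict
from datetime import datetime

# Browser executables that legitimately open their own credential stores
# (assumed allowlist; extend it for the browsers deployed in your estate).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium-family credential-store file names: the key in "Local State",
# saved passwords in "Login Data", and the cookie database "Cookies".
SENSITIVE_TAILS = re.compile(
    r"\\user data\\local state$|\\login data$|\\cookies$", re.IGNORECASE
)

# Constructed file-access events: 'image' is the process, 'target' the file opened.
FILE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Documents\report.docx"},
]

# Constructed process-creation events: 'parent' spawned 'image' at 'ts'.
PROC_EVENTS = [
    {"ts": "2024-01-01T12:00:00", "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:00:10", "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:00:21", "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:00:30", "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:00:40", "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:00:00", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T12:05:00", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]


def flag_credential_store_access(events):
    """Return the events where a non-browser process opened a browser credential store."""
    hits = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in BROWSER_IMAGES:
            continue  # the browser reading its own files is expected
        if SENSITIVE_TAILS.search(ev["target"]):
            hits.append(ev)
    return hits


def find_periodic_shell_spawns(events, period_s=10, tolerance_s=2, min_intervals=3):
    """Map each parent that spawns cmd.exe at a near-fixed cadence to the number
    of consecutive spawn intervals that matched period_s within tolerance_s."""
    spawn_times = defaultdict(list)
    for ev in events:
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if child == "cmd.exe":
            spawn_times[ev["parent"]].append(datetime.fromisoformat(ev["ts"]))
    suspicious = {}
    for parent, times in spawn_times.items():
        times.sort()
        regular = sum(
            1 for a, b in zip(times, times[1:])
            if abs((b - a).total_seconds() - period_s) <= tolerance_s
        )
        if regular >= min_intervals:
            suspicious[parent] = regular
    return suspicious


if __name__ == "__main__":
    for hit in flag_credential_store_access(FILE_EVENTS):
        print("credential store access:", hit["image"], "->", hit["target"])
    for parent, n in find_periodic_shell_spawns(PROC_EVENTS).items():
        print(f"periodic cmd.exe spawns ({n} regular intervals):", parent)
```

The first check keys on the file name rather than the full path so that profile directories other than `Default` and non-default install locations are still caught; the second tolerates a couple of seconds of jitter because scheduling delay will rarely produce exact ten-second gaps. On a real fleet, the file-access check is the higher-value one: very few legitimate non-browser processes have any reason to open `Local State` or `Login Data`, so the allowlist stays short and the rule stays quiet.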
Even the most sophisticated attacks often start with a phishing email. Educating users on how to spot phishing emails is always important; however, it is becoming increasingly difficult for users to recognize the more sophisticated lures. Email scanning can help recognize and quarantine phishing emails, and malicious URL detection can help block emails that link to malicious content. Given the escalating number of known and unknown vulnerabilities in modern computing systems, a defense-in-depth strategy that includes post-exploitation detection, such as the approaches employed by Binary Defense’s MDR and Threat Hunting services, is highly recommended.