APT37, a North Korean threat group, has been targeting organizations in the Czech Republic, Poland, and other European countries. The threat actors use a Remote Access Trojan (RAT) called Konni, which can perform privilege escalation on the host. APT37's latest campaign has been analyzed by researchers at Securonix, who have named it STIFF#BISON.

The STIFF#BISON campaigns begin with a phishing email carrying a malicious attachment. The fake email is presented as a report from Olga Bozheva, a Russian war correspondent. Once the RAT is loaded, it can capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form. It can also extract the state keys stored in the browser's Local State file, which are needed to decrypt the cookie database and are useful for bypassing MFA. In addition, it can extract saved credentials from the victim's web browsers and launch a remote interactive shell that polls for and executes commands every ten seconds.

Researchers reported that this campaign uses several tactics similar to those of APT28, otherwise known as Fancy Bear. Despite the overlap, Securonix researchers believe APT37 is simply imitating APT28. Threat groups often mimic the tactics of more sophisticated APTs to mislead analysts and investigators.
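Two of the behaviours the brief attributes to Konni are observable from endpoint telemetry: a non-browser process reading the Chromium `Local State` key file or cookie/login databases, and a command channel that checks in on a fixed ten-second cadence. The following detection logic is an added example (not code from the Securonix report or from the campaign itself); the process names, file paths, destinations and timestamps are constructed sample data, not indicators from STIFF#BISON, and the event schema is a simplified stand-in for EDR or Sysmon output.

```python
"""Added example: two lightweight detections for behaviours described in the
brief, run over constructed telemetry. Not from the Securonix report; all
process names, paths, addresses and timestamps below are constructed."""
import statistics
from collections import defaultdict

# Constructed file-access events (simplified EDR/Sysmon-style records).
SAMPLE_EVENTS = [
    # The browser reading its own key store: expected, benign.
    {"type": "file_read", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    # A non-browser process reading the key store: matches the Konni behaviour.
    {"type": "file_read", "process": "svchost_update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "file_read", "process": "svchost_update.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
]

# Constructed outbound connections: (process, destination, unix timestamp).
SAMPLE_CONNECTIONS = [
    ("svchost_update.exe", "198.51.100.7:443", t)          # exact 10 s cadence
    for t in range(1700000000, 1700000060, 10)
] + [
    ("outlook.exe", "203.0.113.5:443", t)                   # irregular, benign
    for t in (1700000003, 1700000041, 1700000097, 1700000120)
]

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Files holding the DPAPI-protected key (Local State) and the stores it decrypts.
CREDENTIAL_STORE_SUFFIXES = ("\\local state", "\\login data", "\\cookies")


def flag_credential_store_access(events):
    """Return (process, path) pairs where a process that is not a browser reads
    a Chromium credential/cookie store or the Local State key file."""
    hits = []
    for ev in events:
        if ev["type"] != "file_read":
            continue
        path = ev["path"].lower()
        if (path.endswith(CREDENTIAL_STORE_SUFFIXES)
                and ev["process"].lower() not in BROWSER_PROCESSES):
            hits.append((ev["process"], ev["path"]))
    return hits


def flag_periodic_beacons(connections, expected_interval=10,
                          max_jitter=1.0, min_samples=4):
    """Return (process, destination, mean_gap) for connection series whose
    inter-arrival times cluster tightly around expected_interval seconds,
    i.e. a fixed-cadence check-in like the ten-second shell polling loop."""
    series = defaultdict(list)
    for proc, dst, ts in connections:
        series[(proc, dst)].append(ts)
    results = []
    for (proc, dst), times in series.items():
        times.sort()
        if len(times) < min_samples:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        spread = statistics.pstdev(gaps)
        if abs(mean_gap - expected_interval) <= max_jitter and spread <= max_jitter:
            results.append((proc, dst, mean_gap))
    return results


if __name__ == "__main__":
    for proc, path in flag_credential_store_access(SAMPLE_EVENTS):
        print(f"[credential store] {proc} read {path}")
    for proc, dst, gap in flag_periodic_beacons(SAMPLE_CONNECTIONS):
        print(f"[beacon] {proc} -> {dst} every ~{gap:.1f}s")
```

The file-access rule deliberately allow-lists only browser binaries; in a real deployment the list should be tightened to signed images at their expected install paths, since a renamed binary would otherwise evade it. The beacon rule is equally simple on purpose: tune `max_jitter` and `min_samples` to the environment, and treat a hit as a lead to pivot on (parent process, image path, network destination) rather than a verdict.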