STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Last Updated: July 20, 2022
Introduction
The Securonix Threat Research (STR) team has been observing and investigating a new attack campaign targeting high-value targets in the Czech Republic, Poland, and other countries. STR tracks this campaign as STIFF#BIZON.
Several of the artifacts and tradecraft observed by the Threat Research team during this ongoing campaign are known to be associated with Konni malicious activity, which has been attributed to North Korea's APT37 (see details below).
Background
Konni malware is classified as a RAT (remote access trojan) that has been heavily used by APT37; it contains built-in functions to elevate privileges and maintain persistence on the affected host. The malware was first discovered in 2014 and has been attributed to the North Korean APT37 group [3].
STIFF#BIZON – Attack Chain: High Level Overview
The initial infiltration part of the attack chain is relatively …
IoC
07b10c5a772f6f3136eb58a7034bcb5ce71c0c740aaa528d3bae318d939b2242
12df9753abd867118ce97e6570c2bde780c7913ecab4b91ef7f540c4fede2772
185.176.43.106
31a9801e5e2e5fd7f66f23bc8456069b6a958e03838e431ccf7d84867f88c840
35d38eed9168c16d2dd595fa9542a411080d12de971ea3d3c12dd5c44e454049
44566d506e0348c999a66ee5158b0014a74bdd3f038e40ca76e5b069b8991f85
5d28072d76bd6af944fcec8045cbc24410a58fe70eef6f83c50934245ec92e60
5f3483823342318c4154bbef806cec2187a0360f079237a456603896ff7f5473
5fce9f27326549cc6091ba1f806e7c161878a2642411a941ba484b0c1c7adb8f
6f325fb0a7de6f05490f1eb3c0e5826a44a11ed2dee4c17f486b8200f539d49e
9c82477eac14abfb7f507806a941e4e5633dd07c4b73a44b10296ec28e3df162
9f27430ed919e74c81b0487542fe29a65a0b860a6a290e3b032f3a5ba7c691bc
b6987a717741329d5b64f769c9d3f1f572b42c7375dd841aecbf2b6d4096d6de
b9727fb553894d857900c0a18f82723659d136329ef56bbe9388905a666f1197
dee7826f5b7f0cbc97a81de8f6844a011cc836269bc5d00a0594dfec5386613c
http://185.176.43.106
http://547857.c1.biz/dn.php?name=
http://547857.c1.biz
http://65487.c1.biz
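A practitioner who wants to sweep an estate for the indicators above needs two checks: file hashes against the SHA-256 list, and web-proxy or DNS telemetry against the C2 IP and the two c1.biz hosts. The script below is an added example and is not Securonix's own detection content or a Securonix query; the indicator values are copied from the IoC list on this page, while the log line format (timestamp, client IP, method, URL/destination, status) and the sample lines are constructed for the example.

```python
"""IoC sweep for the STIFF#BIZON indicators listed on this page.

Added example, not part of the original post. Two checks:
  1. sweep_files():  SHA-256 every file under a directory, report list hits;
  2. sweep_logs():   match proxy-style log lines on the C2 hosts/IP.
Log format and SAMPLE_LOG below are constructed for the example.
"""
import hashlib
import os
import re
from urllib.parse import urlsplit

# File hashes copied from the IoC section above.
FILE_HASHES = {
    "07b10c5a772f6f3136eb58a7034bcb5ce71c0c740aaa528d3bae318d939b2242",
    "12df9753abd867118ce97e6570c2bde780c7913ecab4b91ef7f540c4fede2772",
    "31a9801e5e2e5fd7f66f23bc8456069b6a958e03838e431ccf7d84867f88c840",
    "35d38eed9168c16d2dd595fa9542a411080d12de971ea3d3c12dd5c44e454049",
    "44566d506e0348c999a66ee5158b0014a74bdd3f038e40ca76e5b069b8991f85",
    "5d28072d76bd6af944fcec8045cbc24410a58fe70eef6f83c50934245ec92e60",
    "5f3483823342318c4154bbef806cec2187a0360f079237a456603896ff7f5473",
    "5fce9f27326549cc6091ba1f806e7c161878a2642411a941ba484b0c1c7adb8f",
    "6f325fb0a7de6f05490f1eb3c0e5826a44a11ed2dee4c17f486b8200f539d49e",
    "9c82477eac14abfb7f507806a941e4e5633dd07c4b73a44b10296ec28e3df162",
    "9f27430ed919e74c81b0487542fe29a65a0b860a6a290e3b032f3a5ba7c691bc",
    "b6987a717741329d5b64f769c9d3f1f572b42c7375dd841aecbf2b6d4096d6de",
    "b9727fb553894d857900c0a18f82723659d136329ef56bbe9388905a666f1197",
    "dee7826f5b7f0cbc97a81de8f6844a011cc836269bc5d00a0594dfec5386613c",
}

# Hosts extracted from the network IoCs above (the IP and the two c1.biz
# names). Matching on host rather than on the full URL string means the
# download endpoint http://547857.c1.biz/dn.php?name=<anything> is caught
# whatever file name follows, and any other path on those hosts too.
C2_HOSTS = {"185.176.43.106", "547857.c1.biz", "65487.c1.biz"}

# Constructed sample proxy log: <ts> <client> <method> <url-or-dest> <status>
SAMPLE_LOG = [
    "2022-07-18T09:12:03Z 10.0.4.21 GET http://547857.c1.biz/dn.php?name=wp.dat 200",
    "2022-07-18T09:12:09Z 10.0.4.21 GET https://example.org/index.html 200",
    "2022-07-18T09:13:40Z 10.0.4.33 CONNECT 185.176.43.106:443 200",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=FILE_HASHES):
    """Walk `root`; return [(path, sha256)] for files whose hash is on the list."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable / vanished file: skip, don't abort
                continue
            if digest in hashes:
                hits.append((path, digest))
    return hits


def match_network(line, hosts=C2_HOSTS):
    """Return the matched C2 host for one log line, or None.

    First any URL in the line is parsed and its hostname compared exactly
    (so 65487.c1.biz matches but e.g. 65487.c1.bizz does not); then bare
    tokens are checked so lines that log only dst_ip:port are covered.
    """
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host in hosts:
            return host
    for token in re.split(r"[\s,;:=]+", line):
        if token in hosts:
            return token
    return None


def sweep_logs(lines, hosts=C2_HOSTS):
    """Return [(line_no, host, line)] for every line touching a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = match_network(line, hosts)
        if host:
            hits.append((n, host, line))
    return hits


if __name__ == "__main__":
    for n, host, line in sweep_logs(SAMPLE_LOG):
        print(f"line {n}: {host} <- {line}")
```

Hash matches are the weakest of these indicators: a single byte changed in the next build of the dropper defeats them, so treat a hash hit as confirmation rather than as the primary control. The host matches are more durable, but c1.biz is a free hosting provider, so block or alert on the specific subdomains listed rather than on the parent domain.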