STIFF#BIZON Threat Campaign
Industry: N/A | Level: Tactical | Source: Securonix
The Securonix Threat Research (STR) team is tracking an ongoing campaign it calls STIFF#BIZON, launched against high-profile targets in the Czech Republic, Poland, and other countries. The attack chain begins with a phishing email carrying a malicious Word document and a shortcut (LNK) file. Executing the LNK file launches an encoded PowerShell command that contacts the attacker's C2 and downloads additional payloads. Along with a decoy document, a VBS script is downloaded and executed to establish persistence through a scheduled task, which in turn launches an encoded PowerShell script. Once the Konni remote administration tool is loaded, the attacker can collect system information from the host, capture screenshots, harvest browser credentials, and run further commands.

Securonix closes the report by noting that the campaign is still ongoing and that attribution will be refined as more information surfaces: "the current attribution to APT37 is possible, but not 100% certain due to the dynamic nature of the artifacts and the shared opsec, tradecraft and malware variants observed. Additionally, there seems to be a direct correlation between IP addresses, hosting provider and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28. In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28."
- STIFF#BIZON Threat Campaign - Attack Chain
Anvilogic Use Cases:
- Symbolic OR Hard File Link Created
- Certutil De-Obfuscate/Decode Files
- Encoded Powershell Command
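The three use cases above all key on process-creation command lines (Sysmon Event ID 1 or Windows Security 4688). The Python below is an added example, not code from Securonix or Anvilogic, that runs that detection logic over a handful of constructed events covering the chain described above: an encoded PowerShell launch, the same flag buried in a scheduled-task action, a certutil decode, an mklink, and a benign PowerShell invocation as a control. Every command line, path and task name is an illustrative stand-in, not a STIFF#BIZON indicator; the decoding follows how PowerShell itself treats -EncodedCommand (base64 over UTF-16LE text), and the link check assumes the link is created via cmd.exe mklink or PowerShell New-Item visible in the command line.

```python
"""Triage of process-creation events against the three Anvilogic use cases
listed above. Added example: not code from Securonix or Anvilogic. Every
event, path and task name below is constructed for illustration and is not a
STIFF#BIZON indicator."""
import base64
import binascii
import ntpath
import re

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...), and
# the argument is base64 over UTF-16LE text, so it is decoded the same way.
_ENC_FLAGS = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_RE = re.compile(
    rf"(?:^|\s)[-/](?:{_ENC_FLAGS}|ec)\s+([A-Za-z0-9+/=]{{16,}})", re.IGNORECASE)
CERTUTIL_DECODE_RE = re.compile(r"[-/](?:decode|decodehex)\b", re.IGNORECASE)
# mklink is a cmd.exe built-in; New-Item is the PowerShell equivalent.
LINK_RE = re.compile(
    r"\bmklink\b|New-Item\b.*-ItemType\s+(?:SymbolicLink|HardLink)\b", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None.
    Deliberately not tied to powershell.exe as the image: the flag also shows up
    inside LNK targets and schtasks /TR strings, as in the chain above."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        # Flag present but payload will not decode: still alert, report the prefix.
        return "<undecodable payload: %s...>" % m.group(1)[:12]


def is_certutil_decode(image: str, cmdline: str) -> bool:
    """certutil.exe invoked with -decode or -decodehex."""
    return (ntpath.basename(image).lower() == "certutil.exe"
            and bool(CERTUTIL_DECODE_RE.search(cmdline)))


def is_link_creation(cmdline: str) -> bool:
    """mklink (default symbolic, /H hard, /D directory) or New-Item link types."""
    return bool(LINK_RE.search(cmdline))


def triage(events):
    """Map each event to the use cases it trips: (event id, use case, detail)."""
    findings = []
    for ev in events:
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            findings.append((ev["id"], "Encoded Powershell Command", decoded))
        if is_certutil_decode(ev["image"], ev["cmdline"]):
            findings.append((ev["id"], "Certutil De-Obfuscate/Decode Files", ev["cmdline"]))
        if is_link_creation(ev["cmdline"]):
            findings.append((ev["id"], "Symbolic OR Hard File Link Created", ev["cmdline"]))
    return findings


# Constructed sample data. The script text is arbitrary; it exists only so the
# base64 argument decodes to something readable.
SAMPLE_SCRIPT = "Start-Sleep -Seconds 5; Get-Process | Out-Null"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": _PS,
     "cmdline": "powershell.exe -NoP -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)},
    {"id": 2, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\stage.txt C:\Users\Public\stage.exe"},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c mklink /H C:\Users\Public\update.exe C:\Users\Public\stage.exe"},
    {"id": 4, "image": r"C:\Windows\System32\schtasks.exe",  # task action carries the flag
     "cmdline": '/Create /SC MINUTE /MO 30 /TN Updater /TR "powershell.exe -w hidden -e '
                + encode_for_powershell(SAMPLE_SCRIPT) + '"'},
    {"id": 5, "image": _PS,  # benign control: no encoded command
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, use_case, detail in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {use_case}: {detail[:70]}")
```

The encoded-command check is the one worth tuning: matching every prefix of -EncodedCommand catches the short forms a dropper or task action typically uses, and decoding the payload in the alert (rather than just flagging the flag) is what lets an analyst see a download-and-execute stage at triage time instead of after pulling the host.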