APT37 Detection: North Korean Hackers Distribute Konni RAT, Target Orgs in Czechia and Poland

The APT37, aka Reaper, Ricochet Chollima, and ScarCruft, is a hacking group affiliated with North Korea. The hackers have been active since at least 2012, mostly targeting orgs in the public and private sectors in South Korea. Starting in 2017, the adversaries expanded their targeting, now seeking victims globally. The affected sectors include but are not limited to manufacturing, electronics, healthcare, and automotive industry verticals.

In the most recent campaign tracked as STIFF#BIZON, the APT37 group uses malware identified as a remote access trojan (RAT) known as Konni to establish persistence and perform host privilege escalation within breached systems. The Konni RAT has been attributed to North Korea-based hacking groups Thallium and APT37.

Detect APT37’s Activity

North Korean hackers continuously enhance social engineering tactics to gain illicit access to the targets. To proactively defend against APT37, SOC Prime has released a unique, context-enriched Sigma rule developed by the perspicacious Threat Bounty developer Kyaw Pyiyt Htet:

North Korean APT37’s Konni Malware Activity by Detection of Associated Commands (via CmdLine

The massive boom in the number of cyber-attack occurrences stresses the importance of keeping one’s finger on the pulse of cyber risks’ development. SOC Prime’s comprehensive detection content library accumulates 200,000 context-enriched detections aligned with the MITRE ATT&CK® framework to advance the threat coverage with thoroughly curated and verified detection content. Press the Detect & Hunt button to access a repository of Sigma rules associated with the activity of APT37. The Explore Threat Context button will reveal the latest content updates and the relevant threat context.

Detect & Hunt Explore Threat Context

APT37’ STIFF#BIZON Campaign Analysis

The Reaper APT group is targeting high-value organizations in their latest campaign, spreading Konni RAT malware via an email phishing scam. According to the current data, the primary targets are orgs in Czechia and Poland.

The North Korean hacking group distributes Konni RAT (first spotted in 2017) with phishing messages. The malicious attachment is an archive containing a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk), reads the research released by Securonix Threat Labs. The initial infil part of the attack chain (the compromise via malicious .lnk files) is similar to one in other campaigns associated with Bumblebee and DogWalk.

Once the victim opens a weaponized file, the infection chain starts. Adversaries use Konni RAT to collect victim information, capture screenshots, steal files of interest, and establish a remote interactive shell.

Get top-tier professionals and tools in your cyber defense corner: Uncoder CTI, powered by SOC Prime’s platform, allows security researchers to automatically convert IOCs of multiple types into custom queries enabling instant IOC searching for unique customer environments.