Category | Details |
---|---|
Threat Actors | – Stonefly group (also known as Andariel, APT45, Silent Chollima, Onyx Sleet) – A North Korean advanced persistent threat (APT) group – Linked to North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB) – Individual named in U.S. indictment: Rim Jong Hyok |
Campaign Overview | – Stonefly continues financially motivated attacks against U.S. organizations despite a U.S. indictment and a multi-million-dollar reward for information – Attacks observed in August 2024, targeting three different U.S. organizations – Attackers did not succeed in deploying ransomware but were likely aiming for financial gain – Victims were private companies with no obvious intelligence value |
Target Regions (Victims) | – United States: Three private companies targeted in August 2024 – Previous targets included U.S. Air Force bases and NASA-OIG – Other regions affected: Taiwan, South Korea, and China |
Methodology | – Deployed custom malware Backdoor.Preft (aka Dtrack, Valefor) – Used fake digital certificates, including a fake Tableau certificate – Utilized a variety of tools such as custom batch files, custom variants of Mimikatz for credential dumping, and keyloggers – Leveraged open-source tools like Sliver, Chisel, FastReverseProxy (FRP) for proxying and tunneling – Exfiltrated data using Megatools to upload to Mega.nz cloud storage |
TTPs | – Custom malware deployment (Backdoor.Preft) – Credential harvesting using registry modifications to enable plaintext credentials and custom Mimikatz – Keylogging and clipboard data theft using custom keyloggers – Data exfiltration via cloud storage services (Mega.nz) using Megatools – Use of open-source penetration testing frameworks (Sliver) – Establishing proxy tunnels with Chisel and FRP – Use of fake digital certificates – Utilizing publicly available tools like PuTTY, Plink, Snap2HTML |
Attribution | – Attributed to Stonefly, a North Korean APT group linked to the Reconnaissance General Bureau (RGB) – Individual indicted: Rim Jong Hyok – Group has a history dating back to 2009 involving DDoS attacks, disk-wiping attacks, and espionage – Recent shift towards financially motivated attacks against organizations without obvious intelligence value |
Recommendations | – Monitor for known Indicators of Compromise (IOCs) associated with Stonefly – Enhance security monitoring to detect deployment of custom malware and misuse of open-source tools – Audit registry changes, especially those enabling plaintext credential storage – Implement multi-factor authentication to mitigate credential theft – Keep systems and software updated with the latest security patches – Educate employees on phishing and social engineering tactics |
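
The TTPs and Recommendations rows above mention registry modifications that enable plaintext credential storage and advise auditing for them. The following is an added detection example, not code from the Symantec report: it assumes the modification in question is the well-known WDigest `UseLogonCredential` value (the summary does not name the key) and that Sysmon Event ID 13 (RegistryEvent, value set) telemetry is available; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the summary): the "registry modification to enable
# plaintext credentials" is the WDigest setting that makes LSASS retain
# clear-text passwords in memory, which credential dumpers then read.
WDIGEST_VALUE = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def detect_wdigest_enable(sysmon_xml: str) -> list[dict]:
    """Return one finding per Sysmon Event ID 13 that sets UseLogonCredential to 1."""
    findings = []
    root = ET.fromstring(sysmon_xml)
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "13":
            continue
        data = {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}
        target, details = data.get("TargetObject", ""), data.get("Details", "")
        # Sysmon renders DWORD values as "DWORD (0x00000001)"; only value 1 enables WDigest.
        if target.lower() == WDIGEST_VALUE.lower() and details.strip().endswith("(0x00000001)"):
            findings.append({"time": data.get("UtcTime"), "image": data.get("Image"),
                             "target": target, "details": details})
    return findings


# Constructed sample: an unrelated DWORD write, the WDigest enable, and a benign reset to 0.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-08-14 09:12:03.117</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-08-14 09:15:41.902</Data>
  <Data Name="Image">C:\Windows\System32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-08-14 11:02:10.004</Data>
  <Data Name="Image">C:\Windows\System32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
 </EventData>
</Event>
</Events>"""
```

Feeding real exported Sysmon XML to `detect_wdigest_enable` flags only writes of value 1 to the WDigest key, so resets to 0 during remediation do not generate noise.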
Read More: https://www.security.com/threat-intelligence/stonefly-north-korea-extortion
Disclaimer: The above summary has been generated by an AI language model.