| Category | Details |
|---|---|
| Threat Actors | - Stonefly group (also known as Andariel, APT45, Silent Chollima, Onyx Sleet)<br>- A North Korean advanced persistent threat (APT) group<br>- Linked to North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB)<br>- Individual named in U.S. indictment: Rim Jong Hyok |
| Campaign Overview | - Stonefly continues financially motivated attacks against U.S. organizations despite a U.S. indictment and a multi-million-dollar reward for information<br>- Attacks observed in August 2024, targeting three different U.S. organizations<br>- Attackers did not succeed in deploying ransomware but were likely aiming for financial gain<br>- Victims were private companies with no obvious intelligence value |
| Target Regions (Victims) | - United States: three private companies targeted in August 2024<br>- Previous targets included U.S. Air Force bases and NASA-OIG<br>- Other regions affected: Taiwan, South Korea, and China |
| Methodology | - Deployed custom malware Backdoor.Preft (aka Dtrack, Valefor)<br>- Used fake digital certificates, including a fake Tableau certificate<br>- Utilized a variety of tools such as custom batch files, custom variants of Mimikatz for credential dumping, and keyloggers<br>- Leveraged open-source tools like Sliver, Chisel, and FastReverseProxy (FRP) for proxying and tunneling<br>- Exfiltrated data using Megatools to upload to Mega.nz cloud storage |
| TTPs | - Custom malware deployment (Backdoor.Preft)<br>- Credential harvesting using registry modifications to enable plaintext credentials and custom Mimikatz<br>- Keylogging and clipboard data theft using custom keyloggers<br>- Data exfiltration via cloud storage services (Mega.nz) using Megatools<br>- Use of open-source penetration testing frameworks (Sliver)<br>- Establishing proxy tunnels with Chisel and FRP<br>- Use of fake digital certificates<br>- Utilizing publicly available tools like PuTTY, Plink, and Snap2HTML |
| Attribution | - Attributed to Stonefly, a North Korean APT group linked to the Reconnaissance General Bureau (RGB)<br>- Individual indicted: Rim Jong Hyok<br>- Group has a history dating back to 2009 involving DDoS attacks, disk-wiping attacks, and espionage<br>- Recent shift towards financially motivated attacks against organizations without obvious intelligence value |
| Recommendations | - Monitor for known Indicators of Compromise (IOCs) associated with Stonefly<br>- Enhance security monitoring to detect deployment of custom malware and misuse of open-source tools<br>- Audit registry changes, especially those enabling plaintext credential storage<br>- Implement multi-factor authentication to mitigate credential theft<br>- Keep systems and software updated with the latest security patches<br>- Educate employees on phishing and social engineering tactics |
Read More: https://www.security.com/threat-intelligence/stonefly-north-korea-extortion
Disclaimer: The above summary has been generated by an AI language model.