Stonefly: Extortion Attacks Continue Against U.S. Targets

Summary: Symantec’s Threat Hunter Team has identified ongoing financially motivated attacks by the North Korean Stonefly group against U.S. organizations, despite an indictment and reward for information on its members. The group has utilized custom malware and various tools to attempt extortion without successfully deploying ransomware.

Threat Actor: Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet)
Victim: Private Companies in the U.S.

Key Points:

  • Stonefly has been linked to multiple intrusions against U.S. organizations, employing custom malware such as Backdoor.Preft and various other tools.
  • The group has shifted focus to financially motivated attacks, targeting private companies with no apparent intelligence value.
  • Despite legal actions against its members, Stonefly continues its operations, indicating resilience and adaptability in its attack strategies.

IOC Description

51.81.168[.]157:443 Command-and-control server

172.96.137[.]224 IP address used by Plink

Certificate 1

thumbprint = "313cffaac3d1576ca3c1cee8f9a68a15a24ff418"
issuer = "/CN=Baramundi Inc."
subject = "/CN=Baramundi Inc."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "af:6d:f9:f9:69:86:58:80:49:1e:2b:ae:20:9f:0d:12"
not_before = 1683852503
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
file_digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
number_of_certificates = 1

Certificate 2

thumbprint = "10b8b939400a59d2cb79fff735796d484394f8dd"
issuer = "/CN=VEXIS SOFTWARE LTD."
subject = "/CN=VEXIS SOFTWARE LTD."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "bc:bf:05:4e:a8:b2:69:be:4c:c9:04:f0:8d:f9:eb:97"
not_before = 1710348691
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
file_digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
number_of_certificates = 1
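As an added triage example (not code from the Symantec report), the functions below parse the key = value certificate records above and flag the traits a defender would check before trusting a signed binary: a self-signed certificate (issuer equals subject), a SHA-1 signature algorithm, and a validity period far longer than commercial code-signing certificates are issued for. The ten-year cut-off is an assumed threshold.

```python
# Added example, not part of the Symantec report: triage the signer-certificate
# records above for signs of a throwaway code-signing certificate.

# Constructed input: fields copied from the two certificate records on this page.
CERT_RECORDS = """
thumbprint = "313cffaac3d1576ca3c1cee8f9a68a15a24ff418"
issuer = "/CN=Baramundi Inc."
subject = "/CN=Baramundi Inc."
algorithm = "sha1WithRSA"
not_before = 1683852503
not_after = 2208988799

thumbprint = "10b8b939400a59d2cb79fff735796d484394f8dd"
issuer = "/CN=VEXIS SOFTWARE LTD."
subject = "/CN=VEXIS SOFTWARE LTD."
algorithm = "sha1WithRSA"
not_before = 1710348691
not_after = 2208988799
"""

def parse_records(text):
    """Split blank-line-separated key = value blocks into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")  # first '=' only; keeps '/CN=' intact
        value = value.strip().strip('"')
        current[key.strip()] = int(value) if value.isdigit() else value
    if current:
        records.append(current)
    return records

def triage(cert, max_years=10):
    """Return risk flags for one signer certificate (empty list = nothing odd)."""
    flags = []
    if cert["issuer"] == cert["subject"]:
        flags.append("self-signed")           # no CA vouches for the signer name
    if cert["algorithm"].lower().startswith("sha1"):
        flags.append("weak-signature-alg")    # SHA-1 signatures are deprecated
    years = (cert["not_after"] - cert["not_before"]) / (365.25 * 86400)
    if years > max_years:                     # assumed cut-off; vendors issue 1-3 years
        flags.append("implausible-validity")
    return flags
```

Both records on this page trip all three flags; their shared not_after value 2208988799 is 2039-12-31 23:59:59 UTC, and verified = 1 only means the signature matches the file, not that the signer is trustworthy.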

Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion