Summary: Symantec’s Threat Hunter Team has identified ongoing, financially motivated attacks by the North Korean Stonefly group against U.S. organizations, continuing despite a U.S. indictment of, and a reward offered for information on, its members. The group used custom malware (Backdoor.Preft) and a range of other tools in attempted extortion; there is no evidence that it succeeded in deploying ransomware.
Threat Actor: Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet)
Victim: Private Companies in the U.S.
Key Points:
- Stonefly has been linked to multiple intrusions against U.S. organizations, employing custom malware such as Backdoor.Preft and various other tools.
- The group has shifted focus to financially motivated attacks, targeting private companies with no apparent intelligence value.
- Despite legal actions against its members, Stonefly continues its operations, indicating resilience and adaptability in its attack strategies.
Certificate 1
thumbprint = "313cffaac3d1576ca3c1cee8f9a68a15a24ff418"
issuer = "/CN=Baramundi Inc."
subject = "/CN=Baramundi Inc."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "af:6d:f9:f9:69:86:58:80:49:1e:2b:ae:20:9f:0d:12"
not_before = 1683852503
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
file_digest = "efe03d9be2cd148594e5fcb7272a40b85e33d2bf"
number_of_certificates = 1
Certificate 2
thumbprint = "10b8b939400a59d2cb79fff735796d484394f8dd"
issuer = "/CN=VEXIS SOFTWARE LTD."
subject = "/CN=VEXIS SOFTWARE LTD."
version = 3
algorithm = "sha1WithRSA"
algorithm_oid = "1.3.14.3.2.29"
serial = "bc:bf:05:4e:a8:b2:69:be:4c:c9:04:f0:8d:f9:eb:97"
not_before = 1710348691
not_after = 2208988799
verified = 1
digest_alg = "sha1"
digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
file_digest = "b9b5d20438cf54acf33ee5731dc283554b8a044c"
number_of_certificates = 1
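The two records above use the field names of YARA's pe module (`pe.signatures[i].thumbprint`, `.issuer`, `.subject`, `.not_before`, `.not_after`, `verified`, ...), so they can be consumed directly for triage and hunting. The script below is an added example, not code from Symantec's report: it re-types the two records as constructed input, converts the epoch timestamps to dates, flags the traits that make these signers suspicious (issuer equals subject, i.e. self-signed; SHA-1 signatures; validity running to the end of 2039), and generates a YARA rule keyed on the thumbprints. The triage thresholds and the rule name are assumptions for illustration.

```python
"""Triage the two code-signing certificates listed above and turn their
thumbprints into a hunting rule.  Added example, not Symantec's tooling.
The records are re-typed from the page as constructed input; thresholds
and the rule name are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed input: the two records from the page, key = value lines.
RECORDS_TEXT = """\
Certificate 1
thumbprint = "313cffaac3d1576ca3c1cee8f9a68a15a24ff418"
issuer = "/CN=Baramundi Inc."
subject = "/CN=Baramundi Inc."
algorithm = "sha1WithRSA"
serial = "af:6d:f9:f9:69:86:58:80:49:1e:2b:ae:20:9f:0d:12"
not_before = 1683852503
not_after = 2208988799
verified = 1
digest_alg = "sha1"
Certificate 2
thumbprint = "10b8b939400a59d2cb79fff735796d484394f8dd"
issuer = "/CN=VEXIS SOFTWARE LTD."
subject = "/CN=VEXIS SOFTWARE LTD."
algorithm = "sha1WithRSA"
serial = "bc:bf:05:4e:a8:b2:69:be:4c:c9:04:f0:8d:f9:eb:97"
not_before = 1710348691
not_after = 2208988799
verified = 1
digest_alg = "sha1"
"""

_KV = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')


def parse_records(text: str) -> list[dict]:
    """Split 'Certificate N' blocks into dicts; purely numeric values become ints."""
    certs: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate "):
            certs.append({})
            continue
        m = _KV.match(line)
        if m and certs:
            key, val = m.groups()
            certs[-1][key] = int(val) if val.isdigit() else val
    return certs


def utc(ts: int) -> str:
    """Epoch seconds (as dumped by the pe module) to a UTC calendar date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def triage(cert: dict, max_years: float = 5.0) -> dict:
    """Flags that make a signer worth a second look (max_years is an assumed
    threshold: commercial code-signing certs usually run 1-3 years).
    verified = 1 only means the Authenticode signature is cryptographically
    consistent with the embedded cert, not that it chains to a trusted root."""
    validity_years = (cert["not_after"] - cert["not_before"]) / (365.25 * 86400)
    return {
        "thumbprint": cert["thumbprint"],
        "self_signed": cert["issuer"] == cert["subject"],
        "sha1": cert["algorithm"].lower().startswith("sha1")
        or cert.get("digest_alg") == "sha1",
        "validity_years": round(validity_years, 1),
        "long_validity": validity_years > max_years,
        "not_before": utc(cert["not_before"]),
        "not_after": utc(cert["not_after"]),
    }


def yara_rule(certs: list[dict], name: str = "stonefly_signing_thumbprints") -> str:
    """Emit a YARA rule matching any PE signed with one of these thumbprints
    (pe.signatures[i].thumbprint, YARA >= 4.0). Generated here, not from the report."""
    clauses = " or\n      ".join(
        f'pe.signatures[i].thumbprint == "{c["thumbprint"]}"' for c in certs
    )
    return (
        'import "pe"\n\n'
        f"rule {name} {{\n"
        "  condition:\n"
        "    for any i in (0 .. pe.number_of_signatures - 1) : (\n"
        f"      {clauses}\n"
        "    )\n"
        "}\n"
    )


if __name__ == "__main__":
    certs = parse_records(RECORDS_TEXT)
    for c in certs:
        print(triage(c))
    print(yara_rule(certs))
```

Both certificates come out self-signed, SHA-1, and valid for roughly 16 years (2023-05-12 and 2024-03-13 through 2039-12-31), which is why `verified = 1` should not be read as trust: Windows will still show these binaries as having an invalid or untrusted signature unless the certificate has been pushed into the local trust store. Thumbprint matching is exact and cheap, so use it as a first-pass block or hunt and keep the weaker traits (self-signed, SHA-1, multi-decade validity) as a lower-confidence rule for spotting the next certificate the group mints.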
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion