Loading...
Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks.
Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel,
APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against
organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward.
Symantec, part of Broadcom, found evidence of intrusions against three different organizations in the
U.S. in August of this year, a month after the indictment was published. While the attackers didn’t
succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the
attacks were financially motivated. All the victims were private companies and involved in businesses
with no obvious intelligence value.
Attribution
In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed.
This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of
compromise recently documented by Microsoft were found on the compromised networks. The attackers
used a fake Tableau certificate documented by Microsoft in addition to two other certificates (see
Indicators of Compromise) that appear to be unique to this campaign.
Toolset
Preft: Multi-stage backdoor capable of downloading and uploading files, executing commands, and
downloading additional plugins. Preft can support multiple plugin types, including executable files, VBS,
BAT, and shellcode. It has multiple persistence modes, including Startup_LNK, Service, Registry, and
Task Scheduler.
Nukebot: Backdoor capable of executing commands, downloading and uploading files, and taking
screenshots. Nukebot has not been associated with Stonefly before; however, its source code was
leaked and this is likely how Stonefly obtained the tool.
Batch files: The attackers used a malicious batch file to enable plaintext credentials, modifying the
registry to add:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v
UseLogonCredential /t REG_DWORD /d 1
Mimikatz (see below) was then executed to dump credentials.
Mimikatz: Publicly available credential dumping tool. The attackers used a custom variant of the tool that
writes harvested credentials to the file C:\Windows\Temp\KB0722.log. A similar custom variant of
Mimikatz found on VirusTotal was linked by Mandiant to Stonefly.
2/3
Keyloggers: The attackers deployed two distinct keyloggers in their attacks:
The first (SHA256: 485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5)
was a keylogger capable of stealing data from the clipboard. In addition to this, it logs when a
program starts and captures which program’s keystrokes are input. Data captured is logged in a file
named 0.log, which is archived into a ZIP archive named as a TMP file in the temporary directory
with the password Pass@w0rd#384.
The second (SHA256: d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91)
was a keylogger capable of stealing data from the clipboard. It logs stolen data into a randomly
named DAT file in the temporary directory.
Sliver: Open-source cross-platform penetration testing framework.
Chisel: Open-source proxy tool. It creates a TCP/UDP tunnel that is transported over HTTP and secured
via SSH.
PuTTY: Publicly available SSH client.
Plink: A command-line connection tool for PuTTY
Megatools: A command line client for the Mega.nz cloud storage service. Megatools was used to
perform data exfiltration:
CSIDL_WINDOWS\temp\mt.exe put -u [REMOVED] -p [REMOVED]
CSIDL_WINDOWS\temp\sig.rar /Root
Snap2HTML: Publicly available tool that takes snapshots of folder structures on a hard drive and saves
them as HTML files.
FastReverseProxy (FRP): Open-sourced tool to expose local servers to the public internet.
Background
On July 25, 2024, the U.S. Justice Department indicted a North Korean man named Rim Jong Hyok on
charges related to the attack campaign. Rim is alleged to be a member of the Stonefly group, which is
linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).
He was charged with being involved in extorting U.S. hospitals and other healthcare providers between
2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional
cyberattacks against targets in the defense, technology, and government sectors worldwide. Targets of
these follow-on attacks included two U.S. Air Force bases, NASA-OIG, and organizations located in
Taiwan, South Korea, and China. In addition to the indictment, the U.S. Department of State offered a
reward of up to $10 million for information on his location or identification.
Stonefly
Stonefly first came to notice in July 2009, when it mounted distributed denial-of-service (DDoS) attacks
against a number of South Korean, U.S. government, and financial websites.
3/3
It reappeared again in 2011, when it launched more DDoS attacks, but also revealed an espionage
element to its attacks when it was found to be using a sophisticated backdoor Trojan (Backdoor.Prioxer)
against selected targets.
In March 2013, the group was linked to the Jokra (Tojan.Jokra) disk-wiping attacks against a number of
South Korean banks and broadcasters. Three months later, the group was involved in a string of DDoS
attacks against South Korean government websites.
In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has
seen its focus shift mainly to espionage operations against select, high-value targets. It appears to
specialize in targeting organizations that hold classified or highly sensitive information or intellectual
property. While other North Korean groups are well known for mounting financial attacks driven by the
need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved
in financially motivated attacks.
Undeterred
While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight
shone on the group’s activities due to the indictment naming one of its members has not yet led to a
cessation of activity. The group is likely continuing to attempt to mount extortion attacks against
organizations in the U.S
