North Korea’s Stonefly group continues to target U.S. organizations for financial gain despite indictments and reward offers. Its ransomware attempts in August 2024 were unsuccessful, but its persistent attacks on private companies show that it remains an ongoing threat to U.S. businesses.
The attackers compromised networks using Stonefly’s custom malware Backdoor.Preft and fake certificates, activity that matches indicators of compromise previously documented by Microsoft.
Preft is a multi-stage backdoor that can download and upload files, execute commands, and fetch additional plugins of several types. It supports multiple persistence mechanisms, ensuring its continued presence on a compromised system.
Stonefly has also obtained Nukebot, a backdoor capable of executing commands, downloading and uploading files, and taking screenshots. Nukebot’s source code was leaked, which allowed Stonefly to acquire it and potentially modify it for its own use.
The attackers ran a malicious batch file that modified the registry to enable plaintext credential storage, a deliberate weakening of Windows credential handling rather than the exploitation of a vulnerability. Once that setting was in place, Mimikatz could extract credentials from the system.
They employed a modified version of Mimikatz to steal those credentials. The custom variant writes its output to C:\Windows\Temp\KB0722.log, a file path that has been linked to the Stonefly group.
The attackers also used two keyloggers. The first captured clipboard data, logged program start times and keystrokes, and saved the data in a password-protected ZIP archive; the second captured clipboard data and saved it in a randomly named DAT file.
The group also relied on legitimate tooling. Sliver is an open-source, cross-platform command-and-control framework built for penetration testing and red teaming, and Chisel tunnels TCP traffic over HTTP, secured with SSH, to bypass network restrictions.
PuTTY provides a graphical SSH client, while Plink is its command-line counterpart; together they give an attacker flexible remote access and the ability to build tunnels for moving around a network.
The attackers used Megatools to exfiltrate data (CSIDL_WINDOWS\temp\sig.rar) to Mega.nz storage. They likely used Snap2HTML to capture directory structures before archiving, and FastReverseProxy as a possible command-and-control channel.
The U.S. indicted a North Korean hacker for extorting U.S. healthcare providers and using the proceeds to fund further cyberattacks worldwide against defense, technology, and government targets, among others. The hacker is alleged to be a member of the Stonefly group, which is linked to North Korea’s military intelligence agency.
Stonefly, initially known for DDoS attacks, has evolved into an espionage operation targeting high-value organizations. It uses backdoors to steal sensitive data and intellectual property and has also deployed disk-wiping malware.
The recent indictment of a Stonefly member drew attention to the group’s financially motivated attacks but has not stopped its extortion attempts against U.S. organizations.
According to Symantec, the group continues to actively pursue these attacks, demonstrating its persistence and adaptability.
The published indicators of compromise (IOCs) cover several attack components, including the backdoors, the keyloggers, and the malicious files described above.
The attackers use command-and-control servers to communicate with compromised systems, and the presence of legitimate tools such as PuTTY and Plink points to their misuse for unauthorized remote access and lateral movement within victim networks.