North Korean Stonefly Group Continues Attacks on US Targets

Stonefly group -HiatusRAT Actors

Symantec’s Threat Hunter Team reveals that Stonefly, a North Korean cyberespionage group, persists in targeting U.S. organizations despite recent indictments and a multi-million dollar reward offered for information leading to the arrest of one of its members.

This revelation comes after researchers uncovered evidence of Stonefly intrusions into three U.S. companies in August 2024. While the attacks were ultimately unsuccessful in deploying ransomware, the targeting of private companies with no apparent intelligence value strongly suggests a financial motive.

Known for their custom malware, Stonefly deployed their signature backdoor, Backdoor.Preft, in several of these attacks. Additionally, researchers discovered the presence of Nukebot, a leaked backdoor not previously associated with the group, indicating an expansion of their toolset.

To achieve their goals, Stonefly employed a variety of tactics, including:

  • Credential theft: Utilizing malicious batch files and a custom variant of Mimikatz to steal sensitive login information.
  • Keylogging: Deploying two distinct keyloggers to capture keystrokes and clipboard data.
  • Data exfiltration: Leveraging Megatools to transfer stolen data to Mega.nz cloud storage.
  • Open-source tools: Employing tools like Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy to facilitate their operations.

Stonefly, also known as Andariel, APT45, Silent Chollima, and Onyx Sleet, has been active since at least 2009, initially gaining notoriety for distributed denial-of-service (DDoS) attacks. Over time, their focus shifted to espionage, primarily targeting organizations with valuable intellectual property.

However, in recent years, Stonefly has demonstrated a growing interest in financially motivated attacks. This shift culminated in the indictment of Rim Jong Hyok, an alleged Stonefly member, for his role in extorting U.S. hospitals and healthcare providers.

Related Posts: