Hunting for dollars: how the DPRK evades sanctions with cyber attacks

Government hackers Andariel are ignoring international law as they continue their attacks on U.S. companies.

Symantec has found that the North Korean group Andariel (also known as Stonefly, APT45, Silent Chollima, Onyx Sleet) continues to attack organizations in the United States for financial gain, despite the charges and the announced reward.

In August, Symantec recorded intrusions into three U.S. companies, a month after the indictment was published. Although the hackers have not been able to introduce ransomware into the victims' networks, their actions are financial in nature. All of the attacked companies are private, engaged in commercial activities that have no obvious intelligence value.

During the attacks, Stonefly used its own malware Backdoor.Preft (Dtrack, Valefor), which allows you to download files, execute commands, and install plugins. Indicators of compromise recently documented by Microsoft were also discovered, including a fake Tableau certificate.

Stonefly used other tools to provide access to the infected systems. One example is the Nukebot backdoor, which, in addition to the Backdoor.Preft functionality, can also take screenshots. Although Nukebot was not previously associated with Andariel, the leak of the malware's source code allowed the group to take advantage of it. The attackers also ran scripts to save passwords in unencrypted form and used Mimikatz to set up a tool to collect credentials.

During the attacks, two different keyloggers were identified:
  • The first one stole data from the clipboard, recorded the launch of programs and key inputs, and also archived and encrypted the collected data;
  • The second also had the ability to steal data from the clipboard. The information is stored in a randomly named DAT file in a temporary directory.

In addition, tools for creating tunnels (Chisel), SSH clients (PuTTY, Plink), tools for working with cloud storage (Megatools) and data visualization tools (Snap2HTML) were used.

On July 25, the US Department of Justice indicted North Korean Rim Jong-hyuk, an alleged member of the Stonefly group, which is associated with North Korean intelligence (RGB). Rim Jong-hyuk was accused of extorting American hospitals and other medical facilities between 2021 and 2023, laundering ransoms and financing subsequent cyberattacks on organizations in the defense, technology and government sectors.

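Triage logic for the tool cluster listed in the post (Chisel, PuTTY/Plink, Mimikatz, Megatools, Snap2HTML), written here as an added example that is not code from Symantec or from the post. It parses constructed process-creation events and flags hosts where tunneling, credential-theft and exfiltration-staging tools co-occur; the event format, executable names and host names are assumptions.

```python
import re
from collections import defaultdict

# Tools named in the Stonefly intrusions, grouped by the role each plays in the
# intrusion chain. Executable file names are assumed, not taken from the report.
TOOL_CATEGORIES = {
    "tunneling": {"chisel.exe", "plink.exe", "putty.exe"},
    "credential_theft": {"mimikatz.exe"},
    "exfil_staging": {"megatools.exe", "snap2html.exe"},
}

# Constructed sample events (not real telemetry), one per line:
# "<timestamp> host=<name> user=<name> image=<full path>"
SAMPLE_EVENTS = """\
2024-08-12T09:14:02Z host=WS-017 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\chisel.exe
2024-08-12T09:20:45Z host=WS-017 user=jdoe image=C:\\ProgramData\\plink.exe
2024-08-12T09:31:10Z host=WS-017 user=SYSTEM image=C:\\Windows\\Temp\\mimikatz.exe
2024-08-12T10:02:33Z host=WS-017 user=jdoe image=C:\\Users\\jdoe\\Downloads\\megatools.exe
2024-08-12T11:00:00Z host=SRV-DB1 user=admin image=C:\\Program Files\\PuTTY\\putty.exe
2024-08-12T11:05:12Z host=WS-042 user=asmith image=C:\\Windows\\System32\\notepad.exe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_events(text):
    """Parse the assumed event format; lines that do not match are skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(l.strip()) for l in text.splitlines()) if m]


def categorize(image_path):
    """Map an executable path to the tool roles it matches (usually zero or one)."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [cat for cat, names in TOOL_CATEGORIES.items() if name in names]


def score_hosts(events):
    """Return {host: {category: [image paths]}} for hosts with at least one tool hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for cat in categorize(ev["image"]):
            hits[ev["host"]][cat].append(ev["image"])
    return hits


def flag_hosts(events, min_categories=2):
    """Hosts on which tools from at least `min_categories` distinct roles ran.
    A lone PuTTY launch is ordinary admin activity; tunneling plus credential
    theft plus exfiltration staging on one host is the pattern worth triaging."""
    return sorted(h for h, cats in score_hosts(events).items() if len(cats) >= min_categories)
```

Running `flag_hosts(parse_events(SAMPLE_EVENTS))` on the constructed events returns only WS-017; SRV-DB1 is recorded in `score_hosts` but not flagged because it shows a single role.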