Summary:
On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.

Despite the indictment, cybersecurity firm Symantec states it uncovered Stonefly intrusions against three different organizations in the U.S. in August 2024, only a month after the disclosure by the U.S. Justice Department. While Stonefly did not succeed in deploying ransomware in these attacks, Symantec was able to attribute the attacks to Stonefly due to the deployment of a custom backdoor dubbed Preft (aka Dtrack, Valefor, etc.). For its part, Preft is capable of downloading and uploading files, executing commands, and downloading additional plugins (executable files, VBS, BAT, and shellcode). In addition to Preft, several Stonefly IOCs were observed by Symantec including the use of a fake Tableau certificate documented by Microsoft in addition to two other certificates which seem to be unique to this campaign.

Security Officer Comments:
Victims of the August intrusions were private companies and involved in businesses with no obvious intelligence value, indicating that the motive of this campaign was financial gain. Since 2019, Stonefly has mainly focused on espionage operations against high-value targets, especially organizations that hold classified or highly sensitive information or intellectual property. While we have seen other North Korean groups launch attacks including the deployment of ransomware and crypto miners to illicit funds, Stonefly’s move into financially motivated attacks is a relatively recent development, according to researchers.

Suggested Corrections:
Recommendations from Microsoft for defending against Stonefly attacks:

• Keep software up to date. Apply new security patches as soon as possible.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Enable network protection to help prevent access to malicious domains.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume

IOCs for the latest campaign can be accessed here

Link(s):
https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion