Stonefly: Extortion Attacks Continue Against U.S. Targets

2024-10-02 Symantec

https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion


Symantec observed the North Korea-linked Stonefly group, also known as Andariel, APT45, Silent Chollima, and Onyx Sleet, conducting intrusions against three U.S. private-sector organizations in August 2024, after a U.S. indictment had named an alleged group member. The affected companies had no obvious intelligence value, and Symantec assesses that the activity was likely financially motivated even though ransomware was not successfully deployed. The intrusions used Stonefly’s custom Backdoor.Preft alongside tools and techniques including Nukebot, Sliver, Chisel, PuTTY, Plink, FRP, Megatools for exfiltration, registry changes that enable plaintext WDigest credential storage, and a custom Mimikatz variant that writes credentials to a log file in the Windows temp directory. The report also describes keyloggers, fake or campaign-specific certificates, and hashes for Preft, the keyloggers, tunneling tools, credential tools, and other malicious or suspicious files. The activity matters because Stonefly appears to be continuing extortion-oriented operations against U.S. organizations despite law-enforcement exposure and reward pressure.

Indicators of Compromise

