Cyber extortion is a cybercrime under which the threat actors illicitly access “sensitive data” in systems and demand a “ransom” to stop the attack to restore access.
There are two primary types of cyber extortion: “Ransomware,” which encrypts data and demands payment for decryption, and “DDoS” attacks, through which threat actors flood a network with unwanted traffic.
Symantec’s Threat Hunter Team recently found that North Korean hackers have been actively attacking US organizations with unique hacking tools.
The notorious North Korean hacking group “Stonefly” (aka “Andariel,” “APT45,” “Silent Chollima,” and “Onyx Sleet”) has been actively conducting cyber attacks against US-based organizations.
The group executed intrusions against “three different U.S. organizations” in August 2023, despite facing legal consequences via a “charge” and considerable “multi-million dollar reward” for their capture.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Their primary weapon is a sophisticated custom malware called “Backdoor.Preft” (also known as “Dtrack” or “Valefor”), and this sophisticated primary weapon is linked to their operations.
Misleading techniques like a fake “Tableau certificate” along with two unique certificates specific to this campaign were employed by the threat actors.
Here the fake “Tableau certificate” was previously documented by “Microsoft.”
The nature of the targets strongly suggests financially motivated attacks, but their attempts to deploy ransomware were unsuccessful.
This series of events illustrates the persistent threat posed by “state-sponsored” threat actors.
Symantec added that their evolving tactics in bypassing cybersecurity measures highlight the urgent need for strong security defense systems and international cybersecurity cooperation.
Besides this, their toolset offers the following tools:-
- Preft
- Nukebot
- Batch files
- Mimikatz
- Keyloggers
- Sliver
- Chisel
- PuTTY
- Plink
- Megatools
- Snap2HTML
- FastReverseProxy (FRP)
On July 25, 2024, the U.S. Justice Department formally indicted North Korean cyber operative Rim Jong Hyok for conducting a series of complex cyberattacks.
“Rim Jong Hyok” is a confirmed member of the sophisticated hacking group “Stonefly.”
The attacks, which used ransomware, initially targeted U.S. healthcare providers between 2021 and 2023. The ransom payments obtained were laundered through cryptocurrency networks.
Later they funded more advanced cyber operations against high-profile targets (“U.S. Air Force installations,” “NASA’s Office of Inspector General” (NASA-OIG), and “various other organizations” (across ‘Taiwan,’ ‘South Korea,’ and ‘China’).
Stonefly’s technical evolution is notable due to the following things:-
- Beginning with basic DDoS attacks in 2009 that dominated server capacity.
- They progressed to using sophisticated tools like the ‘Backdoor.Prioxer’ trojan in 2011 for covert system access.
- The destructive ‘Trojan.Jokra’ disk-wiping malware in 2013 against South Korean institutions.
By 2019, the group had significantly advanced its capabilities to focus on cyber espionage by employing APT techniques.
Despite the U.S. State Department offering a “$10 million” reward for information leading to Rim’s capture, Stonefly continues its dual-purpose campaign against U.S. entities.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar