Three different organizations in the US were targeted in August 2024 by a North Korean state threat actor named Andariel in a suspected financially motivated attack.
“While the attackers were unable to deploy ransomware on the networks of any of the affected organizations, it is likely that the attacks were financially motivated,” Symantec, which is part of Broadcom, said in a report shared with The Hacker News.
Andariel is a threat actor believed to be a sub-cluster of the infamous Lazarus group. It is also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It has been active since at least 2009.
The hacking team, which is part of North Korea’s Reconnaissance General Bureau (RGB), has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui, while developing an arsenal of custom backdoors including Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT and LightHand.
Some of the other lesser-known tools used by the threat actor include a data wiper codenamed Jokra and a sophisticated implant called Prioxer, which allows commands and data to be exchanged with the command-and-control (C2) server.
In July 2024, the US Department of Justice (DoJ) charged an operative of Andariel, the North Korean military intelligence unit, with allegedly conducting ransomware attacks on healthcare facilities in the country and using the ill-gotten funds to finance additional intrusions into defense, technology and government organizations around the world.
The latest series of attacks is characterized by the deployment of Dtrack, as well as another backdoor called Nukebot, which has the ability to execute commands, download and upload files, and take screenshots.
“Nukebot was not previously associated with Stonefly; however, its source code was leaked, which is likely how Stonefly obtained the tool,” Symantec said.
The exact method by which initial access was obtained is unclear, although Andariel has a habit of exploiting known N-day security flaws in internet-facing applications to breach targeted networks.
Some of the other programs used in the intrusions are Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy (FRP), all of which are open source or publicly available.
The attackers have also been observed using an invalid certificate impersonating Tableau Software to sign some of their tools, a tactic previously disclosed by Microsoft.
While Andariel has focused on espionage operations since 2019, Symantec said the shift toward financially motivated attacks is a relatively recent development that continues despite the actions of the US government.
“The group is believed to be continuing its attempts to conduct extortion attacks against organizations in the United States,” the report added.
The development comes as Der Spiegel reported that German defense systems manufacturer Diehl Defense was compromised by a North Korean state actor called Kimsuky in a sophisticated phishing attack that involved sending fake job offers from US defense contractors.