North Korean threat actors have been implicated in a recent incident that deployed a prominent ransomware family called Play, highlighting their financial motives.
Activity observed between May and September 2024 was attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.
“We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now working with the Play ransomware group,” Palo Alto Networks Unit 42 said in a new report released today.
“This incident is significant because it marks the first documented collaboration between North Korea’s state-sponsored Jumpy Pisces group and an underground ransomware network.”
Andariel, active since at least 2009, is linked to North Korea’s Reconnaissance General Bureau (RGB) and has previously been tied to two other ransomware strains, known as SHATTEREDGLASS and Maui.
Earlier this month, Symantec, part of Broadcom, noted that in August 2024, three different organizations in the US were targeted by a government-sponsored hacking group in a likely financially motivated attack, even though no ransomware was deployed on their networks.
Play, on the other hand, is a ransomware operation believed to have affected around 300 organizations as of October 2023. It is also tracked as Balloonfly, Fiddling Scorpius, and PlayCrypt.
While cybersecurity firm Adlumin revealed late last year that the operation may have moved to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web leak site that this was not the case.
In the incident investigated by Unit 42, Andariel is believed to have gained initial access through a compromised user account in May 2024, then performed lateral movement and persistence actions using the Sliver command-and-control (C2) framework and a custom backdoor called Dtrack (aka Valefor and Preft).
“These remote tools continued to interact with their control server (C2) until early September,” Unit 42 said. “This ultimately led to the deployment of the Play ransomware.”
The deployment of the Play ransomware was preceded by an unidentified threat actor who infiltrated the network using the same compromised user account, after which they were observed harvesting credentials, escalating privileges, and uninstalling Endpoint Detection and Response (EDR) sensors, all characteristic signs of pre-ransomware activity.
The attack also used a Trojan binary capable of collecting web browser history, autofill information, and credit card information for Google Chrome, Microsoft Edge, and Brave.
Beyond the use of the same compromised user account by both Andariel and the Play actors, the connection between the two sets of intrusions is that communication with the Sliver C2 server (172.96.137(.)224) continued until the day before the ransomware was deployed. The C2 IP address has been offline since the day of deployment.
“It remains unclear whether Jumpy Pisces officially became an affiliate of the Play ransomware, or whether they acted as an IAB (initial access broker) selling network access to Play ransomware participants,” Unit 42 concluded. “If Play ransomware does not provide a RaaS ecosystem, as it claims, Jumpy Pisces could only have acted as an IAB.”