In August 2024, three organizations in the United States were targeted by the North Korean state-sponsored threat actor Andariel in what appears to have been a financially motivated campaign. Although the attempts to deploy ransomware on the victims' networks were unsuccessful, the nature of the attacks pointed to an underlying financial agenda, according to findings shared by Symantec, a division of Broadcom.
Andariel, a subgroup operating within the notorious Lazarus Group, is also known as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. With a history dating back to 2009, the threat actor has garnered attention for its use of ransomware strains such as SHATTEREDGLASS and Maui, along with the development of custom backdoors like Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.
Moreover, Andariel has employed additional tools such as a data wiper codenamed Jokra and an advanced implant named Prioxer, which exchanges commands and data with a command-and-control server. In an indictment unsealed by the U.S. Department of Justice in July 2024, a North Korean military intelligence operative associated with Andariel was charged with orchestrating ransomware attacks on healthcare facilities and using the proceeds to fund intrusions into defense, technology, and government entities worldwide.
The recent wave of attacks attributed to Andariel involved the deployment of Dtrack and a backdoor named Nukebot, which supports command execution, file downloads and uploads, and screenshot capture. Notably, Symantec pointed out that Nukebot had not previously been linked to Stonefly and was likely acquired through leaked source code. The initial access vector for these intrusions has not been identified, although Andariel typically exploits known security vulnerabilities in internet-facing applications to breach its targets.
In addition to Nukebot, the attackers used tools such as Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy (FRP), many of which are publicly available or open source. They also signed some of their tools with an invalid Tableau software certificate, mirroring a tactic previously disclosed by Microsoft.
Despite a shift in focus towards espionage activities since 2019, Andariel has continued to engage in financially motivated attacks, a trend that persists despite countermeasures implemented by the U.S. government. Symantec warned that the group is likely to persist in attempting extortion campaigns against U.S. organizations in the foreseeable future.
Meanwhile, reports emerged that German defense systems manufacturer Diehl Defense was compromised by another North Korean state-backed actor known as Kimsuky. The spear-phishing campaign involved sending fraudulent job offers purporting to come from American defense contractors as part of an elaborate social-engineering scheme.
As the cybersecurity landscape evolves, vigilance and proactive measures remain crucial to thwarting threat actors seeking to exploit vulnerabilities for financial gain.

