2 October 2024

North Korea’s Andariel hackers caught targeting US firms

Symantec’s Threat Hunter Team has discovered new evidence of North Korea's Andariel group (aka Stonefly, APT45, Silent Chollima, Onyx Sleet) launching financially motivated cyberattacks against organizations in the US.

The intrusions, observed in August 2024, came just a month after the US Department of Justice's indictment of North Korean national Rim Jong Hyok, an alleged member of Andariel.

In the recent wave of attacks, Andariel, tracked by Symantec as Stonefly, targeted three private US companies, all in industries with no apparent intelligence value, which suggests financial motives rather than espionage.

While the attackers were unsuccessful in deploying ransomware, Symantec’s analysis indicates that the goal was likely monetary gain.

Stonefly first emerged in 2009 with a series of distributed denial-of-service (DDoS) attacks against South Korean and US targets. Over the years, its operations have evolved from disruptive attacks to more targeted cyber-espionage campaigns. The group made headlines in 2013 with its involvement in Trojan.Jokra disk-wiping attacks against South Korean banks and broadcasters. While Stonefly has a history of cyber espionage, it appears to be expanding its repertoire, moving into financially driven operations.

In several of the detected intrusions, Stonefly used its custom malware, Backdoor.Preft (also known as Dtrack or Valefor).

Preft is a multi-stage backdoor capable of downloading and uploading files, executing commands, and downloading additional plugins. It supports a wide range of plugin types, including executable files, VBS, BAT, and shellcode, and uses multiple persistence mechanisms such as Startup LNK, Service, Registry, and Task Scheduler.

Symantec also detected additional indicators of compromise (IoCs) linked to Stonefly. These included certificates previously identified by Microsoft, among them a fake Tableau certificate used to cloak malicious activity. Researchers also noted two new certificates associated with the campaign.

The group has also been observed using Nukebot, a backdoor tool not previously associated with Stonefly. Nukebot, which can execute commands, take screenshots, and transfer files, was likely obtained by Stonefly after its source code was leaked.

The threat actor also deployed a malicious batch file that manipulated the Windows registry to enable plaintext credential storage. This was followed by the use of a customized variant of Mimikatz, a publicly available credential-dumping tool. The attackers wrote harvested credentials to a log file on the compromised systems, and this customized Mimikatz variant has previously been linked to Stonefly by cybersecurity firm Mandiant.
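The registry change described above is detectable from registry-write telemetry. The following is an added example, not code from Symantec's report, and it assumes the setting in question is the WDigest UseLogonCredential value (the article does not name the key): it scans constructed Sysmon-style "registry value set" events and flags any write that turns plaintext credential storage on, while ignoring writes that set it back to zero.

```python
import re

# Constructed sample events in the style of Sysmon Event ID 13 (RegistryEvent: value set),
# flattened to one line each. These are NOT telemetry from the intrusions in the article.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\cmd.exe "
    "TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\Public\\update.exe",
    "EventID=13 Image=C:\\Windows\\regedit.exe "
    "TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential "
    "Details=DWORD (0x00000000)",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# Assumed registry value (well known, but not named by the article) that, when non-zero,
# makes LSASS keep logon credentials in a form that credential dumpers can read as plaintext.
WDIGEST_VALUE_SUFFIX = r"\securityproviders\wdigest\uselogoncredential"


def parse_event(line):
    """Split a flattened 'Key=Value Key=Value' event line into a dict.
    Values may contain spaces (e.g. 'DWORD (0x00000001)'), so a value runs
    until the next ' Key=' token or the end of the line."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def enables_plaintext_creds(event):
    """True if this event sets the WDigest value to a non-zero DWORD."""
    if event.get("EventID") != "13":
        return False
    if not event.get("TargetObject", "").lower().endswith(WDIGEST_VALUE_SUFFIX):
        return False
    match = re.search(r"0x([0-9a-f]+)", event.get("Details", ""), re.IGNORECASE)
    return bool(match) and int(match.group(1), 16) != 0


def find_credential_exposure(lines):
    """Return (process image, registry path) for every event that enables plaintext storage."""
    events = (parse_event(line) for line in lines)
    return [(e["Image"], e["TargetObject"]) for e in events if enables_plaintext_creds(e)]


if __name__ == "__main__":
    for image, path in find_credential_exposure(SAMPLE_EVENTS):
        print(f"ALERT: {image} enabled plaintext credential storage via {path}")
```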

In addition to these tools, two distinct keyloggers capable of clipboard data theft were found, Symantec said.

“In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets. It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. While other North Korean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved in financially motivated attacks,” the report concludes.
