Threat Intelligence

Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

Espionage group focuses on obtaining classified or sensitive intellectual property that has civilian and military applications.

The North Korean-linked Stonefly group is continuing to mount espionage attacks against highly specialized engineering companies with a likely goal of obtaining sensitive intellectual property.

Stonefly specializes in mounting highly selective attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment. Virtually all of the technologies it appears to be interested in have military as well as civilian uses, and some could have applications in the development of advanced weaponry.

History of ambitious attacks

Stonefly (aka DarkSeoul, BlackMine, Operation Troy, and Silent Chollima) first came to notice in July 2009, when it mounted distributed denial-of-service (DDoS) attacks against a number of South Korean, U.S. government, and financial websites.

It reappeared in 2011, when it launched more DDoS attacks, but also revealed an espionage element to its activity when it was found to be using a sophisticated backdoor Trojan (Backdoor.Prioxer) against selected targets.

In March 2013, the group was linked to the Jokra (Trojan.Jokra) disk-wiping attacks against a number of South Korean banks and broadcasters. Three months later, the group was involved in a string of DDoS attacks against South Korean government websites.

In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus shift solely to espionage operations against select, high-value targets. It now appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. Stonefly’s operations appear to be part of a broader North Korean-sponsored campaign to acquire information and intellectual property, with Operation Dream Job, a wider-ranging trawl across multiple sectors, being carried out by another North Korean group, Pompilus.

Latest target

The most recent attack discovered by Symantec, a division of Broadcom Software, was against an engineering firm that works in the energy and military sectors. The attackers breached the organization in February 2022, most likely by exploiting the Log4j vulnerability (CVE-2021-44228) on a public-facing VMware View server. The attackers then moved across the network and compromised 18 other computers.

17 hours later: Shortly after compromising the initial server, the attackers installed an updated version of Stonefly’s Backdoor.Preft malware (aka Dtrack, Valefor). The attackers then used a masqueraded version (file name: pvhost.exe) of PuTTY’s PSCP command line application, presumably to exfiltrate data from the infected machine. Shortly after PSCP was executed, the credential-dumping tool Mimikatz (masquerading under the file name pl.exe) was run.

Day 2: Malicious activity resumed when 3proxy tiny proxy server, a publicly available proxy tool (file name: svhost.exe), was executed. Use of this tool continued for the next four days. A second suspected proxy tool was installed two days into this four-day period (file name: tapi.exe). Several hours afterwards, a copy of the Preft backdoor (file name: svchost.exe) was installed. Two days later, WinSCP, an open-source SSH file-transfer tool, was used, presumably to exfiltrate data from or upload data to the compromised computer.

Day 3: The next phase of the intrusion began on the following day, when Preft was executed and the attackers began moving laterally across the organization’s network, using Invoke-TheHash, a publicly available PowerShell pass-the-hash utility (file name: rev.ps1), and wmiexec.py, a publicly available Impacket tool used to run WMI commands (file name: notepad.exe).
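A defender-side check, added here as an example and not code from the original report: it replays constructed Sysmon-style process-creation records and flags the two masquerading patterns the timeline above describes, a tool renamed to an unrelated file name (pvhost.exe, pl.exe) and a Windows system-process name running from a non-system directory (svchost.exe, notepad.exe). The field names and sample paths are assumptions.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not from the original
# report). "original" stands for the PE version-info OriginalFileName that
# Sysmon Event ID 1 logs beside the on-disk Image path; values are illustrative.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\pvhost.exe", "original": "PSCP"},              # renamed PuTTY PSCP
    {"image": r"C:\Users\Public\pl.exe", "original": "mimikatz.exe"},         # renamed Mimikatz
    {"image": r"C:\ProgramData\svchost.exe", "original": "-"},                # system name, wrong path
    {"image": r"C:\Windows\System32\svchost.exe", "original": "svchost.exe"}, # legitimate
    {"image": r"C:\Program Files\PuTTY\pscp.exe", "original": "PSCP"},        # legitimate PSCP
]

# Names the intrusion reused for unrelated tooling, and the directories
# Windows actually ships those binaries from.
SYSTEM_NAMES = {"svchost.exe", "notepad.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def _stem(name: str) -> str:
    """Lower-case file name without extension, so 'PSCP' compares equal to 'pscp.exe'."""
    return ntpath.splitext(name)[0].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like a masqueraded tool."""
    reasons = []
    directory, basename = ntpath.split(event["image"])
    original = event.get("original", "")
    # 1. On-disk name does not match the name the binary was compiled with.
    if original not in ("", "-", "?") and _stem(original) != _stem(basename):
        reasons.append(f"renamed binary: {basename} has OriginalFileName {original}")
    # 2. A Windows system process name launched from outside the system directories.
    if basename.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS:
        reasons.append(f"system name from unexpected path: {event['image']}")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious image path to its findings; clean events are omitted."""
    return {e["image"]: r for e in events if (r := assess(e))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```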

Updated Preft backdoor

The attackers used an updated version of Stonefly’s custom Preft backdoor. Analysis of the backdoor revealed that it is a multistage tool:

Stage 1 is the main binary. A Python script is used to unpack the binary and shellcode.

Stage 2 is shellcode. It performs the following actions:

  • Sleeps for 19,999 seconds, probably in an attempt to evade sandbox detection
  • Opens a mutex, with the name specified in the Stage 3 shellcode
  • Instead of loading an executable file, it starts Internet Explorer (iexplore.exe) or explorer.exe and injects the Stage 3 shellcode into either. It sets up a named pipe ("\\.\pipe\pipe") for communication. The file name of the main binary is sent over the pipe.

Stage 3 is more shellcode.

Stage 4 is the payload. It is an HTTP remote access tool (RAT) that supports various commands, including:

  1. Download (Download a file and save locally)
  2. Upload (Upload a file to a C&C server)
  3. Set Interval (Change C&C server query interval - in minutes)
  4. Shell Execute (Execute a command in the shell)
  5. Download Plugin
  6. Update (Download a new version and replace)
  7. Info (Return debug information about the current infection)
  8. Uninstall
  9. Download Executable

The malware can support four different kinds of plugins: executable files, VBS, BAT, and shellcode. It supports three different persistence modes: Startup_LNK, Service, Registry, and Task Scheduler.

Custom information stealer

Along with the Preft backdoor, Stonefly also deployed what appears to be a custom-developed information stealer (infostealer). Analysis of this malware revealed that it is a three-stage threat. The main binary extracts and decrypts the encrypted shellcode with a modified RC4 algorithm.

Stage 2 is shellcode which retrieves the payload and decrypts it with the same modified RC4 algorithm. The decrypted payload is an executable file that is loaded in memory. It is designed to search the infected computer for files using pre-configured parameters. Matching files are first copied to temporary files, then added to a single .zip file, after which the temporary files are removed. The ZIP file path is %TEMP%\~[XXXXXXXX].tmp, where XXXXXXXX is a simple hash of the computer name (eight uppercase hex digits).

Curiously, this ZIP file is not automatically exfiltrated. It is possible that the exfiltration functionality was removed and the attackers planned to use an alternative means of exfiltration.
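Because the archive is left on disk rather than exfiltrated, the staging file itself is something a responder can hunt for. The following is an added example, not code from the original report: it looks in a directory for files whose name fits the ~XXXXXXXX.tmp pattern above and confirms they are really ZIP archives by their magic bytes, so a decoy with the right name but other content is not reported. The sample directory it builds is constructed for the demonstration; in practice you would point it at each user's %TEMP%.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

# Staging-file name described above: a tilde, eight upper-case hex digits
# (a hash of the computer name), and a .tmp extension.
STAGING_NAME = re.compile(r"^~[0-9A-F]{8}\.tmp$")
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a ZIP archive


def find_staged_archives(directory: str) -> List[Tuple[str, int]]:
    """Return (path, member_count) for every file in `directory` whose name fits
    the staging pattern and whose first bytes show it is really a ZIP archive."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not STAGING_NAME.match(name):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            if fh.read(4) != ZIP_MAGIC:
                continue  # right name, but not an archive: not a staging file
        with zipfile.ZipFile(path) as zf:
            hits.append((path, len(zf.namelist())))
    return hits


def build_sample_dir() -> str:
    """Create a constructed temp directory (not a real infection) holding one
    look-alike archive, one decoy with only the name, and one unrelated file."""
    d = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(d, "~1A2B3C4D.tmp"), "w") as zf:
        zf.writestr("docs/design.pdf", b"constructed sample content")
        zf.writestr("docs/spec.docx", b"constructed sample content")
    with open(os.path.join(d, "~DEADBEEF.tmp"), "wb") as fh:
        fh.write(b"not an archive")
    with open(os.path.join(d, "other.tmp"), "wb") as fh:
        fh.write(ZIP_MAGIC + b"...")  # wrong name pattern, ignored
    return d


if __name__ == "__main__":
    for path, count in find_staged_archives(build_sample_dir()):
        print(f"{path}: ZIP archive with {count} member(s)")
```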

High-value targets

While Stonefly’s tools and tactics continue to evolve, there are some common threads between this recent activity and previous attacks, such as its ongoing development of the Preft backdoor and heavy reliance on open-source tools.

The group’s capabilities and its narrow focus on acquiring sensitive information make it one of the most potent North Korean cyber threat actors operating today.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.


About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
