North Korean Attack: Hackers Use Play For Financial Gains
As per recent media reports, multiple threat actors linked to North Korea have been implicated in using a known ransomware family called Play. Reports claim that the North Korean attack was orchestrated for financial motives. In this article, we’ll uncover the details of the North Korean attack, uncover the attack life cycle, tools, and more. Let’s begin!
North Korean Attack Threat Actor Uncovered
Before we dive into the details of the North Korean attack, it’s worth mentioning that activities pertaining to it were observed between May and September 2024. These activities have been attributed to the threat actor named Jumpy Pisces. The threat actor also goes by multiple names that include:
- Andariel.
- APT45.
- DarkSeoul.
- Nickel Hyatt.
- Onyx Sleet (formerly Plutonium).
- Operation Troy.
- Silent Chollima.
- Stonefly.
The threat actor behind the North Korean attack was identified by Palo Alto Networks Unit 42. It is believed that the entity is sponsored by North Korea and is associated with the Reconnaissance General Bureau of the Korean People’s Army.
The group has been involved in various online initiatives that include cyber espionage, financial crime, and ransomware attacks. Initial investigations have detailed a shift in the group’s tactics given its collaboration with the Play ransomware.
It’s worth noting that the change marks the group’s first instance of using an existing ransomware infrastructure. During the attack, the group may have acted as an initial access broker (IAB) or an affiliate of Play.
In addition, this tactical shift highlights the group’s deeper involvement in the broader ransomware threat landscape. Jumpy Pisces has also been indicted by the United States (US) Justice Department for developing custom malware called Maui.
Jumpy Pisces Cyber Attack Initial Discovery
The initial discovery of the Jumpy Pisces attack dates back to September 2024; however, the Play ransomware was first reported in mid-2022. In early September, Unit 42 was addressing an incident response request for an organization believed to be impacted by the Play ransomware.
It’s worth noting that Play is believed to be a closed group that develops and executes its own attacks. While the findings suggest that the group has transitioned to a ransomware-as-a-service (RaaS) operational model, the hacker group has denied such a transition on its leak site.
As part of the investigation of the attack, it was identified that Jumpy Pisces gained initial access via a compromised user account back in May 2024.
Attack Tools Detailed
After acquiring access, the threat actor conducted several lateral movements that allowed it to maintain persistence. In addition, the hacker group spread the open-source tool Sliver and its own custom malware, DTrack, to other hosts. The Server Message Block (SMB) protocol was used for this distribution.
Cybersecurity experts who investigated the North Korean attack uncovered several tools that were used up until the deployment of the Play ransomware. These tools include:
- Sliver – Sliver is a customized version of the open-source red-teaming tool used for C2 initiatives. In recent attacks, the tool has been observed as an alternative to Cobalt Strike. This customized version beacons to the IP address “172.96.137[.]224.” Both this IP address and its domain, “americajobmail[.]site,” have been linked to Jumpy Pisces.
- DTrack – DTrack is an infostealer that has previously been used in online crime incidents attributed to North Korea. The infostealer first collects data, compresses it, and then disguises it as a GIF file.
- Mimikatz – Mimikatz is a customized version of the publicly available credential dumping tool that utilizes “C:\windows\temp\KB0722.log” as its dump log.
Apart from these tools, the threat actor also utilized a dedicated tool developed for creating a privileged user account on the compromised devices. To do this, the tool relied on the Remote Desktop Protocol (RDP).
In addition, a trojanized binary was also used for stealing browser history, autofill data, and credit card details from Chrome, Edge, and Brave. The information scraped by the binary was saved in the “%TEMP%” directory. Providing further insights, Unit 42 experts stated that:
“All the above-mentioned files were signed using a couple of invalid certificates that we note in the Indicators of Compromise section of this article. These certificates, previously linked to Jumpy Pisces, enabled the files to impersonate ones created by legitimate entities.”
Play Ransomware Sequence And Life Cycle
Once distributed, the remote tools communicated with their command-and-control (C2) server until early September, allowing the Play ransomware to be deployed. The group had access to the network from May 2024 to September 2024 and provided below is the detailed sequence of events.
May 28th to May 31st
During this time the earliest signs of malicious activities were detected. To launch the North Korean attack, hackers first compromised a user account to gain initial access. After that, they conducted a partial registry dump for credential access and started to spread Sliver and DTrack to multiple hosts.
June 5th to June 25th
After the deployment of the malicious tools, the hackers initiated Sliver C2 beaconing. The tool continued to be distributed to other hosts even as the beaconing went on. Once deployed successfully, the tools were used to launch internet browsers with custom user data directories and with sandboxing features disabled.
August 3rd to August 30th
In this phase of the North Korean attack, the hackers established persistence and carried out internal discovery. This included creating a malicious service, gathering network configuration data, conducting RDP sessions, and C2 beaconing.
Sept 2nd to Sept 4th
In the fourth phase of the North Korean attack, credential access was acquired. After that, the threat actors initiated the extraction of Windows Security Account Manager (SAM), Security, and System registry hives.
September 5th
This stage of the North Korean attack is when the pre-ransomware activity began. To prepare the compromised system for ransomware deployment, various malicious initiatives were initiated. These include:
- Using the Task Manager for LSASS dump.
- Abusing Windows Access Tokens.
- Using PsExec for lateral movements.
- Escalating to SYSTEM.
- Utilization of EDR sensors.
Once these activities were completed successfully, multiple hosts on that network that had been compromised were encrypted by the Play ransomware.
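The tools and the September 5th pre-ransomware steps described above each leave host- or network-level traces. The following added example, which is not Unit 42’s code and assumes endpoint events have already been normalized into a simple host/kind/detail record, correlates the indicators quoted in this article (the Sliver C2 address and domain, the Mimikatz dump log path, Task Manager access to LSASS, SAM/Security/System hive exports, and PsExec service creation) and flags any host showing two or more of them. The sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators quoted in this article (defanged in the text; plain here for matching).
SLIVER_C2_IP = "172.96.137.224"
SLIVER_C2_DOMAIN = "americajobmail.site"
MIMIKATZ_LOG = r"c:\windows\temp\kb0722.log"
HIVE_NAMES = {"sam", "security", "system"}  # hives extracted on Sept 2nd-4th

@dataclass
class Event:
    host: str
    kind: str    # assumed normalized kinds: net, file, proc_access, cmd, service
    detail: str

def classify(ev: Event) -> Optional[str]:
    """Map one event to a named detection, or None if nothing on the page matches."""
    d = ev.detail.lower()
    if ev.kind == "net" and (SLIVER_C2_IP in d or SLIVER_C2_DOMAIN in d):
        return "sliver_c2_beacon"
    if ev.kind == "file" and d == MIMIKATZ_LOG:
        return "mimikatz_dump_log"
    if ev.kind == "proc_access" and "taskmgr.exe" in d and "lsass.exe" in d:
        return "taskmgr_lsass_dump"
    if ev.kind == "cmd":
        m = re.match(r"reg(?:\.exe)?\s+save\s+hklm\\(\w+)", d)
        if m and m.group(1) in HIVE_NAMES:
            return "registry_hive_export"
    if ev.kind == "service" and "psexesvc" in d:
        return "psexec_service"
    return None

def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Return hosts with two or more distinct detections, i.e. a likely pre-ransomware chain."""
    hits: Dict[str, set] = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(ev.host, set()).add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= 2}

SAMPLE = [  # constructed events, not taken from the incident
    Event("ws01", "net", "dst=172.96.137.224:443 proc=svchost.exe"),
    Event("ws01", "file", r"C:\Windows\Temp\KB0722.log"),
    Event("ws01", "cmd", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    Event("srv02", "proc_access", "source=taskmgr.exe target=lsass.exe"),
    Event("srv02", "service", r"name=PSEXESVC path=C:\Windows\PSEXESVC.exe"),
    Event("fs03", "file", r"C:\Users\bob\report.docx"),
]
```

A single hit on its own is only a lead; the two-detection threshold is what turns the timeline above into an alert worth escalating before encryption starts.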
Mitigation Measures To Ensure Protection
Before we dive into the mitigation measures, it’s worth noting that the compromised account used in this North Korean attack for acquiring initial access was the same as the one used in previous ransomware deployments. Palo Alto Networks has stated that these findings have been shared with Cyber Threat Alliance (CTA) members.
These experts are likely to use these insights for deploying protection measures that ensure the security of their customers. Commenting on the prevalence of the threat, Unit 42 experts have stated that:
“We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”
For now, users have been urged to contact the Unit 42 Incident Response Team if they believe that they have fallen prey to the North Korean attack.
Conclusion
The North Korean attack orchestrated by Jumpy Pisces highlights a dangerous shift in ransomware tactics, with North Korea-backed hackers targeting financial gain. Using tools like Sliver, DTrack, and Play ransomware, these cybercriminals executed a sophisticated multi-phase attack over months.
As ransomware continues to evolve, it’s critical for organizations to stay vigilant, implement robust security measures, and monitor for indicators of compromise linked to online threat actors.
The sources for this piece include articles in The Hacker News and Unit 42.