

APT29 aka Nobelium – Active IOCs
October 31, 2024
Russian APT29 Exploits RDP Files in Spear-Phishing Campaign Targeting Over 100 Organizations – Active IOCs
October 31, 2024
Severity
High
Analysis Summary
The financial objectives of North Korean threat actors have been highlighted by their involvement in a recent event that used the Play family of ransomware. The threat actor identified as APT45—also known as Andariel, Jumpy Pisces, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly—has been blamed for the activity, which was seen between May and September 2024.
The researchers said, “We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group.”
This incident is noteworthy since it is the first time that an underground ransomware network and the state-sponsored North Korean Andariel have been known to act together. Andariel has been a part of North Korea's Reconnaissance General Bureau (RGB) since at least 2009. It has been seen to use two additional ransomware variants, Maui and SHATTEREDGLASS, in the past.
Although no ransomware was installed on the networks of the three U.S. firms attacked by the state-sponsored threat group in August 2024, researchers reported earlier this month that the attack was likely financially motivated. In contrast, Play is a ransomware operation that, as of October 2023, is thought to have affected about 300 enterprises. Other names for it include PlayCrypt, Balloonfly, and Fiddling Scorpius.

The threat actors behind Play have since declared on their dark web data leak site that the operation has not switched to a ransomware-as-a-service (RaaS) model, despite the researchers’ revelation late last year. According to the investigation, Andariel is thought to have obtained initial access in May 2024 through a compromised user account. Then, lateral movement and persistence activities were carried out using the Sliver command-and-control (C2) framework and a custom backdoor known as Dtrack (also known as Valefor and Preft).
These remote tools kept in contact with their command-and-control (C2) server until the beginning of September, after which the Play ransomware was deployed. Before the Play ransomware deployment, an unknown threat actor gained access to the network using the same compromised user account and was then seen performing pre-ransomware activities such as credential harvesting, privilege escalation, and uninstalling endpoint detection and response (EDR) sensors.
A trojanized binary that can collect credit card information, auto-fill data, and web browser history from Google Chrome, Microsoft Edge, and Brave was also used in the attack. Both Andariel and Play used the compromised user account, and the two intrusion sets have been linked because contact with the Sliver C2 server continued until the day before the ransomware was deployed. Since the day of the deployment, the C2 IP address has not been reachable.
It is still unclear if Andariel sold network access to the Play ransomware actors in an IAB (initial access broker) capacity or if they have formally joined the Play ransomware affiliate network. Andariel may have simply served as an IAB if the Play ransomware does not offer a RaaS ecosystem as it purports to.
Impact
- Financial Loss
- Unauthorized Access
- Credential Theft
- Privilege Escalation
Indicators of Compromise
Domain Name
- americajobmail.site
IP
- 172.96.137.224
MD5
- e12f93d462a622f32a4ff1e646549c42
- f01eae4ee3cc03d621be7b0af7d60411
SHA-256
- f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
- b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449
SHA-1
- 540853beffb0ba9b26cf305bcf92fad82599eb3c
- e3069713add2d99750af6c30580fb3595a0b6abc
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.
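As an added illustration of the "search for IOCs in your environment" step (example code, not part of the original advisory), the following script sweeps log lines and file contents for the indicators listed above. The log lines and the file bytes are constructed samples, not real telemetry.

```python
"""Sweep constructed sample logs and file bytes for the IOCs published above."""
import hashlib
import re

# Indicators exactly as listed in this advisory.
IOC_DOMAINS = {"americajobmail.site"}
IOC_IPS = {"172.96.137.224"}
IOC_HASHES = {
    "e12f93d462a622f32a4ff1e646549c42",
    "f01eae4ee3cc03d621be7b0af7d60411",
    "f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5",
    "b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449",
    "540853beffb0ba9b26cf305bcf92fad82599eb3c",
    "e3069713add2d99750af6c30580fb3595a0b6abc",
}

# Constructed sample log lines (not real telemetry): a DNS query, a proxy
# connection, an EDR file event carrying the SHA-256 of a dropped file, and
# one benign line that must not match.
SAMPLE_LOGS = [
    "2024-06-02T10:14:03Z dns client=10.0.5.23 query=americajobmail.site type=A",
    "2024-06-02T10:14:05Z proxy src=10.0.5.23 dst=172.96.137.224:443 action=allow",
    "2024-06-02T10:15:11Z edr host=WS-0231 file=C:\\Users\\Public\\svc.exe "
    "sha256=f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5",
    "2024-06-02T10:16:40Z dns client=10.0.5.40 query=updates.example.com type=A",
]

# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests, IPv4 literals, hostnames.
_HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def scan_line(line):
    """Return the set of (ioc_type, value) pairs found in one log line."""
    low = line.lower()  # hashes and hostnames are compared case-insensitively
    hits = {("hash", h) for h in _HASH_RE.findall(low) if h in IOC_HASHES}
    hits |= {("ip", ip) for ip in _IP_RE.findall(low) if ip in IOC_IPS}
    for host in _HOST_RE.findall(low):
        # Flag the listed domain and any subdomain beneath it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(("domain", host))
    return hits

def sweep(lines):
    """Map each matching log line to its hits; lines with no IOC are omitted."""
    return {line: scan_line(line) for line in lines if scan_line(line)}

def file_hash_hits(data):
    """Hash raw file bytes with all three listed algorithms and check each digest."""
    digests = {hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}
    return digests & IOC_HASHES
```

Feed real DNS, proxy and EDR exports into sweep() and sampled file contents into file_hash_hits(); any non-empty result is a lead to triage, not a confirmed compromise on its own.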