North Korean-linked threat actors have been involved in a recent incident involving the deployment of a known ransomware family called Play, highlighting their financial motivations.
The activity observed from May to September 2024 has been attributed to a threat actor tracked as Jumpy Pisces, also known by the aliases Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima and Stonefly.
Palo Alto Networks Unit 42 stated in a newly published report that they believe, with moderate confidence, Jumpy Pisces or a faction of the group is currently collaborating with the Play ransomware group.
This incident is noteworthy as it represents the first documented collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network.
Andariel, active since at least 2009, is linked to North Korea’s Reconnaissance General Bureau (RGB). Previously, it has been observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.
Earlier this month, Symantec, a division of Broadcom, reported that in August 2024 three separate organizations in the U.S. were targeted by a state-backed hacking team. This attack was likely financially motivated; however, no ransomware was deployed on their networks.
Play, alternatively known as Balloonfly, Fiddling Scorpius, and PlayCrypt, is a ransomware operation that has reportedly affected around 300 organizations as of October 2023.
Late last year, cybersecurity firm Adlumin suggested that the operation might have shifted to a ransomware-as-a-service (RaaS) model. However, the threat actors behind Play later announced on their dark web data leak site that this is not true.
In the incident examined by Unit 42, it is believed that Andariel initially accessed the system through a compromised user account in May 2024. Subsequently, they engaged in lateral movement and persistence activities utilizing the Sliver command-and-control (C2) framework and a custom backdoor known as Dtrack (also referred to as Valefor and Preft).
According to Unit 42, “The remote tools maintained communication with their command-and-control (C2) server until early September. This eventually resulted in the deployment of Play ransomware.”
Before deploying the Play ransomware, an unidentified threat actor infiltrated the network using a compromised user account.
They were then observed engaging in credential harvesting, privilege escalation, and uninstalling endpoint detection and response (EDR) sensors, activities commonly associated with pre-ransomware stages.
The attack also employed a Trojanized binary designed to collect web browser history, auto-fill data, and credit card information from Google Chrome, Microsoft Edge, and Brave.
Apart from the shared use of a compromised user account by both Andariel and Play, evidence linking these two intrusion sets comes from continuous communication with the Sliver C2 server (172.96.137[.]224) until just one day before deploying ransomware. Interestingly, this C2 IP address has been offline since the deployment occurred.
Unit 42 informed The Hacker News that the ransomware incident has several similarities with the attacks reported by Symantec, including overlaps in tools, infrastructure, target selection, and timeline. Notably, this includes a Sliver C2 IP address identified by Symantec as being used alongside the Plink command-line connection utility.
According to Navin Thomas, a threat researcher at Unit 42, the observed activity revealed that the threat actor mainly utilized IP address 172.96.137[.]224 for Sliver C2 operations.
“The IP address was utilized for various purposes, featuring multiple open ports that served different functions. These included Sliver, a web service for tool distribution, and SSH services. However, our investigation couldn’t confirm any use of Plink from this IP address.”
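The defender's takeaway from the indicator above is an IoC sweep: check egress logs for contact with the Sliver C2 address and correlate the last contact with the EDR sensor removal that preceded encryption. The script below is an added example and is not code from Unit 42, Symantec, or The Hacker News; the log format it parses and all of the sample lines (hosts, ports, timestamps, the `svc_backup` account) are constructed for illustration, with only the defanged C2 address taken from the reporting.

```python
import re
from datetime import datetime

# Defanged C2 indicator as printed in the Unit 42 reporting quoted above.
SLIVER_C2_DEFANGED = "172.96.137[.]224"

# Constructed sample logs (not from the incident). The format is a hypothetical
# egress firewall line ("FW ...") and EDR host event line ("EDR ..."); adapt the
# two regexes below to whatever your own SIEM exports.
SAMPLE_LOGS = """\
2024-09-01T10:12:03Z FW src=10.0.5.21 dst=172.96.137.224 dport=443 action=allow
2024-09-02T11:40:17Z FW src=10.0.5.21 dst=172.96.137.224 dport=8888 action=allow
2024-09-02T11:41:02Z FW src=10.0.5.21 dst=93.184.216.34 dport=443 action=allow
2024-09-03T08:05:44Z EDR host=WS-021 event=sensor_uninstall user=svc_backup
2024-09-03T09:00:00Z EDR host=WS-021 event=process_start image=ransom.exe
"""

FW_RE = re.compile(r"^(\S+) FW src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
EDR_RE = re.compile(r"^(\S+) EDR host=(\S+) event=(\S+)(?: (.*))?$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (dots written as '[.]') back into a matchable IP."""
    return ioc.replace("[.]", ".")


def scan_logs(log_text: str, c2_defanged: str = SLIVER_C2_DEFANGED) -> dict:
    """Return C2 contacts, EDR sensor uninstalls, and the gap between the last
    C2 contact and the first sensor uninstall (the pre-ransomware window)."""
    c2_ip = refang(c2_defanged)
    c2_contacts = []      # (timestamp, source host, destination port)
    edr_uninstalls = []   # (timestamp, host)

    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            if m.group(3) == c2_ip:
                c2_contacts.append((m.group(1), m.group(2), int(m.group(4))))
            continue
        m = EDR_RE.match(line)
        if m and m.group(3) == "sensor_uninstall":
            edr_uninstalls.append((m.group(1), m.group(2)))

    hours_gap = None
    if c2_contacts and edr_uninstalls:
        last_c2 = datetime.strptime(c2_contacts[-1][0], TS_FMT)
        first_uninstall = datetime.strptime(edr_uninstalls[0][0], TS_FMT)
        hours_gap = round((first_uninstall - last_c2).total_seconds() / 3600, 1)

    return {
        "c2_contacts": c2_contacts,
        "edr_uninstalls": edr_uninstalls,
        "last_c2_contact": c2_contacts[-1][0] if c2_contacts else None,
        "hours_c2_to_edr_uninstall": hours_gap,
    }


if __name__ == "__main__":
    findings = scan_logs(SAMPLE_LOGS)
    for ts, src, port in findings["c2_contacts"]:
        print(f"C2 contact {ts} from {src} to port {port}")
    for ts, host in findings["edr_uninstalls"]:
        print(f"EDR sensor uninstall {ts} on {host}")
    print("hours from last C2 contact to EDR uninstall:",
          findings["hours_c2_to_edr_uninstall"])
```

Matching on the refanged literal is deliberate: pasting the defanged string from a report straight into a search silently matches nothing, which is a common reason an IoC sweep comes back clean. Because the C2 address went offline after deployment, a live DNS or reputation lookup tells you little; the value is in historical egress logs from the May to September window.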
Regardless of the specifics of the partnership between these two threat groups, this development indicates that North Korean cybercriminals might launch more extensive ransomware attacks in the future to bypass sanctions and raise funds for their financially struggling country.
Unit 42 concluded that it is still uncertain whether Jumpy Pisces has officially joined as an affiliate for Play ransomware or simply served as an Initial Access Broker (IAB) by selling network access to the ransomware group. “If Play’s claim of a RaaS ecosystem isn’t accurate, it’s possible that Jumpy Pisces solely acted in the role of an IAB.”