Threat Actor: Jumpy Pisces
Victim: Unknown Client
Price: Not disclosed
Exfiltrated Data Type: Network access credentials
Key Points:
- Jumpy Pisces is a North Korean state-sponsored threat group.
- They gained initial access to the victim’s network via a compromised user account in May 2024.
- The group used the open-source tool Sliver and the custom malware DTrack for lateral movement and persistence.
- Communication with their command-and-control servers continued until the ransomware deployment in early September 2024.
- There is moderate confidence in a potential collaboration between Jumpy Pisces and the Play ransomware group.
- The compromised account was later used for privilege escalation and ransomware deployment.
- This incident highlights a possible trend of North Korean groups participating in global ransomware campaigns.
Play ransomware, first detected in mid-2022, is linked to a threat group identified as “Fiddling Scorpius,” which is suspected to manage both the development and execution of attacks using the ransomware. Contrary to speculation that Fiddling Scorpius may have adopted a ransomware-as-a-service (RaaS) model, the group asserted on its Play ransomware leak site that it operates independently, without providing RaaS services.
In September 2024, Unit 42 responded to a Play ransomware incident impacting one of its clients. Through Unit 42’s investigation, it was confirmed with high confidence that Jumpy Pisces, a North Korean state-sponsored threat group, gained initial access to the network in May 2024 via a compromised user account. This entry point enabled Jumpy Pisces to perform lateral movement and establish persistence, employing the open-source tool Sliver and their custom malware, DTrack. Both tools were distributed to multiple hosts over the Server Message Block (SMB) protocol, and they maintained communication with the group’s command-and-control (C2) servers until the ransomware deployment in early September.
Analysis of Potential Collaboration
Based on Unit 42’s observations, there is moderate confidence that Jumpy Pisces and the Play ransomware operators collaborated. The compromised account initially accessed by Jumpy Pisces was later leveraged for Windows access token abuse and SYSTEM privilege escalation through PsExec, ultimately leading to the uninstallation of EDR sensors and the deployment of the ransomware. Notably, Sliver C2 communication continued until the day before the ransomware attack, and the associated IP address went offline immediately after the ransomware deployment, supporting a potential link.
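The PsExec-to-SYSTEM step followed by EDR sensor removal described above is a sequence defenders can hunt for in Windows service events. The following is an added example, not code from Unit 42 or this post, that correlates the two events per host over constructed log lines; it relies on the standard System-log event IDs 7045 (service installed) and 7036 (service state change) and on PSEXESVC being the default service name PsExec installs, while the field layout and the EDR service name are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, one per line, flattened to key=value fields.
# 4624 = logon, 7045 = service installed, 7036 = service entered a state.
# "EDRSensor" is a placeholder for whatever the real EDR service is named.
SAMPLE_LOG = """\
2024-09-02T21:14:03Z host=FS01 id=4624 user=CORP\\jdoe logon_type=3 src=10.0.0.23
2024-09-02T21:14:05Z host=FS01 id=7045 service=PSEXESVC account=LocalSystem
2024-09-02T21:19:40Z host=FS01 id=7036 service=EDRSensor state=stopped
2024-09-02T22:00:00Z host=WS07 id=7045 service=BackupAgent account=LocalSystem
2024-09-03T08:30:12Z host=WS07 id=7036 service=EDRSensor state=stopped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse(log):
    """Turn the flattened lines into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def find_psexec_edr_chain(events, window=timedelta(minutes=30),
                          edr_services=("EDRSensor",)):
    """Per host: a PsExec service installed as SYSTEM, then an EDR service
    stopping within `window`. Returns (host, psexec_time, edr_stop_time)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            is_psexec = (ev.get("id") == "7045"
                         and ev.get("service", "").upper() == "PSEXESVC"
                         and ev.get("account") == "LocalSystem")
            if not is_psexec:
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # outside the correlation window
                if (later.get("id") == "7036" and later.get("state") == "stopped"
                        and later.get("service") in edr_services):
                    hits.append((host, ev["ts"].isoformat(), later["ts"].isoformat()))
    return hits
```

WS07 is deliberately not flagged: its service install is not PsExec and its EDR stop falls outside the window, which keeps routine maintenance out of the alert.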
While it is uncertain if Jumpy Pisces acted as an affiliate or simply as an initial access broker (IAB) selling network access to the ransomware operators, this event highlights a notable collaboration between a state-sponsored North Korean group and an underground ransomware network. This alignment could suggest an emerging trend of North Korean groups joining global ransomware campaigns, potentially leading to broader, more destructive attacks on a global scale.
The post Unit42 Detected Possible Collaboration Between North Korea and Play Ransomware appeared first on Daily Dark Web.