"Stonefly Group Targets US Firms With New Malware Tools"

According to security researchers at Symantec, the North Korean Stonefly group, also tracked as APT45 and Silent Chollima, has continued its financially motivated cyberattacks against US organizations despite a recent indictment. The group, which is linked to North Korea's Reconnaissance General Bureau, has shifted its focus from espionage toward private companies in sectors with little intelligence value.

The attackers signed their tools with a fake Tableau certificate that Microsoft had previously documented, along with two other certificates that appear to be unique to this campaign. The most notable tool deployed was Backdoor.Preft, a multi-stage backdoor associated exclusively with Stonefly that can download files, execute commands and load additional plugins. Other malware identified on victim networks included Nukebot and the Sliver penetration-testing framework.

The researchers noted several signs that these attacks were financially driven rather than aimed at gathering state intelligence. Although no ransomware was successfully deployed, the group's recent shift toward such tactics marks a significant change in its operational strategy.
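Because the report highlights tooling signed with a spoofed vendor certificate, a practical first check on a Windows host is to hunt for executables whose signer subject claims a watched vendor name but whose Authenticode signature does not chain to a trusted root. The script below is an added example written for this summary; it is not code from Symantec, Microsoft or Infosecurity Magazine. The search paths, the file extensions and the vendor watchlist are assumptions, and no certificate thumbprints are hard-coded because the page publishes none.

```powershell
# Added example (not from the reports summarized above): flag PE files whose signer
# subject matches a watched vendor name but whose signature status is not Valid.
# Paths, extensions and the watchlist are assumptions; extend them for your estate.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads"),
    [string[]]$WatchedVendors = @('Tableau')   # vendor names the campaign is reported to spoof
)

$exts = '*.exe', '*.dll', '*.sys'

foreach ($root in $Paths) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root -Recurse -Include $exts -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        # Unsigned files are a separate hunt; here we only care about spoofed signers.
        if (-not $sig -or -not $sig.SignerCertificate) { return }

        $subject = $sig.SignerCertificate.Subject
        $spoofed = $WatchedVendors | Where-Object { $subject -match [regex]::Escape($_) }

        # A genuine vendor-signed binary reports Valid; NotTrusted, UnknownError or
        # HashMismatch on a matching subject is what we want an analyst to look at.
        if ($spoofed -and $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Subject    = $subject
                Issuer     = $sig.SignerCertificate.Issuer
                Thumbprint = $sig.SignerCertificate.Thumbprint
                NotAfter   = $sig.SignerCertificate.NotAfter
            }
        }
    }
}
```

Run it with the default paths or pass `-Paths` and `-WatchedVendors` explicitly, and pipe the output to `Export-Csv` for triage. A hit is a lead, not a verdict: compare the reported issuer and thumbprint against the indicators published by Microsoft and Symantec before acting, since a legitimately signed file on a host with a broken trust store can also report NotTrusted.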


Infosecurity Magazine reports: "Stonefly Group Targets US Firms With New Malware Tools"

Submitted by Adam Ekwall on