A recent incident has tied North Korean threat actors to the well-known Play ransomware, underscoring the financial motives behind their activity.
The occurrence, noted from May to September 2024, has been associated with a threat actor known as Jumpy Pisces, also recognized as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly.
Palo Alto Networks Unit 42 mentioned in a new report released today that “With reasonable certainty, we believe that Jumpy Pisces or a segment of the group is presently working together with the Play ransomware group.”
“This occurrence is notable as it signifies the initial documented collaboration between the North Korean state-linked group Jumpy Pisces and an underground ransomware syndicate.”
Andariel, operational since at least 2009, is linked to North Korea’s Reconnaissance General Bureau (RGB) and has been previously identified deploying two other ransomware entities named SHATTEREDGLASS and Maui.
Earlier in the same month, Symantec, a part of Broadcom, reported that three separate U.S. organizations were compromised by the state-associated hacking group in August 2024 as part of a suspected financially motivated intrusion, even though no ransomware was activated on their systems.
Play is a ransomware operation that has allegedly impacted roughly 300 organizations as of October 2023. It is also identified as Balloonfly, Fiddling Scorpius, and PlayCrypt.
Though cybersecurity firm Adlumin disclosed in the previous year that the operation might have shifted to a ransomware-as-a-service (RaaS) model, Play operators have debunked this claim on their dark web data leakage site.
In the investigation by Unit 42, it is believed that Andariel infiltrated initially via a compromised user account in May 2024, followed by lateral movement and persistence actions using the Sliver command-and-control (C2) framework and a customized backdoor dubbed Dtrack (also known as Valefor and Preft).
“These remote tools were in continuous communication with their command-and-control (C2) server until early September,” as mentioned by Unit 42. “This eventually led to the activation of Play ransomware.”
The Play ransomware deployment followed an unknown threat actor gaining access to the network through the same compromised user account and carrying out credential harvesting, privilege escalation, and removal of endpoint detection and response (EDR) sensors, all of which are typical pre-ransomware activities.
Another element of the attack involved a trojanized binary capable of extracting web browsing history, autofill data, and credit card information for Google Chrome, Microsoft Edge, and Brave.
The shared use of the same compromised user account by both Andariel and Play suggests a link between the two intrusion campaigns, as does the fact that the Sliver C2 server (172.96.137[.]224) kept communicating with the compromised network until the day before the ransomware attack. The C2 IP address has been inactive since the deployment took place.
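The paragraph above describes a defanged C2 indicator (172.96.137[.]224) and a beaconing pattern that persisted across days before the ransomware was dropped. As an added example that is not part of the Unit 42 report or this article, the following Python script shows how a defender would refang such an indicator, match it exactly against egress log lines, and flag internal hosts that contacted it on more than one day. The log format and every log line are constructed for the example; only the IP address comes from the text.

```python
import re
from datetime import datetime

# Indicator quoted in the reporting above, kept in its defanged form.
DEFANGED_IOCS = ["172.96.137[.]224"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its literal value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Constructed sample egress log lines (not taken from the report), in an assumed
# "timestamp src_ip -> dst_ip:port action" layout. Note the near-miss 172.96.137.2.
SAMPLE_LOGS = """\
2024-09-02T10:15:03Z 10.20.1.57 -> 172.96.137.224:443 ALLOW
2024-09-02T10:15:09Z 10.20.1.57 -> 172.96.137.2:443 ALLOW
2024-09-02T10:16:41Z 10.20.1.58 -> 93.184.216.34:443 ALLOW
2024-09-03T01:02:00Z 10.20.1.57 -> 172.96.137.224:8443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\w+)$"
)

def find_c2_contacts(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, src, dst, port) for lines whose destination equals an IoC."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        # Exact string match: a substring check would also flag 172.96.137.2
        if m["dst"] in iocs:
            hits.append((m["ts"], m["src"], m["dst"], int(m["port"])))
    return hits

def beaconing_hosts(hits):
    """Internal hosts that reached the C2 on more than one distinct calendar day."""
    days_by_host = {}
    for ts, src, _dst, _port in hits:
        day = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        days_by_host.setdefault(src, set()).add(day)
    return sorted(src for src, days in days_by_host.items() if len(days) > 1)

if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOGS)
    for contact in contacts:
        print("C2 contact:", contact)
    print("Hosts beaconing across days:", beaconing_hosts(contacts))
```

The exact-match comparison matters: matching the indicator as a substring would also flag the unrelated 172.96.137.2 destination. In practice the multi-day check is what separates a one-off lookup from the sustained implant traffic the report describes.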
“It is unclear whether Jumpy Pisces has actually joined forces with Play ransomware or if they contributed as an IAB [initial access broker] by peddling network access to Play ransomware actors,” Unit 42 concluded. “If Play ransomware doesn’t offer the RaaS ecosystem as claimed, Jumpy Pisces might have simply acted as an IAB.”