Threat players linked to N. Korea have been implicated in a recent incident that deployed a known ransomware family called ‘Play,’ revealing their financial motivations.
This activity, observed between May & Sept. 2024, has been attributed to a threat player tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, & Stonefly.
‘Jumpy Pisces’
“We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group,” Palo Alto Networks Unit 42 said in a report published today.
“This incident is significant because it marks the 1st recorded collaboration between the ‘Jumpy Pisces’ N. Korean state-sponsored group & an underground ransomware network.”
‘Andariel’
Andariel, active since at least 2009, is affiliated with N. Korea’s Reconnaissance General Bureau (RGB). It has been previously observed deploying 2 other ransomware types known as SHATTEREDGLASS & Maui.
Earlier in Oct., Symantec, part of Broadcom, noted that 3 different organisations in the US were targeted by the state-sponsored hacking group in Aug. 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.
Play, on the other hand, is a ransomware operation that’s believed to have impacted circa 300 organisations as of Oct. 2023. It is also known as Balloonfly, Fiddling Scorpius, & PlayCrypt.
RaaS Model
While cyber-security firm Adlumin revealed late in 2023 that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that this is not the case.
In the incident investigated by Unit 42, Andariel is believed to have gained initial access via a compromised user account in May 2024, followed by lateral movement & persistence activity using the Sliver command-&-control (C2) framework & a bespoke backdoor called Dtrack (aka Valefor & Preft).
“These remote tools continued to communicate with their command-&-control (C2) server until early Sept.,” Unit 42 said. “This ultimately led to the deployment of Play ransomware.”
Unidentified Threat Player
The Play ransomware deployment was preceded by an unidentified threat player infiltrating the network using the same compromised user account, after which they were observed conducting credential harvesting, privilege escalation, & uninstallation of endpoint detection & response (EDR) sensors, all hallmarks of pre-ransomware activity.
Also used as part of the attack was a trojanised binary that is capable of harvesting web browser history, auto-fill information, & credit card details for Google Chrome, Microsoft Edge, & Brave.
Compromised Account
The use of the compromised user account by both Andariel & Play aside, the connection between the 2 intrusion sets stems from the fact that communication with the Sliver C2 server (172.96.137[.]224) remained ongoing until the day before ransomware deployment. The C2 IP address has been offline since the day the deployment took place.
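The overlap described above (one compromised account, Sliver C2 traffic to a single IP, then EDR uninstallation shortly before ransomware) is the kind of pattern a defender can hunt for retrospectively. The following Python script is an added illustration, not tooling from Unit 42, Symantec or the article: it refangs the published C2 indicator, parses a constructed key=value log format (a hypothetical format, not any vendor's), and reports hosts beaconing to the C2, EDR-tampering commands, and any account that appears in both, which is the "same compromised user account" link the report draws. The log lines, host names, the `corp\jdoe` account and the `edrsensor` product name are all constructed placeholders.

```python
import re

# Sliver C2 indicator exactly as defanged in the Unit 42 report cited in the article.
DEFANGED_C2 = "172.96.137[.]224"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into a matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


C2_IP = refang(DEFANGED_C2)

# Hypothetical log format: "<iso-ts> host=<h> user=<u> event=<e> [key=value ...]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: (?P<detail>.*))?$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Command lines that remove or stop an EDR sensor (the product name "edr..." is a placeholder).
EDR_TAMPER_RE = re.compile(
    r"(?=.*edr)(?=.*(msiexec\.exe /x|uninstall|sc(\.exe)? (stop|delete)))", re.I
)

# Constructed sample telemetry mirroring the article's timeline: May access, months of
# beaconing, EDR removal in early September, C2 still alive the day after.
SAMPLE_LOGS = [
    r"2024-05-14T09:02:11Z host=ws-finance-07 user=corp\jdoe event=LOGON type=interactive",
    r"2024-05-14T09:05:40Z host=ws-finance-07 user=corp\jdoe event=NET_CONNECT dst=172.96.137.224:443 proc=svchost.exe",
    r"2024-06-02T22:17:03Z host=srv-file-02 user=corp\jdoe event=NET_CONNECT dst=172.96.137.224:8888 proc=updater.exe",
    r"2024-07-19T03:44:12Z host=ws-finance-07 user=corp\jdoe event=NET_CONNECT dst=93.184.216.34:443 proc=chrome.exe",
    r'2024-09-03T01:12:55Z host=srv-file-02 user=corp\jdoe event=PROCESS_CREATE image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /x {EDR-SENSOR} /qn"',
    r'2024-09-03T01:15:20Z host=srv-file-02 user=corp\svc_backup event=PROCESS_CREATE image=C:\Windows\System32\sc.exe cmdline="sc.exe stop edrsensor"',
    r"2024-09-04T02:00:00Z host=srv-file-02 user=corp\jdoe event=NET_CONNECT dst=172.96.137.224:443 proc=svchost.exe",
]


def parse(line: str):
    """Parse one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec["detail"] or "")}
    return rec


def hunt(lines, c2_ip: str = C2_IP) -> dict:
    """Correlate C2 beacons with EDR tampering and surface shared accounts."""
    beacons, tamper = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["event"] == "NET_CONNECT":
            ip, _, port = f.get("dst", "").rpartition(":")
            if ip == c2_ip:
                beacons.append((rec["ts"], rec["host"], rec["user"], int(port)))
        elif rec["event"] == "PROCESS_CREATE":
            cmd = f.get("cmdline", "")
            if EDR_TAMPER_RE.search(cmd):
                tamper.append((rec["ts"], rec["host"], rec["user"], cmd))

    beacon_users = {b[2] for b in beacons}
    tamper_users = {t[2] for t in tamper}
    last_beacon = max((b[0] for b in beacons), default=None)
    first_tamper = min((t[0] for t in tamper), default=None)
    return {
        "c2_beacons": beacons,
        "c2_ports": sorted({b[3] for b in beacons}),  # multiple ports, as Unit 42 described
        "edr_tamper": tamper,
        "shared_accounts": sorted(beacon_users & tamper_users),
        # True when the C2 channel was still alive after EDR removal began
        "c2_active_after_tamper": bool(last_beacon and first_tamper and last_beacon >= first_tamper),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The hunt deliberately keys on the account rather than the host: the article's link between the two intrusion sets is the shared credential and the still-live C2 channel, so an account that both beacons to the published IP and later runs an EDR uninstall is the finding to escalate, and resetting that credential plus blocking the IP are the immediate containment steps.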
Unit 42 commented that the ransomware incident shares ‘multiple overlaps’ in the tools, infrastructure, target selection, & timeline with the attacks disclosed by Symantec. Of interest is the Sliver C2 IP address, which Symantec flagged as used in conjunction with the Plink command-line connection utility.
Sliver C2 Activity
“We observed that the threat actor used IP address 172.96.137[.]224 primarily for Sliver C2 activity,” Navin Thomas, threat researcher at Unit 42, observed.
“Having said that, this IP address was used for various purposes, with multiple open ports serving different functions, including Sliver, a web service for tool distribution, & SSH services. However, we were unable to verify the usage of Plink from this IP in our investigation.”
Widespread Ransomware Attacks
Irrespective of the exact nature of the collaboration between the 2 threat groups, the development is a sign that N. Korean threat players could stage more widespread ransomware attacks in the future to evade sanctions & generate revenue for the cash-strapped nation.
“It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they functioned as an IAB [initial access broker] by selling network access to Play ransomware actors,” Unit 42 concluded. “If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have functioned as an IAB.”