2024-11-07

North Korean Andariel Group Linked to Play Ransomware in New Cyber Campaign

Level: Tactical  |  Source: Unit 42  |  Global

Collaboration between nation-state threat actors and ransomware operators appears to be deepening: Unit 42 has identified notable activity involving Andariel (tracked by Unit 42 as Jumpy Pisces; also known as Onyx Sleet, PLUTONIUM, and Silent Chollima), a North Korean state-sponsored threat group. The group, which has traditionally focused on cyber espionage, financial crime, and ransomware attacks, is suspected of working with the Play ransomware group. While many groups operate a Ransomware-as-a-Service (RaaS) model, Play has publicly stated that it does not. Unit 42 said it has “moderate confidence that Andariel, or a faction of the group, is now collaborating with the Play ransomware group.” This marks a tactical shift for Jumpy Pisces: Unit 42's investigation suggests the state-sponsored actor may be acting as an initial access broker (IAB) or as an affiliate of Play ransomware, representing “the first observed instance of the group using existing ransomware infrastructure.”

Unit 42's incident response investigation covered activity from May 28, 2024, to September 5, 2024. Initial access came through a compromised user account in late May 2024, and the threat actors kept that foothold until September. Once inside, Andariel deployed the open-source C2 framework Sliver and its custom infostealer, DTrack. The payloads were distributed over SMB: the actors ran 'net use' to connect to the C$ administrative share of a remote system and copied the malware onto targeted hosts. Sliver beaconing was consistent throughout the months-long intrusion. Through May, June, and August the activity included service creation, RDP sessions, and credential theft via Mimikatz and LSASS memory dumps taken with Task Manager. The attackers also extracted the SAM and SECURITY registry hives to harvest further credentials for lateral movement.

Between August 3 and August 30, 2024, Andariel expanded its control over the compromised environment. Using Sliver's C2 capabilities and other techniques, the actors exfiltrated network configuration details and extended their foothold to additional systems. They created malicious services, opened RDP sessions, and continued harvesting credentials from registry hives. In the run-up to the Play ransomware deployment on September 5, they used a custom tool to abuse Windows access tokens, moved laterally with PsExec, and uninstalled EDR sensors across multiple endpoints in the network to evade detection.

The overlap between Andariel and Play activity rests on several findings, notably the staging of tools in the "C:\Users\Public\Music" directory and the central role of the same compromised account, which was used “to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec. This eventually led to the mass uninstallation of EDR sensors and the onset of Play ransomware activity.” Taken together, these findings point to possible collaboration between a nation-state actor and a ransomware operation. Unit 42 qualifies that conclusion, however: “It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB by selling network access to Play ransomware actors. If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB.” Tracking this development matters for understanding how North Korean threat groups are evolving and how deeply they are becoming involved in ransomware operations.
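As an added example of how a defender might hunt for the chain described in the three paragraphs above (admin-share 'net use', SAM/SECURITY hive dumps, Task Manager LSASS dumps, service creation, PsExec run as SYSTEM, tooling staged under C:\Users\Public\Music, and a silent EDR uninstall), the following Python scores Sysmon-style process-creation and file-creation events against one predicate per behaviour and then correlates hits per account across hosts. This is not Unit 42's or Anvilogic's code; the event schema, rule names, the msiexec product-code placeholder and every sample event are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape: id 1 = process creation
# (image + command line), id 11 = file creation (image + target). These are NOT
# logs from the intrusion; they are invented to exercise the rules below.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\SRV02\C$ /user:CORP\jdoe ********"},
    {"id": 1, "host": "SRV02", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create updsvc binPath= C:\Users\Public\Music\svc.exe start= auto"},
    {"id": 1, "host": "SRV02", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\Music\sam.hiv"},
    {"id": 1, "host": "SRV02", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SECURITY C:\Users\Public\Music\sec.hiv"},
    {"id": 11, "host": "SRV02", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP"},
    # {EDR-PRODUCT-CODE} is a placeholder for an MSI product code, not a real value
    {"id": 1, "host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Users\Public\Music\PsExec.exe",
     "cmdline": r"PsExec.exe \\DC01 -s -accepteula cmd.exe /c msiexec /x {EDR-PRODUCT-CODE} /qn"},
    # benign home-drive mapping: must NOT trip the admin-share rule
    {"id": 1, "host": "WS07", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use H: \\FS01\home\alice /persistent:yes"},
]


def _cmd(e):
    """Lower-cased command line; empty for anything but process-creation events."""
    return e.get("cmdline", "").lower() if e["id"] == 1 else ""


def _text(e):
    """Image, command line and target path joined and lower-cased, for path matching."""
    return " ".join((e["image"], e.get("cmdline", ""), e.get("target", ""))).lower()


# One predicate per behaviour in the writeup. Rule names are this example's own.
RULES = {
    # 'net use' against a C$ or ADMIN$ share: how payloads were copied over SMB
    "admin_share_net_use": lambda e: re.search(
        r"\bnet(?:1)?(?:\.exe)?\s+use\b.*\\\\[^\s\\]+\\(?:c|admin)\$", _cmd(e)) is not None,
    # reg save of SAM/SECURITY/SYSTEM hives for offline credential extraction
    "registry_hive_dump": lambda e: re.search(
        r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", _cmd(e)) is not None,
    # Task Manager "Create dump file" on LSASS writes lsass.DMP under %TEMP%
    "taskmgr_lsass_dump": lambda e: e["id"] == 11
        and e["image"].lower().endswith("taskmgr.exe")
        and e.get("target", "").lower().endswith("lsass.dmp"),
    # service creation, used for persistence and remote execution
    "service_creation": lambda e: re.search(
        r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\b", _cmd(e)) is not None,
    # PsExec with -s runs the remote command as SYSTEM
    "psexec_as_system": lambda e: "psexec" in _cmd(e)
        and re.search(r"\s-s\b", _cmd(e)) is not None,
    # staging directory called out in the writeup, in image, arguments or target
    "public_music_path": lambda e: "c:\\users\\public\\music\\" in _text(e),
    # silent MSI removal: the kind of command behind a mass EDR sensor uninstall
    "msi_silent_uninstall": lambda e: re.search(
        r"\bmsiexec(?:\.exe)?\b.*\s/x\b.*\s/q", _cmd(e)) is not None,
}


def detect(events):
    """Return (host, user, rule, evidence) for every rule each event trips."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((e["host"], e["user"], name, e.get("cmdline") or e.get("target")))
    return hits


def accounts_spanning_stages(hits, min_rules=3):
    """Accounts that trip several distinct rules: the writeup's key correlation is that
    one compromised account tied the lateral movement, token abuse, EDR removal and
    ransomware stages together. Returns {user: (sorted rules, sorted hosts)}."""
    by_user = defaultdict(lambda: (set(), set()))
    for host, user, rule, _ in hits:
        by_user[user][0].add(rule)
        by_user[user][1].add(host)
    return {u: (sorted(r), sorted(h)) for u, (r, h) in by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, user, rule, evidence in found:
        print(f"{host:6} {user:12} {rule:22} {evidence}")
    for user, (rules, hosts) in accounts_spanning_stages(found).items():
        print(f"\n{user}: {len(rules)} behaviours across {hosts}")
```

Individually, several of these rules are noisy (service creation and `net use` are routine admin work), which is why the second function matters: the page's own point is that one account touched every stage, so triage should pivot on the account and the hosts it reached rather than on any single alert.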
