Key Takeaways
An Evolving Threat
While other North Korean threat actor groups have been observed conducting campaigns for financial gain, this is a relatively new focus for Silent Chollima. A researcher at Symantec noted it is possible Silent Chollima has been conducting extortion activities for quite some time and that the activity was only recently discovered.
Preft backdoor, also known as Dtrack and Valefor, was used in the attacks. This tool is exclusively used by Silent Chollima and aided in attributing the attacks to the group. Other tools leveraged in this campaign include Nukebot backdoor, Mimikatz, two unnamed keyloggers, Sliver, PuTTY, Plink, Megatools, Chisel, and FastReverseProxy. Additionally, the threat actors used a fake Tableau certificate and two other certificates previously linked to Silent Chollima.
PolySwarm analysts consider this shift in Silent Chollima’s TTPs to be significant, indicating an evolving threat.
Who is Silent Chollima?
Silent Chollima, also known as Stonefly, Andariel, Onyx Sleet, TDrop2, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group. The group has been active since at least 2009 and is known to conduct espionage operations on behalf of North Korea. It is linked to North Korea’s Reconnaissance General Bureau. More recently, the group has been observed conducting activities for financial gain. Verticals targeted by Silent Chollima include military, defense, engineering, technology, education, construction, manufacturing, gambling, and energy. Its targets are primarily located in India, South Korea, and the US.
For initial access, Silent Chollima is known to use spearphishing. However, they have more recently moved to exploiting N-day vulnerabilities as well. For example, in late 2023, the group was observed exploiting the TeamCity vulnerability CVE-2023-42793, allowing them to perform remote code execution and obtain administrative control of the server.
Silent Chollima has an extensive arsenal of custom tools and malware and regularly evolves its TTPs to adapt to changes in the threat landscape and evade detection. These custom tools range from RATs to ransomware. Custom malware associated with Silent Chollima includes, but is not limited to, Dtrack (Preft), Dora RAT, TigerRAT, SmallTiger, LightHand, and ValidAlpha. The group is also known to use open-source tools, including Sliver, RMM tools, SOCKS proxy tools, Ngrok, and masscan.
IOCs
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all Silent Chollima samples in our portal:
$ polyswarm link list -t SilentChollima