Insights, news, education and announcements from PolySwarm

Silent Chollima Extortion Activity Targets US Entities

Written by The Hivemind | Oct 11, 2024 6:12:45 PM

Related Families: Preft

Executive Summary

Silent Chollima has traditionally focused on espionage operations but was recently observed engaging in what appear to be financially motivated attacks. PolySwarm analysts consider this shift in Silent Chollima’s TTPs to be significant, indicating an evolving threat.

Key Takeaways

  • Silent Chollima, a North Korea nexus threat actor group, was recently observed shifting TTPs. 
  • The group has traditionally focused on espionage operations targeting entities of high intelligence value but has recently exhibited an increase in extortion and other financially motivated activities.
  • While other North Korean threat actor groups have been observed conducting campaigns for financial gain, this is a relatively new focus for Silent Chollima. 
  • PolySwarm analysts consider this shift in Silent Chollima’s TTPs to be significant, indicating an evolving threat. 

An Evolving Threat

Silent Chollima, a North Korea nexus threat actor, was recently observed shifting TTPs. The group has traditionally focused on espionage operations targeting entities of high intelligence value but has exhibited an increase in extortion and other financially motivated activities over the last few months. This activity continues, despite the US Department of Justice (DOJ) indicting an individual affiliated with Silent Chollima in July. 

Symantec reported on the extortion activity. According to Symantec, the activity occurred in August 2024 and targeted at least three US-based organizations. The verticals in which those entities lie were not specified. However, Symantec noted the victims had no obvious intelligence value and were likely being targeted for a follow-on ransomware attack. 

While other North Korean threat actor groups have been observed conducting campaigns for financial gain, this is a relatively new focus for Silent Chollima. A researcher at Symantec noted it is possible Silent Chollima has been conducting extortion activities for quite some time and that the activity was only recently discovered. 

Preft backdoor, also known as Dtrack and Valefor, was used in the attacks. This tool is exclusively used by Silent Chollima and aided in attributing the attacks to the group. Other tools leveraged in this campaign include Nukebot backdoor, Mimikatz, two unnamed keyloggers, Sliver, PuTTY, Plink, Megatools, Chisel, and FastReverseProxy. Additionally, the threat actors used a fake Tableau certificate and two other certificates previously linked to Silent Chollima. 

PolySwarm analysts consider this shift in Silent Chollima’s TTPs to be significant, indicating an evolving threat. 

Who is Silent Chollima?

Silent Chollima, also known as Stonefly, Andariel, Onyx Sleet, TDrop2, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group. The group has been active since at least 2009 and is known to conduct espionage operations on behalf of North Korea. They are linked to North Korea’s Reconnaissance General Bureau. More recently, the group has been observed conducting activities for financial gain. Verticals targeted by Silent Chollima include military, defense, engineering, technology, education, construction, manufacturing, gambling, and energy. Their targets are primarily located in India, South Korea, and the US. 

For initial access, Silent Chollima is known to use spearphishing. However, they have more recently moved to exploiting N-day vulnerabilities as well. For example, in late 2023, the group was observed exploiting the TeamCity vulnerability CVE-2023-42793, allowing them to perform remote code execution and obtain administrative control of the server.  

Silent Chollima has an extensive arsenal of custom tools and malware, regularly evolving its TTPs to adapt to changes in the threat landscape and evade detection. These custom tools range from RATs to ransomware. Custom malware associated with Silent Chollima includes but is not limited to Dtrack (Preft), Dora RAT, TigerRAT, SmallTiger, LightHand, and ValidAlpha. The group is also known to use open source tools, including Sliver, RMM tools, SOCKS proxy tools, Ngrok, and masscan.

IOCs

PolySwarm has multiple samples associated with this activity.

 

f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5

12bf9fe2a68acb56eb01ca97388a1269b391f07831fd37a1371852ed5df44444

96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3

e5d56cb7085ed8caf6c8269f4110265f9fb9cc7d8a91c498f3e2818fc978eee2

fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047

75448c81d54acb16dd8f5c14e3d4713b3228858e07e437875fbea9b13f431437

d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a 

5633691b680b46b8bd791a656b0bb9fe94e6354f389ab7bc6b96d007c9d41ffa 

ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269  

 

You can use the following CLI command to search for all Silent Chollima samples in our portal:

$ polyswarm link list -t SilentChollima

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.