Related Families: Dtrack, Dora RAT, TigerRAT, SmallTiger, LightHand, ValidAlpha
Verticals Targeted: Military, Defense, Engineering, Technology, Education, Construction, Manufacturing, Gambling, Energy
Executive Summary
Last week, the US Department of Justice (DOJ) indicted Rim Jong Hyok, an individual allegedly affiliated with Silent Chollima. The group has been active since at least 2014 and is known to conduct espionage operations on behalf of North Korea.
Key Takeaways
- Last week, the US DOJ indicted Rim Jong Hyok, an individual allegedly affiliated with Silent Chollima.
- Silent Chollima is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group.
- The group has been active since at least 2014 and is known to conduct espionage operations on behalf of North Korea.
- Silent Chollima has an extensive arsenal of custom tools and malware, regularly evolving its TTPs to adapt to changes in the threat landscape.
Who is Silent Chollima?
Last week, the US Department of Justice (DOJ) indicted Rim Jong Hyok, an individual allegedly affiliated with Silent Chollima. Microsoft then published its findings regarding Silent Chollima’s espionage activity.
Silent Chollima, also known as Stonefly, Andariel, Onyx Sleet, TDrop2, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group. The group has been active since at least 2014 and is known to conduct espionage operations on behalf of North Korea. More recently, the group has also been observed conducting activities for financial gain. Verticals targeted by Silent Chollima include military, defense, engineering, technology, education, construction, manufacturing, gambling, and energy. Targets are primarily located in India, South Korea, and the US.
For initial access, Silent Chollima is known to use spearphishing. However, they have more recently moved to exploiting N-day vulnerabilities as well. For example, in late 2023, the group was observed exploiting the TeamCity vulnerability CVE-2023-42793, allowing them to perform remote code execution and obtain administrative control of the server.
Silent Chollima has an extensive arsenal of custom tools and malware, regularly evolving its TTPs to adapt to changes in the threat landscape and evade detection. These custom tools range from RATs to ransomware. Custom malware associated with Silent Chollima includes but is not limited to Dtrack, Dora RAT, TigerRAT, SmallTiger, LightHand, and ValidAlpha. These families are described in further detail below. The group is also known to use open source tools, including Sliver, RMM tools, SOCKS proxy tools, Ngrok, and masscan.
Dtrack
Dtrack RAT was used by the group from 2019 to early 2024. Its attack chain leveraged the Log4j 2 vulnerability CVE-2021-44228 for initial access.
DoraRAT
In May 2024, Silent Chollima was observed using Dora RAT to target education, construction, and manufacturing entities in South Korea. Dora RAT is written in Go and supports reverse shell and uploading and downloading of files.
TigerRAT
TigerRAT was observed in the wild as early as 2020. The threat actors can use TigerRAT to steal data and issue commands from the C2.
SmallTiger
SmallTiger was observed in February 2024 targeting defense and manufacturing entities in South Korea. It is a backdoor written in C++.
LightHand
LightHand is a custom, lightweight backdoor used for remote access. The threat actors can use LightHand to execute arbitrary commands, obtain system storage information, list directories, and create or delete files.
ValidAlpha
ValidAlpha, also known as BlackRAT, is a custom backdoor written in Go. It has been in use since at least 2023. ValidAlpha’s capabilities include running an arbitrary file, listing directory contents, downloading files, screenshotting, and launching a shell to execute commands. Silent Chollima was observed using ValidAlpha to target energy, defense, and engineering vertical entities.
IOCs
PolySwarm has multiple samples associated with Silent Chollima activity.
f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3
fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32
868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf
f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5
1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1
3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061
8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f
7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b
You can use the following CLI command to search for all Silent Chollima samples in our portal:
$ polyswarm link list -t SilentChollima
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.