Stonefly: Extortion Attacks Continue Against U.S. Targets
Oct. 3, 2024, 5:23 p.m.
Description
In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed; this tool is exclusively associated with the group. Several Stonefly indicators of compromise recently documented by Microsoft were also found on the compromised networks. The attackers used a fake Tableau certificate documented by Microsoft, along with two other certificates (see Indicators of Compromise) that appear to be unique to this campaign.
Date
- Created: Oct. 3, 2024, 5:08 p.m.
- Published: Oct. 3, 2024, 5:08 p.m.
- Modified: Oct. 3, 2024, 5:23 p.m.
Indicators
- fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047
- f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
- f3f17480a3e5c86d1ed876243a06db9b4d7d6aea91e284fa555882e0f1360206
- f0bc0f94ac743185e6d0c865a9e162f4ce2f306df13b2ea80df984160eb3363c
- ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269
- ee017325a743516155210f367272ac736bbfc8284b9613180744f26dda6502b0
- ea2867c5de97e512b9780b6e73c075291259f5b24e95569ccbb05ed249d511a3
- e5d56cb7085ed8caf6c8269f4110265f9fb9cc7d8a91c498f3e2818fc978eee2
- e11e57d6d0944c2856828a287a868af96b47be32d4fe411f58dae4f0fe45ee2d
- d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91
- d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a
- cdd079bcb01e0f1229194f1f0ff9b6261e24ee16f8f75ec83763a33561c2071a
- c5a6a18ec53a8743853112f58dd1fcc73d0b2fc6e9cb73b2424e29d78b4504df
- ac6f6c77e0c9082f85324dcde9aabbdd1c4dcd51b78e45d1d8ace4d1648213dd
- a7711b8314b256d279e104ea3809f0668d3615fba584ca887d9c495795d0a98e
- a65cefb3c2ccdb50704b1af1008a1f8c7266aa85bd24aaf21f6eb1ddd5b79c81
- 966319464e10b5a1ccc214a76a57ecf8afb322055f55154cf6e039c7373fd5e7
- 94eef46095c231b1ee33cd63e063d8a2fc663e44832e45a294cf8d8cf9df31f8
- 93b75bc724a4a85b93fb749b734381ef79ab54c2debf27907794c8fd632fa0f5
- 89aa7b67e9476d0f91df71a2b92ebe21f63f218afb6446296403f34f91831d15
- 88b3c100d4a3168b1807fe9d1c4cb9d772e294c1cdf29ff287bc451d37891d8c
- 7bec0b28eb52f7a2e218367c0fef91e83c9df8f0463d55f3a064a2d6ca77c8d0
- 7ab3f076e70350f06ad19863fdd9e794648020f621c0b1bd20ad4d80f0745142
- 75448c81d54acb16dd8f5c14e3d4713b3228858e07e437875fbea9b13f431437
- 6de5219d913ed93389ae8e9e295695da1adc889c0352a9069f9921a0a2cb5ec6
- 5df907d0ff950194758a8ef32dabe78c31c7470c6e771c4f82e4c135a898f8fb
- 58d267dd80298c6d582ea7e45cf85a6e665d172d4122cc029cbcd427a33c2472
- 5633691b680b46b8bd791a656b0bb9fe94e6354f389ab7bc6b96d007c9d41ffa
- 511a75b2daca294db39d0e82e7af6161e67aab557b6b86bfea39ccbd2d7b40ae
- 4ef8f3be7615392e4fe5751c9647ede1c6be2d2723af9b0fab69b6e58543e6ca
- 485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5
- 42d52a78058954fcb85f538c86253214bacf475b4abecf3b426dad9d5b6543d6
- 3f880395c9d5820c4018daecf56711ce4ee719736590792f652ea29cbcbdb8f3
- 3b1fa5ffbdc79a395df274d558eed7cfebb3863d2cf4607c816a6e7d26007899
- 37b1c57120760acefb6ad9a99eb1a7dfa49d4ee6c4e6afcc09b385c24c5f0639
- 35bbea3e077e63616e6785b667ddc67c3360be80b690fd0eea4e531b38777b0c
- 2c70973b2b70e60f4187cb704bbc3c74da25a526828384b841b53778fb53fd38
- 28149b1e55551948a629dcd2dacad32f6a197ed9324dc08b27ff00fa0bf0d909
- 2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a
- 243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7
- 1e2fad6c77410965ea2b3a5d36e8d980d839cc7a2b6f2e2d795d915e496ff398
- 12bf9fe2a68acb56eb01ca97388a1269b391f07831fd37a1371852ed5df44444
- 09795d17d027c561e8e48f6089a8cf37e71c5985afbf7f51945fc359b4697a16
- 003815b3b170437316614c66e63fc0750e459f47cb0caf2af9cf584fffee4916
- 96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3
- 51.81.168.157
- 216.120.201.112
- 144.208.127.115
- 217.195.153.209
- 172.96.137.224
Attack Patterns
- T1114.001 (Email Collection: Local Email Collection)
- T1573.002 (Encrypted Channel: Asymmetric Cryptography)
- T1573.001 (Encrypted Channel: Symmetric Cryptography)
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1056.001 (Input Capture: Keylogging)
- T1113 (Screen Capture)
- T1204.002 (User Execution: Malicious File)
- T1566.001 (Phishing: Spearphishing Attachment)
- T1140 (Deobfuscate/Decode Files or Information)
- T1027 (Obfuscated Files or Information)
Additional Information
- Defense