Back

Stonefly: Extortion Attacks Continue Against U.S. Targets

Oct. 3, 2024, 5:23 p.m.

Tags

mimikatz
2024-10-03
plink
snap2html
megatools

External References

https://symantec-enterprise-blogs.security.com/

https://otx.alienvault.com/

Description

In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates (see Indicators of Compromise) that appear to be unique to this campaign.

Date

Published Created Modified
Oct. 3, 2024, 5:08 p.m. Oct. 3, 2024, 5:08 p.m. Oct. 3, 2024, 5:23 p.m.

Indicators

fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047

f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5

f3f17480a3e5c86d1ed876243a06db9b4d7d6aea91e284fa555882e0f1360206

f0bc0f94ac743185e6d0c865a9e162f4ce2f306df13b2ea80df984160eb3363c

ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269

ee017325a743516155210f367272ac736bbfc8284b9613180744f26dda6502b0

ea2867c5de97e512b9780b6e73c075291259f5b24e95569ccbb05ed249d511a3

e5d56cb7085ed8caf6c8269f4110265f9fb9cc7d8a91c498f3e2818fc978eee2

e11e57d6d0944c2856828a287a868af96b47be32d4fe411f58dae4f0fe45ee2d

d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91

d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a

cdd079bcb01e0f1229194f1f0ff9b6261e24ee16f8f75ec83763a33561c2071a

c5a6a18ec53a8743853112f58dd1fcc73d0b2fc6e9cb73b2424e29d78b4504df

ac6f6c77e0c9082f85324dcde9aabbdd1c4dcd51b78e45d1d8ace4d1648213dd

a7711b8314b256d279e104ea3809f0668d3615fba584ca887d9c495795d0a98e

a65cefb3c2ccdb50704b1af1008a1f8c7266aa85bd24aaf21f6eb1ddd5b79c81

966319464e10b5a1ccc214a76a57ecf8afb322055f55154cf6e039c7373fd5e7

94eef46095c231b1ee33cd63e063d8a2fc663e44832e45a294cf8d8cf9df31f8

93b75bc724a4a85b93fb749b734381ef79ab54c2debf27907794c8fd632fa0f5

89aa7b67e9476d0f91df71a2b92ebe21f63f218afb6446296403f34f91831d15

88b3c100d4a3168b1807fe9d1c4cb9d772e294c1cdf29ff287bc451d37891d8c

7bec0b28eb52f7a2e218367c0fef91e83c9df8f0463d55f3a064a2d6ca77c8d0

7ab3f076e70350f06ad19863fdd9e794648020f621c0b1bd20ad4d80f0745142

75448c81d54acb16dd8f5c14e3d4713b3228858e07e437875fbea9b13f431437

6de5219d913ed93389ae8e9e295695da1adc889c0352a9069f9921a0a2cb5ec6

5df907d0ff950194758a8ef32dabe78c31c7470c6e771c4f82e4c135a898f8fb

58d267dd80298c6d582ea7e45cf85a6e665d172d4122cc029cbcd427a33c2472

5633691b680b46b8bd791a656b0bb9fe94e6354f389ab7bc6b96d007c9d41ffa

511a75b2daca294db39d0e82e7af6161e67aab557b6b86bfea39ccbd2d7b40ae

4ef8f3be7615392e4fe5751c9647ede1c6be2d2723af9b0fab69b6e58543e6ca

485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5

42d52a78058954fcb85f538c86253214bacf475b4abecf3b426dad9d5b6543d6

3f880395c9d5820c4018daecf56711ce4ee719736590792f652ea29cbcbdb8f3

3b1fa5ffbdc79a395df274d558eed7cfebb3863d2cf4607c816a6e7d26007899

37b1c57120760acefb6ad9a99eb1a7dfa49d4ee6c4e6afcc09b385c24c5f0639

35bbea3e077e63616e6785b667ddc67c3360be80b690fd0eea4e531b38777b0c

2c70973b2b70e60f4187cb704bbc3c74da25a526828384b841b53778fb53fd38

28149b1e55551948a629dcd2dacad32f6a197ed9324dc08b27ff00fa0bf0d909

2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a

243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7

1e2fad6c77410965ea2b3a5d36e8d980d839cc7a2b6f2e2d795d915e496ff398

12bf9fe2a68acb56eb01ca97388a1269b391f07831fd37a1371852ed5df44444

09795d17d027c561e8e48f6089a8cf37e71c5985afbf7f51945fc359b4697a16

003815b3b170437316614c66e63fc0750e459f47cb0caf2af9cf584fffee4916

96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3

51.81.168.157

216.120.201.112

144.208.127.115

217.195.153.209

172.96.137.224

Attack Patterns

T1114.001

T1573.002

T1573.001

T1059.001

T1056.001

T1113

T1204.002

T1566.001

T1140

T1027

Additional Informations

Defense