
North Korean hackers are working with the Play ransomware

A hacking group backed by North Korea has engaged in a ransomware campaign for the first time, according to Palo Alto Networks.

Hacking group Jumpy Pisces, linked to the Reconnaissance General Bureau of the Korean People’s Army, was involved in a recent ransomware incident, according to a new report from Palo Alto Networks’ threat intelligence team, Unit 42, released on October 30.

This marks a shift in tactics for the state-sponsored group: it is the first time Jumpy Pisces has been observed working alongside financially motivated ransomware actors.

A collaboration between Jumpy Pisces and Play

In early September 2024, Unit 42 was engaged to provide incident response services to a client hit by the Play ransomware.

First observed in 2022, Play is now one of the most active ransomware gangs. Palo Alto Networks tracks the group as Fiddling Scorpius.

During the investigation, Unit 42 traced the earliest signs of unauthorized activity back to late May 2024. Researchers assessed with high confidence that this activity came from Jumpy Pisces, which gained initial access through a compromised user account.

The North Korean group moved laterally and maintained persistence by spreading the open-source Sliver command-and-control framework and its own custom DTrack malware to other hosts over the Server Message Block (SMB) protocol.

These tools kept communicating with Jumpy Pisces’ command-and-control (C2) server until early September. The intrusion eventually culminated in the deployment of the Play ransomware.

“It remains unclear whether Jumpy Pisces has officially become an affiliate of Play ransomware or whether they acted as an initial access broker (IAB), selling network access to Play ransomware actors,” Unit 42 researchers wrote.

Play, however, has claimed on its data leak site (DLS) that it does not operate a ransomware-as-a-service (RaaS) model, which makes the IAB hypothesis the more likely of the two.

“In any case, this incident is significant as it marks the first recorded collaboration between Jumpy Pisces (…) and an underground ransomware network,” Unit 42 researchers wrote. “This event may indicate a future trend in which North Korean threat groups will increasingly engage in broader ransomware campaigns, potentially leading to more widespread and malicious attacks worldwide.”

Intrusion tactics and tools

Jumpy Pisces gained initial access when a compromised user account connected to a specific host through the firewall. Partial registry dumps found on that host point to the likely use of Impacket’s credential-collection module, secretsdump.py.

The attackers then copied Sliver and DTrack files to various other hosts over SMB, again using the compromised account.

DTrack was blocked by the Endpoint Detection and Response (EDR) solution. Sliver, however, was not: Unit 42 observed Sliver beacon activity over several days through early September 2024, with quiet periods in July and sporadically on other days.

In early September, an unknown threat actor entered the network via the same compromised user account and carried out pre-ransomware actions, including credential harvesting, privilege escalation and removal of EDR sensors, that ultimately led to the deployment of the Play ransomware.

Alongside Sliver and DTrack, the attackers used a purpose-built tool that creates a privileged user account with Remote Desktop Protocol (RDP) enabled on victim machines, a customized version of Mimikatz, the publicly available credential-dumping tool, and a trojan binary that steals browser history, autofill data and credit card information from the Chrome, Edge and Brave browsers.

All of these tools were signed with several invalid certificates previously associated with Jumpy Pisces.
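Two of the behaviours described above, tool staging to other hosts over SMB and a tool that creates a privileged account with RDP enabled, leave distinct traces in Windows telemetry. The following detection logic is an added example written for this page, not code from Unit 42 or from the report; it runs two correlation rules over a handful of constructed, simplified Windows/Sysmon events (Security 5145 share access, 4720 account created, 4732 member added to a local group, Sysmon 13 registry value set). The event schema, host names, account names, IPs and file names are all assumptions made for the example.

```python
"""Detection rules for two behaviours from the Jumpy Pisces / Play intrusion.

Rule 1 (SMB staging): one account/source pair writing executables to admin
shares on several hosts, the pattern used to spread Sliver and DTrack.
Rule 2 (RDP backdoor account): a new local account is created, added to
BUILTIN\\Administrators and RDP is switched on (fDenyTSConnections = 0) on the
same host within a short window.

Events are constructed dicts with a simplified schema, not real log records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}          # writable administrative shares
ADMIN_GROUP_SID = "S-1-5-32-544"          # BUILTIN\Administrators
RDP_DENY_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                r"\fDenyTSConnections")  # 0 = RDP connections allowed

# Constructed sample events (hypothetical hosts, accounts and file names).
SAMPLE_EVENTS = [
    # Rule 1: a compromised account drops the same binary on three hosts via ADMIN$
    {"time": "2024-06-02T01:10:00", "id": 5145, "host": "WS-01", "account": "corp\\jdoe",
     "src_ip": "10.0.5.23", "share": "ADMIN$", "path": "Temp\\svchost64.exe", "access": ["WriteData"]},
    {"time": "2024-06-02T01:11:30", "id": 5145, "host": "WS-02", "account": "corp\\jdoe",
     "src_ip": "10.0.5.23", "share": "ADMIN$", "path": "Temp\\svchost64.exe", "access": ["WriteData"]},
    {"time": "2024-06-02T01:13:05", "id": 5145, "host": "FS-01", "account": "corp\\jdoe",
     "src_ip": "10.0.5.23", "share": "C$", "path": "Windows\\Temp\\upd.dll", "access": ["WriteData"]},
    # Benign: an admin reading a document from one host (no write, single target)
    {"time": "2024-06-02T08:00:00", "id": 5145, "host": "WS-07", "account": "corp\\itadmin",
     "src_ip": "10.0.1.2", "share": "C$", "path": "Users\\Public\\report.pdf", "access": ["ReadData"]},
    # Rule 2: account created, made local admin and RDP enabled within 12 seconds
    {"time": "2024-09-03T02:00:00", "id": 4720, "host": "FS-01", "account": "corp\\jdoe",
     "target": "support_svc"},
    {"time": "2024-09-03T02:00:07", "id": 4732, "host": "FS-01", "account": "corp\\jdoe",
     "target": "support_svc", "group_sid": ADMIN_GROUP_SID},
    {"time": "2024-09-03T02:00:12", "id": 13, "host": "FS-01", "account": "corp\\jdoe",
     "key": RDP_DENY_KEY, "value": "0"},
    # Benign: an account created by IT with no group change and no RDP change
    {"time": "2024-09-03T09:15:00", "id": 4720, "host": "WS-07", "account": "corp\\itadmin",
     "target": "temp_contractor"},
]


def detect_smb_staging(events, min_hosts=2):
    """Return account/source pairs that wrote executables to admin shares on >= min_hosts hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] != 5145 or e["share"] not in ADMIN_SHARES:
            continue
        if "WriteData" not in e["access"]:
            continue
        if not e["path"].lower().endswith((".exe", ".dll")):
            continue
        targets[(e["account"], e["src_ip"])].add(e["host"])
    return [{"account": acct, "src_ip": ip, "targets": sorted(hosts)}
            for (acct, ip), hosts in targets.items() if len(hosts) >= min_hosts]


def detect_rdp_backdoor_account(events, window=timedelta(minutes=10)):
    """Return new accounts that were made local admin and had RDP enabled within the window."""
    created, elevated = {}, {}
    rdp_enabled = defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[(e["host"], e["target"])] = t
        elif e["id"] == 4732 and e.get("group_sid") == ADMIN_GROUP_SID:
            elevated[(e["host"], e["target"])] = t
        elif e["id"] == 13 and e.get("key") == RDP_DENY_KEY and e.get("value") == "0":
            rdp_enabled[e["host"]].append(t)
    hits = []
    for (host, user), t0 in created.items():
        t1 = elevated.get((host, user))
        if t1 is None or not (t0 <= t1 <= t0 + window):
            continue
        if any(t0 <= t2 <= t0 + window for t2 in rdp_enabled[host]):
            hits.append({"host": host, "account": user, "created": t0.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in detect_smb_staging(SAMPLE_EVENTS):
        print("SMB staging:", hit)
    for hit in detect_rdp_backdoor_account(SAMPLE_EVENTS):
        print("RDP backdoor account:", hit)
```

Rule 1 keys on the write, the executable extension and the fan-out across hosts, so a single administrative copy does not fire; rule 2 requires all three steps on the same host in sequence, so routine account creation without the RDP change stays quiet. Real 4732 events carry the member as a SID rather than a name and 5145 events carry the path in RelativeTargetName, so a production version needs a SID-to-name lookup and field mapping that this simplified schema skips.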