{"id":23201,"date":"2023-10-30T08:37:37","date_gmt":"2023-10-30T16:37:37","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16931\/"},"modified":"2023-10-30T08:37:37","modified_gmt":"2023-10-30T16:37:37","slug":"news-16931","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16931\/","title":{"rendered":"Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability"},"content":{"rendered":"

Credit to Author: Microsoft Threat Intelligence| Date: Wed, 18 Oct 2023 16:30:00 +0000<\/strong><\/p>\n

Since early October 2023, Microsoft has observed two North Korean nation-state threat actors \u2013 Diamond Sleet and Onyx Sleet \u2013 exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration\/continuous deployment (CI\/CD) application used by organizations for DevOps and other software development activities.<\/p>\n

In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected. JetBrains has released an update<\/a> to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.<\/p>\n

While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation.<\/p>\n

Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.<\/p>\n

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.<\/p>\n

Who are Diamond Sleet and Onyx Sleet?<\/h2>\n

Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet\u2019s targeting of security researchers<\/a> in January 2021 and the actor\u2019s weaponizing of open-source software<\/a> in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.<\/p>\n

Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.<\/p>\n

Diamond Sleet attack path 1: Deployment of ForestTiger backdoor<\/h2>\n

Following the successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe<\/em> and 4800-84DC-063A6A41C5C<\/em> are stored in the C:ProgramData<\/em> directory.<\/p>\n

When launched, Forest64.exe<\/em> checks for the presence of the file named 4800-84DC-063A6A41C5C<\/em>, then reads and decrypts the contents of that file using embedded, statically assigned key of \u2018uTYNkfKxHiZrx3KJ\u2019:<\/p>\n

c:ProgramDataForest64.exe  uTYNkfKxHiZrx3KJ<\/em><\/p>\n

Interestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it utilized during our analysis. The same value and configuration name was also referenced in historical activity reported by Kaspersky\u2019s Securelist<\/a> on this malware, dubbed ForestTiger<\/em>.<\/p>\n

The decrypted content of 4800-84DC-063A6A41C5C<\/em> is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.<\/p>\n

Microsoft observed Forest64.exe<\/em> then creating a scheduled task named Windows TeamCity Settings User Interface<\/em> so it runs every time the system starts with the above referenced command parameter \u201cuTYNkfKxHiZrx3KJ\u201d. Microsoft also observed Diamond Sleet leveraging the ForestTiger<\/em> backdoor to dump credentials via the LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger<\/em>.<\/p>\n

\"diagram\"
Figure 1. Diamond Sleet attack chain 1 using ForestTiger backdoor<\/em><\/figcaption><\/figure>\n

Diamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks<\/h2>\n

Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:ProgramData<\/em> alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:<\/p>\n

\n\n\n\n\n\n\n
Malicious DLL name<\/th>\nLegitimate binary name<\/th>\n<\/tr>\n<\/thead>\n
DSROLE.dll<\/em><\/td>\nwsmprovhost.exe<\/em><\/td>\n<\/tr>\n
Version.dll<\/em><\/td>\nclip.exe<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

DSROLE.dll<\/em> attack chain<\/strong><\/p>\n

When DSROLE.dll<\/em> is loaded by wsmprovhost.exe<\/em>, the DLL initiates a thread that enumerates and attempts to process files that exist in the same executing directory as the DLL. The first four bytes of candidate files are read and signify the size of the remaining buffer to read. Once the remaining data is read back, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file should be a DLL with the specific export named \u2018StartAction\u2019. The address of this export is resolved and then launched in memory.<\/p>\n

While the functionality of DSROLE.dll<\/em> is ultimately decided by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.<\/em>exe, which communicates with C2 domains. Microsoft Defender Antivirus detects DSROLE.dll<\/em> using the family name RollSling<\/em>.<\/p>\n

Version.dll<\/em> attack chain<\/strong><\/p>\n

When loaded by clip.exe<\/em>, Version.dll<\/em> loads and decrypts the contents of readme.md<\/em>, a file  downloaded alongside Version.dll<\/em> from attacker-compromised infrastructure. The file readme.md<\/em> contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll<\/em>. This PIC loads and launches the final-stage remote access trojan (RAT).<\/p>\n

\"Screenshot
Figure 2. Composition of readme.md used as multibyte XOR key by Version.dll<\/em><\/figcaption><\/figure>\n
\"Screenshot
Figure 3. Application of XOR key to expose next-stage code block<\/em><\/figcaption><\/figure>\n
\"Screenshot
Figure 4. Carving out embedded PE from code block<\/em><\/figcaption><\/figure>\n

Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process iexpress.exe<\/em> created and communicating with other C2 domains. Microsoft Defender Antivirus detects Version.dll<\/em> using the family name FeedLoad<\/em>.<\/p>\n

\"diagram\"
Figure 5. Diamond Sleet attack chain 2 using DLL search order hijacking<\/em><\/figcaption><\/figure>\n

After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.<\/p>\n

In some cases, Microsoft observed Diamond Sleet intrusions that utilized tools and techniques from both paths 1 and 2.<\/p>\n

Onyx Sleet attack path: User account creation, system discovery, and payload deployment<\/h2>\n

Following successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt<\/em>, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the Local Administrators Group through net use:<\/p>\n

\n
 net  localgroup administrators krtbgt \/add <\/pre>\n<\/div>\n
The threat actor also runs several system discovery commands on compromised systems, including:<\/p>\n
\n
 net localgroup 'Remote Desktop Users\u2019 net localgroup Administrators cmd.exe "\/c tasklist | findstr Sec" cmd.exe "\/c whoami" cmd.exe "\/c netstat -nabp tcp" cmd.exe "\/c ipconfig \/all" cmd.exe "\/c systeminfo" <\/pre>\n<\/div>\n
Next, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:<\/p>\n