Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.

In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected. JetBrains has released an update to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.

While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation.

Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.

Who are Diamond Sleet and Onyx Sleet?

Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.

Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.

Diamond Sleet attack path 1: Deployment of ForestTiger backdoor

Following the successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe and 4800-84DC-063A6A41C5C are stored in the C:\ProgramData directory.

When launched, Forest64.exe checks for the presence of the file named 4800-84DC-063A6A41C5C, then reads and decrypts the contents of that file using embedded, statically assigned key of ‘uTYNkfKxHiZrx3KJ’:

c:\ProgramData\Forest64.exe  uTYNkfKxHiZrx3KJ

Interestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it utilized during our analysis. The same value and configuration name was also referenced in historical activity reported by Kaspersky’s Securelist on this malware, dubbed ForestTiger.

The decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.

Microsoft observed Forest64.exe then creating a scheduled task named Windows TeamCity Settings User Interface so it runs every time the system starts with the above referenced command parameter “uTYNkfKxHiZrx3KJ”. Microsoft also observed Diamond Sleet leveraging the ForestTiger backdoor to dump credentials via the LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger.

Diamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks

Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:\ProgramData\ alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:

DSROLE.dll attack chain

When DSROLE.dll is loaded by wsmprovhost.exe, the DLL initiates a thread that enumerates and attempts to process files that exist in the same executing directory as the DLL. The first four bytes of candidate files are read and signify the size of the remaining buffer to read. Once the remaining data is read back, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file should be a DLL with the specific export named ‘StartAction’. The address of this export is resolved and then launched in memory.

While the functionality of DSROLE.dll is ultimately decided by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.exe, which communicates with C2 domains. Microsoft Defender Antivirus detects DSROLE.dll using the family name RollSling.

Version.dll attack chain

When loaded by clip.exe, Version.dll loads and decrypts the contents of readme.md, a file  downloaded alongside Version.dll from attacker-compromised infrastructure. The file readme.md contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll. This PIC loads and launches the final-stage remote access trojan (RAT).

Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process iexpress.exe created and communicating with other C2 domains. Microsoft Defender Antivirus detects Version.dll using the family name FeedLoad.

After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.

In some cases, Microsoft observed Diamond Sleet intrusions that utilized tools and techniques from both paths 1 and 2.

Onyx Sleet attack path: User account creation, system discovery, and payload deployment

Following successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the Local Administrators Group through net use:

net  localgroup administrators krtbgt /add

The threat actor also runs several system discovery commands on compromised systems, including:

net localgroup 'Remote Desktop Users’
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"

Next, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:

• C:\Windows\Temp\temp.exe
• C:\Windows\ADFS\bg\inetmgr.exe

This payload, when launched, loads and decrypts an embedded PE resource. This decrypted payload is then loaded into memory and launched directly. The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.

Microsoft also observed the following post-compromise tools and techniques leveraged in this attack path:

• Using the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP)
• Stopping the TeamCity service, likely in an attempt to prevent access by other threat actors
• Dumping credentials via the LSASS memory
• Deploying tools to retrieve credentials and other data stored by browsers

Recommended mitigation actions

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Apply the update or mitigations released by JetBrains to address CVE-2023-42793.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Block in-bound traffic from IPs specified in the IOC table.
• Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.
• Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
• Ensure that “Safe DLL Search Mode” is set.
• Turn on the following attack surface reduction rule:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Detections

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the CVE-2023-42793 vulnerability leveraged in these attacks.

Microsoft Defender Antivirus

Microsoft Defender Antivirus customers should look for the following family names for activity related to these attacks:

• ForestTiger
• RollSling
• FeedLoad
• HazyLoad

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts could indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

• Diamond Sleet Actor activity detected
• Onyx Sleet Actor activity detected
• Possible exploitation of JetBrains TeamCity vulnerability
• Suspicious behavior by cmd.exe was observed
• Suspicious DLL loaded by an application
• Suspicious PowerShell download or encoded command execution
• Possible lateral movement involving suspicious file
• A script with suspicious content was observed
• Suspicious scheduled task

Advanced hunting queries

Microsoft 365 Defender

Command and control using iexpress.exe or wksprt.exe

DeviceNetworkEvents
| where (InitiatingProcessFileName =~ "wksprt.exe" and InitiatingProcessCommandLine == "wksprt.exe") 
or (InitiatingProcessFileName =~ "iexpress.exe" and InitiatingProcessCommandLine == "iexpress.exe")

Search order hijack using Wsmprovhost.exe and DSROLE.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName =~ "DSROLE.dll"
| where not(FolderPath has_any("system32", "syswow64"))

Search order hijack using clip.exe and Version.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "clip.exe"
| where FileName in~("version.dll")
| where not(FolderPath has_any("system32", "syswow64", "program files", "windows defender\\platform", "winsxs", "platform",
"trend micro"))

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.  

• PowerShell downloads
• Dumping LSASS Process into a File
• Anomalous Account Creation
• RDP Rare Connection
• Anomalous RDP Activity

Indicators of compromise (IOCs)

The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Diamond Sleet path 1

Diamond Sleet path 2

Onyx Sleet path

NOTE: These indicators should not be considered exhaustive for this observed activity.

References

• Following the Lazarus group by tracking DeathNote campaign | Securelist

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.