Thursday, December 5, 2024
HomeCVE/vulnerabilityNorth Korean Onyx Sleet Using Group Of Malware And Exploits to Gain...

North Korean Onyx Sleet Using Group Of Malware And Exploits to Gain Intelligence

Published on

SIEM as a Service

Onyx Sleet, a cyber espionage group also known as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2, mainly targets the military, defense sector, and technology in the United States, South Korea, and India.

The group historically used spear-phishing, but they have now started using N-day vulnerabilities, such as in their October 2023 attack on TeamCity.

To improve functionality and evade detection, Onyx Sleet mixes open-source tools with customized ones and continually develops new RATs.

- Advertisement - SIEM as a Service

The team uses leased virtual private servers or compromised cloud infrastructure for its command-and-control operations.

Cybersecurity researchers at Microsoft recently discovered that the operators behind Onyx Sleet have been actively using an array of malware to gather intelligence for North Korea.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

North Korean Onyx Sleet

On July 25, 2024, the U.S. Department of Justice indicted an individual linked to Onyx Sleet, a North Korean cyber threat actor tracked by Microsoft since 2014. 

This group, known for cyber espionage and, more recently, financial gain, employs custom tools and evolving malware to target global organizations, particularly in the defense, engineering, and energy sectors. 

Onyx Sleet shows affiliations with other North Korean actors, notably Storm-0530, sharing infrastructure and ransomware development. 

Microsoft collaborates with the FBI to monitor Onyx Sleet’s activities, directly notifying affected customers and providing security guidance to combat these persistent threats.

Onyx Sleet targeted a South Korean educational institution, a construction company, and a manufacturing organization in May 2024.

Here, the financial gain may be why they are interested in online gambling websites.

Onyx Sleet has changed its methods by creating custom ransomware and using Dtrack RAT into their campaigns without leaving persistent TTPs.

Security analysts observed the Dtrack RAT globally from September 2019 to January 2024. It exploited flaws such as Log4j (CVE-2021-44228) and employed signed payloads for evasion purposes.

Onyx Sleet attack chain (Source – Microsoft)

In May 2024, AhnLab Security Intelligence Center uncovered a campaign that illustrated how the group’s attack chain had evolved while remaining similar in terms of structure.

Here below we have mentioned all the vulnerabilities that Onyx Sleet recently exploited:-

Onyx Sleet introduced the Go-based Dora RAT in a campaign targeting South Korean organizations. To evade detection, the group employs custom encryption, obfuscation, and in-memory execution. 

Their toolkit includes custom malware like TDrop2, off-the-shelf tools like Sliver, and commercial packers like Themida. 

In January 2024, Onyx Sleet deployed a Sliver implant signed with an invalid Tableau certificate, compromising aerospace and defense organizations from October 2023 to June 2024. 

The group exploits well-known and custom vulnerabilities, targeting various applications, including remote desktops, data loss prevention, network access control, and EDR products, primarily affecting South Korean users.

The custom malware families used in Onyx Sleet’s attacks are TigerRAT, SmallTiger, LightHand, and ValidAlpha.

Recommendations

Here below we have mentioned the recommendations provided:-

  • Make sure to update software promptly.
  • Apply security patches immediately.
  • Enable cloud-delivered protection in your AV tool.
  • Activate network protection.
  • Use EDR in block mode to intercept threats missed by other AV solutions.
  • Set investigation and remediation to fully automated mode.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

Thinkware Cloud APK Vulnerability Allows Code Execution With Elevated Privileges

A critical vulnerability identified as CVE-2024–53614 has been discovered in the Thinkware Cloud APK...