North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack | Mandiant

Mandiant investigated a July 2023 supply chain compromise in which UNC4899 gained access to downstream customers by inserting malicious commands into JumpCloud’s commands framework, deploying a Ruby downloader and multiple macOS backdoors (FULLHOUSE.DOORED, STRATOFEAR, TIEDYE). The intrusions used masquerading, persistence via LaunchDaemons/LaunchAgents, HTTP-based C2, and OPSEC errors that exposed DPRK infrastructure. #UNC4899 #JumpCloud

Key points

  • Initial access was achieved by a spearphishing campaign targeting JumpCloud, allowing insertion of malicious code into JumpCloud’s commands framework.
  • A lightweight Ruby script (init.rb) downloaded and executed a first-stage binary (com.docker.vmnat), which acted as a FULLHOUSE.DOORED backdoor.
  • FULLHOUSE.DOORED (C/C++ backdoor) provided HTTP C2, shell execution, file transfer, file management, and process injection; it was used to deploy second-stage backdoors such as STRATOFEAR and TIEDYE.
  • STRATOFEAR is a modular Mach-O backdoor (ARM64 observed) with embedded encrypted config paths (/Library/Fonts/ArialUnicode.ttf.md5) and module/monitor capabilities for file/process/network monitoring and module execution.
  • TIEDYE (xpc.protect) supports many transport protocols (tcp, http, ssl, proxy_socks4, rdp, etc.), AES-128-encrypted configs, and can load modules from disk or memory.
  • Forensics leveraged macOS artifacts: JumpCloud agent logs (/private/var/log/jcagent.log), Rosetta AOT files under /private/var/db/oah, FSEvents for deleted files, and the XProtect XPdb (exec_signing_id, exec_cdhash) to identify malicious executables despite file deletion.
  • OPSEC lapses (VPN failures, unchanged PTR records) exposed DPRK-origin infrastructure and links to previously identified domains/IPs used by RGB-aligned actors.

MITRE Techniques

  • [T1566] Phishing – Initial compromise began with a “sophisticated spear phishing campaign aimed at JumpCloud” leading to unauthorized access.
  • [T1195] Supply Chain Compromise – Adversary inserted malicious code into JumpCloud’s commands framework to reach downstream customers: ‘supply chain compromise affecting a US-based software solutions entity.’
  • [T1078] Valid Accounts – Unauthorized access to JumpCloud accounts enabled command insertion and execution: ‘JumpCloud reported this unauthorized access impacted fewer than five customers.’
  • [T1053] Scheduled Task/Job – The JumpCloud agent logs show a workflow directive that triggered immediate execution: ‘Fallback Poll was required to handle the following directive: RunWorkflow’ and ‘Policy manager creating schedule cron monitor … schedule=immediate type=WORKFLOW’.
  • [T1543.003] Create or Modify System Process: Launch Daemons/Agents – Persistence and service deployment used LaunchDaemons/LaunchAgents (e.g., com.microsoft.teams.TeamsDaemon.plist, us.zoom.ZoomService.plist) to persist backdoors.
  • [T1036] Masquerading – Backdoors and files used filenames and directories that mimic legitimate software (e.g., com.docker.vmnat, npx-cli, us.zoom.ZoomUpdate) to evade detection: ‘directory choices and naming conventions … masquerading as legitimate files’.
  • [T1055] Process Injection – FULLHOUSE.DOORED supports process injection as part of its backdoor functionality: ‘supporting backdoor commands including shell command execution, file transfer, file management, and process injection.’
  • [T1070.004] Indicator Removal on Host: File Deletion – The actor repeatedly removed prior payloads from disk: ‘threat actor was consistently observed removing prior payloads from disk’.
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP/HTTPS) – Backdoors communicated with C2 over HTTP/HTTPS and related protocols (STRATOFEAR and TIEDYE configs reference pssl://, ssl, https): ‘STRATOFEAR is a modular backdoor that communicates with C2 servers using a protocol specified in its C2 configuration’ and configuration hex shows ‘pssl://…’.
  • [T1555] Credentials from Password Stores – The actor targeted macOS keychains for credential/secret collection: ‘identified UNC4899 targeting MacOS keychains and reconnaissance data associated with executives’.

Indicators of Compromise

  • [IP Address] Network C2 / infrastructure – 146.19.173.125, 198.244.135.250, and other IPs (e.g., 23.227.202.54)
  • [Domain] Malicious download/C2 domains – primerosauxiliosperu[.]com (downloaded lic.dat), contortonset[.]com, relysudden[.]com, rentedpushy[.]com, basketsalute[.]com, prontoposer[.]com
  • [Filename] Deployed binaries and scripts – init.rb (Ruby downloader), com.docker.vmnat (FULLHOUSE.DOORED), com.docker.vmnat.aot (Rosetta translation artifact)
  • [File hash] File hashes for samples and artifacts – init.rb SHA256 a8b1c5eb2254e1a3cec397576ef42da038600b4fa7cd1ab66472d8012baabf17, com.docker.vmnat SHA256 5701d7bcf809d5ffc9061daeb24d3e7cc6585d9b42bacf94fc68a6c500542f8c
  • [Plist/LaunchDaemon] Persistence artifacts – us.zoom.ZoomService.plist (SHA256 88f23c22…), com.microsoft.teams.TeamsDaemon.plist (SHA256 88f23c22…), com.xpc.agent.plist (MD5 b0e0e0d2…)
  • [XPdb exec_signing_id / exec_cdhash] XProtect DB signatures – exec_signing_id mac-555549440ea0d64e96bb34428e08cc8d948b40e7 (for com.docker.vmnat/npx-cli), exec_cdhash e5d42bee74a1e1813e8aad9a46a5ebc219953926
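A triage helper built from the indicator list above, as an added example that is not Mandiant's tooling or part of the original write-up. It walks the directories the report names (/usr/local/bin, the LaunchDaemons/LaunchAgents folders, the Rosetta AOT cache) and reports two grades of hit: a SHA256 match against the two full hashes given on the page (strong), or a filename match against the masquerading names (weak, a lead to follow up, not proof). The fixture directory, the placeholder file contents and the extra "constructed-init.rb" hash are constructed for the demonstration; the default path list is an assumption about where to look.

```python
"""Match files on a macOS host against the filename and SHA256 indicators
summarised above. Example code added to this page; not Mandiant tooling.
The fixture and the DEFAULT_PATHS list are assumptions, not page content."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# SHA256 values quoted on the page (init.rb and com.docker.vmnat).
IOC_SHA256 = {
    "a8b1c5eb2254e1a3cec397576ef42da038600b4fa7cd1ab66472d8012baabf17": "init.rb",
    "5701d7bcf809d5ffc9061daeb24d3e7cc6585d9b42bacf94fc68a6c500542f8c": "com.docker.vmnat",
}

# Filenames the page lists as masquerading artifacts. A name-only hit is a
# lead, not proof: legitimate software can use similar names.
IOC_NAMES = {
    "init.rb", "com.docker.vmnat", "com.docker.vmnat.aot", "com.docker.vmnat.lock",
    "us.zoom.ZoomService.plist", "com.microsoft.teams.TeamsDaemon.plist",
    "com.xpc.agent.plist",
}

# Directories named in the report; adjust for the host under examination.
DEFAULT_PATHS = ["/usr/local/bin", "/Library/LaunchDaemons",
                 "/Library/LaunchAgents", "/private/var/db/oah"]


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str   # "hash" (strong) or "name" (weak)
    detail: str   # which indicator matched


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large AOT artifacts don't get loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(paths=DEFAULT_PATHS, extra_hashes=None):
    """Return Findings for every file under `paths` that hits an indicator."""
    hashes = dict(IOC_SHA256)
    if extra_hashes:
        hashes.update(extra_hashes)
    findings = []
    for root_dir in paths:
        if not os.path.isdir(root_dir):
            continue  # not every directory exists on every host
        for root, _dirs, files in os.walk(root_dir):
            for name in files:
                full = os.path.join(root, name)
                try:
                    digest = sha256_file(full)
                except OSError:
                    continue  # unreadable (permissions, vanished); skip
                if digest in hashes:
                    findings.append(Finding(full, "hash", hashes[digest]))
                elif name in IOC_NAMES:
                    findings.append(Finding(full, "name", name))
    return findings


def build_fixture():
    """Constructed fixture: a temp dir holding one name-only hit, one hash
    hit (against a constructed hash, since the real sample is not here) and
    one benign file. Returns the directory and the extra hash mapping."""
    d = tempfile.mkdtemp(prefix="ioc_fixture_")
    with open(os.path.join(d, "com.docker.vmnat"), "wb") as f:
        f.write(b"placeholder bytes, not the real sample")
    payload = b"constructed content standing in for init.rb"
    with open(os.path.join(d, "lic.dat"), "wb") as f:
        f.write(payload)
    with open(os.path.join(d, "README.txt"), "wb") as f:
        f.write(b"benign")
    return d, {hashlib.sha256(payload).hexdigest(): "constructed-init.rb"}


if __name__ == "__main__":
    fixture_dir, extra = build_fixture()
    for hit in scan([fixture_dir], extra):
        print(f"{hit.reason:4} {hit.path} ({hit.detail})")
```

Because the actor deleted payloads after use, a clean run of this scanner does not clear a host; the AOT translations and the XProtect XPdb entries described later in this summary are the artifacts that survive deletion, and a name-only hit on a LaunchDaemon plist should be followed by inspecting what program the plist points at.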

Initial access and the follow-on technical sequence: UNC4899 compromised JumpCloud and injected a lightweight Ruby downloader (init.rb) into the JumpCloud commands framework. The Ruby script defined its file paths in two variables (ffn = ‘/usr/local/bin/com.docker.vmnat’ and fn = ‘/usr/local/bin/com.docker.vmnat.lock’), downloaded binary payloads from attacker-controlled domains (e.g., hxxps://primerosauxiliosperu[.]com/lic.dat and lic_bak.dat), set executable permissions, and executed the first binary, which acted as a FULLHOUSE.DOORED first-stage backdoor.

FULLHOUSE.DOORED (C/C++) provided HTTP-based command-and-control, shell execution, file transfer, file management, and process injection. On Apple Silicon hosts, x86-64 binaries produced Rosetta AOT artifacts under /private/var/db/oah (e.g., com.docker.vmnat.aot), enabling recovery of translated code and symbol information even after the original binary was deleted. The operator used FULLHOUSE.DOORED to deploy modular second-stage backdoors—STRATOFEAR (Mach-O ARM64 observed) and TIEDYE (xpc.protect)—each with embedded configuration files, module-loading capabilities, and monitor threads for file/process/network events. STRATOFEAR stores its main config at /Library/Fonts/ArialUnicode.ttf.md5 and supports downloading/loading modules into memory or from disk; TIEDYE’s config lists multiple C2 protocols (tcp, http, ssl, proxy_socks4, rdp, etc.) and uses an AES-128-encrypted local config file.

Forensic recovery used JumpCloud agent logs (/private/var/log/jcagent.log) showing RunWorkflow events, FSEvents to reconstruct deleted file activity and rename history, Rosetta AOT files to analyze translated payloads, and Apple’s XProtect DB (XPdb at /var/protected/xprotect/XPdb) to identify exec_signing_id and exec_cdhash values that linked deleted binaries across hosts. The actor attempted to remove on-disk artifacts but left persistence plists, AOT translations, and XPdb/cdhash evidence; OPSEC errors (VPN lapses, stale PTR records) revealed parts of the DPRK-linked infrastructure used for C2 and relay hops.
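The jcagent.log review described above, as an added example that is not part of the original report: it pulls out the two directive strings the page quotes (the RunWorkflow fallback-poll line and the `schedule=immediate type=WORKFLOW` scheduler line) and pairs each RunWorkflow with an immediate schedule that follows it within a few lines, which is the pairing an analyst reconciles against the JumpCloud console's record of who queued the command. The five sample log lines, their timestamp layout and the `id=wf-…` fields are constructed; only the quoted directive substrings come from the page, and the real log format may differ.

```python
"""Flag JumpCloud agent log entries matching the RunWorkflow / immediate
WORKFLOW directive strings quoted on this page. Example code added here, not
Mandiant's or JumpCloud's tooling. SAMPLE_LOG is constructed; real
/private/var/log/jcagent.log lines may be laid out differently."""
import re
from dataclasses import dataclass

# Substrings quoted on the page from /private/var/log/jcagent.log.
RUNWORKFLOW_MARK = "Fallback Poll was required to handle the following directive: RunWorkflow"
IMMEDIATE_RE = re.compile(r"schedule=immediate\s+type=WORKFLOW")
# Assumed timestamp shape for the constructed sample (ISO-8601 prefix).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*)")


@dataclass
class WorkflowEvent:
    lineno: int
    timestamp: str
    kind: str    # "run_workflow" or "immediate_schedule"
    text: str


def parse_workflow_events(lines):
    """Scan log lines and return the events worth escalating, in file order."""
    events = []
    for i, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        m = TS_RE.match(line)
        ts = m.group(1) if m else ""   # empty if the line has no timestamp
        if RUNWORKFLOW_MARK in line:
            events.append(WorkflowEvent(i, ts, "run_workflow", line))
        elif IMMEDIATE_RE.search(line):
            events.append(WorkflowEvent(i, ts, "immediate_schedule", line))
    return events


def pair_immediate_runs(events, window=5):
    """Pair each RunWorkflow directive with the first immediate WORKFLOW
    schedule logged within `window` lines after it. Unpaired events are
    still returned by parse_workflow_events and should be reviewed too."""
    pairs = []
    runs = [e for e in events if e.kind == "run_workflow"]
    sched = [e for e in events if e.kind == "immediate_schedule"]
    for r in runs:
        for s in sched:
            if 0 < s.lineno - r.lineno <= window:
                pairs.append((r, s))
                break
    return pairs


# Constructed sample: one immediate workflow run and one ordinary cron one.
SAMPLE_LOG = """\
2023-07-05T10:00:01Z [INFO] agent heartbeat ok
2023-07-05T10:02:14Z [INFO] Fallback Poll was required to handle the following directive: RunWorkflow
2023-07-05T10:02:14Z [INFO] Policy manager creating schedule cron monitor id=wf-0001 schedule=immediate type=WORKFLOW
2023-07-05T10:02:15Z [INFO] workflow wf-0001 finished
2023-07-05T11:30:00Z [INFO] Policy manager creating schedule cron monitor id=wf-0002 schedule=0 * * * * type=WORKFLOW
""".splitlines()


if __name__ == "__main__":
    found = parse_workflow_events(SAMPLE_LOG)
    for e in found:
        print(f"line {e.lineno} {e.timestamp} {e.kind}")
    for run, sched in pair_immediate_runs(found):
        print(f"immediate execution: RunWorkflow@{run.lineno} -> schedule@{sched.lineno}")
```

To use it on a real host, read the agent log into `parse_workflow_events` (`open('/private/var/log/jcagent.log')` iterates lines directly) and compare each paired timestamp with the FSEvents record of file creation under /usr/local/bin and with the JumpCloud console's command history; a RunWorkflow that no administrator queued is the event to escalate.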

Read more: https://www.mandiant.com/resources/blog/north-korea-supply-chain