Onyx Sleet, the North Korean threat actor tracked under that name by Microsoft, uses a diverse malware toolkit to gather intelligence and, increasingly, to pursue financial gain, attacking defense, engineering, and energy targets across India, South Korea, and the United States. Its campaigns span a broad attack chain, from loaders and droppers to multiple custom RATs (TigerRAT, SmallTiger, LightHand, ValidAlpha, Dora RAT) and purpose-built C2 infrastructure, augmented by exploitation of public vulnerabilities (notably CVE-2023-42793 in JetBrains TeamCity) and in-memory execution techniques. #OnyxSleet #SILENTCHOLLIMA #Storm-0530 #TigerRAT #SmallTiger #LightHand #ValidAlpha
Keypoints
- Microsoft and the FBI continue to monitor Onyx Sleet, the North Korean threat actor named in a DOJ indictment, and remain alert to changes in its activity.
- Targets are primarily military, defense, and technology organizations in India, South Korea, and the United States, with recent activity also hitting South Korean educational institutions, construction, and manufacturing.
- The threat actor uses a wide spectrum of tools, including custom RATs (TigerRAT, SmallTiger, LightHand, ValidAlpha, Dora RAT) and loaders/droppers, paired with evolving C2 infrastructure.
- Initial access has shifted from traditional spear-phishing toward exploitation of N-day vulnerabilities, including CVE-2023-42793 in JetBrains TeamCity.
- Campaigns rely on in-memory execution, heavy custom encryption and obfuscation, and commercial packers (Themida, VMProtect) to evade detection.
- DTrack (linked to past campaigns) and Dora RAT illustrate the range of malware families in use; the Log4j 2 vulnerability CVE-2021-44228 has also been leveraged for initial access in some attacks.
- Notable IOCs include specific IPs, domains, a fake Tableau certificate, and multiple SHA-256 hashes for TigerRAT, LightHand, and ValidAlpha samples.
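The packer point above is the easiest one to act on during triage of a suspicious binary. The following is an added example, not code from the page or from Microsoft: a pure-Python PE section walker that flags section names commonly left behind by Themida/VMProtect and sections whose byte entropy looks encrypted or compressed. The section-name table, the entropy cutoff, and the synthetic PE images it builds for itself are all assumptions of the example, not indicators from the page.

```python
import math
import struct
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Section names commonly observed in binaries protected by the packers named
# above. This table is an assumption of the example (well-known triage
# heuristics), not a list of indicators published on the page.
PACKER_SECTION_NAMES: Dict[bytes, str] = {
    b".themida": "Themida",
    b".winlice": "Themida/WinLicense",
    b".vmp0": "VMProtect",
    b".vmp1": "VMProtect",
    b".vmp2": "VMProtect",
}
# Assumed cutoff (bits per byte) above which a section looks encrypted or
# compressed rather than like ordinary code or data.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Walk the PE section table and yield (section name, raw section bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional        # section headers follow the optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]


def triage_pe(pe: bytes) -> List[Dict]:
    """Score every section; a non-empty 'reasons' list marks it as suspicious."""
    findings = []
    for name, data in parse_sections(pe):
        entropy = shannon_entropy(data)
        reasons = []
        packer = PACKER_SECTION_NAMES.get(name.lower())
        if packer:
            reasons.append(f"section name associated with {packer}")
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
        findings.append({"section": name.decode("latin-1"), "entropy": round(entropy, 2), "reasons": reasons})
    return findings


def looks_packed(pe: bytes) -> bool:
    return any(f["reasons"] for f in triage_pe(pe))


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Build a minimal synthetic PE image (DOS header, PE headers, section table, raw data).
    Constructed for this example so it runs offline; it is not a real sample."""
    e_lfanew, opt_size = 64, 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    raw_ptr = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1),
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blobs


# Two constructed images: ordinary-looking code vs. a VMProtect-style high-entropy section.
SAMPLE_CLEAN = build_sample_pe([(b".text", b"\x55\x8b\xec" * 200 + b"\xc3" * 50)])
SAMPLE_PACKED = build_sample_pe([(b".text", b"\x00" * 512), (b".vmp0", bytes(range(256)) * 16)])

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        print(label, looks_packed(image), triage_pe(image))
```

The name check is trivially evaded (a packer can rename its sections) and the entropy check also fires on legitimately compressed resources, so treat a hit as a reason to look closer rather than as a verdict. Its value is in ordering triage: a high-entropy section carrying a packer name, in a binary whose signature does not validate, is worth an analyst's time ahead of the rest of the queue.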
MITRE Techniques
- [T1190] Exploit Public-Facing Application – “In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.”
- [T1566.001] Spearphishing Attachment – “historically leveraged spear-phishing to compromise target environments”
- [T1113] Screen Capture – “keylogging and screen recording” as described in TigerRAT capabilities.
- [T1056.001] Keylogging – “carry out commands, such as keylogging and screen recording, from the C2.”
- [T1083] File and Directory Discovery – “get system storage information, perform directory listing”
- [T1027] Obfuscated Files or Information – “heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible.”
- [T1036] Masquerading – “payloads signed with an invalid certificate masquerading as legitimate software to evade detection.”
- [T1041] Exfiltration Over C2 Channel – “Stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware.”
- [T1071] Application Layer Protocol (Command and Control) – “leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).”
Indicators of Compromise
- [IP Address] context – 84.38.134.56, 45.155.37.101, and 4 more IPs
- [URL] context – hxxp://84.38.134.56/procdump.gif
- [Domain] context – americajobmail.site, privatemake.bounceme.net, ww3c.bounceme.net, advice.uphearth.com
- [SHA-256] TigerRAT – f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c, 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207, and 3 more hashes
- [SHA-256] LightHand – f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5, 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1, and 2 more hashes
- [SHA-256] ValidAlpha – c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c, c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1
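One practical use of the list above is a sweep of proxy/DNS logs and of file hashes. The following is an added example, not tooling from the page or from Microsoft: it carries the indicators published on the page (kept defanged as written), refangs them before comparison, anchors IP and domain matches on token boundaries so that, for instance, 184.38.134.56 does not match 84.38.134.56, and hashes in-memory file contents against the SHA-256 list. The log lines and file contents are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators as published on the page, kept defanged exactly as written.
IOC_IPS = {"84.38.134.56", "45.155.37.101"}
IOC_DOMAINS = {"americajobmail.site", "privatemake.bounceme.net",
               "ww3c.bounceme.net", "advice.uphearth.com"}
IOC_URLS = {"hxxp://84.38.134.56/procdump.gif"}
IOC_SHA256: Dict[str, str] = {  # hash -> malware family, from the page's IOC list
    "f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c": "TigerRAT",
    "0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207": "TigerRAT",
    "f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5": "LightHand",
    "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1": "LightHand",
    "c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c": "ValidAlpha",
    "c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1": "ValidAlpha",
}


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so indicators compare against live log text."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":"))


def _patterns():
    pats = []
    for ip in sorted(IOC_IPS):       # digit/dot boundaries: 184.38.134.56 must not hit 84.38.134.56
        pats.append(("ip", ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")))
    for dom in sorted(IOC_DOMAINS):  # a leading '.' is allowed so subdomains hit; 'notamericajobmail.site' does not
        pats.append(("domain", dom, re.compile(r"(?<![\w-])" + re.escape(dom) + r"(?![\w-])", re.I)))
    for url in sorted(IOC_URLS):     # URL indicators are compared after refanging both sides
        pats.append(("url", url, re.compile(re.escape(refang(url)), re.I)))
    return pats


PATTERNS = _patterns()


def scan_logs(lines: Iterable[str]) -> List[Dict]:
    """Return one hit record per (line, indicator) pair found in the log lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        text = refang(line)
        for kind, indicator, pat in PATTERNS:
            if pat.search(text):
                hits.append({"line": lineno, "type": kind, "indicator": indicator})
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sweep_hashes(files: Dict[str, bytes], known: Dict[str, str] = IOC_SHA256) -> Dict[str, str]:
    """Hash each (name -> content) entry and return {name: family} for IOC matches."""
    matches = {}
    for name, content in files.items():
        family = known.get(sha256_hex(content))
        if family:
            matches[name] = family
    return matches


# Constructed sample input: lines 1 and 2 should hit, lines 3 and 4 are deliberate
# near-misses, line 5 is benign. The file contents are placeholders, not real samples.
SAMPLE_LOGS = [
    "2024-07-25T10:02:11Z proxy src=10.0.4.23 dst=84.38.134.56 GET http://84.38.134.56/procdump.gif",
    "2024-07-25T10:02:40Z dns src=10.0.4.23 query=privatemake.bounceme.net type=A",
    "2024-07-25T10:03:05Z proxy src=10.0.4.19 dst=184.38.134.56 GET http://184.38.134.56/index.html",
    "2024-07-25T10:03:40Z dns src=10.0.4.19 query=notamericajobmail.site type=A",
    "2024-07-25T10:04:12Z proxy src=10.0.4.41 dst=203.0.113.9 GET http://example.org/",
]
SAMPLE_FILES = {"procdump.gif": b"GIF89a" + b"\x00" * 32, "notes.txt": b"benign content\n"}

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print(sweep_hashes(SAMPLE_FILES))
```

Two details matter in practice. First, a defanged indicator such as hxxp://... never matches live logs unless both sides are refanged, which is a common reason an IOC sweep silently returns nothing. Second, plain substring matching on IPs over-matches (184.38.134.56 contains 84.38.134.56), so the boundary lookarounds are not cosmetic; the domain pattern deliberately allows a preceding dot so that hosts under a listed domain still hit.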