The Microsoft Threat Intelligence Podcast 9.11.24
Ep 27 | 9.11.24

Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors

Transcript

Sherrod DeGrippo: Welcome to "The Microsoft Threat Intelligence Podcast". I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, and fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome to "The Microsoft Threat Intelligence Podcast". I am Sherrod DeGrippo, and I am joined with one of our Microsoft Threat Intelligence researchers, as well as Greg Schloemer, Threat Intelligence Analyst. Welcome to the show, everyone.

Greg Schloemer: Hello, it's good to be back.

Threat Intelligence Researcher: Thanks for having us.

Sherrod DeGrippo: Yes, it's good to have you back. And this is a special episode of the Microsoft Threat Intelligence Podcast, because we are North Korea-heavy today. We've got two threat actors based out of North Korea that we're going to talk about. The first one is Onyx Sleet. So, I know that part of this story is, started back in July of 2024, where the DOJ indicted an individual linked to this particular threat actor, Onyx Sleet. Tell me kind of what the story is with this particular threat actor and how all this fits together.

Greg Schloemer: When I think of Onyx Sleet, like, it is a quintessential example of North Korean espionage actors, right? They're doing all the things, when we think about North Korean espionage, targeting of defense companies, targeting of energy companies, lots of targeting in the US and India. They've been around a long time, and they've been pretty consistently representing all of the sectors and geolocations that are a priority for North Korea.

Sherrod DeGrippo: And just to kind of do everyone's favorite threat actor-naming dance, this is also a track of Silent Chollima and Andariel, which has been around for a while, I think, right?

Greg Schloemer: Quite a while. One of the oldest.

Sherrod DeGrippo: One of the oldest, a classic.

Greg Schloemer: Yep.

Sherrod DeGrippo: So, you're saying that they do traditional espionage, but we often think of North Korean actors as super-focused on cryptocurrency. Do they do any crypto stuff, too?

Greg Schloemer: So, yeah, that's what's interesting, especially interesting about this group. They have long been an espionage-focused actor. But in 2021, and actually in 2022 as well, on a separate campaign, we saw them doing ransomware. So, it's kind of just an interesting reminder of the fact that every group, every threat actor in North Korea, has to support this mission of generating revenue and bringing in money to support the regime's objectives. So there is no just, like, Oh, I'm going to do espionage in a vacuum. The groups have to be multifaceted, and they have to be able to kind of pivot and do ransomware, when they've been doing espionage for, you know, six years, eight years, or however long.

Sherrod DeGrippo: So in this particular post that we put out on "The Microsoft Threat Intelligence Blog" around summer, mid-summer, kind of give me an idea of, like, what Onyx Sleet is doing. I know that they're using malware, downloaders. They've got a backdoor, and they're leveraging a bunch of vulns, too.

Threat Intelligence Researcher: Yeah, I can jump in here. So, they have taken part in leveraging zero days and n-day vulnerabilities. Just to kind of reiterate, zero days are those vulnerabilities that are unknown to an organization, and n-day vulnerabilities are those vulnerabilities that are known, but they may or may not have a patch available. So, some of these were the Apache ActiveMQ, Confluence, PaperCut, TeamCity, and then also obviously the Log4j vulnerability.

Sherrod DeGrippo: Wow, that is also a classic. Log4j is from December 2022, I believe.

Threat Intelligence Researcher: Yeah, and so they were able to launch a custom remote access Trojan called DTrack, and they deployed this RAT. And it's following the common attack chain that's used by Onyx Sleet currently, and this is exploiting that Log4j vulnerability for initial access. And DTrack can conduct system discovery by collecting outputs from several built-in Windows commands, and has also been reported to support key logging and file transfer onto the compromised device.

Sherrod DeGrippo: I also see here that they're using a fake Tableau software certificate. Can you kind of help me understand how that fits into this whole attack chain and campaign?

Threat Intelligence Researcher: Yeah, so Microsoft identified a campaign attributed to Onyx Sleet back in January of '24 that, like this DTrack RAT, they were using the Sliver framework. So, this is a custom framework and it's signed with an invalid certificate that impersonates the Tableau software. And so further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October of 2023 all the way through June of 2024.

Sherrod DeGrippo: So, they're actively essentially using this pretty regularly.

Greg Schloemer: And that one's kind of interesting, because we've seen maybe over the last two years or so, several North Korean actors have gotten into, like, the software supply chain space. We've seen Diamond Sleet has pulled off a couple of Trojanized open-source software applications. Citrine Sleet had the 3CX supply chain compromise. I think that was in 2023? I don't know. Time is a blur. But I think this maybe is, like, Onyx Sleet's take on that, right? It's not a legitimate supply chain compromise, but it's sort of playing on that same idea of, like, Oh, let's make a fake certificate that impersonates something that people trust, and we're going to leverage that to evade detection and, you know, maybe make people think that this is something legit.

Sherrod DeGrippo: Something else I find interesting, too, is you mentioned the Sliver framework, which is a remote monitoring and management framework, and Ngrok, they're also using Masscan, so are they leveraging a lot of living off the land-type tactics as well?

Greg Schloemer: Yeah, again, they're a weird group. They probably have more custom malware than any other North Korean actor. Like, they have --

Sherrod DeGrippo: But they're using all of this off-the-shelf stuff, too.

Greg Schloemer: Yeah, they have dozens of custom RATs and custom proxy tools. But then they also use Ngrok and Sliver and pick your favorite off-the-shelf tool. I don't really know what's up with that. I find it super fascinating. We don't see that a lot from other actors. Like, they typically, in North Korea at least, they tend to fall more into, like, Oh, we're either using custom capabilities or we're using off-the-shelf stuff. But Onyx does both.

Sherrod DeGrippo: Also, I think it's fun to mention that the Dora RAT, the remote access Trojan that they're using, is developed in Go. So, like, are they, is North Korea a Go shop? Is that what we're learning?

Greg Schloemer: They do it all.

Sherrod DeGrippo: They're all over the place.

Greg Schloemer: Every RE I've ever talked to absolutely hates reversing Go binaries.

Sherrod DeGrippo: Right.

Greg Schloemer: So, you know, I think they're just trying to make life hard for our reverse engineer friends.

Sherrod DeGrippo: Shout out to the reverse engineers that are an incredibly strange and integral part of threat intelligence. We should do a whole episode on just, like, the life of a reverse engineer at Microsoft, because I'm sure it's just absolute weirdness all day, every day. What else should we know about Onyx Sleet? Anything that's important to pull out? Anything that's important to the story here?

Threat Intelligence Researcher: We can talk a little bit about affiliations with other threat actors.

Sherrod DeGrippo: Yeah.

Threat Intelligence Researcher: So for example, Onyx Sleet has demonstrated some affiliations of a bunch of different North Korean actors, but most notably Storm 0530. So, Storm 0530 has been observed interacting with Onyx Sleet email accounts and also communicating with known Onyx Sleet attacker accounts. And both groups operate from the same infrastructure set, and they also use custom malware controllers with similar names.

Sherrod DeGrippo: And so can I kind of understand then, between those two groups, Onyx Sleet and that Storm, which means it's an in-development, Storm 0530 is in-development in terms of attribution, confidence, things like that. How are you differentiating between these two groups? Like, what qualifies one to be a named actor and the other to be in dev, or how are you telling them apart? Because they almost sound like twins using the same infrastructure.

Threat Intelligence Researcher: Yeah, it's a great question. So a lot of North Korean threat groups are tracked under the umbrella as Lazarus Group by a bunch of different security researchers. However, Microsoft breaks out these clusters into subgroups, such as Onyx Sleet or Storm 0530 into their distinct groups. So what Storm 0530 is really known for is they call themselves H0lyGh0st. And they have a H0lyGh0st ransomware payload and it's known for campaigns that have compromised small businesses in multiple countries as early as September of 2021.

Sherrod DeGrippo: Okay, so this is making me think for all of our listeners, what you're going to need to do is you're going to need to go to a URL that is aka.ms/threatactors. There is a spreadsheet there that you can download, as well as a JSON file that is updated, that you can see all of these AKAs and other names. I have memorized the spreadsheet, as have, I'm sure, both of you, but our listeners probably need to get to work on memorizing those names.

Greg Schloemer: Just to touch a little more on Storm 0530. So that's one of my favorite, or most interesting parts of Onyx Sleet's operation. So when I talked about the ransomware from Onyx Sleet, Storm 0530 was that ransomware component. It was the H0lyGh0st ransomware that was just mentioned. And when we think about, like, Oh, why do we characterize that as something separate, as I mentioned before, Onyx Sleet is a traditional espionage actor. And so when we suddenly started seeing -- I mean, North Korean actors doing ransomware is not new. It's been happening for quite some time. But we had never seen that fall under the umbrella of Onyx Sleet. And so when we saw suddenly this ransomware variant emerged and we had technical links to Onyx Sleet, it was like, Okay, wait a second. This is a drastic shift in tactics and in overall methodology. And so as we dug into that, we saw that there was some infrastructure overlap, but whereas Onyx Sleet has always been highly targeted, like, there are clear objectives in what they're doing, H0lyGh0st was kind of all over the place. It was this, like, janky ransomware that was hitting super small organizations, like small schools, mom-and-pop shops. There was, like, a family-owned plumbing business that was a victim of H0lyGh0st. So just completely different when we look at the targeting space between these two actors. So we had the technical overlaps, we had shared infrastructure, but it really was a remarkable change in what we had come to expect from them.

Sherrod DeGrippo: And do you have any idea where the H0lyGh0st name comes from?

Greg Schloemer: I have no idea, they picked it.

Sherrod DeGrippo: Oh, like, it's self-chosen, they're a self-named actor?

Greg Schloemer: It is self-chosen. That's what they put on their ransom page.

Sherrod DeGrippo: And it's a zero too, right? It's like holy and then gh zero.

Greg Schloemer: Yes.

Sherrod DeGrippo: Yeah. Leet.

Greg Schloemer: Yeah, very leet. They're also really bad.

Sherrod DeGrippo: Like, they're not skilled?

Greg Schloemer: No, they're really bad at ransomware. From the visibility we had into the crypto wallets they were using, does anyone want to guess how many Bitcoin they got?

Sherrod DeGrippo: Okay, I'm going to say five Bitcoin.

Threat Intelligence Researcher: I was going to say something like that, like, three.

Greg Schloemer: Drum roll. Zero.

Sherrod DeGrippo: They had no Bitcoin?

Greg Schloemer: No one ever paid them.

Sherrod DeGrippo: Bitcoin-less? Oh my God.

Greg Schloemer: Completely Bitcoin-less, no one ever paid them. I don't know if that's because, like, the ransomware didn't work or if they were just really bad at, you know, actually closing the deal and getting the payment.

Sherrod DeGrippo: I mean, just from my focus on crimeware, which is sort of, like, where I feel more familiar, yeah, there's a lot of hurdles. Like, there's a heavy burden to the process of paying ransomware, paying a ransom for a ransomware event. Like, many organizations don't have Bitcoin or easy ways to access it, and get frustrated and upset and just sort of say, like, You know what? We're going to live with this. We're going to figure something else out. So H0lyGh0st has made zero Bitcoins. That's fascinating.

Threat Intelligence Researcher: I would say overall, though, I mean, as far as North Koreans targeting cryptocurrency, the United Nations estimates that North Korean cyber actors have actually stolen over $3 billion in cryptocurrency since 2017. So there's a lot of trains of thought of, like, Why is this happening? Why are North Korean threat actors using ransomware? And I think this is a really interesting conversation because there are kind of two trains of thought on this. And the first possibility is that North Korea is sponsoring this activity. And this could be due from maybe the sanctions back in 2016. There's a lot of natural disasters, like drought, that have impacted their economy. And then also from that COVID-19 lockdown since early 2020. And so all of these economic setbacks have kind of thrown the North Korean government into that area of sponsoring threat actors to steal from banks and cryptocurrency wallet. If the North Korean government is ordering these ransomware attacks, then the attacks are just another tactic that the government has enabled to offset that financial loss. But then there's another theory that maybe state-sponsored activity has targeted a much broader set of victims, and so because of this, it's equally possible that North Korean government is not enabling these ransomware attacks. Especially with individuals tied to Onyx Sleet infrastructure, that these individuals could be doing this for moonlighting, and this could also explain why the targeting of victims in Storm 0530 is so erratic.

Sherrod DeGrippo: So, and this is something that we've seen I think as well with Russia-based threat actors, where there is kind of a rogue overlap of, like, moonlighting, doing crimeware-type stuff after they do their day job at an espionage factory. So, you know, are you kind of saying that that's a possible setup for the way that these particular actors based out of North Korea could be operating?

Threat Intelligence Researcher: Yeah, absolutely. And I also think, you know, there's, it's under such a suppressive environment as well. So it makes sense if some individuals are looking also to generate individual income in that regard. But as far as the government side of North Korea, it's known that a lot of these funds are going towards their weapons programs and also to collect intelligence on the United States, South Korea, and Japan. And so North Korea has conducted very many missile tests and military drills over the past year, and they've even launched a military reconnaissance satellite back in November of 2023.

Sherrod DeGrippo: So it sounds like they have a lot of methods and capabilities, and are really agile and know how to pivot. So while we're talking about crypto theft, let's talk about another recent threat actor. This one is Citrine Sleet, also based out of North Korea. But this, I'll be honest, I read this blog and it is, quite frankly, one of the most interesting and in some ways surprising attack chains that I've ever seen, certainly out of North Korea. So kind of walk us through what's Citrine Sleet been up to?

Greg Schloemer: Yeah, so maybe we can start with a little context on this actor. As I mentioned, almost every North Korean threat actor is at least partially responsible for supporting the revenue generation mission and ultimately funding the weapons of mass destruction program. But there's really only a handful of actors that are, like, exclusively or almost exclusively dedicated to crypto theft and financial gain. And Citrine Sleet is one of those. We typically think of Sapphire Sleet, Jade Sleet, and Citrine Sleet as, like, the three big players in the crypto theft space. Citrine Sleet is also known publicly for their AppleJeus malware. And over the last few years, they have pretty extensively targeted financial institutions and particularly blockchain technology companies and crypto exchanges. And they've been pretty consistent in the methodology that they've used to do that. But in this most recent campaign, we actually saw that Citrine Sleet was using a hot new 0 day in Chromium.

Sherrod DeGrippo: So again, this is what I just find really shocking about this particular attack chain, right? It's a vulnerability in Chromium, CVE-2024-7971, a vulnerability in the Chromium engine, which powers Google Chrome, as well as Microsoft Edge, that leads to remote code execution. I don't remember, I'm sure there are, but I don't remember the last time that I saw a browser vulnerability that led to RCE. And then further on, and we'll talk about this more, they leverage this to deploy a rootkit. So I feel like I'm, it's, like, this is a very retro attack because it leverages a browser vuln, RCE, and then a rootkit. Rootkits are not something that we see around a lot these days, so help me make sense of this. How did they get here? What is this?

Greg Schloemer: So what's wild about this is there's actually two vulnerabilities that are being included.

Sherrod DeGrippo: That they're chaining, right? Like, they're chaining them together. Okay, how does that work?

Greg Schloemer: Yeah, so the Chromium browser process is sandboxed. And that's to prevent, you know, malicious code running outside the scope of that process. So they can get RCE in the Chromium process, but then they can't really do anything because that process runs in isolation. So they also chained a sandbox escape vulnerability in Windows, which was patched in the August Patch Tuesday release. And they used that to escape the sandbox of the Chromium process, and then load their FudModule rootkit in memory. So this was, like, a very elaborate and well thought-out exploit chain. We were aware of the sandbox escape vulnerability because it was, you know, actively being patched for release on August Patch Tuesday. But we were not aware until we saw this exploit chain in the wild that the North Koreans were using it. So we actually had two zero days that were being used. Well, actually, I think the sandbox escape vuln may have been publicly disclosed by the time Citrine used it, I'm not sure, but two vulnerabilities chained together to pull off this attack.

Sherrod DeGrippo: So let me ask you, let's speculate, let's do wild speculation. Are they finding their own zero days? Are they buying these zero days? Are they collaborating with another nation on the same axis to share? How is this happening? And how is North Korea leveraging these chains together? That's just really surprising to me, because I normally would not say, from what I know over the, you know, past 10 years, North Korea is not chaining 0 days together and deploying rootkits. Like, that's just not something that I would put in their profile. So, is this an evolution?

Greg Schloemer: I have my own opinion --

Threat Intelligence Researcher: That's a really good question.

Greg Schloemer: -- on this, but I'll defer to my colleague if you'd like to give your take.

Sherrod DeGrippo: No, I want the hot takes. Like, let's do the hot takes. There's no wrong answers here, right?

Greg Schloemer: Okay, hot takes. So, I'm probably going to get some flak in, among our viewership for saying this, but if we think about, like, prioritization of what North Korean threat actors are doing, they're not really in the business of spending money, right? Like, I don't, to be honest, I have no idea how much an 0 day costs.

Sherrod DeGrippo: Millions. A good 0 day is, like, a million dollars.

Greg Schloemer: Okay, right? So, like, I mean, some of the heists that Citrine Sleet has pulled off in the past are, like, only a single digit number of millions, right? So there's sort of, for me, it's like, Are they actually going to be paying millions of dollars for two exploits to then, like, maybe not even make their money back? Like, I'm not sure that makes a ton of sense, just thinking about how much they prioritize revenue generation.

Sherrod DeGrippo: So what you're saying is that if I propose North Korea, Citrine Sleet, is buying 0 days on an underground market or, you know, from another nation, another nation state, they're buying 0 days, your view is that's unlikely because they're kind of cheap and don't have a lot of money.

Greg Schloemer: Yeah.

Sherrod DeGrippo: Okay.

Greg Schloemer: To be clear, I have no, like, actual evidence to answer that question factually.

Sherrod DeGrippo: Well, no. I mean --

Greg Schloemer: That's just kind of the vibe, you know?

Sherrod DeGrippo: Yeah, no, vibes are very important. Believe me, I love a vibe. No, but I think, like, when you talk about threat actor motivation, whether it's motivation of an entire regime, or it's motivation of a specific threat actor group, or it's motivation of a specific individual within a threat actor group, the truth is we can never really know what's, like, in their heart, right? Like, you don't know how they truly feel and what's really moving them to do things. It could be feeding their family. It could be, you know, personal pride. It could be they're just bored. It could be they love solving puzzles. You never really know, and I think that's why it's fun to kind of say what might be. So, do you have another theory?

Threat Intelligence Researcher: I mean, I would assume, you know, it's a suppressed nation, so out of suppression comes a lot of opportunity to try to overcome that type of regime. So, like we talked about a little bit earlier, individuals who are attempting to, like you say, feed your family and make a life for themselves can possibly, you know, find solace in operating as what we would consider a bad guy. I don't think that's completely unheard of.

Sherrod DeGrippo: So something I spoke with our colleague Tom Gallagher, who is VP of Engineering over at the Microsoft Security Response Center, was this bug collision potential reality. Which there is a possibility there that the same vulnerability is independently discovered by two separate threat actor groups, or one shared the knowledge of that vulnerability to multiple actors. I have never heard, I mean, obviously it seems plausible that a bug collision of this type could happen, where it's independently discovered by two separate groups. I think it's also possible that one researcher sold or gave this vulnerability to multiple groups. Have you seen this bug collision situation before? Any context on, like, how common this might be?

Greg Schloemer: I really don't know, but honestly, that seems kind of unlikely, right? Like, what are the odds that two completely independent entities stumble upon the same vuln in the same time frame? I'm sure it can happen. I'd be curious to hear, like, Tom or someone from MSRC who spends more time in the vuln space. Yeah, I don't know. That just, that seems, probability-wise, that seems pretty unlikely. But, I mean, hey, maybe.

Threat Intelligence Researcher: Yeah, I assume it might be a case of one of the threat actors sharing knowledge of this vulnerability maybe with another threat actor, and it just becomes part of that rumor mill, potentially. But I agree, I think it would be really highly unlikely to independently discover a zero day at the exact same time.

>> Vulns are flying fast and furious, and we all are intel people and don't really work with [laughter]. So hey, if you have, like, if you're a bug hunter, if you have lots of vulnerability knowledge, send us a tweet and let us know what you think about the possibility of this bug collision situation that honestly has been burning up social media ever since we posted this blog. People have really dug in on this bug collision possibility. It really is almost, like, it's like a murder mystery. It's like a whodunit, how did this work? So again, rootkits, very retro, very 10 years ago at this point. They have a rootkit called FudModule. Tell me about this rootkit.

>> Yeah, so the FudModule rootkit is a malware that specifically targets kernel access while evading detections. And there's other threat actors that have been observed using this rootkit, and Diamond Sleet is one of them. They used it since October of 2021. Diamond Sleet is known for conducting supply chain compromises, and they've also exploited the TeamCity server. So as you can see, a lot of these North Korean threat actors are using very similar TTPs, and I can understand why some security researchers may track them as that one umbrella of Lazarus Group. But, yeah, everybody's doing basically very similar things.

Sherrod DeGrippo: I also saw that there was some research cited by Avast that found FudModule 2.0, which I really like that FudModule just by itself needed some updates and they gave it a new version, 2.0.

Threat Intelligence Researcher: Yeah, so that includes, I'm just reading, now reading the report, FudModule 2.0 includes the malicious loaders and the late-stage remote access Trojan.

Sherrod DeGrippo: Well, that was a fascinating look into Citrine Sleet's recent leveraging of zero days and chaining vulnerabilities, and rootkits and updated FudModules. Thank you so much for joining me, and I hope we'll hear more about North Korea threat actors as we find new things to report on.

Greg Schloemer: Thanks so much, Sherrod.

Threat Intelligence Researcher: Thank you. [ Music ]

Sherrod DeGrippo: Thanks for listening to "The Microsoft Threat Intelligence Podcast". We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]