Trojan:Win32/ForestTiger.B!dha is a backdoor trojan used by the state-sponsored Diamond Sleet group. This trojan was deployed in conjunction with CVE-2023-42793, which is an authentication bypass vulnerability in JetBrains TeamCity.
Conduct a thorough investigation of the network to identify any other compromised systems, as this is indicative of an APT attack.
Threat behavior
After the attacker gains an initial foothold through CVE-2023-42793, they download the backdoor trojan ForestTiger to the following locations:
%ProgramData%\Forest64.exe
%ProgramData%\4800-84DC-063A6A41C5C
Once Forest64.exe is launched, it decrypts the encrypted configuration file 4800-84DC-063A6A41C5C to access the necessary parameters for command and control (C2).
ForestTiger then creates a scheduled task named Windows TeamCity Settings User Interface to ensure persistence.
ForestTiger can also be used for extracting LSASS credentials.
Prevention
Ensure that JetBrains TeamCity is fully patched to prevent exploitation.
Run regular scans with Microsoft Defender to detect and remediate potential threats on the system.
Trojans more often target enterprises than individuals. The following mitigation steps (intended for enterprise customers) can help prevent such attacks:
Keep backups so you can recover data affected by trojans and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
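The mitigation and monitoring steps above, collected into one PowerShell script as an added example (this is not code from the original page; the one-hour window, the failed-logon threshold of 20 per source, and applying the firewall rule only to workstations are assumptions made here). Tamper protection is managed from the Microsoft Defender portal or Intune rather than local PowerShell, so it is not included:

```powershell
# Added example, not from the original page. Applies the listed mitigations to a
# single Windows host and summarises failed-logon (4625) activity. Run elevated.
#Requires -RunAsAdministrator

function Enable-DefenderMitigations {
    # Cloud-delivered protection plus automatic submission of safe samples
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

    # Controlled folder access stops unauthorized applications modifying protected files
    Set-MpPreference -EnableControlledFolderAccess Enabled

    # Attack surface reduction rules, deployed in audit mode first so their impact can be
    # assessed before switching them to Enabled. GUIDs are Microsoft's documented rule IDs:
    #   9e6c4e1f-... block credential stealing from LSASS
    #   d1e49aac-... block process creations originating from PsExec and WMI
    # Add the ransomware and Office rules from Microsoft's ASR rule reference the same way.
    $asrRules = @(
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
        'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    )
    foreach ($id in $asrRules) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Enable-RdpNetworkLevelAuthentication {
    # NLA requires the client to authenticate before an RDP session is created
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Block-LateralMovementPorts {
    # Block inbound RPC endpoint mapper (135) and SMB (445) between endpoints.
    # Assumption: applied to workstations only; file and domain servers need these ports.
    New-NetFirewallRule -DisplayName 'Block inbound RPC/SMB (lateral movement)' `
        -Direction Inbound -Protocol TCP -LocalPort 135, 445 `
        -Action Block -Profile Domain, Private
}

function Get-FailedLogonSummary {
    # Groups Security event 4625 by source address and target account and returns
    # the pairs that exceed the threshold; window and threshold are assumed values.
    param(
        [int]$Hours = 1,
        [int]$Threshold = 20
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            SourceIp  = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    } |
        Group-Object -Property SourceIp, Account |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

Enable-DefenderMitigations
Enable-RdpNetworkLevelAuthentication
Block-LateralMovementPorts
Get-FailedLogonSummary -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

Run Get-FailedLogonSummary on its own first: a source that trips the threshold with a spread of different target accounts is the pattern worth escalating, whereas a single service account failing repeatedly from one host is more often a stale credential.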
Devices infected by ForestTiger manifest the following symptoms:
Creation of a scheduled task named Windows TeamCity Settings User Interface.
Presence of the file %ProgramData%\Forest64.exe.
Presence of the file %ProgramData%\4800-84DC-063A6A41C5C.
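A read-only check for the symptoms listed above, written here as an added PowerShell example (not code from the original page). It looks for the two dropped files, the named scheduled task, a running Forest64.exe process, and the task-creation audit event; the use of Security event 4698 assumes that scheduled-task auditing is enabled on the host, and no hashes are asserted because the page does not publish any:

```powershell
# Added example, not from the original page. Reports ForestTiger indicators on the
# local host without changing anything; hashes are recorded for later correlation.
function Find-ForestTigerIndicators {
    $taskName = 'Windows TeamCity Settings User Interface'
    $findings = @()

    # 1. Dropped files under %ProgramData%
    foreach ($name in 'Forest64.exe', '4800-84DC-063A6A41C5C') {
        $path = Join-Path $env:ProgramData $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings += [pscustomobject]@{
                Indicator = 'File'
                Detail    = $path
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Timestamp = $item.CreationTimeUtc
            }
        }
    }

    # 2. Persistence: scheduled task with the documented name, including what it runs
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        $findings += [pscustomobject]@{
            Indicator = 'ScheduledTask'
            Detail    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Sha256    = $null
            Timestamp = $task.Date
        }
    }

    # 3. Live process started from the dropped executable
    Get-CimInstance Win32_Process -Filter "Name = 'Forest64.exe'" | ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "PID $($_.ProcessId): $($_.CommandLine)"
            Sha256    = $null
            Timestamp = $_.CreationDate
        }
    }

    # 4. Task-creation audit event (4698), which survives even if the task was later removed.
    #    Assumes "Audit Other Object Access Events" is enabled on this host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$taskName*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'TaskCreatedEvent'
                Detail    = "Event 4698 record $($_.RecordId)"
                Sha256    = $null
                Timestamp = $_.TimeCreated.ToUniversalTime()
            }
        }

    return $findings
}

$results = Find-ForestTigerIndicators
if ($results) {
    $results | Format-Table -AutoSize
    exit 1   # non-zero so a fleet-wide job can flag this host for investigation
} else {
    'No ForestTiger indicators found.'
    exit 0
}
```

Any hit on this host should trigger the network-wide investigation recommended above rather than a single-machine cleanup, since the access obtained through CVE-2023-42793 may have been used to reach other systems.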