From ATT&CKcon 4.0
By Marina Liang
"LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.
This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database."
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
1. Marina Liang, Threat Researcher
Exploring the Labyrinth
Deep dive into the Lazarus Group's foray into macOS
2. Agenda
Follow me down the labyrinth…
• Whoami
• Overview of Lazarus Group
• Foray into macOS
• New(ish) macOS techniques:
  • TCC db
  • Ad hoc signing
• Lazarus Group Mitre Heat Map
• Recommendations for Defenders
• Predictions
• Q&A
3. whoami
Marina Liang
• Independent Security Researcher - open to connecting ;)
• 7 years in InfoSec with a focus on Windows + macOS
• EDR vendors: Carbon Black, Crowdstrike
• Background: Threat research, MDR, threat hunting, SecOps, EDR, purple teaming, IR, detection engineering
• Active with Mitre ATT&CK community:
  • Windows Phantom DLL Hijacking - NEW
  • macOS TCC.db dumping (2) - NEW
• Hobbies: Dance, yoga, art, travel, eating
• LinkedIn: https://www.linkedin.com/in/marinaliang
4. Overview of Lazarus Group
Aka Labyrinth Chollima, HIDDEN COBRA, etc.
• https://attack.mitre.org/groups/G0032/
• Origin: DPRK (Democratic People's Republic of Korea)
• Active since at least 2009
• Breaches: Sony, WannaCry, 3CX, JumpCloud
• Targeted OS: Cross-platform - Windows, macOS, Linux, and… Cloud!
• Motivation: Cyber espionage + currency generation
• Targeted Verticals: Various, aerospace & defense, recent emphasis on FinTech (crypto)
  • Estimates of $2B in cryptocurrency stolen
• Targeted Geography: Various, South Korea, Europe, US
6. Evolution of Social Engineering Tactics
Lazarus Group Demonstrates Targeted Social Engineering
https://www.malwarebytes.com/blog/news/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
2019-2020 - Operation Dream Job
• Targeted aerospace and defense, primarily in Eastern Europe
• Cyber espionage
2019 - COVID pandemic begins
• 2020 - Targeted AstraZeneca
  • possibly to gain insights into COVID-19 for DPRK
  • Extortion or selling info for profit
2020-2021 - Targeting cybersecurity researchers
• Fake security company
• Posed as security recruiters/researchers
2021-2022 - Operation In(ter)ception
• Decoy PDF lures for job vacancies at Coinbase and crypto.com
• Cyber espionage + currency generation
2023: Continued job lures
• Recession themed?
• Fake recruiter advertising jobs for a real or fake company
• Sends them "interview questions" or "job description" to prep
Social engineering themes change with existing geopolitical and socioeconomic times.
Platforms: LinkedIn, Twitter, WhatsApp, Slack, Telegram, Discord, Keybase and email.
7. Lazarus Tools
If it ain't broke, don't fix it
Notable Tool and Strategy Reuse:
• Cryptocurrency trading program and fake crypto company + website hosting malware
• AppleJeus (numerous iterations) - fake installer and macOS malware for cryptocurrency exchange
  • Persistence: Postinstall script installs malware as a launch daemon, extracting a hidden plist from the application's /Resources directory.
  • Requires a single command-line argument in order to execute - likely to bypass EDR
  • Signed, but not with an Apple Developer ID
https://objective-see.org/blog/blog_0x49.html
8. Lazarus Tools: MATA & Masquerading
Custom cross-platform remote access tool
MATANet or MATA Framework or DACLS was a custom tool developed by Lazarus Group back around 2018. Though initially developed for other OSs, Lazarus has since pivoted to macOS.
• Various geographic targets: US, Poland, Germany, Turkey, Korea, Japan and India, and counting
Masquerading
MATA Framework implants and variants pose as common apps:
• Adobe, Google Chrome, Oracle, fonts, Zoom, developer packages (fiddler, ruby gems), PyPi packages, etc.
• macOS and Linux variants leverage plugins
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
9. Evolution of MATA: macOS
Custom cross-platform remote access tool
https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
April 2018: MATA first seen in the wild
- Windows and Linux
- reported by 360 Netlab
2020: First observed macOS variant on VT
- Trojanized 2FA app based on an open-source 2FA app, MinaOTP
• Impersonating developer files "Contents/Resources/Base.lproj/"
• Fake SubMenu.nib (Mac executable file)
2020-2022: VMware Threat Analysis Unit (TAU) scans the internet for MATA C2 servers, resulting in 121 active servers uncovered, with numbers declining.
2023: Developer package masquerading:
• Fake install.rb in /Library/Ruby/Gems/2.6.0/extensions/
• Fake Bundler Ruby gem bundler.rb in /Library/Ruby/Gems/2.6.0/extensions/
• .rb files do not normally reside in /extensions/
Note: There are not a ton of MATA macOS samples out there, so happy to collaborate to augment this timeline.
10. macOS RMM tools
*macOS admins collectively cringe*
JumpCloud supply chain attack 2023
- Targeted customers in the cryptocurrency industry
- Lazarus Group uses JumpCloud to deploy Ruby scripts and drop Mach-O executables and malware onto victim hosts
- Access to existing infrastructure…
Why use JumpCloud?
- Permissions: Admin tools like Jamf and JumpCloud run with the required privileges to execute scripts and enumerate sensitive files
- Easy to blend in
- Noisy - difficult to tune out "what is normal"
- https://www.mandiant.com/resources/blog/north-korea-supply-chain
- https://jumpcloud.com/blog/security-update-june-20-incident-details-and-remediation
12. Primer on TCC.db
Transparency, Consent, Control (TCC)
TCC framework: Security and privacy controls to prevent applications from being able to access sensitive data without user permission
• Permissions include: full disk, camera, contacts and microphone access
• If an application tries to access files protected by TCC without authorization, the operation is denied.
Location:
• global: /Library/Application Support/com.apple.TCC/TCC.db
• user: $HOME/Library/Application Support/com.apple.TCC/TCC.db
• If you are an admin and grant yourself FDA, you grant all users (even non-admins) the ability to read all other users' data on the disk, including your own.
• As reported in CVE-2020-9771: A disk can be mounted and read by non-admin users
• If an actor copies malware over to the app bundle that already has TCC permissions with the right access, that app will execute
https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
13. TCC.db - what could go wrong?
Lazarus Group dumps the TCC.db
If an actor gains write access to the TCC.db, they could grant themselves TCC entitlements without alerting the user.
System Integrity Protection (SIP) is supposed to mitigate this, BUT Terminal could already have FDA enabled.
Lazarus dumps the Transparency, Consent and Control (TCC) database.
• The output of this dump would present a gold mine of possible applications to exploit:
  • What has FDA?
  • What apps are allowed to access which services
  • Any code-signing requirement data (csreq)
CMD: /bin/bash -c sqlite3 /Library/Application Support/com.apple.TCC/TCC.db '.dump access'
Some EDR/NGAV block this already, so Lazarus is likely to pivot…
If Lazarus is blocked, it's possible they could use SELECT instead of DUMP:
• sudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "SELECT client, allowed FROM access where service == 'kTCCServiceSystemPolicyAllFiles'" | grep '1'$
14. Threat Hunting for TCC.db Mischief
Experiment #1 with VT…
• Query: (type:dmg or type:macho) and behavior:".dump access" - No hits :(
• Query: behaviour_processes:"bash -c sqlite3" - Also no hits… :( :(
• Cast a wide net: behaviour_processes:"TCC.db" - JACKPOT - 29 hits, approximately 40% confirmed malware
17. Threat Hunting for TCC.db mischief
Experiment #1 with VT…
Takeaways from VT hunting
• macOS malware authors including Lazarus have been exploiting the TCC.db for a couple of years (Bundlore, Cloudmensis, XCSSET malware)
• Copying, dumping, writing to/inserting
• Lazarus likely decoupling malware from commands to perform TCC.db operations (HOK, signature evasion)
• Not many apps should be interacting with the TCC.db - detection opp!
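One way to act on that detection opportunity, as an added example that is not part of the talk: a Python hunt over process-execution events that flags any command line touching TCC.db and labels it with the operation the slides list (dump, SELECT including the FDA service query, copy, write). The event shape and all sample events are constructed assumptions, not real telemetry.

```python
"""Hunt process-execution events for interaction with the macOS TCC database.

Assumption (not from the talk): events are dicts with "process" and "cmdline"
keys, roughly what an EDR export provides. Sample events below are constructed.
"""
import re

# Matches the global and every per-user TCC.db path.
TCC_DB_RE = re.compile(r"com\.apple\.TCC/TCC\.db", re.IGNORECASE)

# What the command does with the database, listed from most to least severe.
ACTIONS = [
    ("write", re.compile(r"\b(insert|update|delete|replace)\b", re.IGNORECASE)),
    ("dump", re.compile(r"\.dump\b", re.IGNORECASE)),
    ("query_fda", re.compile(r"kTCCServiceSystemPolicyAllFiles")),
    ("query", re.compile(r"\bselect\b.+\bfrom\s+access\b", re.IGNORECASE)),
    ("copy", re.compile(r"(?:^|\s)(?:\S*/)?(?:cp|ditto|rsync)\s", re.IGNORECASE)),
]

def classify_tcc_cmd(cmdline: str) -> list:
    """Return the TCC.db actions a command line attempts; [] if it never names TCC.db."""
    if not TCC_DB_RE.search(cmdline):
        return []
    actions = [name for name, rx in ACTIONS if rx.search(cmdline)]
    # Any other touch of TCC.db (e.g. sqlite3 with no visible SQL) is still worth a look.
    return actions or ["access"]

def hunt(events) -> list:
    """Return (process, actions) for every event that interacts with TCC.db."""
    hits = []
    for ev in events:
        actions = classify_tcc_cmd(ev["cmdline"])
        if actions:
            hits.append((ev["process"], actions))
    return hits

# Constructed sample events: the two command lines from the talk, a copy, a
# write, and a benign sqlite3 call against an unrelated database.
SAMPLE_EVENTS = [
    {"process": "bash", "cmdline": "/bin/bash -c sqlite3 /Library/Application Support/com.apple.TCC/TCC.db '.dump access'"},
    {"process": "sudo", "cmdline": "sudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "
                                   "\"SELECT client, allowed FROM access where service == 'kTCCServiceSystemPolicyAllFiles'\""},
    {"process": "cp", "cmdline": "cp /Users/alice/Library/Application Support/com.apple.TCC/TCC.db /tmp/t.db"},
    {"process": "sqlite3", "cmdline": "sqlite3 '/Library/Application Support/com.apple.TCC/TCC.db' 'INSERT INTO access VALUES(...)'"},
    {"process": "sqlite3", "cmdline": "/usr/bin/sqlite3 /Users/alice/notes.db 'select * from notes'"},
]

if __name__ == "__main__":
    for proc, actions in hunt(SAMPLE_EVENTS):
        print(f"{proc}: {', '.join(actions)}")
```

Tune the allowlist side yourself (tccd and your MDM agent are the usual legitimate readers); the point is that the hit list on a fleet should be short.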
18. Adhoc Signing
Signing without actual certificates
• Intel and Apple silicon architectures handle code signing requirements differently
• M1 Macs are the first Apple computers restricted from running unsigned code
"New in macOS 11 on Apple Silicon Mac computers, and starting in next macOS Big Sur 11 beta, the operating system will enforce that any executable must be signed with a valid signature before it's allowed to run."
HOWEVER
"There isn't a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn't change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications."
Additionally…
"This new policy doesn't apply to translated x86 binaries running under Rosetta, nor does it apply to macOS 11 running on Intel platforms"
- Apple in WWDC 2020 https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc
https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/
19. Adhoc signing
Bypassing Gatekeeper
Lazarus has historically used unsigned or ad hoc signed binaries
• Observed ad hoc signing via command line directly on the target host:
CMD: codesign --force -s - [name of file or app]
• A hyphen for the identity makes it an ad hoc signature with no certificate.
Check the validity of an ad hoc signed executable with:
CMD: codesign -dv -r- UpdateAgent
20. Threat Hunting for adhoc signed files
Experiment #2 with VT
Some Mixed Takeaways:
• VT search does not delineate ad hoc signed and only classifies as not signed
• Lots of Mach-O files are unsigned
• Lots of crypto-related Mach-O files are unsigned
• Yara rule is probably a better bet here
21. Previously observed adhoc signed samples
Operation In(ter)ception: These binaries are universal Mach-Os and can run on Intel or M1 Apple silicon machines. They are signed with an ad hoc signature, meaning that they will bypass Apple's Gatekeeper without a recognized developer identity.
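Since VT lumps ad hoc signed files in with unsigned ones (slide 20), a local triage pass over the `codesign -dv -r-` output from slide 19 separates the three cases, and also picks out the universal-Mach-O-plus-ad-hoc profile of the Operation In(ter)ception samples. This is an added Python example, not code from the talk; the three codesign outputs are constructed to mirror codesign's field names and are not real samples.

```python
"""Triage `codesign -dv -r- <file>` output (codesign prints it on stderr) into
unsigned, ad hoc or certificate-signed, so ad hoc binaries are not lumped in with unsigned ones."""
import re

def parse_codesign(output: str) -> dict:
    info = {"signed": True, "flags": "", "signature": "", "authorities": [], "universal": False}
    for line in output.splitlines():
        line = line.strip()
        if "not signed at all" in line:          # codesign's wording for a missing signature
            info["signed"] = False
        elif line.startswith("Authority="):      # certificate chain, leaf first
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("Format="):
            info["universal"] = "universal" in line
        elif line.startswith("CodeDirectory"):   # flags read "...(adhoc)" for ad hoc signatures
            m = re.search(r"flags=(\S+)", line)
            info["flags"] = m.group(1) if m else ""
        elif line.startswith("Signature="):      # "Signature=adhoc"; certificate signatures print "Signature size="
            info["signature"] = line.split("=", 1)[1]
    return info

def signature_kind(output: str) -> str:
    """Return 'unsigned', 'adhoc', 'developer-id' or 'other-identity'."""
    info = parse_codesign(output)
    if not info["signed"]:
        return "unsigned"
    if info["signature"] == "adhoc" or "adhoc" in info["flags"]:
        return "adhoc"
    if any(a.startswith("Developer ID Application") for a in info["authorities"]):
        return "developer-id"
    return "other-identity"

def universal_adhoc(output: str) -> bool:
    """The Operation In(ter)ception profile: universal Mach-O carrying only an ad hoc signature."""
    return signature_kind(output) == "adhoc" and parse_codesign(output)["universal"]

# Constructed sample outputs (not real codesign runs) for the three cases.
ADHOC = """Executable=/tmp/UpdateAgent
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=400 flags=0x2(adhoc) hashes=9+2 location=embedded
Signature=adhoc
"""
DEVID = """Executable=/Applications/Example.app/Contents/MacOS/Example
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1200 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (TEAMID0000)
"""
UNSIGNED = "/tmp/tool: code object is not signed at all\n"
```

Feed it `subprocess.run(["codesign", "-dv", "-r-", path], capture_output=True, text=True).stderr` on a Mac to triage a directory of Mach-O files.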
22. Recent adhoc Signed Malware: RustBucket
Multiple variants in 2023 - indicates continuous innovation
• Malware written in Rust isn't very common
• In May 2023, a second RustBucket variant was observed targeting macOS users.
• In June 2023, a third variant included new persistence capabilities.
23. Mitre Mapping - Lazarus Group x macOS
A synopsis of the TTPs covered today (in green)
• Note 1: TCC dumping and writing are not currently released (future ATT&CK version)!
• Note 2: Adhoc signing may arguably be a separate technique - new submission pending!
24. Predictions for Lazarus
They're not going anywhere…
• Lazarus will continue to evade analysis
  • Chunking malware into multiple stages
  • Leverage command line to evade file-based signatures
• RUSTBUCKET malware will continue to evolve
• Social engineering via LinkedIn will increase with likely recession in 2024
• Lazarus will continue their crypto and crypto-adjacent industry targeting (gaming)
• Exploitation of commercial macOS admin tools will continue
• Bypassing or disabling macOS security features will continue
  • Pay attention to WWDC 23, 24, 25, etc.
• Lazarus will pivot if blocked from TCC.db dumping
25. Recommendations for Blue Teamers
Keep Calm and Enable Default macOS protections
• Gatekeeper and SIP should be on by default for macOS.
• Monitor for disabling of Gatekeeper and SIP, and implement automated re-enabling of these protections.
  • Security practitioners can automate via spctl and csrutil to re-enable Gatekeeper and SIP, respectively.
• Pay special attention if you are in the crypto/crypto-adjacent industry
• Audit for shadow IT, especially unsanctioned macOS RMM tools
• Baseline your environment
• Deploy EDR everywhere
• Least privilege always applies: Be judicious in what you grant permissions to.
26. Special Thank You to:
Couldn't have done it without…
• The macOS cyber community <3
• Mitre for having me :)