Marina Liang, Threat Researcher
Exploring the Labyrinth
Deep dive into the Lazarus Group’s foray into macOS
1
Agenda
Follow me down the labyrinth…
• Whoami
• Overview of Lazarus Group
• Foray into macOS
• New(ish) macOS techniques:
• TCC db
• Ad hoc signing
• Lazarus Group Mitre Heat Map
• Recommendations for Defenders
• Predictions
• Q&A
2
whoami
Marina Liang
• Independent Security Researcher - open to connecting ;)
• 7 years in InfoSec with a focus on Windows + macOS
• EDR vendors: Carbon Black, Crowdstrike
• Background: Threat research, MDR, threat hunting, SecOps,
EDR, purple teaming, IR, detection engineering
• Active with Mitre ATT&CK community:
• Windows Phantom DLL Hijacking - NEW
• macOS TCC.db dumping (2) - NEW
• Hobbies: Dance, yoga, art, travel, eating
• LinkedIn: https://www.linkedin.com/in/marinaliang
3
Overview of Lazarus Group
Aka Labyrinth Chollima, HIDDEN COBRA, etc.
• https://attack.mitre.org/groups/G0032/
• Origin: DPRK (Democratic People’s Republic of Korea)
• Active since at least 2009
• Breaches: Sony, WannaCry, 3CX, JumpCloud
• Targeted OS: Cross-platform - Windows, macOS, Linux, and…Cloud!
• Motivation: Cyber espionage + currency generation
• Targeted Verticals: Various, aerospace & defense, recent emphasis on FinTech (crypto)
• Estimates of $2B in crypto-currency stolen
• Targeted Geography: Various, South Korea, Europe, US
4
LAZARUS GROUP: FORAY into macOS
5
Evolution of Social Engineering Tactics
Lazarus Group Demonstrates Targeted Social Engineering
https://www.malwarebytes.com/blog/news/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
2019 - COVID Pandemic begins
• 2020 - Targeted AstraZeneca
• possibly to gain insights into COVID-19 for DPRK
• Extortion or selling info for profit
2019-2020 - Operation Dream Job
• Targeted aerospace and defense, primarily in Eastern Europe
• Cyber espionage
2020-2021 - Targeting cyber security researchers
• Fake security company
• Posed as security recruiters/researchers
2021-2022 - Operation In(ter)ception
• Decoy PDF lures for job vacancies at Coinbase and crypto.com
• Cyber espionage + currency generation
2023: Continued job lures
• Recession themed?
• Fake recruiter advertising jobs for a real or fake company
• Sends them “interview questions” or “job description” to prep
Social engineering themes change with existing geopolitical and socioeconomic times
Platforms: LinkedIn, Twitter, WhatsApp, Slack, Telegram, Discord, Keybase and email.
6
Lazarus Tools
If it ain’t broke, don’t fix it
Notable Tool and Strategy Reuse:
• Cryptocurrency trading program and fake crypto company + website hosting malware
• AppleJeus (numerous iterations) - fake installer and macOS malware for cryptocurrency exchange
• Persistence: Postinstall script installs malware as a launch daemon, extracting a hidden plist from the application’s /Resources directory.
• Requires a single command-line argument in order to execute - likely to bypass EDR
• Signed but not with an Apple developer ID
https://objective-see.org/blog/blog_0x49.html
7
Lazarus Tools: MATA & Masquerading
Custom cross-platform remote access tool
MATANet or MATA Framework or DACLS was a custom tool
developed by Lazarus Group back around 2018. Though initially
developed for other OS’s, Lazarus has since pivoted to macOS.
• Various geographic targets: US, Poland, Germany, Turkey, Korea,
Japan and India, and counting
Masquerading
MATA Framework implants and variants pose as common apps:
• Adobe, Google Chrome, Oracle, fonts, Zoom, developer packages
(fiddler, ruby gems), PyPi packages, etc.
• macOS and Linux variants leverage plugins
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
8
Evolution of MATA: macOS
Custom cross-platform remote access tool
https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
April 2018: MATA first seen in the wild
- Windows and Linux
- reported by 360 Netlab
2020: First observed macOS variant on VT
- Trojanized 2FA app based on an open-source 2FA app, MinaOTP
• Impersonating developer files “Contents/Resources/Base.lproj/”
• Fake SubMenu.nib (Mac executable file)
2020-2022: VMware Threat Analysis Unit (TAU) scans the internet for MATA C2 servers, resulting in 121 active servers uncovered, with numbers declining.
2023: Developer package masquerading:
• Fake install.rb in /Library/Ruby/Gems/2.6.0/extensions/
• Fake Bundler Ruby gem bundler.rb in /Library/Ruby/Gems/2.6.0/extensions/
• Legitimate .rb files do not reside in /extensions/
Note: There are not a ton of MATA macOS samples out there, so happy to collaborate to augment this timeline.
9
macOS RMM tools
*macOS admins collectively cringe*
JumpCloud supply chain attack 2023
- Targeted customers in the cryptocurrency industry
- Lazarus Group uses JumpCloud to deploy ruby scripts and drop Mach-O executables and malware onto victim hosts
- Access to existing infrastructure…
Why use JumpCloud?
- Permissions: Admin tools like Jamf and JumpCloud run with the required privileges to execute scripts and enumerate sensitive files
- Easy to blend in
- Noisy - difficult to tune out “what is normal”
⁃ https://www.mandiant.com/resources/blog/north-korea-supply-chain
⁃ https://jumpcloud.com/blog/security-update-june-20-incident-details-and-remediation
10
LAZARUS GROUP: RECENT TTPs
11
Primer on TCC.db
Transparency, Consent, Control (TCC)
TCC framework: Security and privacy controls to prevent applications from being
able to access sensitive data without user permission
• Permissions include: full disk, camera, contacts and microphone access
• If an application tries to access files protected by TCC without authorization, the operation is denied.
Location:
• global: /Library/Application Support/com.apple.TCC/TCC.db
• user: $HOME/Library/Application Support/com.apple.TCC/TCC.db
• If you are an admin and grant yourself FDA, you grant all users (even non-admins) the ability to read all other users’ data on the disk, including your own.
• As reported in CVE-2020-9771: A disk can be mounted and read by non-admin users
• If an actor copies malware over to an app bundle that already has TCC permissions with the right access, that app will execute
12
https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
TCC.db - what could go wrong?
Lazarus Group dumps the TCC.db
If an actor gains write access to the TCC.db, they could grant themselves TCC entitlements without alerting the user.
System Integrity Protection (SIP) is supposed to mitigate this, BUT Terminal could already have FDA enabled.
Lazarus dumps the Transparency, Consent and Control (TCC) database.
• The output of this dump would present a gold mine of possible applications to exploit:
• What has FDA?
• What apps are allowed to access which services
• Any code-signing requirement data (csreq)
CMD: /bin/bash -c sqlite3 /Library/Application Support/com.apple.TCC/TCC.db '.dump access'
Some EDR/NGAV block this already, so Lazarus is likely to pivot…
If Lazarus is blocked, it’s possible they could use SELECT instead of DUMP:
• sudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "SELECT client, allowed FROM access where service == 'kTCCServiceSystemPolicyAllFiles'" | grep '1'$
13
Threat Hunting for TCC.db Mischief
Experiment #1 with VT…
• Query: (type:dmg or type:macho) and behavior:".dump access" - No hits :(
• Query: behaviour_processes:"bash -c sqlite3" - Also no hits… :( :(
• Cast a wide net: behaviour_processes:"TCC.db" - JACKPOT - 29 hits, approximately 40% confirmed malware
Threat Hunting for TCC.db Mischief: Lazarus CloudMensis Campaign
Threat Hunting for TCC.db Mischief: Bundlore copies the TCC.db too!
Threat Hunting for TCC.db Mischief: Experiment #1 with VT…
Takeaways from VT hunting
• macOS malware authors including Lazarus have been exploiting the TCC.db
for a couple of years (Bundlore, Cloudmensis, XCSSET malware)
• Copying, dumping, writing to/inserting
• Lazarus likely decoupling malware from commands to perform TCC.db
operations (HOK, signature evasion)
• Not many apps should be interacting with the TCC.db - detection opp!
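The detection opportunity from the takeaways above, together with the dump-to-SELECT pivot and the TCC.db copying from the earlier slides, as an added example that is not from the talk: a small hunt over EDR-style process events that tags every command line naming TCC.db by what it does to the database. It assumes events carry a process name and a full command line; the sample events are constructed to mirror the commands shown in the slides.

```python
"""Hunt EDR process events for command lines that touch the TCC database (constructed example).
Tags the four behaviours seen in the slides: dump, SELECT query, write/insert, and file copy."""
import re

TCC_DB_RE = re.compile(r"com\.apple\.TCC/TCC\.db", re.IGNORECASE)   # matches the global and per-user paths
WRITE_RE = re.compile(r"\b(insert|update|delete|replace)\b", re.IGNORECASE)
SELECT_RE = re.compile(r"\bselect\b", re.IGNORECASE)
COPY_TOOLS = {"cp", "ditto", "cat", "dd", "rsync", "tar"}
EXPECTED_PROCESSES = {"tccd"}      # the daemon that legitimately owns TCC.db; everything else is worth a look


def _basenames(cmdline):
    """Basenames of every whitespace/quote-delimited token, so 'bash -c sqlite3 ...' still yields 'sqlite3'."""
    return {tok.rsplit("/", 1)[-1] for tok in re.split(r"[\s\"']+", cmdline) if tok}


def classify_cmdline(cmdline):
    """Return a tag describing how the command line interacts with TCC.db, or None if it does not name it."""
    if not TCC_DB_RE.search(cmdline):
        return None
    tools = _basenames(cmdline)
    if "sqlite3" in tools:
        if ".dump" in tools:
            return "tcc_dump"
        if WRITE_RE.search(cmdline):
            return "tcc_write"
        if SELECT_RE.search(cmdline):
            return "tcc_query"
    if tools & COPY_TOOLS:
        return "tcc_copy"
    return "tcc_access"


def hunt(events):
    """events: dicts with 'process' and 'cmdline'. Returns (process, tag) for every suspicious event."""
    hits = []
    for ev in events:
        if ev["process"] in EXPECTED_PROCESSES:
            continue
        tag = classify_cmdline(ev["cmdline"])
        if tag:
            hits.append((ev["process"], tag))
    return hits


# Constructed sample telemetry modelled on the commands in the slides; not real captured data.
SAMPLE_EVENTS = [
    {"process": "bash",
     "cmdline": "/bin/bash -c sqlite3 /Library/Application Support/com.apple.TCC/TCC.db '.dump access'"},
    {"process": "sqlite3",
     "cmdline": "sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "
                "\"SELECT client, allowed FROM access where service == 'kTCCServiceSystemPolicyAllFiles'\""},
    {"process": "cp",
     "cmdline": "cp /Users/alice/Library/Application Support/com.apple.TCC/TCC.db /tmp/.t.db"},
    {"process": "sqlite3",
     "cmdline": "sqlite3 /Users/alice/Library/Application Support/com.apple.TCC/TCC.db "
                "\"INSERT INTO access VALUES (...)\""},
    {"process": "tccd", "cmdline": "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd system"},
    {"process": "ls", "cmdline": "ls -la /Users/alice/Library/Application Support"},
]

if __name__ == "__main__":
    for process, tag in hunt(SAMPLE_EVENTS):
        print(f"{tag:<11} {process}")
```

The tag is a starting point for triage rather than a verdict: a backup agent copying the per-user database will also land in `tcc_copy`, so tune `EXPECTED_PROCESSES` to your fleet's baseline.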
Adhoc Signing
Signing without actual certificates
⁃ Intel and Apple silicon architectures handle code signing requirements differently
⁃ M1 Macs are the first Apple computers restricted from running unsigned code
“New in macOS 11 on Apple Silicon Mac computers, and starting in next macOS
Big Sur 11 beta, the operating system will enforce that any executable must be
signed with a valid signature before it’s allowed to run.”
HOWEVER
“There isn’t a specific identity requirement for this signature: a simple ad-hoc
signature issued locally is sufficient, which includes signatures which are now
generated automatically by the linker. This new behavior doesn’t change the long-
established policy that our users and developers can run arbitrary code on their
Macs, and is designed to simplify the execution policies on Apple silicon Mac
computers and enable the system to better detect code modifications.”
Additionally…
“This new policy doesn’t apply to translated x86 binaries running under Rosetta,
nor does it apply to macOS 11 running on Intel platforms”
- Apple in WWDC 2020 https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc
https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/
18
Adhoc signing
Bypassing Gatekeeper
Lazarus has historically used unsigned or ad hoc signed binaries
• Observed ad hoc signing via command line directly on the target host:
CMD: codesign --force -s - [name of file or app]
• A hyphen for the identity makes it an ad hoc signature with no certificate.
Check the validity of an ad hoc signed executable with:
CMD: codesign -dv -r- UpdateAgent
19
Threat Hunting for adhoc signed files
Experiment #2 with VT
Some Mixed Takeaways:
• VT search does not delineate ad hoc signed and only classifies as not signed
• Lots of Mach-O files are unsigned
• Lots of crypto-related Mach-O files are unsigned
• YARA rule is probably a better bet here
Previously observed adhoc signed samples
Operation In(ter)ception: These binaries are universal Mach-Os and can run on Intel or M1 Apple silicon machines. They are
signed with an adhoc signature, meaning that they will bypass Apple’s Gatekeeper without a recognized developer identity.
21
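Since VT lumps ad hoc signed files in with unsigned ones, here is an added example (not from the talk or any vendor) of the static check a YARA-style hunt would make: it walks a Mach-O's load commands to the embedded code-signature SuperBlob and reports whether the slice is unsigned, ad hoc signed (the kSecCodeSignatureAdhoc flag 0x2 set in the CodeDirectory, no CMS certificate blob), or carrying a real CMS signature, handling universal binaries like the Operation In(ter)ception samples above. The test fixtures are constructed minimal Mach-O files, not real executables; the offsets and magic values are the public Mach-O and code-signing constants.

```python
"""Static check: is a Mach-O unsigned, ad hoc signed, or carrying a real CMS signature?
Constructed example for hunting; it reads only the load commands and the code-signature SuperBlob."""
import struct

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE     # little-endian thin Mach-O headers
FAT_MAGIC = 0xCAFEBABE                              # universal binary wrapper (big-endian)
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01
CSSLOT_CODEDIRECTORY, CSSLOT_SIGNATURESLOT = 0, 0x10000
CS_ADHOC = 0x2          # kSecCodeSignatureAdhoc: set in CodeDirectory flags by "codesign -s -" and the linker
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C


def _code_signature_range(data, base):
    """Walk the load commands of the thin slice at `base`; return (offset, size) of the LC_CODE_SIGNATURE data."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        ncmds, off = struct.unpack_from("<I", data, base + 16)[0], base + 32
    elif magic == MH_MAGIC:
        ncmds, off = struct.unpack_from("<I", data, base + 16)[0], base + 28
    else:
        raise ValueError("not a little-endian Mach-O slice")
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return base + dataoff, datasize
        off += cmdsize
    return None


def classify_slice(data, base=0):
    """Return 'unsigned', 'adhoc' or 'cms-signed' for one thin Mach-O."""
    rng = _code_signature_range(data, base)
    if rng is None:
        return "unsigned"
    start, _ = rng
    magic, _, count = struct.unpack_from(">III", data, start)       # SuperBlob header is big-endian
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return "unsigned"
    cd_flags, cms_len = None, 0
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, start + 12 + 8 * i)
        blob = start + offset
        if slot == CSSLOT_CODEDIRECTORY:
            bmagic, _, _, flags = struct.unpack_from(">IIII", data, blob)   # magic, length, version, flags
            if bmagic == CSMAGIC_CODEDIRECTORY:
                cd_flags = flags
        elif slot == CSSLOT_SIGNATURESLOT:
            cms_len = struct.unpack_from(">I", data, blob + 4)[0]         # wrapper length; 8 == empty
    if cd_flags is None:
        return "unsigned"
    # Ad hoc signatures have a CodeDirectory but no CMS blob with certificates (an empty 8-byte wrapper at most).
    if cd_flags & CS_ADHOC or cms_len <= 8:
        return "adhoc"
    return "cms-signed"


def classify(data):
    """Handle thin and universal (fat) files; returns a list of (cputype, verdict) per slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        out = []
        for i in range(nfat):
            cputype, _, offset, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            out.append((cputype, classify_slice(data, offset)))
        return out
    return [(None, classify_slice(data, 0))]


# --- constructed fixtures: minimal Mach-O files, not real executables ---
def build_sample(cd_flags=CS_ADHOC, cms_len=8, signed=True):
    """Build a 64-bit Mach-O whose only load command is LC_CODE_SIGNATURE (or none when signed=False)."""
    if not signed:
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)
    cd = struct.pack(">IIII", CSMAGIC_CODEDIRECTORY, 20, 0x20400, cd_flags) + b"\0" * 4
    cms = struct.pack(">II", CSMAGIC_BLOBWRAPPER, cms_len) + b"\0" * (cms_len - 8)
    index = struct.pack(">IIII", CSSLOT_CODEDIRECTORY, 28, CSSLOT_SIGNATURESLOT, 28 + len(cd))
    sb_len = 12 + len(index) + len(cd) + len(cms)
    superblob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, sb_len, 2) + index + cd + cms
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, 16, 0, 0)   # ncmds=1, sizeofcmds=16
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 16, sb_len)             # data follows the load command
    return header + lc + superblob


def build_fat(slices):
    """Wrap (cputype, thin_bytes) pairs in a universal header (page alignment omitted; the parser does not need it)."""
    nfat = len(slices)
    header, body, offset = struct.pack(">II", FAT_MAGIC, nfat), b"", 8 + 20 * nfat
    for cputype, blob in slices:
        header += struct.pack(">IIIII", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return header + body


if __name__ == "__main__":
    universal = build_fat([(CPU_TYPE_X86_64, build_sample(cd_flags=0, cms_len=300)),
                           (CPU_TYPE_ARM64, build_sample())])
    for cputype, verdict in classify(universal):
        print(hex(cputype), verdict)
```

On a real host `codesign -dv` reports the same distinction as `Signature=adhoc` versus `Authority=` lines; this check is for triaging files at scale where codesign is not available.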
Recent adhoc Signed Malware: Rustbucket
Multiple variants in 2023 - indicates continuous innovation
• Malware written in Rust isn’t very common
• In May 2023, a second RustBucket variant was observed targeting macOS users.
• In June 2023, a third variant included new persistence capabilities.
22
Mitre Mapping - Lazarus Group x macOS
A synopsis of the TTPs covered today (in green)
• Note1: TCC dumping and writing are not currently released (future ATT&CK version)!
• Note2: Adhoc signing may arguably be a separate technique - new submission pending!
23
Predictions for Lazarus
They’re not going anywhere…
• Lazarus will continue to evade analysis
• Chunking malware into multiple stages
• Leverage command line to evade file-based signatures
• RUSTBUCKET malware will continue to evolve
• Social engineering via LinkedIn will increase with likely recession in 2024
• Lazarus will continue their crypto and crypto-adjacent industry targeting (gaming)
• Exploitation of commercial macOS admin tools will continue
• Bypassing or disabling macOS security features will continue
• Pay attention to WWDC 23, 24, 25, etc.
• Lazarus will pivot if blocked from TCC.db dumping
24
Recommendations for Blue Teamers
Keep Calm and Enable Default macOS protections
• Gatekeeper and SIP should be on by default for macOS.
• Monitor for disabling of Gatekeeper and SIP, and implement automated re-enabling
of these protections.
• Security practitioners can automate via spctl and csrutil to re-enable
Gatekeeper and SIP, respectively.
• Pay special attention if you are in the crypto/crypto adjacent industry
• Audit for shadow IT, especially unsanctioned macOS RMM tools
• Baseline your environment
• Deploy EDR everywhere
• Least privilege always applies: Be judicious in what you grant permissions to.
25
Special Thank You to:
Couldn’t have done it without….
• The macOS cyber community <3
• Mitre for having me :)
26

More Related Content

PDF
.LNK Tears of the Kingdom
PDF
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
PDF
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
PDF
Cloud Native Workload ATT&CK Matrix
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
PDF
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
PDF
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
PDF
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
.LNK Tears of the Kingdom
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Cloud Native Workload ATT&CK Matrix
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...

What's hot (20)

PDF
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
PDF
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
PDF
MITRE ATT&CK Updates: ICS
PDF
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
PDF
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
PDF
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
PDF
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
PDF
ATT&CKing the Red/Blue Divide
PDF
ATT&CK Updates- ATT&CK for mac/Linux
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
PDF
CISA usage of ATT&CK in Cybersecurity Advisories
PDF
Introduction to red team operations
PDF
Knowledge for the masses: Storytelling with ATT&CK
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
PDF
MITRE ATT&CK Framework
PDF
ATT&CK Updates- Campaigns
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
PDF
ATT&CKcon Intro
PDF
PHDays 2018 Threat Hunting Hands-On Lab
PDF
Threat Modelling - It's not just for developers
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
MITRE ATT&CK Updates: ICS
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
ATT&CKing the Red/Blue Divide
ATT&CK Updates- ATT&CK for mac/Linux
Putting MITRE ATT&CK into Action with What You Have, Where You Are
CISA usage of ATT&CK in Cybersecurity Advisories
Introduction to red team operations
Knowledge for the masses: Storytelling with ATT&CK
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK Framework
ATT&CK Updates- Campaigns
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
ATT&CKcon Intro
PHDays 2018 Threat Hunting Hands-On Lab
Threat Modelling - It's not just for developers
Ad

Similar to Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS (20)

PDF
0-Day Up Your Sleeve - Attacking macOS Environments
PDF
Security on the Mac
PDF
OS X Malware: Let's Play Doctor
PDF
OSX Pirrit : Why you should care about malicious mac adware
PDF
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
PDF
macOS Vulnerabilities Hiding in Plain Sight
PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
PDF
RSA OSX Malware
PPTX
OSX/Pirrit: The blue balls of OS X adware
PDF
Steve brueckner-atc-ny
PDF
What happens on your Mac, stays on Apple’s iCloud?!
PDF
20+ ways to bypass your mac os privacy mechanisms
PDF
Hacking Exposed: The Mac Attack
PDF
Hacking Exposed: The Mac Attack
PDF
Exploiting Directory Permissions on macOS
PDF
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
PPT
Safe Computing At Home And Work
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
PDF
I can be apple and so can you
PDF
CSI - Poor Mans Guide To Espionage Gear
0-Day Up Your Sleeve - Attacking macOS Environments
Security on the Mac
OS X Malware: Let's Play Doctor
OSX Pirrit : Why you should care about malicious mac adware
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
macOS Vulnerabilities Hiding in Plain Sight
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
RSA OSX Malware
OSX/Pirrit: The blue balls of OS X adware
Steve brueckner-atc-ny
What happens on your Mac, stays on Apple’s iCloud?!
20+ ways to bypass your mac os privacy mechanisms
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
Exploiting Directory Permissions on macOS
MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
Safe Computing At Home And Work
20+ Ways to Bypass Your macOS Privacy Mechanisms
I can be apple and so can you
CSI - Poor Mans Guide To Espionage Gear
Ad

More from MITRE ATT&CK (20)

PDF
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
PDF
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
PDF
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
PDF
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
PDF
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
PDF
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
PDF
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
PDF
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
PDF
Every Cloud Has a Purple Lining - Arun Seelagan
PDF
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
PDF
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
PDF
ATT&CKcon 5.0 Lightning Talks - Various Speakers
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
PDF
MITRE ATT&CK Updates: Enterprise - Casey Knerr
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
PDF
State of the ATT&CK 2024 - Adam Pennington
PDF
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
PDF
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
Every Cloud Has a Purple Lining - Arun Seelagan
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
ATT&CKcon 5.0 Lightning Talks - Various Speakers
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
MITRE ATT&CK Updates: Enterprise - Casey Knerr
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
MITRE ATT&CK Updates: Software - Jared Ondricek
State of the ATT&CK 2024 - Adam Pennington
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
Updates from The Center for Threat Informed Defense - Jon Baker
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...

Recently uploaded (20)

PPTX
Spectroscopy.pptx food analysis technology
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
cuic standard and advanced reporting.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Electronic commerce courselecture one. Pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
Big Data Technologies - Introduction.pptx
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Approach and Philosophy of On baking technology
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
MYSQL Presentation for SQL database connectivity
Spectroscopy.pptx food analysis technology
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
cuic standard and advanced reporting.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Dropbox Q2 2025 Financial Results & Investor Presentation
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Unlocking AI with Model Context Protocol (MCP)
Spectral efficient network and resource selection model in 5G networks
Electronic commerce courselecture one. Pdf
Digital-Transformation-Roadmap-for-Companies.pptx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Chapter 3 Spatial Domain Image Processing.pdf
Big Data Technologies - Introduction.pptx
Reach Out and Touch Someone: Haptics and Empathic Computing
Approach and Philosophy of On baking technology
Building Integrated photovoltaic BIPV_UPV.pdf
MYSQL Presentation for SQL database connectivity

Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS

  • 1. Marina Liang, Threat Researcher Exploring the Labyrinth Deep dive into the Lazarus Group’s foray into macOS 1
  • 2. Agenda Follow me down the labyrinth… • Whoami • Overview of Lazarus Group • Foray into macOS • New(ish) macOS techniques: • TCC db • Ad hoc signing • Lazarus Group Mitre Heat Map • Recommendations for Defenders • Predictions • Q&A 2
  • 3. whoami Marina Liang • Independent Security Researcher - open to connecting ;) • 7 years in InfoSec with a focus on Windows + macOS • EDR vendors: Carbon Black, Crowdstrike • Background: Threat research, MDR, threat hunting, SecOps, EDR, purple teaming, IR, detection engineering • Active with Mitre ATT&CK community: • Windows Phantom DLL Hijacking - NEW • macOS TCC.db dumping (2) - NEW • Hobbies: Dance, yoga, art, travel, eating • LinkedIn: https://www.linkedin.com/in/marinaliang 3
  • 4. Overview of Lazarus Group Aka Labyrinth Chollima, HIDDEN COBRA, etc. • https://attack.mitre.org/groups/G0032/ • Origin: DPRK (Democratic People’s Republic of Korea) • Active since at least 2009 • Breaches: Sony, WannaCry, 3CX, JumpCloud • Targeted OS: Cross-platform - Windows, macOS, Linux, and…Cloud! • Motivation: Cyber espionage + currency generation • Targeted Verticals: Various, aerospace & defense, recent emphasis on FinTech (crypto) • Estimates of $2B in crypto-currency stolen • Targeted Geography: Various, South Korea, Europe, US 4
  • 5. LAZARUS GROUP: FORAY into macOS 5
  • 6. Evolution of Social Engineering Tactics Lazarus Group Demonstrates Targeted Social Engineering https://www.malwarebytes.com/blog/news/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/ 2019 - COVID Pandemic begin s • 2020- Targeted AstraZenec a • possibly to gain insights into COVID-19 for DPR K • Extortion or selling info for profit 2020-2021 - Targeting cyber security researcher s • Fake security compan y • Posed as security recruiters/ researchers 2021-2022 - Operation In(ter)ception • Decoy PDF lures for job vacancies at Coinbase and crypto.com • Cyber espionage + currency generation 2023: Continued job lure s • Recession themed? • Fake recruiter advertising jobs for a real or fake compan y • Sends them “interview questions” or “job description” to prep Social engineering themes change with existing geopolitical and socioeconomic time s Platforms: LinkedIn, Twitter, WhatsApp, Slack, Telegram, Discord, Keybase and email. 6 2019-2020 - Operation Dream Jo b • Targeted aerospace and defense, primarily in Eastern Europe • Cyber espionage
  • 7. Lazarus Tools If it ain’t broke, don’t fix it Notable Tool and Strategy Reuse : • Cryptocurrency trading program and fake crypto company + website hosting malwar e • AppleJeus (numerous iterations) - fake installer and macOS malware for cryptocurrency exchange • Persistence: Postinstall script installs malware as a launch daemon, extracting a hidden plist from the application’s /Resources directory. • Requires a single command-line argument in order to execute - likely to bypass ED R • Signed but not with a Apple developer ID https://objective-see.org/blog/blog_0x49.html 7
  • 8. Lazarus Tools: MATA & Masquerading Custom cross-platform remote access tool MATANet or MATA Framework or DACLS was a custom tool developed by Lazarus Group back around 2018. Though initially developed for other OS’s, Lazarus has since pivoted to macOS. • Various geographic targets: US, Poland, Germany, Turkey, Korea, Japan and India, and counting Masquerading MATA Framework implants and variants pose as common apps: • Adobe, Google Chrome, Oracle, fonts, Zoom, developer packages (fiddler, ruby gems), PyPi packages, etc. • macOS and Linux variants leverage plugins https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 8
  • 9. Evolution of MATA: macOS Custom cross-platform remote access tool https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ April 2018: MATA first seen in the wild - Windows and Linux - reported by 360 Netlab 2020-2022: VMware Threat Analysis Unit (TAU) scans the internet for MATA C2 servers, resulting in 121 active servers uncovered, with numbers declining. 2023: Developer package Masquerading: • Fake install.rb in /Library/Ruby/ Gems/ 2.6.0/extensions/ • Fake Bundler Ruby gem bundler.rb in / Library/Ruby/Gems/2.6.0/extensions/ • .rb files do not reside in / extensions/ 9 2020:First observed macOS variant on VT - Trojanized 2FA APP based on an open- source 2FA app, MinaOTP • Impersonating developer files “Contents/ Resources/Base.lproj/” • Fake SubMenu.nib (Mac executable file) Note: There are not a ton of MATA macOS samples out there, so happy to collaborate to augment this timeline.
  • 10. macOS RMM tools *macOS admins collectively cringe* JumpCloud supply chain attack 2023 - Targeted customers in the cryptocurrency industry - Lazarus Group uses JumpCloud to deploy ruby scripts and drop Mach-O executables and malware onto victim hosts - Access to existing infrastructure… Why use JumpCloud? - Permissions: Admin tools like Jamf and JumpCloud run with the required privileges to execute scripts and enumerate sensitive files - Easy to blend in - Noisy - difficult to tune out “what is normal” ⁃ https://www.mandiant.com/resources/blog/north-korea-supply-chain ⁃ https://jumpcloud.com/blog/security-update-june-20-incident-details-and-remediation 10
  • 12. Primer on TCC.db Transparency, Consent, Control (TCC) TCC framework: Security and privacy controls to prevent applications from being able to access sensitive data without user permission • Permissions include: full disk, camera, contacts and microphone acces s • If an application tries to access files protected by TCC without authorization, the operation is denied. Location: •global: (/Library/Application Support/com.apple.TCC/TCC.db) •user: ($HOME/Library/Application Support/com.apple.TCC/ TCC.db) •If you are an admin, if you grant yourself FDA, you grant all users (even non- admins) the ability to read all other users’ data on the disk, including your own . • As reported in CVE-2020-9771: A disk can be mounted and read by non- admin user s • If an actor copies malware over to the app bundle that already has TCC permissions with the right access, that app will execute 12 https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
  • 13. TCC.db - what could go wrong? Lazarus Group dumps the TCC.db If an actor gains write access to the TCC.db, they could grant themselves TCC entitlements without alerting the user. System Integrity Protection (SIP) is supposed to mitigate this, BUT terminal could already have FDA enabled . Lazarus dumps the Transparency, Consent and Control (TCC) database . • The output of this dump would present a gold mine of possible applications to exploit: • What has FDA ? • What apps are allowed to access which service s • Any code-signing requirement data (csreq ) CMD: /bin/bash -c sqlite3 /Library/Application Support/com.apple.TCC/TCC.db '.dump access’ Some EDR/NGAV block this already, so Lazarus is likely to pivot … If Lazarus is blocked, it’s possible they could use SELECT instead of DUMP : •sudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db “SELECT client, allowed FROM access where service == ‘kTCCServiceSystemPolicyAllFiles’” | grep ‘1’$ 13
  • 14. Threat Hunting for TCC.db Mischief Experiment #1 with VT… • Query:(type:dmg or type:macho) and behavior:".dump access” - No hits :( • Query: behaviour_processes:”bash -c sqlite3” - Also no hits… :( :( • Cast a wide net: behaviour_processes:”TCC.db" - JACKPOT - 29 hits, approximately 40% confirmed malware
  • 15. Lazarus CloudMensis Campaign Threat Hunting for TCC.db Mischief
  • 16. Threat Hunting for TCC.db Mischief Bundlore copies the TCC.db too!
  • 17. Threat Hunting for TCC.db mischief Experiment #1 with VT… Takeaways from VT hunting • macOS malware authors including Lazarus have been exploiting the TCC.db for a couple of years (Bundlore, Cloudmensis, XCSSET malware) • Copying, dumping, writing to/inserting • Lazarus likely decoupling malware from commands to perform TCC.db operations (HOK, signature evasion) • Not many apps should be interacting with the TCC.db - detection opp!
• 18. Ad hoc Signing
Signing without actual certificates
⁃ Intel and Apple silicon architectures handle code signing requirements differently
⁃ M1 Macs are the first Apple computers restricted from running unsigned code
"New in macOS 11 on Apple Silicon Mac computers, and starting in next macOS Big Sur 11 beta, the operating system will enforce that any executable must be signed with a valid signature before it's allowed to run."
HOWEVER
"There isn't a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn't change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications."
Additionally...
"This new policy doesn't apply to translated x86 binaries running under Rosetta, nor does it apply to macOS 11 running on Intel platforms" - Apple at WWDC 2020
https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc
https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/
• 19. Ad hoc signing
Bypassing Gatekeeper
Lazarus has historically used unsigned or ad hoc signed binaries
• Observed ad hoc signing via command line directly on the target host:
CMD: codesign --force -s - [name of file or app]
• A hyphen for the identity makes it an ad hoc signature with no certificate.
Check an ad hoc signed executable (display its signature details and requirements) with:
CMD: codesign -dv -r- UpdateAgent
• 20. Threat Hunting for ad hoc signed files
Experiment #2 with VT
Some mixed takeaways:
• VT search does not delineate ad hoc signed files; it only classifies them as not signed
• Lots of Mach-O files are unsigned
• Lots of crypto-related Mach-O files are unsigned
• A YARA rule is probably a better bet here
• 21. Previously observed ad hoc signed samples
Operation In(ter)ception: These binaries are universal Mach-Os and can run on Intel or M1 Apple silicon machines. They are signed with an ad hoc signature, meaning that they will bypass Apple's Gatekeeper without a recognized developer identity.
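VT does not separate ad hoc from unsigned, and codesign only runs on macOS. As an added example (not code from the talk, from Apple or from any project named on these slides), the following Python parser reads the same information that codesign -dv summarises as "Signature=adhoc": it walks a thin or universal Mach-O to its LC_CODE_SIGNATURE load command, finds the CodeDirectory inside the embedded SuperBlob, and checks the CS_ADHOC flag and whether a CMS blob backs the signature. The sample binaries are constructed inline (a header plus a signature blob; no code pages or page hashes), so the script runs anywhere; point inspect_macho at real file bytes to triage a sample set in bulk:

```python
"""Classify Mach-O code signatures as unsigned, ad hoc, or CMS-signed.

Added example, not from the talk. Structures follow Apple's mach-o/loader.h
and cs_blobs.h layouts; the sample images at the bottom are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01  # wraps the CMS signature, if any
CSSLOT_CODEDIRECTORY, CSSLOT_SIGNATURESLOT = 0, 0x10000
CS_ADHOC, CS_LINKER_SIGNED = 0x2, 0x20000  # CodeDirectory flag bits


@dataclass
class SignatureInfo:
    arch: str
    identifier: str
    flags: int
    has_cms: bool

    @property
    def verdict(self) -> str:
        # codesign reports "adhoc" when no CMS blob backs the CodeDirectory.
        if not self.has_cms or self.flags & CS_ADHOC:
            return "adhoc (linker-signed)" if self.flags & CS_LINKER_SIGNED else "adhoc"
        return "signed"


def _parse_superblob(data: bytes, start: int, arch: str) -> SignatureInfo:
    magic, _length, count = struct.unpack_from(">III", data, start)  # blobs are big-endian
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded signature SuperBlob")
    cd_off, has_cms = None, False
    for i in range(count):
        slot, off = struct.unpack_from(">II", data, start + 12 + 8 * i)
        blob_magic, blob_len = struct.unpack_from(">II", data, start + off)
        if slot == CSSLOT_CODEDIRECTORY and blob_magic == CSMAGIC_CODEDIRECTORY:
            cd_off = start + off
        elif slot == CSSLOT_SIGNATURESLOT:
            has_cms = blob_len > 8  # an empty BlobWrapper is just its 8-byte header
    if cd_off is None:
        raise ValueError("SuperBlob has no CodeDirectory")
    _m, _len, _ver, flags, _hash_off, ident_off = struct.unpack_from(">IIIIII", data, cd_off)
    ident_start = cd_off + ident_off
    identifier = data[ident_start:data.index(b"\x00", ident_start)].decode()
    return SignatureInfo(arch, identifier, flags, has_cms)


def parse_slice(data: bytes, base: int) -> Optional[SignatureInfo]:
    """Return signature info for one Mach-O image, or None if it is unsigned."""
    magic = struct.unpack_from("<I", data, base)[0]  # headers are little-endian
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        raise ValueError("not a Mach-O image at offset %d" % base)
    cputype, _sub, _ftype, ncmds = struct.unpack_from("<iIII", data, base + 4)
    arch = CPU_NAMES.get(cputype, hex(cputype))
    off = base + (32 if magic == MH_MAGIC_64 else 28)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:  # linkedit_data_command: dataoff is slice-relative
            dataoff, _datasize = struct.unpack_from("<II", data, off + 8)
            return _parse_superblob(data, base + dataoff, arch)
        off += cmdsize
    return None


def inspect_macho(data: bytes) -> List[Optional[SignatureInfo]]:
    """Inspect a thin or universal Mach-O; one entry per architecture slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        offsets = [struct.unpack_from(">iiIII", data, 8 + 20 * i)[2] for i in range(nfat)]
        return [parse_slice(data, o) for o in offsets]
    return [parse_slice(data, 0)]


def verdicts(data: bytes) -> List[str]:
    return ["unsigned" if i is None else f"{i.arch}: {i.verdict} ({i.identifier})"
            for i in inspect_macho(data)]


def build_sample_macho(cputype: int, identifier: Optional[str], flags: int = 0,
                       cms: Optional[bytes] = None) -> bytes:
    """Constructed sample: a 64-bit header plus (optionally) one signature blob."""
    if identifier is None:  # unsigned: header with no load commands at all
        return struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)
    ident = identifier.encode() + b"\x00"
    # CodeDirectory v0x20100 header is 48 bytes; page hashes are omitted here.
    cd = struct.pack(">IIIIIIIIIBBBBII", CSMAGIC_CODEDIRECTORY, 48 + len(ident), 0x20100,
                     flags, 48 + len(ident), 48, 0, 0, 48, 32, 2, 0, 12, 0, 0) + ident
    blobs = [(CSSLOT_CODEDIRECTORY, cd)]
    if cms is not None:  # placeholder bytes stand in for a real CMS signature
        blobs.append((CSSLOT_SIGNATURESLOT, struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8 + len(cms)) + cms))
    index, payload, off = b"", b"", 12 + 8 * len(blobs)
    for slot, blob in blobs:
        index += struct.pack(">II", slot, off)
        payload, off = payload + blob, off + len(blob)
    sig = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, off, len(blobs)) + index + payload
    header = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, 16, 0, 0)
    return header + struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, len(sig)) + sig


def build_fat(slices: List[bytes]) -> bytes:
    """Wrap thin images in a universal (fat) container (constructed sample)."""
    off, archs, body = 8 + 20 * len(slices), b"", b""
    for image in slices:
        cputype = struct.unpack_from("<i", image, 4)[0]
        archs += struct.pack(">iiIII", cputype, 0, off, len(image), 4)
        body, off = body + image, off + len(image)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body
```

A universal sample built from an x86_64 slice with a placeholder CMS blob and an arm64 slice flagged CS_ADHOC reports one verdict per slice, which is exactly the distinction VT's "not signed" label collapses; the same check on real files separates the unsigned, linker-signed and manually ad hoc signed cases before you write a YARA rule.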
• 22. Recent ad hoc signed malware: RustBucket
Multiple variants in 2023 - indicates continuous innovation
• Malware written in Rust isn't very common
• In May 2023, a second RustBucket variant was observed targeting macOS users.
• In June 2023, a third variant included new persistence capabilities.
• 23. Mitre Mapping - Lazarus Group x macOS
A synopsis of the TTPs covered today (in green)
• Note 1: TCC dumping and writing are not currently released (future ATT&CK version)!
• Note 2: Ad hoc signing may arguably be a separate technique - new submission pending!
• 24. Predictions for Lazarus
They're not going anywhere...
• Lazarus will continue to evade analysis
• Chunking malware into multiple stages
• Leveraging the command line to evade file-based signatures
• RUSTBUCKET malware will continue to evolve
• Social engineering via LinkedIn will increase with the likely recession in 2024
• Lazarus will continue their crypto and crypto-adjacent industry targeting (gaming)
• Exploitation of commercial macOS admin tools will continue
• Bypassing or disabling macOS security features will continue
• Pay attention to WWDC 23, 24, 25, etc.
• Lazarus will pivot if blocked from TCC.db dumping
• 25. Recommendations for Blue Teamers
Keep Calm and Enable Default macOS protections
• Gatekeeper and SIP should be on by default for macOS.
• Monitor for disabling of Gatekeeper and SIP, and implement automated re-enabling of these protections.
• Security practitioners can automate via spctl and csrutil to re-enable Gatekeeper and SIP, respectively.
• Pay special attention if you are in the crypto/crypto-adjacent industry
• Audit for shadow IT, especially unsanctioned macOS RMM tools
• Baseline your environment
• Deploy EDR everywhere
• Least privilege always applies: be judicious in what you grant permissions to.
• 26. Special Thank You to:
Couldn't have done it without...
• The macOS cyber community <3
• Mitre for having me :)