This month, MITER will add to its ATT&CK database two sub-techniques that have been widely exploited by North Korean threat actors.
THE first, not entirely new, sub-technique involves manipulation of transparency, consensus and control (TCC)a security protocol that governs application permissions on Apple’s macOS.
The other one… called “Ghost” dynamic link library (DLL) hijacking. — is a lesser-known subset of DLL hijacking, in which hackers exploit referenced but non-existent DLL files in Windows.
Both TCC manipulation and phantom DLL hijacking allowed North Korean hackers to gain privileged access to the macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.
TCC manipulation
“North Korea is opportunistic,” says Marina Liang, a threat intelligence engineer at Interpres Security. “They have the dual purpose of spying and also revenue generation, so they will try to achieve their goals. And as macOS is becoming more and more popular, that’s where they started filming.”
One way North Korean advanced persistent threats (APTs) have recently breached Macs is through TCC, an essential framework for controlling application permissions.
TCC has a user- and system-level database. The former is protected with permissions (a user would require Full Disk Access (FDA) or something similar – and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. In theory, privileges and SIP are protections against malicious TCC access.
In practice, however, there are scenarios where each of them can be compromised. Administrators and security apps, for example, may require the FDA to function properly. And there are times when users bypass SIP.
“When developers need flexibility on their machine, or are blocked by the operating system, they may reduce the controls that Apple has in place to allow them to code and create software,” Liang explains. “Anecdotally, I’ve seen that troubleshooting developers will try to figure out what’s going on [on the system]and disable it to see if that fixes the problem.”
When SIP is disabled or FDA is enabled, attackers have a window to access the TCC database and grant themselves permissions without notifying the user.
There are also many other ways to potentially overcome TCC. For example, some sensitive directories such as /tmp are completely outside of TCC’s domain. The Finder app has FDA enabled by default and is not listed in the user’s Security & Privacy window, meaning a user would have to independently be aware and manually revoke their permissions. Attackers can also use social engineering to direct users to disable security controls.
Numerous malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS trojans registered on VirusTotal. Liang identified the malware from the Lazarus group, which attempts to download the access table from the TCC database and CloudMensis by APT37 (also known as InkSquid, RedEyes, BadRAT, Reaper or ScarCruft) stubbornly tries to identify where SIP is disabled to load its malicious database.
Dark Reading reached out to Apple for a statement regarding TCC abuse and did not receive a response.
To prevent attackers from exploiting TCC, the most important thing is to keep SIP enabled. Aside from that, Liang highlights the need to know which apps have which permissions on your system. “It’s being aware of what you’re granting permission for. And then – obviously easier said than done – practicing [the principle of] less privileged [access]. If some apps don’t necessarily need certain permissions to work, remove them,” he says.
Ghost DLL hijacking
In addition to the TCC vulnerabilities, threat actors in APAC have exploited an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don’t actually exist.
“There are a lot of them,” Liang marvels. “Maybe someone was working on a project to create specific DLLs for specific purposes and maybe it got shelved, or they didn’t have enough resources, or they just forgot about it.”
Dark Reading has contacted Microsoft for clarification on this point.
For a hacker, a so-called “ghost” DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name and write them to the same location and they will be loaded by the operating system without anyone noticing.
The Lazzaro Group e APT41 (aka Winnti, Barium, Double Dragon) used this tactic with IKEEXT, a service required for authentication and key exchange as part of Internet Protocol security. When IKEEXT activates, it tries to load the non-existent “wlbsctrl.dll” file. APT41 also targeted other ghost DLLs such as “wbemcomn.dll”, loaded by the Windows Management Instrumentation (WMI) provider host.
Until Windows gets rid of ghost DLLs, Liang strongly recommends that companies run monitoring solutions, implement proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.