Introduction
As the macOS desktop user base continues to grow year over year, and Windows remains a mainstay, adversaries are becoming more versatile in their cross-platform strategies. Even as macOS malware grows in popularity, Windows exploits remain a vector of choice for threat actors.
Interpres Security Threat Intelligence Engineer Marina Liang dove specifically into the activities of APAC-based adversaries, such as Lazarus Group, APT37, and APT41, and surfaced insights into prominent malware campaign techniques that are included in the upcoming MITRE ATT&CK April 2024 update.
Marina’s reports delve into the evolving landscape of cyber threats, focusing on Windows Phantom DLL Hijacking and on manipulation of the Transparency, Consent, and Control (TCC) framework database, a mechanism created to enhance user security and privacy on macOS devices. In all cases the adversaries were connected to the Democratic People’s Republic of Korea (DPRK) and the APAC region, with the dual purpose of cyber espionage and nation-state financing.
Windows Phantom DLL Hijacking
To the chagrin of Windows security practitioners everywhere, the Windows operating system references a surprising number of DLL files that do not exist. Phantom DLL hijacking occurs when an adversary gives a malicious DLL the name of one of these missing files and writes it to the location the OS looks for it. The DLL is then loaded when the OS executes the code that references it, enabling privilege escalation, persistence, or other malicious execution.
Many such phantom DLL references exist, and undoubtedly some remain to be discovered and exploited. Marina’s report focuses on two examples: IKEEXT and WMIprvse.exe. It delves into the Windows DLL hijack behavior leveraged by the DPRK-sponsored Lazarus Group as well as the Chinese state-sponsored group APT41. Both groups appear to have the dual purpose of cyber espionage and nation-state financing.
TCC Abuse in the Wild
The TCC framework is a macOS mechanism meant to ensure user security and privacy by limiting and controlling application access to certain features and data. This includes sensitive resources such as location services, calendar, contacts, photos, microphone, camera, accessibility, full disk access, desktop, documents, and more.
TCC is partially exposed to the user via prompts to allow or deny an application access to those protected areas, but there are also permissions that are essentially invisible to the user. The implementation and limitations of TCC have introduced various avenues for adversaries to abuse the TCC database(s), including writing to, dumping, copying, or supplying an actor-controlled database.
TCC abuse has been observed in a few malware campaigns over the years. Notably, XCSSET leveraged several zero-days to bypass TCC and gain access to sensitive features by exploiting a list of hardcoded apps that already held the correct permissions. Bundlore, a well-known macOS adware family, has also been observed abusing TCC by modifying or copying the TCC database.
TCC abuse has also expanded to include state-sponsored threats. The DPRK has routinely targeted macOS in recent years with lucrative cryptocurrency-financing operations delivered via social engineering. APT37 (aka ScarCruft, InkySquid, Ricochet Chollima, etc.), in their CloudMensis campaign, attempted to insert and/or replace permissions in the TCC database, and the Lazarus Group has been observed dumping the access table in the TCC database.
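The inserted or replaced permissions described above leave traces in the TCC database’s access table. As an added example (not code from the original article or its reports), the following script diffs a baseline snapshot of that table against a current copy and flags rows that were inserted or whose grant changed. It assumes the modern TCC.db column names used here (service, client, client_type, auth_value, auth_reason, last_modified) and builds both databases in memory from constructed rows.

```python
"""Flag inserted or replaced TCC grants by diffing two copies of the access table.

Assumption (not from the article): the column subset below matches the macOS 11+
TCC.db layout; auth_value 2 = allowed, 0 = denied; client_type 0 = bundle id.
Both databases are constructed in memory for this demonstration.
"""
import sqlite3

SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    last_modified INTEGER NOT NULL,
    PRIMARY KEY (service, client, client_type))"""

# Constructed sample rows: a trusted baseline and a "current" copy in which the
# camera grant for com.example.chat flipped from denied to allowed and a new
# Full Disk Access grant appeared for an unknown client.
BASELINE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
    ("kTCCServiceCamera", "com.example.chat", 0, 0, 2, 1700000100),
]
CURRENT_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
    ("kTCCServiceCamera", "com.example.chat", 0, 2, 2, 1700000100),
    ("kTCCServiceSystemPolicyAllFiles", "com.example.agent", 0, 2, 2, 1700000200),
]

def build_db(rows):
    """Create an in-memory TCC-style database populated with the given rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def snapshot(db):
    """Map (service, client, client_type) -> (auth_value, auth_reason, last_modified)."""
    query = ("SELECT service, client, client_type, auth_value, auth_reason, "
             "last_modified FROM access")
    return {(s, c, t): (v, r, m) for s, c, t, v, r, m in db.execute(query)}

def diff_access(baseline, current):
    """Return ("inserted", key, new) or ("replaced", key, old, new) findings."""
    findings = []
    for key, new in current.items():
        old = baseline.get(key)
        if old is None:
            findings.append(("inserted", key, new))
        elif old[:2] != new[:2]:  # grant or reason changed for an existing row
            findings.append(("replaced", key, old, new))
    return findings

def audit(baseline_rows=BASELINE_ROWS, current_rows=CURRENT_ROWS):
    """Run the diff over two row sets and return the findings list."""
    return diff_access(snapshot(build_db(baseline_rows)), snapshot(build_db(current_rows)))
```

On a real host the same diff applies to a snapshot taken from TCC.db at enrollment time versus a later copy; a grant that changes while last_modified stays put is worth a closer look, since tccd normally updates that timestamp itself.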
Links:
Check out Marina Liang’s full reports on the Lazarus Group’s campaigns, Transparency, Consent, and Control (TCC) Database Manipulation and Windows Phantom DLL Hijacking, for more information and recommendations for threat intelligence teams.