DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

Published: 23/11/2024   Category: security




North Korean hackers break ground with new exploitation techniques for Windows and macOS.



This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.

The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS. The other — called phantom dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.

Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.

"North Korea is opportunistic," says Marina Liang, threat intelligence engineer at Interpres Security. "They have a dual purpose of espionage and also revenue generation, so they're going to look to be where their targets are. And because macOS is increasing in popularity, that's where they started to pivot."
One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.
TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.

In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.

"When developers need flexibility on their machine, or they're being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software," Liang explains. "Anecdotally, I've seen that developers troubleshooting will try to figure out what's in place [on the system], and disable it to see if that solves their issue."

When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.

There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC's domain entirely. The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.
A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft), which doggedly tries to identify where SIP is disabled in order to load its own malicious database.
Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.
To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. "It's being aware of what you're granting permissions to. And then — obviously it's easier said than done — exercising [the principle of] least privileged [access]. If certain apps don't necessarily need certain permissions to function, then remove them," she says.
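The audit Liang describes, knowing which apps hold which TCC grants and especially Full Disk Access, can be scripted against the TCC database. The following is an added example, not code from the article or from Interpres Security; it assumes the standard TCC.db paths and the `access` table's `auth_value` semantics (2 = allowed), and it ships with a constructed in-memory stand-in so it runs anywhere.

```python
import os
import sqlite3
from typing import Iterable

# TCC database locations (assumption: paths unchanged on current macOS releases).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"

# Full Disk Access is recorded under this TCC service name.
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# auth_value on macOS 11+: 0 denied, 1 unknown, 2 allowed, 3 limited.
AUTH_ALLOWED = 2


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a TCC.db read-only (reading it itself needs FDA, or SIP off)."""
    return sqlite3.connect(f"file:{os.path.expanduser(path)}?mode=ro", uri=True)


def allowed_grants(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Every (client, service) pair TCC currently allows."""
    rows = conn.execute(
        "SELECT client, service FROM access WHERE auth_value = ? "
        "ORDER BY client, service", (AUTH_ALLOWED,))
    return [(client, service) for client, service in rows]


def fda_clients(conn: sqlite3.Connection) -> list[str]:
    """Clients holding Full Disk Access."""
    return [c for c, s in allowed_grants(conn) if s == FDA_SERVICE]


def unexpected_fda(conn: sqlite3.Connection, allowlist: Iterable[str]) -> list[str]:
    """FDA holders not on the administrator's allowlist: review, then revoke."""
    known = set(allowlist)
    return [c for c in fda_clients(conn) if c not in known]


def constructed_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in using a subset of the real access columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
                 " auth_value INTEGER, auth_reason INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        (FDA_SERVICE, "com.example.backupagent", 0, AUTH_ALLOWED, 2),       # expected
        (FDA_SERVICE, "/usr/local/bin/unknown-helper", 1, AUTH_ALLOWED, 2),  # not expected
        (FDA_SERVICE, "com.apple.Terminal", 0, 0, 2),                      # denied
        ("kTCCServiceMicrophone", "com.example.chat", 0, AUTH_ALLOWED, 2),
    ])
    return conn


if __name__ == "__main__":
    for client in unexpected_fda(constructed_db(), ["com.example.backupagent"]):
        print("review FDA grant:", client)
```

On a real host, swap `constructed_db()` for `open_tcc_db(SYSTEM_TCC_DB)` or `open_tcc_db(USER_TCC_DB)`; Finder's default FDA grant (mentioned above) will not appear here because it is not stored as a row, so check it separately.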
Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don't actually exist.

"There are a ton of them," Liang marvels. "Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn't have enough resources, or just forgot about it."
Dark Reading has reached out to Microsoft for clarification on this point.
To a hacker, a so-called phantom DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they'll be loaded by the operating system with nobody the wiser.
The Lazarus Group and APT41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent wlbsctrl.dll. APT41 has also targeted other phantom DLLs like wbemcomn.dll, loaded by the Windows Management Instrumentation (WMI) provider host.
Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.
