DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.
The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple’s macOS.
The other — called “phantom” dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.
Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.
TCC Manipulation
“North Korea is opportunistic,” says Marina Liang, threat intelligence engineer at Interpres Security. “They have a dual purpose of espionage and also revenue generation, so they’re going to look to be where their targets are. And because macOS is increasing in popularity, that’s where they started to pivot.”
One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.
TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.
In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.
“When developers need flexibility on their machine, or they’re being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software,” Liang explains. “Anecdotally, I’ve seen that developers troubleshooting will try to figure out what’s in place [on the system], and disable it to see if that solves their issue.”
When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.
There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC’s domain entirely. The Finder app has FDA enabled by default, and it’s not listed in the user’s Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.
A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft) doggedly tries to identify where SIP is disabled in order to load its own malicious database.
Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.
To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. “It’s being aware of what you’re granting permissions to. And then — obviously it’s easier said than done — exercising [the principle of] least privileged [access]. If certain apps don’t necessarily need certain permissions to function, then remove them,” she says.
Phantom DLL Hijacking
Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don’t actually exist.
“There are a ton of them,” Liang marvels. “Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn’t have enough resources, or just forgot about it.”
Dark Reading has reached out to Microsoft for clarification on this point.
To a hacker, a so-called “phantom” DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they’ll be loaded by the operating system with nobody the wiser.
The Lazarus Group and APT 41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent “wlbsctrl.dll.” APT41 has also targeted other phantom DLLs like “wbemcomn.dll,” loaded by the Windows Management Instrumentation (WMI) provider host.
Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.