Ghost Mach-O: an analysis of Lazarus’ Mac-malware innovations

Friday 2 October 11:00 - 11:30, Red room

Dinesh Devadoss (K7 Computing)



The infamous Lazarus APT group, also known as Hidden Cobra, has been constantly upgrading its arsenal and techniques, and recently went as far as orchestrating a living-off-the-land attack. In this campaign the group used a brand new fileless technique, a first in the Mac universe, which attracted a lot of attention in the cybersecurity community.

The technique is actually very interesting. The Lazarus trojan loader component used MemoryBasedBundle, which allows Mach-O code to be executed directly from memory rather than from a file on disk, thereby evading the file-based detections that Mac AV products apply to objects on disk.
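Because a bundle loaded this way never touches the file system, the defender's first question is whether the image can be found once it sits in memory. The following Python scanner is an added example written for this page; it is not code from the paper or from K7 Computing. It assumes the memory region of interest has already been acquired (for instance a process memory dump handed over as bytes) and that the set of file-backed mapping offsets comes from the platform's own mapping listing; the demo buffer it scans is constructed inline. It walks every Mach-O magic it finds, validates the header and load-command chain so that random bytes containing the magic are rejected, and keeps only hits with no backing file.

```python
"""Defender-side triage: find Mach-O image headers inside a raw memory buffer.

Added example, not code from the paper or from K7 Computing. It assumes the
memory region has already been acquired (e.g. a process memory dump) and is
handed over as bytes; the sample buffer below is constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# mach_header magic values (from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE       # 32-bit image, reader's byte order
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit image, reader's byte order
MH_CIGAM = 0xCEFAEDFE       # 32-bit image, byte-swapped
MH_CIGAM_64 = 0xCFFAEDFE    # 64-bit image, byte-swapped

FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
CPUTYPES = {7: "i386", 12: "arm", 0x01000007: "x86_64", 0x0100000C: "arm64"}
LC_UUID = 0x1B
MAX_CMDS = 1024             # sanity cap; real images carry tens of load commands


@dataclass
class MachOHit:
    offset: int        # where the header starts inside the buffer
    bits: int          # 32 or 64
    cpu: str
    filetype: str      # MH_BUNDLE is what a loadable bundle in memory looks like
    ncmds: int
    sizeofcmds: int


def parse_header(buf: bytes, off: int) -> Optional[MachOHit]:
    """Decode and sanity-check the mach_header[_64] at buf[off:]; None if invalid."""
    if off + 28 > len(buf):
        return None
    magic = struct.unpack_from("<I", buf, off)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"          # stored byte-swapped relative to this little-endian reader
    else:
        return None
    bits = 64 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 32
    hdr_len = 32 if bits == 64 else 28      # mach_header_64 has an extra 'reserved' field
    if off + hdr_len > len(buf):
        return None
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, cputype, _, filetype, ncmds, sizeofcmds, _ = struct.unpack_from(end + "IiiIIII", buf, off)
    if cputype not in CPUTYPES or filetype not in FILETYPES:
        return None
    cmds_end = off + hdr_len + sizeofcmds
    if ncmds == 0 or ncmds > MAX_CMDS or cmds_end > len(buf):
        return None
    # Walk the load-command chain: each (cmd, cmdsize) must fit and the chain must
    # consume exactly sizeofcmds bytes. Random data that happens to contain the
    # magic almost never survives this check.
    pos = off + hdr_len
    for _ in range(ncmds):
        if pos + 8 > cmds_end:
            return None
        _cmd, cmdsize = struct.unpack_from(end + "II", buf, pos)
        if cmdsize < 8 or pos + cmdsize > cmds_end:
            return None
        pos += cmdsize
    if pos != cmds_end:
        return None
    return MachOHit(off, bits, CPUTYPES[cputype], FILETYPES[filetype], ncmds, sizeofcmds)


def scan_buffer(buf: bytes) -> List[MachOHit]:
    """Return every validated Mach-O header found at any offset of buf."""
    hits: List[MachOHit] = []
    for magic in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64):
        pattern = struct.pack("<I", magic)
        idx = buf.find(pattern)
        while idx != -1:
            hit = parse_header(buf, idx)
            if hit is not None:
                hits.append(hit)
            idx = buf.find(pattern, idx + 1)
    return sorted(hits, key=lambda h: h.offset)


def fileless_candidates(hits: List[MachOHit], file_backed: Set[int]) -> List[MachOHit]:
    """Keep hits whose offset is not among the file-backed mapping offsets.

    The set is assumed (hypothetical input) to come from the platform's mapping
    listing for the process; an image loaded only from memory has no backing file.
    """
    return [h for h in hits if h.offset not in file_backed]


def constructed_sample() -> bytes:
    """Constructed demo buffer: padding, a minimal arm64 MH_BUNDLE, then a decoy magic."""
    lc_uuid = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16        # one 24-byte LC_UUID
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 8, 1, len(lc_uuid), 0, 0)
    decoy = struct.pack("<I", MH_MAGIC_64) + b"\xff" * 28           # magic, garbage fields
    return b"\x00" * 64 + header + lc_uuid + b"ABC" * 20 + decoy + b"\x00" * 16


if __name__ == "__main__":
    for h in fileless_candidates(scan_buffer(constructed_sample()), set()):
        print(h)
```

Run against the constructed buffer, the scanner reports exactly one image: a 64-bit arm64 MH_BUNDLE at offset 64 with one load command, while the decoy magic with nonsense fields is rejected. The design choice worth noting is that the header walk, not the magic alone, is what makes the hit trustworthy; on a real dump the interesting results are the MH_BUNDLE images that no file-backed mapping accounts for.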

In this paper we will demystify this novel fileless technique, analysing how and why it works. To provide context for Lazarus' increasing sophistication, we will discuss the group's various campaigns that targeted cryptocurrency exchanges and other financial institutions. In fact, it was the Union Crypto Trader app that was trojanised with the fileless component mentioned earlier. Lazarus' level of commitment to impersonation is so great that its fake trading application installers were hosted on GitHub and were signed to avoid raising any alarms. Trojanising open-source trading applications has become a hallmark of Lazarus' strategy, and can be used to attribute attacks to the group.

We will also cover Lazarus' versatile development skill set, which spans the Qt framework, C, Objective-C, Swift and more, enabling these threat actors to craft innovative Mac malware. We will dissect the sophisticated toolset of the Lazarus group to shed light on its Mac APT modus operandi, with an eye on predicting what its future attacks might look like, along with a discussion of countermeasures.


Dinesh Devadoss

Dinesh Devadoss, a threat researcher at K7 Threat Control Labs, considers himself to be a wanderer in the binary world. He graduated with a Bachelor's degree in computer science engineering, and his interests include malware analysis and forensic analysis in general. His passion (bordering on addiction) is to extensively research malware targeting macOS.
