Mac Me MORE Money!! Exploitation of Mac in Targetted Attacks

Dinesh Devadoss, Kaarthik R Muthukrishnan/K7 Computing

Of late, cybercriminals have shifted their focus onto financial institutions, especially cryptocurrency exchanges. This gives a higher ‘Return-on-Investment’ than sticking to the increasingly “out-of-fashion” approach of illegal cryptomining or e-pickpocketing of wallets. It is usually the Windows side of a malware story that gets told, but let's shift the vantage point to the Mac side. Since the usage of Macs has increased in corporate environments, cybercriminals have been incentivized to upgrade their arsenals to leverage a Mac setting.

This paper presents detailed case studies of two threat groups that lie at different points in the cybercriminal spectrum. One is a state-sponsored group, Lazarus, and the other is a less documented, self-sustained threat actor group. In our lab we have dubbed the latter ‘EduSmoke’ (aliases HYDSEVEN and CRYPTO-3), because of its spear-phishing emails claiming to come from universities and an artefact in its binaries. Both of these groups have used Mac implants in their attack TTPs, and both have targeted financial institutions in Japan, the US and Poland, amongst others.

The Lazarus group, infamous for the 2016 Bangladesh bank robbery, is ever on the lookout to pull off heists. In 2019, it has already targeted several cryptocurrency exchanges. This paper focuses on various phases of its current kill chain, dissecting the weaponized documents and the espionage functionality of the Mac binaries. The Mac implants have been created using a cross-platform development framework named ‘Qt’. We will reveal how the code within the binaries matches the coding pattern from Lazarus’ previous attacks.

In our second case study, we delve into EduSmoke’s recent targeting of Coinbase, a cryptocurrency exchange, by exploiting two zero-days in Firefox (CVE-2019-11707 and CVE-2019-11708) as the initial infection vector. These tactics, combined with a well-choreographed spear-phishing maneuver, have allowed ‘EduSmoke’ to remain under the radar for quite some time. This paper discusses EduSmoke’s TTPs, covering extensive analysis of its dropped backdoor binaries (OSX.Netwire and OSX.Mokes), which exfiltrate user data and are designed to support multiple platforms (Mac, Windows and Linux). We will also cover an interesting overlap of the command and control infrastructure that led us to trace the group’s activities back to at least 2016.

These case studies provide great insight, enabling us to formulate effective countermeasures against such sophisticated adversaries. We shall also explore detection methodologies based on the IOCs that we have discovered.

November 7 at 14:00 - 14:30, Stage A

Dinesh Devadoss: Dinesh Devadoss is a Threat Researcher at K7 Computing's Threat Control Lab. He graduated with a Bachelor's degree in Computer Science Engineering. He specialises in forensics, malware analysis and reversing malware written for Windows and macOS.

Kaarthik R Muthukrishnan: Kaarthik is a Senior Threat Researcher at K7 Computing's Threat Control Lab. He graduated in 2007 with a Master's degree in Computer Applications. He began his career as a Threat Research Analyst at Technosoft Corporation in 2008. Kaarthik joined K7 Computing's Threat Control Lab in December 2010. Kaarthik has authored a paper for VB 2017, co-authored a paper for AVAR 2013 and one for AVAR 2018. He occasionally blogs on the K7 Computing blog site. Apart from security, Kaarthik is passionate about photography.