North Korea

North Korea ATM Hack

The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

The level of detail is impressive, as seems to be common in CISA’s alerts and analysis reports.

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The result is a malicious binary named unioncryptoupdater that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars’ worth of cryptocurrencies from exchanges in an attempt to fund the country’s nuclear weapons development programs.

Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

“As the layout of an in-memory process image is different from its on-disk image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).”

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

(Screenshot credit: Patrick Wardle)

While fileless infections are a further indication that Lazarus is growing more adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display a warning before the app is opened.

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.
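A host check for the two artifacts named above, plus the launch daemon’s target binary and a live process, as an added example that is not from the article or from Wardle’s analysis. The paths are the ones the article lists; the sample tree and the stand-in binary are constructed here so the check can be exercised without any real malware.

```python
import os
import plistlib
import subprocess
import tempfile

# Artifacts the article names (the dropped copies lose their leading dots).
PLIST_REL = "Library/LaunchDaemons/vip.unioncrypto.plist"
BINARY_REL = "Library/UnionCrypto/unioncryptoupdater"
BINARY_ABS = "/" + BINARY_REL

def check_unioncrypto(root="/", check_processes=True):
    """Return a list of findings for the filesystem rooted at `root`."""
    findings = []
    plist_path = os.path.join(root, PLIST_REL)
    binary_path = os.path.join(root, BINARY_REL)
    if os.path.isfile(plist_path):
        findings.append(f"launch daemon plist present: {plist_path}")
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)
            args = plist.get("ProgramArguments") or [plist.get("Program")]
            if args[0] and args[0].endswith("unioncryptoupdater"):
                findings.append(f"plist launches {args[0]}")
        except Exception as exc:  # an unreadable plist is itself worth reporting
            findings.append(f"plist unreadable: {exc}")
    if os.path.isfile(binary_path):
        st = os.stat(binary_path)
        findings.append(f"binary present: {binary_path} "
                        f"(uid={st.st_uid}, mode={oct(st.st_mode & 0o777)})")
    if check_processes:  # live process check via ps (macOS and Linux)
        out = subprocess.check_output(["ps", "-eo", "args="], text=True)
        if any(BINARY_ABS in line for line in out.splitlines()):
            findings.append(f"process running: {BINARY_ABS}")
    return findings

def build_sample_tree():
    """Constructed sample: an infected-looking tree in a temp dir, no real malware."""
    root = tempfile.mkdtemp()
    plist_path = os.path.join(root, PLIST_REL)
    binary_path = os.path.join(root, BINARY_REL)
    os.makedirs(os.path.dirname(plist_path))
    os.makedirs(os.path.dirname(binary_path))
    with open(plist_path, "wb") as fh:
        plistlib.dump({"Label": "vip.unioncrypto", "RunAtLoad": True,
                       "ProgramArguments": [BINARY_ABS]}, fh)
    with open(binary_path, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")  # harmless placeholder stand-in
    os.chmod(binary_path, 0o755)
    return root
```

On a Mac under investigation, call `check_unioncrypto()` with the default root of `/`; the sample tree only shows what a positive result looks like.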

Developer faces prison time for giving blockchain talk in North Korea

(Photo: Virgil Griffith.)

The prominent hacker and Ethereum developer Virgil Griffith was arrested by the US government Friday after he spoke at an April conference on blockchain technologies in North Korea. The US government considers his presentation to be a transfer of technology—and therefore a violation of US sanctions.

But Griffith’s defenders, including Ethereum founder Vitalik Buterin, describe the arrest as a massive overreaction. Griffith worked for the Ethereum Foundation, and Buterin called him a friend.

“I don’t think what Virgil did gave the DPRK [Democratic People’s Republic of Korea] any kind of real help in doing anything bad,” Buterin tweeted on Sunday. “He delivered a presentation based on publicly available info about open source software.”

But federal prosecutors argue that Griffith, a US citizen residing in Singapore, knew full well that his trip violated US sanction laws. They say he sought approval for the trip from the US State Department, and his request was denied. Griffith made the trip anyway, traveling through China to evade US travel restrictions.

In a charging document, an FBI agent wrote that Griffith “discussed how blockchain and cryptocurrency technology could be used by the DPRK to launder money and evade sanctions, and how the DPRK could use these technologies to achieve independence from the global banking system.”

Griffith made little effort to hide his travel plans. He tweeted out a photo of his travel documents and voluntarily talked to the FBI after his trip. He even allowed the authorities to inspect his cell phone.

The feds say Griffith’s electronic communications show a clear intention to violate US sanctions laws. When a friend asked why the North Korean regime was interested in cryptocurrency, he wrote: “probably avoiding sanctions… who knows.”

Later, he told a friend of his plan to help send 1 unit of cryptocurrency (presumably ether) between South and North Korea. The friend asked “Isn’t that violating sanctions?” Griffith replied “it is,” according to the US government.

“Minor public-relations disasters”

Griffith was a well-known figure in the hacking world for more than a decade before this year’s trip to North Korea. He was featured by The New York Times in a 2008 article that focused on his creation of WikiScanner—software that helped uncover people and organizations making surreptitious changes to Wikipedia.

He told the Times that he aspires to “create minor public-relations disasters for companies and organizations I dislike.”

In 2003, Griffith was sued by education-software maker Blackboard to stop him from presenting research on security flaws in Blackboard’s software. A 2006 paper demonstrated how easy it was to guess people’s mothers’ maiden names from public records—highlighting the downside of using this information to authenticate consumers.

According to his LinkedIn page, Griffith received a Ph.D. in computation and neural systems in 2014. Since then, he has been involved in a variety of cryptocurrency projects. He has been a research scientist at the Ethereum Foundation since 2016.