DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

April 11, 2024 at 06:05PM

MITRE will add two sub-techniques to its ATT&CK database that have been exploited by North Korean threat actors. TCC manipulation targets Apple macOS application permissions; “phantom” DLL hijacking exploits DLLs that Windows components reference but that do not exist on disk. Both techniques let attackers gain privileged access and conduct espionage. Defenders should keep SIP enabled on macOS and monitor DLL loading on Windows.

Key takeaways:

1. MITRE will be adding two new sub-techniques to its ATT&CK database that have been exploited by North Korean threat actors: TCC manipulation on Apple’s macOS and “phantom” DLL hijacking in Windows.

2. TCC manipulation involves exploiting the Transparency, Consent, and Control (TCC) framework on macOS, allowing attackers to gain privileged access by abusing Full Disk Access (FDA) grants and circumventing System Integrity Protection (SIP).

3. Various malware tools have been designed to exploit TCC, and it is crucial to keep SIP enabled and be mindful of app permissions to defend against TCC abuses.

4. Phantom DLL hijacking takes advantage of DLL files that Windows components reference but that do not exist on disk: an attacker can create a malicious DLL with the expected name in a location on the search path and have it loaded, potentially compromising critical services like IKEEXT.

5. To mitigate the risk of phantom DLL hijacking, it is recommended to run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs on Windows Server.
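The DLL-load monitoring recommended above, as an added example that is not from the article: a small detector over image-load records in the style of Sysmon Event ID 7 that flags a Windows service host loading a DLL from outside the trusted system directories or without a valid signature. The record format, field names beyond Sysmon's Image/ImageLoaded/Signed/SignatureStatus, and the sample events are constructed for illustration.

```python
"""Flag suspicious DLL image loads (Sysmon Event ID 7 style) - added example."""
import ntpath

# Directories from which Windows normally resolves system DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
# Service hosts worth watching; IKEEXT runs inside svchost.exe.
WATCHED_HOSTS = ("svchost.exe", "lsass.exe", "services.exe")


def _norm(path: str) -> str:
    return path.strip().lower()


def is_suspicious(event: dict) -> bool:
    """True when a watched host loads a DLL from outside the trusted
    system directories or the DLL's signature is not valid."""
    host = ntpath.basename(_norm(event.get("Image", "")))
    dll = _norm(event.get("ImageLoaded", ""))
    if host not in WATCHED_HOSTS or not dll.endswith(".dll"):
        return False
    in_trusted = dll.startswith(TRUSTED_DIRS)
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    return not in_trusted or not signed_ok


def parse_event(line: str) -> dict:
    """Parse a constructed flat 'Key: value|Key: value' record into a dict.
    Splitting on the first colon keeps drive letters in values intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def flag_events(lines):
    """Return the parsed records that trip the detector."""
    parsed = [parse_event(line) for line in lines]
    return [ev for ev in parsed if is_suspicious(ev)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Legitimate: svchost loads a signed system DLL from System32.
    r"Image: C:\Windows\System32\svchost.exe|ImageLoaded: C:\Windows\System32\ikeext.dll|Signed: true|SignatureStatus: Valid",
    # Suspicious: svchost loads an unsigned DLL planted in a user-writable path.
    r"Image: C:\Windows\System32\svchost.exe|ImageLoaded: C:\Users\Public\planted.dll|Signed: false|SignatureStatus: Unavailable",
    # Ignored: a non-service application loading its own helper DLL.
    r"Image: C:\Program Files\App\app.exe|ImageLoaded: C:\Program Files\App\helper.dll|Signed: false|SignatureStatus: Unavailable",
]
```

Running `flag_events(SAMPLE_EVENTS)` returns only the second record; in practice the host list and trusted directories should be tuned to the environment's own baseline.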