Navigating the LABYRINTH: An In-Depth Examination of Interactive Intrusions by a North Korean APT

Presented at Objective by the Sea version 6.0 (2023), Oct. 13, 2023, 2 p.m. (40 minutes).

LABYRINTH CHOLLIMA is a DPRK-nexus threat actor with a dual mission of cyber espionage and currency generation which has been tasked with many of North Korea's most high-profile operations. The 2014 hack of Sony Pictures Entertainment, the WannaCry outbreak in 2017, and the 3CX supply chain attack discovered by CrowdStrike in March of 2023 have all been attributed to this threat actor.

Over the last several years, CrowdStrike has observed aggressive targeting of cryptocurrency organizations by LABYRINTH CHOLLIMA as the North Korean economy has stuttered due to Western sanctions and a pandemic-fueled downturn. Over the same period, we've observed the macOS operating system growing in popularity and becoming more widely deployed in enterprise environments. This is particularly true in software development organizations, which feature heavily in the cryptocurrency FinTech companies targeted by LABYRINTH CHOLLIMA.

Throughout this time, LABYRINTH CHOLLIMA has shown increasing expertise with the macOS platform and has continued to develop new tooling while refining their tradecraft across campaigns.

This presentation will provide an in-depth look at the interactive macOS intrusions attributed to LABYRINTH CHOLLIMA, identified by CrowdStrike. We will delve deep into the adversary's innovative macOS tradecraft and will examine all stages of the attack life cycle, including the advanced social engineering tactics used by the actor during initial access, the types of users being targeted, the custom multi-stage implants we've seen deployed, and the living-off-the-land techniques used for reconnaissance, persistence, and lateral movement once they've infiltrated a network. We'll dissect what exactly a macOS interactive intrusion looks like through the exploration of custom tooling and techniques we've seen LABYRINTH CHOLLIMA leverage in real-world operations.

Presenters:

  • Greg Longo - Senior Intrusion Analyst at CrowdStrike
    Greg Longo is a Senior Intrusion Analyst hunting nation-state adversaries on the Falcon OverWatch team at CrowdStrike. He has an extensive background in digital forensics, threat and vulnerability management, and intrusion analysis having served in roles in both the public and private sector.
  • Ben Wiley - Senior Intrusion Analyst at CrowdStrike
    Ben Wiley is a Senior Intrusion Analyst on the Falcon OverWatch team at CrowdStrike focused on hunting and tracking nation-state adversaries. Prior to joining CrowdStrike, Ben was a digital forensics and incident response consultant at Mandiant.

    In his free time, Ben likes to travel, be outside, and spend time with his wife and daughter.