
Navigating the LABYRINTH: An In-Depth Examination of Interactive Intrusions... - Greg Longo

BSides Peru · 48:46 · 146 views · Published 2023-08
About this talk
BSidesPGH 2023. Navigating the LABYRINTH: An In-Depth Examination of Interactive Intrusions by a North Korean APT.

LABYRINTH CHOLLIMA has routinely targeted macOS with increasing sophistication and evolving tradecraft refined over multiple intrusions. We'll take you behind the scenes of multiple targeted intrusions for a unique look into the DPRK operational profile from initial access to exfiltration. LABYRINTH CHOLLIMA is a DPRK-nexus threat actor with a dual mission of cyber espionage and currency generation that has been tasked with many of North Korea's most high-profile operations. The 2014 hack of Sony Pictures Entertainment, the WannaCry outbreak in 2017, and the 3CX supply chain attack discovered by CrowdStrike in March of 2023 have all been attributed to this threat actor. Over the last several years, CrowdStrike has observed aggressive targeting of cryptocurrency organizations by LABYRINTH CHOLLIMA as the North Korean economy has stuttered due to western sanctions and a pandemic-fueled downturn. Over the same period, we've observed the macOS operating system grow in popularity and become more widely deployed in enterprise environments; this is particularly true in software development organizations, which feature heavily in the cryptocurrency FinTech companies targeted by LABYRINTH CHOLLIMA. Throughout this time, LABYRINTH CHOLLIMA has shown increasing expertise with the macOS platform and has continued to develop new tooling while refining its tradecraft across campaigns. This presentation will provide an in-depth look at the interactive macOS intrusions attributed to LABYRINTH CHOLLIMA identified by CrowdStrike.

We will delve deep into this adversary's innovative macOS tradecraft and examine all stages of the attack life cycle, including the advanced social engineering tactics used by the actor during initial access, the types of users being targeted, the custom multi-stage implants we've seen deployed, and the living-off-the-land techniques used for reconnaissance, persistence, and lateral movement once they've infiltrated a network. We'll dissect what exactly a macOS interactive intrusion looks like, explore the custom tooling and techniques we've seen LABYRINTH CHOLLIMA use against our customers, and provide guidance on what defenders can do to better protect their macOS environments.

Greg Longo

Greg Longo is a Senior Intrusion Analyst hunting nation-state adversaries on the Falcon OverWatch team at CrowdStrike. He has an extensive background in digital forensics, threat and vulnerability management, and intrusion analysis, having served in roles in both the public and private sector.

https://pretalx.com/bsidespgh-2023/talk/3EBUEP/
Transcript [en]

Excellent. Super excited to be here. Quick shout out to the CFP committee, thanks for the opportunity to speak today, and thank you to all of you for making it back from lunch and choosing this track. I see some fancy drinks; the bar is open, so if you need to go grab a drink I can stall for a few minutes while you freshen up.

So just a little bit about me to start things off. As she mentioned, my name is Greg Longo. I am a Senior Intrusion Analyst at CrowdStrike, on the Falcon OverWatch team, spending time hunting nation-state adversaries. I spent a considerable amount of my time hunting Kitten targets, so think Iran-nexus adversaries, but about eight to ten months ago I started to get into some more macOS analysis, and that work sort of drove me towards a different adversary, which we'll talk about today. I thought this talk would be interesting because, as it pertains to the Chollimas and Labyrinth Chollima, they've been in the news quite a bit. I'm sure you've seen some headlines recently in regards to the 3CX supply chain breach, as well as a more recent attack at JumpCloud.

But before we get started, I just want to take a quick poll, by a raise of hands: how many of you folks know that your organization deploys Macs across the enterprise, outside of just the security department? A handful, okay. And how many Mac admins do we have out here in the audience today? Anybody? Excellent, well, okay, so you can keep me honest as I'm going through this.

So today we're going to talk about some case studies of Labyrinth Chollima and some intrusions that we came across. Quick agenda: we'll go through who the adversary is just to set the stage, talk a little bit about their tradecraft, give you some information on how they target and who they're targeting, and then walk you through a day in the life, and that will kind of take you through the interactive piece of the intrusions that we've come across.

So Labyrinth Chollima, as CrowdStrike names them, also called Lazarus Group, or Hidden Cobra by the US government, is definitely one of the most prolific DPRK actors that's out there. They've been active since 2009, and they are ideally part of Bureau 121 of the Reconnaissance General Bureau. The Reconnaissance General Bureau, for those that aren't familiar, is going to be the premier intelligence organization within North Korea. 2009, coincidentally, is when they stood up Bureau 121, which is their CNO organization and the folks that conduct offensive cyber operations.

So since 2009 Labyrinth Chollima has gone through this sort of arc of operational remit. They started off early on just doing destructive kinds of attacks, think your wipers, DDoS, defacing websites, things like that; by all standards now pretty amateurish, but I guess that's where everybody's got to start. They gradually picked up your traditional intelligence collection mission, so they focused on military targets across basically South Korea, Japan and the US, and then they also started to delve into more economic espionage as well. More recently, in tandem with the intelligence collection operations that they conduct, they've also really picked up the currency generation stuff.

So if any of you went to the Crypto Bros talk that was in track two just before lunch, you heard talk about APT38, which is a different Chollima but also part of this whole effort to generate currency for the regime. It's interesting because, aside from the other organizations within Bureau 121, they are responsible for some of the really high-profile attacks. Everybody's familiar with the Sony hack in 2014; that was Labyrinth. WannaCry in 2017, that was also Labyrinth Chollima. So these guys are known for some of these bigger attacks that they've carried out.

Over the last 18 months, in some of the intrusions that we've come across, we've seen attacks in the financial, technology, media and telecommunications verticals, so that's really where they're targeting most recently. In terms of some of the tradecraft, they're really a well-resourced organization, and we've been able to observe that given the fact that they've been able to take implant frameworks and tools that initially work on Windows, adapt them to Linux, adapt them to macOS, and even go after mobile devices on the Android platform. So clearly these guys have got a broad range of operators as well as a well-resourced capability development organization. We've seen them very quickly evolve implants that they have from one platform to another platform. So think about the 2018 time frame, which is really when they started going after Mac devices, the AppleJeus malware and things like that, and then we've seen them rapidly evolve the implants that they have from 2020 until now, where we've seen multiple iterations adding new capabilities and new features into their implants recently.

So again, some more on targeting, and this really gets to the currency generation aspect of the operations that they are conducting, which is really where this effort is sort of headed. They've been able to steal a significant amount of cryptocurrency over the last four years, and this whole currency generation effort really came out of the sanctions that have been constantly levied on North Korea, as well as the economic struggles that they've endured based on the pandemic. From what I've read, the pandemic really set them back; they suffered the largest economic loss they have in, I think, the last 23 years, something like that. So they're really suffering for how do we bring money back into the regime and take care of our folks.

Across the intrusions that we've seen at cryptocurrency and technology organizations, they've been able to really tailor the tools that they're using against the targets that they're going after. So this kind of goes back to a bullet on the previous slide, which was that we see varying levels of complexity in their tradecraft. We've seen them use some very low-sophistication stuff against targets that maybe don't really have that big of an impact, and if they're going after a larger target, something with maybe a larger financial gain or a more strategic interest, we've seen them take a bit more due diligence in how they're targeting, how they're luring the victims, and then basically how they deploy their implants. So one of the things that they are fond of is these multi-stage implants. They'll send droppers out to basically assess a system without sending a second stage or third stage until they know that that's actually a system they want to be on, and that's sort of what they do to maintain their opsec in some of these more strategic environments that they're in. Really the primary goal for this currency generation, again, as sort of alluded to in that Crypto Bros talk: they want to find private keys, anywhere they can find private keys for crypto wallets, so they can then transfer those funds, launder that money, and bring that into their economy.

So the landscape. This talk is going to focus specifically on their intrusions on macOS devices. Again, macOS has been pretty interesting. We've seen a noticeable uptick in the deployment of Mac devices across enterprise environments. Going back to 2021, Macs accounted for 23 percent of the enterprise market share; that's up five percent from two years earlier. So we see this drive of organizations letting users bring Macs in, or deploying more Macs to folks in the software development arena or even leadership positions. That's interesting because when we see who the Chollimas are targeting, Labyrinth in particular, it's going to be those individuals: really software developers, engineers, folks that have privileged access, folks that might have, or really anybody that might have, a crypto wallet available to them is really who they're going after in this realm.

We've also seen a constant evolution in Mac malware. So similarly, we saw the Chollimas go from Windows to Linux to Mac; we're seeing malware take on the same trajectory, right? A lot of times the Mac malware that we've come across has been adapted from Windows, and now we're seeing stuff that's specifically developed for the Mac platform, because as the deployments increase in enterprises they become more of a lucrative target, which is why we haven't seen that in the past. So we're seeing some things like this, right: a lot of new info stealers are coming out, things that are again tailored directly for the macOS platform, and then even what was in the news recently, RustBucket from Jamf, again attributed to a Chollima. That's stuff that's developed specifically for that platform, because they're adapting their tools and their tradecraft for who they're targeting.

Okay, so we're going to talk a little bit about a day in the life of a DPRK operator. The time frame of these intrusions that we're going to go through, and we'll go through two examples that we have, is basically late 2022 through early 2023, so these are relatively recent intrusions that we've come across, and this is where the adversary deployed their MataNet implant. MataNet is just one of the tools that they use. It's a plugin-based implant where the initial payload has some initial capability to fingerprint a system and provide some information back to the adversary, but then install additional plugins that give them more capabilities: things like file system enumeration, process management, creating network tunnels and network proxies, and then most importantly archiving and exfilling information. So as we go through these intrusions we're going to show you as much of the interactive piece that we came across on these Mac devices, but there is going to be, and I'll try and talk to it, where we don't have visibility, because something like exfil is going to be accomplished directly through their implant and we're not going to be able to see that in terms of a host-based artifact on the system. But what we do see is maybe a file getting created out of nowhere, and then it gets sucked off, right? So that's really the way the MataNet implant works, and I probably won't go into any more detail because I'm not a malware guy, but that's what we're going to talk about: two examples, like I said, one in the financial sector and then one in the technology sector.

So across both of these intrusions the initial access was gained through some pretty elaborate social engineering. That's really how Labyrinth Chollima goes about getting initial access on the systems, and their ability to conduct social engineering is actually quite impressive. They will, on the low end, send your typical phishing email with a malicious PDF that's a job description or that sort of thing, right, really basic stuff, all the way up to where we've seen them actually create fake companies. They'll create a website for a fake company, they'll create LinkedIn profiles for personas for employees that work at this fake company, and then they'll even create fake applications. So we've seen them create basically a fake crypto wallet that actually appears to semi-function and then has some backdoor functionality built into it. So these guys go to pretty great lengths to establish credibility of themselves as they're targeting these users, and we tend to see a lot of targeting over LinkedIn; it's a pretty common method for them to reach out to these individuals. And then what they'll even do is take conversations from LinkedIn and move them over to, say, Skype or Telegram or some other social media platform or other platform to communicate directly with the victim, to get them to either download software or take an application or that sort of thing, and that's really intended to obviously get around any sort of enterprise security devices or technology that might get in the way, filtering things out on the way in, that sort of thing. Most recently, and this is sort of interesting, we've actually seen them engage directly via text message with a victim too. So these guys really go out of their way to establish themselves and connect with their targets.

Okay, so intrusion number one: cryptocurrency organization. Let's talk about the installation and some initial reconnaissance that was conducted. The user that they targeted, we believe it was the Skype phishing, they got this user to download a malicious application called Payroll System. It was actually a Mac application that they delivered to them; the user executed it, and when they executed this application, or tried to open this application, basically what it did was spawn a bash shell and then reach out using curl to grab the second stage implant, and then obviously make that executable. So what Payroll System did was effectively run these commands strung together using the NSTask class within the OS. So it's interesting: I've got two commands there listed next to bash, but we've got three commands up top, and that's that last one, right, so that's their Safari Agent, that's their implant, so that gets executed at the end of running this Payroll System application.

So basically what happens is Safari Agent automatically executes, and then what that's going to do is spawn another bash shell and run some initial reconnaissance, right? So we can see them just enumerate the user's directory using your basic ls command, and then the third line down is kind of interesting: we see them actually looking for some hidden file in that user's directory. It really didn't make sense when we initially saw them do that, but it makes sense later on, because what they're doing is effectively looking to see if their implant already exists on this host. And then sw_vers, which is basically the command to gather information about the operating system, gives you the build, the name, things like that, so they know where they've landed.

So we've got some initial information, they've done some initial recon, and obviously they want to establish persistence. So if you take their Safari Agent, they run a few more commands that we're able to see because it's going to shell out. They write two files using their implant; they write these hidden files, aws-cli and npm-audit. So a couple of things that are interesting about those files, right? One, they purportedly try and make them blend into the environment, right? aws-cli looks legit if you were to see that name; npm-audit also looks legit, npm being that package repository. So those file names sort of look like they could belong; however, the root of a user's directory isn't typically where you're going to find executable files like that, and they're hidden files too, so a couple of those things stand out. They basically execute those files as a daemon to get them running, and then they start doing some more reconnaissance of the file system. So they look in this PostgreSQL directory and they find a place where they want to land another binary for them. So they take their npm-audit and then they move that over and they name it psql tool. You guys are probably familiar with Postgres: there is a psql binary that exists that's legit, but not a psql tool binary, again attempting to blend into the environment. So they move it over, and then they write this plist file.

A plist file, which we'll talk about in a minute, is basically a property list file. It's what Mac uses, since it's an XML file, to capture information about daemons and processes that they want to execute. They take a look at that plist, make sure it looks okay, and this is what it looks like. So a couple of interesting things to point out from here, and that might be a bit of an eye chart, apologies, but what you'll notice about halfway down the screen is there's a Label key. Basically it's going to tell launchd what to call this; if someone were to query the system to say what launch agents or launch daemons do I have running, you're going to see the name of it right there, again intended to sort of blend into the environment. They've got LaunchOnlyOnce set as true, which didn't really make sense to us why they're doing that, but it could be trying to avoid detection. Basically what that's going to do is say run this once; if the process dies, don't try and restart it. The Program key is also very important, so that's what's actually going to be executed, and there you can see the line where they're executing psql tool, which is their implant.

So a little bit about macOS persistence. There are a number of ways to establish persistence on Mac; launch agents and launch daemons are one of the more common methods you'll see out there. So launchd is basically your system manager; it's the first thing that gets started right after the kernel starts up, so it usually has PID 1, and then what that will do is start any launch daemons that are going to be applied system-wide. So launch daemons apply to any user that logs into the system and will be running every time that system boots. You also have launch agents, which are specific to individual users, so launch agents won't actually be started until the particular user that the launch agent is associated with logs into the system. These things exist in various places across the operating system. So you have Apple-provided daemons and agents; those are going to be in /System/Library/LaunchDaemons and LaunchAgents, and those are protected by SIP and the file system. You've got root-level ones that are provided typically by third parties and software that you'll install, again at the root of /Library, and then you've got user-defined launch agents, and those are obviously in the user's Library/LaunchAgents directory.

All right, so going back to what the adversary is doing in terms of reconnaissance and exfiltration. Using the Safari Agent, this is where a bit of the exfiltration gets fuzzy for us. We see them run a few commands, netstat, ps, basically check to see is their implant running, do they have what they need. They run the dscl command; dscl is the Directory Service command line utility, think of your net group, those kinds of reconnaissance tools and activities on Windows. And so what they've done is dump a whole bunch of information from the user's profile straight into this hidden file in the temp directory, and that's effectively what we saw them exfilling once they were done running these recon commands.

Okay, so we'll jump into intrusion two. Again, let's talk about installation. This one's a bit more interesting, because we didn't actually see where this one came from. We presume, again, probably a social engineering vector in, but where we initially saw execution was through a malicious Jamf script. The technology organization used Jamf to manage their Mac endpoints, and within one of the scripts that got executed, we saw what actually looked like a legit script that was modified by the actor to add a few extra commands at the end, so that when the script got run it would do some extra things for them. So we've got the shell script that runs, and basically what they do again is run curl to pull down their second stage from their own infrastructure, set that executable, and then launch it again as a daemon, similar to the last intrusion that we talked about and other intrusions that we've seen. They named this implant jamfd, which at first glance you're going to look at and say, yep, sure, we use Jamf, so jamfd, it's a daemon, that makes sense. But again, running out of /tmp isn't where you'd expect to see that running from.

So again, they want to establish persistence, so they execute jamfd. jamfd is going to actually write another binary, and this is something interesting that we've seen Labyrinth Chollima do, and we're not sure if it's different operators that are coming in or if they're just testing different TTPs, but we've seen them write multiple copies of their implant. They'll write an implant, they'll run it, they'll stop it, they'll remove it, they'll write another copy, put it somewhere else, run it, and so it's not really clear what they're trying to achieve by doing that, but you'll see in this scenario where they run multiple variations of their implant. So they write another implant called Adobe Agent. They write it, it's sitting there, they spawn a bash shell, and they use their launch daemon persistence mechanism again. So they write this plist file, and then they use launchctl. launchctl is basically the command line utility to interface with the launchd service manager, so they use launchctl load to load that plist, and effectively what that's going to do is take what's in that plist, and that Program argument, if you recall, and execute that. So this is what the plist looks like this time. You can see again, middle of the screen, there's a Label, com.adobe.ARMDC blah blah blah; that's what launchd is going to recognize as the service, and then you can see they're running the Program, Adobe Agent under /usr/local/bin, which is where they stash their implant this time.

So now Adobe Agent runs. Thankfully Adobe Agent is going to shell out as well, and we're going to see some additional reconnaissance. What you'll notice, and you probably know if any of you are using Macs, is that a lot of these commands carry over from Linux, right, given the underpinnings of macOS, and then some of them are unique. So running uname, whoami, ifconfig to get some network information, then they run their sw_vers again to see what system they're on, they run that netstat command again, right? And this is something interesting: whenever we see them run that netstat command, if you happened to pick up on that a few slides ago, they like that annotation for some reason; netstat -anvp tcp is what they tend to always run. So when we see something like that, that kind of clues us in: who is the target, where are we seeing this, what context are we seeing it in, and that could be interesting. This time they enumerate some sensitive files in the user's directory, looking at their zsh history file to see maybe what that user's been executing, looking for SSH keys that they can use, so again trying to find avenues to harvest credentials, possibly engage in lateral movement, things like that. They run their dscl command; interestingly, they run it once, it doesn't work, the operator had a typo, so they run it again and then redirect their output again to another hidden file in /tmp. So we can kind of see some of their TTPs replaying over and over in this sense.

So now they go about persistence again, apparently. In this case Adobe Agent writes another implant, another file; they name it something different, they locate it in another place on the file system, and they make that executable. Now they run their new implant again, and it shells out, and they update their plist file to now use a different implant. So they move Adobe Agent to this other file called com.adobe.ARMDC JobBless daemon, so you remember before they actually had a plist file with that name. So now they've moved Adobe Agent there using this other implant, right, and we're not sure if they're trying to do that again to blend in; maybe they were concerned that the previous one would have stood out under scrutiny, things like that. So they take it upon themselves to establish this other persistence. This one's a bit more interesting: plist hijacking.

Again they run their implant, and we'll step through this one because there are a few lines to it. So just after creating the previous plist, renaming their implant to something else and persisting, they now take SMJobBlessHelper, which is a legitimate binary, and they move it to SMJobBlessHelp. So they rename that, take the legit binary, move it over, they look for it, it's good, they set their binary to executable, and then they load their plist file again. So think of the previous slide, where they had that plist; that plist was legit and going to execute the SMJobBlessHelper binary; now it's going to execute their implant. They decide to unload that, and they take SMJobBlessHelper, which is their implant, and they move it to SMJobBlessHelper_ (underscore). Then they take SMJobBlessHelp, right, which was the legit binary that they set aside, and they move that back to SMJobBlessHelper. Again, not sure of their thinking; basically what that binary does, I believe, is that when you run a piece of Adobe software it checks to make sure it's legit, licensed, that sort of thing. So maybe they thought, hey, if someone goes to fire up a piece of Adobe software and this thing tries to run, they may question it, they may look into it, they may find us, so let's move that one back. So they move that back. So now SMJobBlessHelper is the legit binary and their implant is named SMJobBlessHelper_.

So now they look at another legit service on the system, a legit executable, this Adobe GC Client AGSService. So they take that one, AGSService, and they move it to AGSServices, okay? So again they take the legit binary and set it aside as something else. Now they move their SMJobBlessHelper_, which again is their implant file, over to AGSService. So they've effectively taken that legit binary and replaced it with their implant file at this time, right? And now we see them look to make sure it's there, it's good, they modify the permissions a little bit, and then they load the AGSService plist. So that AGSService plist is actually a legit plist, right, which, when the system starts up, because it's a launch daemon, is going to launch that legit AGSService. So now what they've done is taken that legit plist and just put their binary in place of where that executable should load. So what this looks like to me is what I call plist hijacking, and they executed all these commands in less than five minutes, so they kind of knew where they were going and what they were looking at. It felt a bit like they were fumbling around a little bit, but that's where they landed, and that's where they left things in terms of persistence.

So some of the analysis hurdles that we come across when looking at Mac platforms: a lot of the activity can be very low footprint, and when you have low-footprint activity, especially on a Mac, which is an extremely noisy operating system, it can sometimes be difficult to determine how much of this is admin activity, how much of it is legit user activity, and what's really an actor. So you really need to understand what the system should be doing, understand that baseline, and have a general understanding of the executables and what you're running on your Macs to know what should stand out. Again, there's a lot of use of native binaries, which we're all very familiar with, the living off the land; clearly that's something that Labyrinth Chollima takes advantage of when they're doing their reconnaissance and things like that. We saw that they've tailored a number of their files to blend into the environment, so you combine low-footprint activity with a lot of files that you may not be familiar with, with names that look legit for services that should be there; all this stuff sort of complicates the analysis that you're going through.

Process lineage is a very difficult thing from an EDR perspective on Mac, and it's important, because if you see reconnaissance commands being run but you don't understand what the parent process is, or you see a parent process and you don't understand who the grandparent is, those things can all challenge the context that you're trying to develop around the activity that you're seeing. And then system irregularities: again, I mentioned macOS is a very noisy operating system. I also pointed out that there are these places where you put launch agents and launch daemons, places where third-party applications should put them, places where users can put them, but really you could do whatever you want, right? And so you're going to find things scattered across the file system, you're going to find files where you don't believe there should be files, executables where normally executables don't reside. So again it can be very challenging to understand what normal looks like when you've got this variety of activity on the systems that doesn't really make sense.

Okay, and I'll leave you with a pretty bland and unimpressive conclusion slide. So obviously the threat landscape is evolving, right? We're seeing a lot more effort and resources being devoted to the Mac platform, and again we're tying that to the fact that we're seeing more and more enterprises deploy Macs, again particularly in departments where you've got software developers or system administrators, folks with privileged access, as well as leadership positions in the organization. So as Macs continue to make their way into the enterprise, this is a trend that's going to continue, where users are, or not users, excuse me, adversaries are going to devote more and more effort to targeting those systems. And then a generic people, process, technology: how do you defend, if you are deploying Macs, the fleet of Macs that you have out there? Do you have analysts that understand and can analyze intrusion activity on a Mac? Do you have the technology deployed to those devices where you can actually gain visibility of what's happening on the endpoint? And do you have a process in place for conducting that analysis, performing response, remediation, all those kinds of activities? So the challenges with Macs play against the organization, and these are going to be important things to keep in mind heading off into the future. Pending any questions, that's all I had. Oh, excellent, hands. Yes sir.

let's see

That's interesting. Probably a bit out of my wheelhouse to be able to comment on their relationship. What I can say is, we have come across Chinese APT intrusions on macOS going back to, again, like the 2017 to 2018 time frame. It's hard to say if they're sharing any of that stuff with the North Koreans, but yeah, it would be pure speculation at this point and I probably couldn't give you a good answer.

Out of curiosity, any recent insights... oh, thank you, much better. So any insights in terms of, have you seen North Korean-attributed threat actors using pass-the-hash exploits?

Well, I'm not going to comment on anything outside of the Mac systems, because that's where I spent my time. What I will say, though, is that again LABYRINTH CHOLLIMA is extremely capable, they are well resourced, and outside of LABYRINTH CHOLLIMA we, we as in CrowdStrike, have a handful of other CHOLLIMA-named adversaries, and those are folks that I haven't spent a whole lot of time looking at in any great detail, but my guess would be they have those capabilities and can use them when they want.

Thank you. Once again, that was a great walkthrough. Thank you. Thanks.

I have a question about the Adobe. So after they changed the name of the original program, adding an "s" or an underscore, and then they use their implant and change it to the true name, right? They don't delete the original program, they leave it there. Does that kind of leave a fingerprint that they've been there, and do you have any ideas of why they wouldn't take that final step of removing that legitimate program?

Yeah, it definitely does. As I mentioned with that SMJobBless helper executable that they removed and then replaced, maybe because they didn't want to get detected. At the same time, this AGS service, or whatever it was, has now been set aside, so if that goes to execute, theoretically an administrator or somebody who's looking may determine that, hey, this isn't working the way it should. I think that is an artifact that they left behind. I don't really know why they did that. I don't know if it's a sort of evolving tradecraft that they have. Again, we've seen them start targeting Macs in 2018, so they've had some time to understand how to operate on a system, but we also recognize that they have different levels of operators. We've seen different behaviors across different Mac intrusions, so what that tells us is they may have a group that really understands what they're doing and another group that doesn't quite have the same playbook. So to answer your question, yep, leaving that legit binary that has been renamed on the system is definitely something that is a giveaway for them.

I have a follow-up real quick. So it looks like a lot of this is automated, right? They basically copy and paste a lot of their batch script and stuff like that. Is there also a possibility that they're leaving it behind for a later version of their malware, to test if the program starts to run incorrectly due to patching or something, so it can switch later? So if they keep it there for the moment, they can take it away until it calls back for an update of their own malware. Is that possible? Have you ever seen anything like that?

We have not seen anything like that. I would say probably anything's within the realm of possibility for these guys. We've also heard anecdotally that, so obviously they've got a very prominent currency generation mission, we've also heard that maybe they are partly initial access operations, where they're going to get in, they're going to recon a system, they're going to exfil stuff that they need, and then it could be, say, a SILENT CHOLLIMA or a STARDUST CHOLLIMA or another CHOLLIMA that will come in on the back end and use the access that they already have to then carry out additional actions on objective, right? So leaving behind implants may be something that they intend to do for that reason, or it could just be sloppy on their part.

I love the questions. It's a good question. Hey, thank you. Have you seen anything specific to macOS in terms of covering tracks or anti-forensics that these groups are using?

In terms of anti-forensics, I would have to say no, we have not, not in the traditional sense like we've seen on Windows and Linux systems, in terms of clearing logs or replacing log files or anything like that. They haven't gone to any great lengths that we've seen. One thing that I will say is that a lot of the implants that these guys are using provide the ability to run commands through the implant, and provide the ability to shell out, as we've seen. And so when they run commands natively via their implant, those are things that we don't have visibility of. So I'll make a general caveat that I know there are commands that they are running, there's things that they're doing that we just don't see, and we know that based on the activity: if we were to basically timeline all of the hands-on activity that we're seeing, there are gaps in it, and there are things that sort of appear out of nowhere that we understand from our malware folks, you know, the implants have the capability to execute commands and do certain things. So we have to sort of make an analytical leap and say, hey, they run these commands and all of a sudden a zip file appears; we're going to say that they're using their implant to archive, because we don't see them running anything else to create a zip file. So whether they're doing any anti-forensics with their implant, I can't really say for sure, but on the command line we have not seen anything traditional in terms of anti-forensics.

I had two questions for you. The first part is, I'm not sure if you're familiar with the CircleCI breach from earlier this year, or I guess the tail end of last year. It sounds like what you're describing here: basically a developer workstation was breached, it was a macOS, they used access on there to steal credentials and so on. I'm curious if you think that may have the fingerprints of a North Korean APT. And then my second part of the question is, I'd really love to run some purple team exercises on these. Are there some resources available where I can kind of download the same information you presented here today? Thank you.

I guess I would answer the first question with yes, and the second question... So CircleCI, yeah, there's definitely some fingerprints of LABYRINTH CHOLLIMA in the activity that we saw and what we've seen from the data and the reports that have been released on CircleCI. In terms of open source resources, I don't know of any offhand. One of the reasons that I wanted to do this presentation was because, again, CHOLLIMAs have been in the news, but a lot of what I've been reading has been, hey, here's an implant, or here's a malicious file and here's kind of what it does, as opposed to what does the adversary look like when they're on the keyboard, what are the commands that they're running, how are they running them, that sort of thing. So in terms of recreating stuff, maybe we could talk offline after this, but I don't know of any good repositories of the hands-on component of this that's out there.

Yeah, there was a question of... I'm sorry, you've been very patient. In terms of

Yep, so I guess the short answer is no, because, so maybe I should have mentioned at the outset, all of the stuff that we've got is from our sensor, and we can see exfil basically up to the point where we believe it leaves the system. So, you know, LABYRINTH CHOLLIMA is known to reuse infrastructure, so the C2s, the domains that they're using. They will go to great lengths to establish some OPSEC up front, right, where they say, here's a dropper, let me give you stage one, see if that's a system I want to be on before I drop stage two or straight to stage three, and burn those binaries. But once they do that, then they don't really care that they've been found, right? To go back to the other gentleman's question, they leave stuff behind, they reuse, years later, the same infrastructure. And so I feel like once they've landed on a target, at that point they don't care if the finger gets pointed back to them. So we don't really see exactly where that exfil is going. What I can say is that in terms of the metanet implant that we've seen, the metanet implant has gone through evolutions and improvements, and in the different variations that we've seen, we've seen the exfil from that implant be consistent in the artifacts that it leaves on the host, which has been beneficial to us from a hunting perspective. But that's really as far as we can go to say what consistencies are there around exfil.

Due to time constraints, Greg will take the rest of the questions offline. Thank you, Greg, that was great. Thank you. Thank you everybody. Thank you.
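The conclusion above urges defenders to know their baseline: where launch agents and launch daemons are supposed to live, which executables belong on the box, and what stands out when files appear where they should not. The Q&A adds one concrete tell, the displaced original that is left beside the impostor with an "s" or underscore appended. The following script is an added example written for this transcript; it is not code from the talk or from CrowdStrike. It walks the standard launchd directories, parses each plist, and reports entries whose program lives outside the locations where executables normally reside, programs that no longer exist, plists whose `Label` does not match the file name, and the renamed-sibling pattern. `EXPECTED_PREFIXES` and `RENAME_SUFFIXES` are assumptions to be tuned against your own fleet; the `fs_root` parameter lets the same scan run against a mounted image or a constructed directory tree instead of the live host.

```python
"""Baseline check for macOS launchd persistence locations.

Added example (not from the talk or CrowdStrike). Walks the standard
LaunchAgents/LaunchDaemons directories, parses each .plist and flags the
things a hunter would want to look at first.
"""
import plistlib
from pathlib import Path

# The standard launchd item directories on macOS (real paths).
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    str(Path.home() / "Library/LaunchAgents"),
]

# Assumed baseline: where a program run by launchd is expected to live.
# Tune this to your fleet; anything else is worth a second look.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                     "/Applications/", "/Library/Apple/")

# Suffixes the Q&A describes being appended to a displaced original binary.
RENAME_SUFFIXES = ("_", "s")


def program_of(plist):
    """Return the executable path a launchd plist will run, or None."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def scan_launch_dir(directory, fs_root="/"):
    """Parse every .plist in `directory` and return a list of findings.

    `fs_root` is prepended to program paths for the on-disk checks, so the
    scan can run against a mounted image or a constructed test tree.
    Each finding is {"plist": path, "program": path-or-None, "reasons": [...]}.
    """
    findings = []
    root = Path(fs_root)
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # malformed or non-plist content is itself a finding
            findings.append({"plist": str(plist_path), "program": None,
                             "reasons": [f"unparseable plist: {exc}"]})
            continue

        prog = program_of(plist)
        if prog is None:
            findings.append({"plist": str(plist_path), "program": None,
                             "reasons": ["no Program or ProgramArguments"]})
            continue

        reasons = []
        if not prog.startswith(EXPECTED_PREFIXES):
            reasons.append("program outside expected locations")
        on_disk = root / prog.lstrip("/")
        if not on_disk.exists():
            reasons.append("program missing from disk")
        # The displaced-original pattern: <program>_ or <program>s next to it.
        for suffix in RENAME_SUFFIXES:
            if (on_disk.parent / (on_disk.name + suffix)).exists():
                reasons.append(f"renamed sibling present: {on_disk.name}{suffix}")
        # By convention the file is named <Label>.plist; a mismatch is a weak tell.
        label = plist.get("Label")
        if label and plist_path.stem != label:
            reasons.append("label does not match filename")
        if reasons:
            findings.append({"plist": str(plist_path), "program": prog,
                             "reasons": reasons})
    return findings


def scan_host(dirs=LAUNCH_DIRS, fs_root="/"):
    """Run scan_launch_dir over every standard directory that exists."""
    results = []
    for d in dirs:
        if Path(d).is_dir():
            results.extend(scan_launch_dir(d, fs_root))
    return results


if __name__ == "__main__":
    for f in scan_host():
        print(f["plist"], f["program"], "; ".join(f["reasons"]), sep="\t")
```

Run it once on a known-clean build to record what your baseline produces (a few vendor agents will legitimately sit outside the assumed prefixes), then diff later runs against that record; an Apple-looking label pointing at a program under a user's home directory, or a program with a `_`-suffixed twin beside it, is what the talk describes as the thing that should stand out.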