Greg Lesnewich

Surveying Similarities in MacOS Components used in North Korean CryptoHeists

While many state-aligned threats have dipped their toes into MacOS Malware, North Korea has invested serious time and effort into compromising that operating system. Their operations in MacOS environments include both espionage and financial gain. MacOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; comparatively, executables for Windows have “easy” pivots such as import hashing or rich headers, to find additional samples without much effort. This talk will introduce some of those easy pivots for Macho files, using North Korean samples as an initial case study; along the way, attendees will get a tour of the North Korean clusters using Macho samples, how those clusters intersect, how their families relate to one another, and be shown how some simple pivots can link a group’s families together.

Greg Lesnewich is a Senior Threat Researcher at Proofpoint, focused on hunting, detecting, and disrupting malicious activity linked to North Korea. Greg has a background in threat intelligence, incident response, and managed detection, previously working at Recorded Future, Leidos, and NCFTA, with experience in developing methods of tracking espionage and state-sponsored activity. Greg enjoys the topics of weird forensic artifacts, measuring malware similarity, YARA, and infrastructure tracking.