OceanLotus: Malware update for macOS

In March 2019, a new macOS malware sample from the OceanLotus group was uploaded to VirusTotal, a popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we could not find a dropper associated with this sample, so we do not yet know the infection vector.

We recently published a post about OceanLotus and how its operators try to ensure persistence, speed up code execution and minimize their footprint on Windows systems. It is also known that this group has a macOS component. This post details the changes in the latest version of the macOS malware compared to the previous version (described by Trend Micro), and shows how string decryption can be automated during analysis with the IDA Hex-Rays API.


Analysis

The following three sections describe the analysis of a sample with the SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such, probably because their signatures depend on the presence of the "UPX" string, and because Mach-O signatures are less common and updated less often. This makes static detection harder. Interestingly, after unpacking, the entry point is at the beginning of the __cfstring section in the __TEXT segment. This section has the flags shown in the figure below.

Figure 1. Mach-O __cfstring section attributes

As shown in Figure 2, placing the code in the __cfstring section fools some disassembly tools into displaying the code as strings.

Figure 2. The backdoor code is defined by IDA as data

Once run, the binary creates an anti-debugging thread whose sole purpose is to continuously check for the presence of a debugger. This thread:

- Tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether exception ports are set by calling task_get_exception_ports
- Checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using sysctl

If the watchdog detects a debugger, it calls exit. The sample then checks its environment by executing two commands:

ioreg -l | grep -e "Manufacturer"
sysctl hw.model

The sample then compares the output against a hard-coded list of strings from known virtualization products: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine's Boot ROM version starts with one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are Apple model codes; for example, "MBP" stands for MacBook Pro and "MBA" for MacBook Air.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
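The three environment checks above decide whether the backdoor runs at all, so an analyst preparing a sandbox wants to know in advance whether a given VM would be rejected. The following script reproduces those checks on captured command output. It is an added example, not the malware's code: case-insensitive substring matching for the VM markers and a whitespace-trimmed prefix match for the model code are assumptions, and the command outputs embedded below are constructed, not captured from real machines.

```python
"""Re-implementation of the OceanLotus macOS sandbox checks on captured command
output. Added example; the matching rules are assumptions, not the malware's code."""

# Markers looked for in `ioreg -l | grep -e "Manufacturer"` and `sysctl hw.model`.
VM_MARKERS = ("acle", "vmware", "virtualbox", "parallels")
# Apple model prefixes accepted at the start of the Boot ROM Version string.
MODEL_PREFIXES = ("MBP", "MBA", "MB", "MM", "IM", "MP", "XS")


def looks_virtualized(ioreg_out: str, hw_model_out: str) -> bool:
    """True if any VM marker occurs in either command output.
    Case-insensitive substring matching is an assumption."""
    haystack = (ioreg_out + "\n" + hw_model_out).lower()
    return any(marker in haystack for marker in VM_MARKERS)


def boot_rom_model(system_profiler_out: str) -> str:
    """Replicate the awk pipeline: on the 'Boot ROM Version' line, split on ':'
    and take awk's line[2] (the text up to the next ':'), trimmed."""
    for line in system_profiler_out.splitlines():
        if "Boot ROM Version" in line:
            parts = line.split(":")
            return parts[1].strip() if len(parts) > 1 else ""
    return ""


def is_known_apple_model(boot_rom: str) -> bool:
    """Prefix test against the hard-coded model codes."""
    return boot_rom.startswith(MODEL_PREFIXES)


def environment_verdict(ioreg_out: str, hw_model_out: str, system_profiler_out: str) -> dict:
    """Combine the checks the way the backdoor does: run only on a physical,
    recognised Apple model."""
    model = boot_rom_model(system_profiler_out)
    virtualized = looks_virtualized(ioreg_out, hw_model_out)
    known = is_known_apple_model(model)
    return {"virtualized": virtualized, "boot_rom": model,
            "known_model": known, "would_run": (not virtualized) and known}


# Constructed command outputs (not captured from real hardware) for three hosts.
SAMPLES = {
    "vmware_guest": (
        '    |   "Manufacturer" = <"VMware, Inc.">\n',
        "hw.model: VMware7,1\n",
        "Hardware:\n\n    Hardware Overview:\n\n"
        "      Model Name: Mac\n      Boot ROM Version: VMW71.00V.0.B64.1708190201\n",
    ),
    "macbook_pro": (
        '    |   "Manufacturer" = <"Apple Inc.">\n',
        "hw.model: MacBookPro13,3\n",
        "Hardware:\n\n    Hardware Overview:\n\n"
        "      Model Name: MacBook Pro\n      Boot ROM Version: MBP133.0233.B00\n",
    ),
    # physical non-Apple firmware: not a VM, but the model code is unknown
    "non_apple_firmware": (
        '    |   "Manufacturer" = <"Apple Inc.">\n',
        "hw.model: iMac18,3\n",
        "Hardware:\n\n      Boot ROM Version: Z390.F11\n",
    ),
}

if __name__ == "__main__":
    for name, outputs in SAMPLES.items():
        print(name, environment_verdict(*outputs))
```

A sandbox whose `sysctl hw.model` or `ioreg` output still carries the hypervisor vendor name, or whose firmware version string does not begin with an Apple model code, will never see the backdoor reach its C&C stage.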

Main additions

While the backdoor commands have not changed since Trend Micro's research, we noticed a few other modifications. The C&C servers used in this sample are fairly new, having been created on 22 October 2018.

daff.faybilodeau[.]com
sarc.onteagleroad[.]com
au.charlineopkesston[.]com

The resource URI changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.

(Table of host-information commands; rendered as an image in the original post.)

Apart from the configuration changes, the sample no longer uses libcurl for network communication but an external library. To find it, the backdoor tries to decrypt every file in its current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library with dlopen. When a decryption attempt results in a successful dlopen call, the backdoor retrieves the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyze this library. Moreover, since the component is encrypted on disk, a YARA rule based on these strings will not match the file found on disk.

As described in the previous article, a clientID is created. This identifier is the MD5 hash of the output of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (get MAC address)
- an unknown command ("\x1e\x72\x0a"), also used in previous samples

Before hashing, the character "0" or "1" is added to the output to indicate whether the process has root privileges. The clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML otherwise. The file is usually hidden with _chflags, and its timestamp is changed with touch -t using a random value.

String decryption

As in the previous variants, strings are encrypted with AES-256-CBC (hex key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92, padded with zeros; IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption scheme, decryption can be automated. Alongside this post we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in a binary. It may help in future analysis of OceanLotus and of existing samples we have not yet been able to obtain. The script is based on a generic method for retrieving the arguments passed to a function, and it also follows parameter assignments. The method can be reused to obtain a function's argument list and pass it to a callback.
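Both uses of AES-256-CBC on this page (the search for the encrypted network library in the backdoor's directory, and the string decryption the IDA script automates) can be reproduced offline. The script below is an added example, not ESET's IDA script and not the malware's code. It assumes PKCS#7 padding (CCCrypt only pads when asked, so if a decrypted string ends in junk, skip the unpad step), assumes the zero IV stated for strings also applies to the library files, assumes "=" stays the base64 pad character, and substitutes a Mach-O magic check for the backdoor's dlopen test. The custom base64 alphabet used in the demo is constructed; the real one has to be recovered from the sample, as the text explains. The test vectors are built with the encrypt helper, which exists only for that purpose.

```python
"""Offline re-implementation of the two AES-256-CBC uses described on this page.
Added example, not ESET's IDA script and not the malware's code."""
import base64
import os
import tempfile

try:  # prefer the `cryptography` package, fall back to PyCryptodome
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool = False) -> bytes:
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES

    def aes_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool = False) -> bytes:
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)

STRING_KEY = bytes.fromhex("9D7274AD7BCEF0DED29BDBB428C251DF8B350B92")  # 20 bytes, from the text
LIBRARY_KEY = b"gFjMXBgyXWULmVVVzyxy"                                     # 20 bytes, from the text
ZERO_IV = bytes(16)  # stated for strings; assumed for the library files as well
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xfe\xed\xfa\xce", b"\xca\xfe\xba\xbe")


def pad_key(key: bytes) -> bytes:
    """Zero-pad the 20-byte key to the 32 bytes AES-256 expects."""
    return key.ljust(32, b"\x00")[:32]


def strip_pkcs7(data: bytes) -> bytes:
    """Drop PKCS#7 padding if well formed; otherwise return the data untouched (assumption)."""
    n = data[-1] if data else 0
    return data[:-n] if 1 <= n <= 16 and data.endswith(bytes([n]) * n) else data


def custom_b64decode(encoded: bytes, alphabet: bytes) -> bytes:
    """Decode base64 written with a non-standard 64-character alphabet by mapping it
    onto the standard alphabet first; '=' is assumed to remain the pad character."""
    if len(alphabet) != 64:
        raise ValueError("alphabet must contain exactly 64 characters")
    std = encoded.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std + b"=" * (-len(std) % 4))


def decrypt_string(encoded: bytes, alphabet: bytes, key: bytes = STRING_KEY) -> bytes:
    """Custom base64 -> AES-256-CBC (zero IV, zero-padded key) -> unpad."""
    blob = custom_b64decode(encoded, alphabet)
    if not blob or len(blob) % 16:
        raise ValueError("decoded data is not a whole number of AES blocks")
    return strip_pkcs7(aes_cbc(pad_key(key), ZERO_IV, blob))


def encrypt_string(plain: bytes, alphabet: bytes, key: bytes = STRING_KEY) -> bytes:
    """Inverse of decrypt_string; only here to build test vectors (the malware never encrypts)."""
    n = 16 - len(plain) % 16
    blob = aes_cbc(pad_key(key), ZERO_IV, plain + bytes([n]) * n, encrypt=True)
    return base64.b64encode(blob).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def find_encrypted_library(directory: str, key: bytes = LIBRARY_KEY) -> list:
    """Mimic the backdoor's search: decrypt every regular file in `directory` and keep
    those whose plaintext starts with a Mach-O magic (the backdoor instead writes each
    result to /tmp/store and tries dlopen). Returns [(file name, plaintext), ...]."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            blob = fh.read()
        if not blob or len(blob) % 16:
            continue  # cannot be a whole AES-CBC ciphertext
        plain = aes_cbc(pad_key(key), ZERO_IV, blob)
        if plain[:4] in MACHO_MAGICS:
            hits.append((name, strip_pkcs7(plain)))
    return hits


def build_sample_directory() -> tuple:
    """Constructed fixture: a temp directory with a fake 'library' (a Mach-O 64 magic
    plus filler, not a real binary) encrypted under LIBRARY_KEY, and one decoy file."""
    fake = b"\xcf\xfa\xed\xfe" + b"\x07" * 60
    n = 16 - len(fake) % 16
    enc = aes_cbc(pad_key(LIBRARY_KEY), ZERO_IV, fake + bytes([n]) * n, encrypt=True)
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "blob.dat"), "wb") as fh:
        fh.write(enc)
    with open(os.path.join(directory, "decoy.plist"), "wb") as fh:
        fh.write(b"<plist/>" * 2)  # 16 bytes: block-aligned, but decrypts to junk
    return directory, fake


if __name__ == "__main__":
    alphabet = b"ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"  # constructed
    token = encrypt_string(b"/dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35", alphabet)
    print(token, decrypt_string(token, alphabet))
    sample_dir, _ = build_sample_directory()
    print([name for name, _ in find_encrypted_library(sample_dir)])
```

Pointing find_encrypted_library at a disk image's copy of the backdoor's working directory is the practical way to recover the Boriry/ChadylonV library for analysis, since a YARA rule on its exported names cannot match the encrypted file.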

Knowing the prototype of the decrypt function, the script finds all cross-references to it, recovers all arguments, decodes the data and places the plaintext in a comment at the address of each cross-reference. For the script to work properly, the custom alphabet used by the base64 decoding function must be set, and a global variable holding the key length must be defined (here a DWORD, see Figure 4).

Figure 4. Defining the key_len global variable

In the Functions window, right-click the decryption function and choose Extract and Decode Arguments. The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Deciphered text placed in comments

This way, the decrypted strings are conveniently listed together in IDA's xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final version of the script can be found in the GitHub repository.

Conclusion

As already mentioned, OceanLotus keeps improving and updating its toolset. This time the group has refined its malware targeting Mac users. The code has not changed much, but since many Mac users do not run security products, protecting the malware from detection is a secondary concern for the attackers.

ESET products already detected this file at the time of the investigation. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK techniques are also available on GitHub.

Source: habr.com
