OceanLotus: macOS malware update

In March 2019, a new macOS malware sample from the OceanLotus group was uploaded to VirusTotal, the well-known online scanning service. The backdoor executable has the same capabilities as the earlier version of the macOS malware we analysed, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find a dropper associated with this sample, so the infection vector is still unknown.

We recently published a post about OceanLotus and how its operators try to establish persistence, speed up code execution and reduce their footprint on Windows systems. It is also known that this group has a macOS component. This post details the changes in the latest version of the malware for macOS compared with the previous version (described by Trend Micro), and explains how you can automate string decryption during analysis using the IDA Hex-Rays API.


Analysis

The next three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is called flashlight; ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognise it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. This makes static detection difficult. Interestingly, after unpacking, the entry point is at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the image below.

Figure 1. Mach-O __cfstring section attributes

As shown in Figure 2, placing the code in the __cfstring section lets the malware fool some disassembly tools by presenting code as strings.

Figure 2. Backdoor code identified by IDA as data

Once executed, the binary creates an anti-debugging thread whose only purpose is to continually check for the presence of a debugger. To do so, the thread:

- tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- checks whether certain exception ports are open by calling the task_get_exception_ports function
- checks whether a debugger is attached, as shown in the image below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using the sysctl function

If the watchdog detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample then checks the return values against a hardcoded list of strings from well-known virtualisation systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" means MacBook Pro, "MBA" means MacBook Air, and so on.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
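The three environment-check commands above are a useful detection handle, because they are rarely chained together by a single parent process on a real workstation. The following Go program is an added example (it is not ESET's code and not part of the original post): it scans a constructed process-execution log, matches each command line against patterns derived from the commands in this section, and reports parent processes that issued two or more distinct reconnaissance commands. The log format (`pid=... ppid=... cmd=...`) and the sample lines are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// reconPatterns are regular expressions for the environment-check commands
// described in the analysis: the hypervisor "Manufacturer" lookup, the
// hw.model query and the Boot ROM Version query.
var reconPatterns = []struct {
	Label string
	Re    *regexp.Regexp
}{
	{"hypervisor-manufacturer", regexp.MustCompile(`ioreg\s+-l\s*\|\s*grep\s+-e\s+"?Manufacturer"?`)},
	{"hw-model", regexp.MustCompile(`\bsysctl\s+hw\.model\b`)},
	{"boot-rom-version", regexp.MustCompile(`system_profiler\s+SPHardwareDataType.*Boot ROM Version`)},
}

// lineRe parses the constructed log format used below: "pid=<n> ppid=<n> cmd=<command line>".
var lineRe = regexp.MustCompile(`^pid=(\d+)\s+ppid=(\d+)\s+cmd=(.*)$`)

// Finding is one log line whose command matched a reconnaissance pattern.
type Finding struct {
	PPID  string
	Label string
	Cmd   string
}

// ScanProcessLog returns one Finding per log line that matches any pattern.
// Lines that are not in the expected format are ignored.
func ScanProcessLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(l))
		if m == nil {
			continue
		}
		for _, p := range reconPatterns {
			if p.Re.MatchString(m[3]) {
				out = append(out, Finding{PPID: m[2], Label: p.Label, Cmd: m[3]})
			}
		}
	}
	return out
}

// SuspiciousParents returns the parent PIDs that issued at least minDistinct
// different reconnaissance commands. A lone "sysctl hw.model" is ordinary
// admin activity; the combination from one parent is what the backdoor does
// right after its anti-debugging checks.
func SuspiciousParents(findings []Finding, minDistinct int) []string {
	seen := map[string]map[string]bool{}
	for _, f := range findings {
		if seen[f.PPID] == nil {
			seen[f.PPID] = map[string]bool{}
		}
		seen[f.PPID][f.Label] = true
	}
	var out []string
	for ppid, labels := range seen {
		if len(labels) >= minDistinct {
			out = append(out, ppid)
		}
	}
	sort.Strings(out)
	return out
}

// SampleLog is a constructed process-execution log, not real telemetry.
var SampleLog = []string{
	`pid=501 ppid=1 cmd=/usr/libexec/timed`,
	`pid=812 ppid=790 cmd=sysctl hw.model`, // an administrator at a terminal
	`pid=903 ppid=880 cmd=sh -c ioreg -l | grep -e "Manufacturer"`,
	`pid=904 ppid=880 cmd=sysctl hw.model`,
	`pid=905 ppid=880 cmd=sh -c system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'`,
	`pid=950 ppid=1 cmd=/usr/bin/log stream`,
}

func main() {
	findings := ScanProcessLog(SampleLog)
	for _, f := range findings {
		fmt.Printf("ppid=%s %-24s %s\n", f.PPID, f.Label, f.Cmd)
	}
	fmt.Println("suspicious parents:", SuspiciousParents(findings, 2))
}
```

On the constructed log, parent 790 (one hw.model query) is ignored while parent 880, which ran all three checks, is reported; the threshold is a parameter so it can be tuned against real telemetry.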

Main additions

While the backdoor commands have not changed since the Trend Micro analysis, we noticed a few other modifications. The C&C servers used in this sample are new and were created on 22.10.2018.

- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.

[Table image: commands used to collect host information]

Apart from this configuration change, the sample does not use a built-in library for network filtering, but an external library. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. When a decryption attempt leads to a successful dlopen call, the backdoor retrieves the exported functions Boriry and ChadylonV, which are apparently responsible for network communication with the server. We do not have the dropper or other files from the sample's original location, so we cannot analyse this library. Furthermore, since the component is encrypted, a YARA rule based on these strings would not match the file found on disk.

As described in the article mentioned above, it creates a clientID. This ID is presumably the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- an unknown command ("\x1e\x72\x0a") that was used in earlier samples

Before hashing, "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed using the touch -t command with a random value.
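Because the clientID is derived deterministically from host identifiers, an incident responder who sees an ID in C&C traffic can attribute it to a specific host and privilege level by recomputing the candidates. The Go program below is an added example, not ESET's code and not part of the original post: it reproduces the construction described here (command output with "1" for root or "0" otherwise appended, then MD5), enumerates every ID a host could produce from the three known sources, and looks an observed ID up among them. The serial number, UUID and MAC address used are constructed values, and the assumption that the flag is appended as a single ASCII character follows the text above.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// HostIdentifiers holds the outputs of the three commands the backdoor hashes.
// The values assigned below are constructed, not from a real machine.
type HostIdentifiers struct {
	SerialNumber string // ioreg ... IOPlatformSerialNumber
	PlatformUUID string // ioreg ... IOPlatformUUID
	MACAddress   string // ifconfig en0 | awk '/ether /{print $2}'
}

// ClientID reproduces the construction described in the analysis: the command
// output with "1" (root) or "0" (non-root) appended, then MD5, hex-encoded.
func ClientID(value string, isRoot bool) string {
	flag := "0"
	if isRoot {
		flag = "1"
	}
	sum := md5.Sum([]byte(value + flag))
	return hex.EncodeToString(sum[:])
}

// StoragePath returns where the sample writes the clientID for each privilege level.
func StoragePath(isRoot bool) string {
	if isRoot {
		return "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex"
	}
	return "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML"
}

// Candidates enumerates every clientID a host could produce from the three
// known sources, keyed by ID, with a description of source and privilege.
func Candidates(h HostIdentifiers) map[string]string {
	out := map[string]string{}
	sources := map[string]string{"serial": h.SerialNumber, "uuid": h.PlatformUUID, "mac": h.MACAddress}
	for name, v := range sources {
		for _, root := range []bool{false, true} {
			out[ClientID(v, root)] = fmt.Sprintf("%s root=%t", name, root)
		}
	}
	return out
}

// Attribute looks an observed ID up among a host's candidates. ok is false when
// none of the three known sources produced it, for example when the unknown
// "\x1e\x72\x0a" command was used instead.
func Attribute(observed string, h HostIdentifiers) (desc string, ok bool) {
	desc, ok = Candidates(h)[observed]
	return desc, ok
}

func main() {
	host := HostIdentifiers{ // constructed sample values
		SerialNumber: "C02EXAMPLE0001",
		PlatformUUID: "12345678-ABCD-4EF0-9876-0123456789AB",
		MACAddress:   "02:00:5e:00:53:01",
	}
	observed := ClientID(host.MACAddress, true) // stands in for an ID seen in C&C traffic
	desc, ok := Attribute(observed, host)
	fmt.Printf("%s -> %s (found=%t), stored at %s\n", observed, desc, ok, StoragePath(true))
}
```

The lookup is cheap enough to run over an entire asset inventory, so a single beacon ID can be matched against every managed Mac without touching the hosts.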

String encryption

As with previous variants, strings are encrypted using AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script can help with future analysis of OceanLotus and of samples we have not yet obtained. The script is based on a generic method for retrieving the arguments passed to a function; in addition, it looks up the assignments of the parameters. The method can be reused to obtain the list of a function's arguments and then pass it to a callback.

Knowing the prototype of the decrypt function, the script finds all cross-references to that function and all their arguments, then decrypts the data and places the plaintext in a comment at the cross-reference address. For the script to work correctly, it must be set to the custom alphabet used by the base64 decode function, and a global variable holding the key length must be defined (in this case a DWORD, see Figure 4).
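The string decryption just described and the network-library decryption from the "Main additions" section use the same primitive: AES-256-CBC with a 20-byte key zero-padded to 32 bytes and an all-zero IV. The Go program below is an added example of that routine, written for this post and not taken from ESET's IDA script or the malware: it derives both keys as the text describes (the string key hex-decoded, the library key as ASCII), decrypts with a zero IV, and for the library case checks whether the plaintext starts with a Mach-O magic number, which is the offline analogue of the sample's dlopen test. Three details are assumptions not stated on the page: PKCS#7 padding is used (CCCrypt's usual option), the base64 decode happens before decryption, and the base64 alphabet is left as the standard one in a variable that must be replaced with the sample's custom alphabet. The encryption helper exists only to construct test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// ZeroPadKey pads (or truncates) a key with zero bytes to the AES-256 size of 32 bytes.
func ZeroPadKey(raw []byte) []byte {
	key := make([]byte, 32)
	copy(key, raw)
	return key
}

// StringKey is the string-encryption key from the analysis, hex-decoded then zero-padded.
func StringKey() []byte {
	raw, err := hex.DecodeString("9D7274AD7BCEF0DED29BDBB428C251DF8B350B92")
	if err != nil {
		panic(err)
	}
	return ZeroPadKey(raw)
}

// LibraryKey is the key the backdoor tries against every file in its directory, zero-padded.
func LibraryKey() []byte { return ZeroPadKey([]byte("gFjMXBgyXWULmVVVzyxy")) }

// DecryptCBC decrypts AES-256-CBC with an all-zero IV. PKCS#7 padding is assumed.
func DecryptCBC(key, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // IV filled with zeros, as described
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) {
		return nil, errors.New("bad padding (wrong key or not PKCS#7)")
	}
	for _, c := range pt[len(pt)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding (wrong key or not PKCS#7)")
		}
	}
	return pt[:len(pt)-n], nil
}

// EncryptCBC is the inverse of DecryptCBC, used here only to construct sample ciphertext.
func EncryptCBC(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return ct, nil
}

// Base64Alphabet is a placeholder: the sample uses a custom alphabet that must be
// recovered from the binary and substituted here, exactly as the IDA script requires.
var Base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// DecryptString base64-decodes with the configured alphabet and decrypts with the string key.
func DecryptString(encoded string) (string, error) {
	ct, err := base64.NewEncoding(Base64Alphabet).DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := DecryptCBC(StringKey(), ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncodeString is the inverse of DecryptString, used only to build a sample input.
func EncodeString(plain string) (string, error) {
	ct, err := EncryptCBC(StringKey(), []byte(plain))
	if err != nil {
		return "", err
	}
	return base64.NewEncoding(Base64Alphabet).EncodeToString(ct), nil
}

// LooksLikeMachO reports whether a decrypted blob starts with a 64-bit or fat Mach-O magic.
func LooksLikeMachO(b []byte) bool {
	return len(b) >= 4 && (bytes.Equal(b[:4], []byte{0xCF, 0xFA, 0xED, 0xFE}) || bytes.Equal(b[:4], []byte{0xCA, 0xFE, 0xBA, 0xBE}))
}

func main() {
	enc, _ := EncodeString("constructed sample string") // stands in for a string lifted from the binary
	plain, err := DecryptString(enc)
	fmt.Printf("%s -> %q (err=%v)\n", enc, plain, err)
}
```

Run against the files in an infected user's working directory, DecryptCBC with LibraryKey followed by LooksLikeMachO identifies the encrypted network library that a string-based YARA rule would miss; a padding error on every file is the expected result on a clean machine.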

Figure 4. Definition of the global key-length variable

In the Functions window, you can right-click the decryption function and click "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted text placed in comments

This way, the decrypted strings are conveniently grouped together in the IDA xrefs window for that function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script is available in the GitHub repository.

Conclusion

As already mentioned, OceanLotus is constantly evolving and updating its toolset. This time, the group has improved the malware targeting Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products were already detecting this file at the time of analysis. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is still unknown.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK techniques are available on GitHub.

Source: www.habr.com
