OceanLotus: macOS malware update

In March 2019, a new sample of macOS malware from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we could not find a dropper associated with this sample, so the infection vector is still unknown.

We recently published a report on OceanLotus and how its operators try to achieve persistence, execute their code, and reduce their footprint on Windows systems. It is also known that this cyber group maintains components for macOS. This post describes the changes in the latest version of the malware for macOS compared with the previous version (described by Trend Micro), and also explains how you can automate the decryption of strings during analysis using the IDA Hex-Rays API.


Analysis

The following sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd, and ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. These characteristics make static detection difficult. Interestingly, after unpacking, the entry point is located at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.

Figure 1. Mach-O __cfstring section attributes

As shown in Figure 2, placing the code in the __cfstring section makes it possible to fool some disassembly tools, which display the code as strings.

Figure 2. Backdoor code detected by IDA as data

When executed, the binary creates a thread as an anti-debugging measure whose sole purpose is to continuously check for the presence of a debugger. This thread:

- Tries to unhook any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether certain exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the figure below, by checking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using the sysctl function

If the watchdog detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample then checks the return value against a hard-coded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the next command checks whether the machine is one of the following: "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" stands for MacBook Pro, "MBA" for MacBook Air, and so on.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'

Main additions

While the backdoor commands have not changed since Trend Micro's research, we noticed some other modifications. The C&C servers used in this sample are new and were created on 22.10.2018:

- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.

[Table: commands used to collect host information]

In addition to this change, the sample does not use the libcurl library for network exfiltration, but an external library instead. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. When a decryption attempt results in a successful dlopen call, the backdoor retrieves the exported functions Boriry and ChadylonV, which are responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyze this library. Moreover, because the component is encrypted, a YARA rule based on these strings will not match the file on disk.

As described in the article referenced above, it creates a client ID. This ID is the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (retrieves the MAC address)
- an unknown sequence ("\x1e\x72\x0a"), which was used in previous samples

Before hashing, "0" or "1" is added to the return value to indicate whether the process has root privileges. This client ID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed using the touch -t command with a random value.

Decrypting strings

As in previous variants, the strings are encrypted with AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) using the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script can help with future analysis of OceanLotus and with the analysis of existing samples we have not yet obtained. The script is based on a universal method for retrieving the arguments passed to a function. In addition, it looks at the parameter assignments. The method can be reused to obtain the list of a function's arguments and then pass it to a callback.

Knowing the prototype of the decryption function, the script finds all cross-references to this function and all of its arguments, then decrypts the data and places the plaintext in a comment at the address of the cross-reference. For the script to work correctly, the custom alphabet used by the base64 decoding function must be set, and a global variable containing the key length must be defined (this is a DWORD, see Figure 4).

Figure 4. Definition of the global variable key_len

In the Functions window, right-click the decryption function and select "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted strings placed in comments

In this way, the decrypted strings are conveniently grouped together in IDA's xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script can be found in the GitHub repository.
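The string-decryption scheme described in this section, reimplemented as an added example (this is not ESET's IDA script and not code from the sample): the hex key from the post is zero-padded to the 32 bytes AES-256 needs, the IV is all zeros, and each blob is first decoded from base64 with a custom alphabet. The alphabet, the PKCS#7 plaintext padding and the sample blob built by encryptString are assumptions; for a real sample the alphabet must be recovered from its base64 routine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

const keyHex = "9D7274AD7BCEF0DED29BDBB428C251DF8B350B92" // key quoted in the post: 20 bytes of hex
// ASSUMPTION: the post does not give the custom base64 alphabet; this constructed one stands in.
const customAlphabet = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"

// keyFromHex decodes the hex key and right-pads it with zero bytes to the 32 bytes of AES-256.
func keyFromHex(h string) ([]byte, error) {
	k, err := hex.DecodeString(h)
	if err != nil || len(k) > 32 {
		return nil, errors.New("key must be at most 32 bytes of valid hex")
	}
	return append(k, make([]byte, 32-len(k))...), nil
}

// decryptString reverses the scheme from the post: custom-alphabet base64, then AES-256-CBC with
// an all-zero IV. ASSUMPTION: the plaintext carries PKCS#7 padding (CCCrypt's usual option).
func decryptString(encoded, alphabet string, key []byte) ([]byte, error) {
	ct, err := base64.NewEncoding(alphabet).WithPadding(base64.NoPadding).DecodeString(encoded)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not valid base64 or not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // validate and strip the PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key, alphabet or blob")
	}
	return pt[:len(pt)-n], nil
}

// encryptString is the inverse; it exists only to build constructed sample blobs offline.
func encryptString(plain, alphabet string, key []byte) string {
	block, _ := aes.NewCipher(key) // key comes from keyFromHex, so it is already 32 bytes
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return base64.NewEncoding(alphabet).WithPadding(base64.NoPadding).EncodeToString(ct)
}
```

The padding check is what makes a wrong key or alphabet fail loudly instead of producing garbage, which is the behaviour you want when the same routine is run over every cross-reference of the decryption function.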

Conclusion

As already mentioned, OceanLotus is constantly improving and updating its toolset. This time, the cyber group has improved the malware it uses against Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products already detected this file at the time of the research. Because the network library used for C&C communication is currently encrypted on disk, the exact network protocol used by the attackers is still unknown.

Indicators of compromise

Indicators of compromise, together with MITRE ATT&CK techniques, are also available on GitHub.

Source: www.hab.com
