In March 2019, a new sample of macOS malware from the OceanLotus cyber group was submitted to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we could not find a dropper associated with this sample, so we still do not know the infection vector.
We recently published
Analysis
The following sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox evasion
Like all macOS OceanLotus binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. These characteristics make static detection difficult. Interestingly, after unpacking, the entry point is located at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.
Figure 1. Mach-O __cfstring section attributes
As seen in Figure 2, placing the code in the __cfstring section allows the sample to trick some disassembly tools into displaying code as strings.
Figure 2. Backdoor code interpreted by IDA as data
When executed, the binary creates a thread as an anti-debugging measure; its sole purpose is to continuously check for the presence of a debugger. This thread:
- Tries to unhook any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether certain exception ports are open by calling the function task_get_exception_ports
- Checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process
Figure 3. Checking for an attached debugger using the sysctl function
If the watcher thread detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then compares the returned value against a hard-coded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are model codes: for example, "MBP" stands for MacBook Pro, "MBA" for MacBook Air, and so on.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
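The three host checks described above can be turned into a self-check for an analysis environment: an analyst who knows what a sample looks for can tell in advance whether a given VM would be fingerprinted and the payload never reached. The following Python script is an added example, not code from the ESET article or from the sample. It emulates the output processing of the two commands and the `system_profiler`/`awk` pipeline over constructed command output; the assumption that the model check is a prefix match on the "Boot ROM Version" string (which on Apple hardware starts with the model code, e.g. "MBP142.0178.B00") is mine and is labelled in the code.

```python
"""Analyst self-check for the sandbox-evasion logic described in the article.

Added example; not code from the original article or from the sample.
Assumption: the model check is a prefix match on the "Boot ROM Version"
value that the system_profiler | awk pipeline extracts.
"""

# Strings the sample is described as comparing against, lower-cased.
VM_MARKERS = ("acle", "vmware", "virtualbox", "parallels")
# Apple model codes the sample is described as accepting.
ACCEPTED_MODELS = ("MBP", "MBA", "MB", "MM", "IM", "MP", "XS")


def manufacturer_lines(ioreg_output: str) -> list:
    """Emulate `ioreg -l | grep -e "Manufacturer"`: keep lines containing that word."""
    return [line for line in ioreg_output.splitlines() if "Manufacturer" in line]


def boot_rom_version(system_profiler_output: str) -> str:
    """Emulate the awk pipeline: the text after ':' on the 'Boot ROM Version' line."""
    for line in system_profiler_output.splitlines():
        if "Boot ROM Version" in line:
            return line.split(":", 1)[1].strip()
    return ""


def looks_virtual(manufacturer: list, hw_model_output: str) -> bool:
    """True if any VM marker appears in the manufacturer lines or in `sysctl hw.model` output."""
    haystack = " ".join(manufacturer + [hw_model_output]).lower()
    return any(marker in haystack for marker in VM_MARKERS)


def model_accepted(boot_rom: str) -> bool:
    """Assumed check: the Boot ROM string starts with one of the accepted model codes."""
    return any(boot_rom.startswith(code) for code in ACCEPTED_MODELS)


def sample_would_run(ioreg_output: str, hw_model_output: str, sp_output: str) -> bool:
    """Combine the checks: the payload proceeds only on an accepted, non-virtual host."""
    if looks_virtual(manufacturer_lines(ioreg_output), hw_model_output):
        return False
    return model_accepted(boot_rom_version(sp_output))


# Constructed command output for the demo (not captured from real hosts).
REAL_MAC_IOREG = '    |   "Manufacturer" = <"Apple Inc.">\n    |   "IOClass" = "AppleACPIPlatformExpert"\n'
REAL_MAC_HWMODEL = "hw.model: MacBookPro14,2"
REAL_MAC_SP = "      Model Name: MacBook Pro\n      Boot ROM Version: MBP142.0178.B00\n"
VM_IOREG = '    |   "Manufacturer" = <"VMware, Inc.">\n'
VM_HWMODEL = "hw.model: VMware7,1"
VM_SP = "      Boot ROM Version: VMW71.00V.0.B64.1506250318\n"

if __name__ == "__main__":
    print("real MacBook Pro:", sample_would_run(REAL_MAC_IOREG, REAL_MAC_HWMODEL, REAL_MAC_SP))
    print("VMware guest:    ", sample_would_run(VM_IOREG, VM_HWMODEL, VM_SP))
```

To use it against a real analysis VM, capture the output of the three commands from the article on that VM and pass the captured text in place of the constructed constants; a `False` result means the sample would abort before doing anything observable, so the VM's manufacturer strings and Boot ROM string need adjusting before detonation.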
Main updates
Although the backdoor commands have not changed since the Trend Micro research, we noticed some other modifications. The C&C servers used in this sample are new and were created on 22 October 2018:
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands listed below.
In addition to this configuration change, the sample no longer uses an external library for network exfiltration. Instead, the library is embedded in encrypted form and is decrypted with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. All of the data is decrypted and written to /tmp/store, and an attempt is made to load it as a library using the dlopen function. Once it is loaded, the backdoor extracts the exported functions Boriry and ChadylonV, which are responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we could not analyze this library. Moreover, because the library is encrypted, YARA rules based on these strings will not match the file on disk.
As described in the article above, the sample generates a user ID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (retrieves the MAC address)
- an unknown command ("\x1e\x72\x0a") that was used in previous samples
Before hashing, "0" or "1" is appended to the return value to indicate whether the sample has root privileges. This user ID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, and in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file's timestamps are usually obscured using touch -t with a random value.
String decryption
As in previous variants, the strings are encrypted using AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92, padded with zeros, and an IV filled with zeros) through the function
Knowing the prototype of the decryption function, the script finds all cross-references to it together with their arguments, then decrypts the data and places the plaintext in a comment at the address of each cross-reference. For the script to work correctly, the custom alphabet used by the base64 decoding function must be set, and a global variable holding the key length must be defined (this is a DWORD, see Figure 4).
Figure 4. Definition of the global variable key_len
In the Functions window, right-click the decryption function and choose "Extract and decrypt arguments." The script should place the decrypted strings in comments, as shown in Figure 5.
Figure 5. Decrypted strings placed in comments
This way, the decrypted strings are conveniently grouped in the IDA xrefs window for this function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
The final script can be found at
Conclusion
As already noted, OceanLotus continues to improve and update its toolset. This time, the cyber group has improved the malware that targets Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is a secondary concern.
ESET products already detected this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers remains unknown.
Indicators of compromise
Indicators of compromise, together with MITRE ATT&CK techniques, are also available at
Source: www.hab.com