In XNUMX 2019, a new sample of the OceanLotus group's macOS malware was uploaded to VirusTotal, a popular online scanning service. This backdoor executable has the same capabilities as the earlier macOS version we examined, but its structure has been changed, which makes detection harder. Unfortunately, we could not find the dropper associated with this sample, so the infection vector remains unknown.
An analysis of the earlier version was published recently.
The following describes the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named "懐中電灯付き", and ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protection
Like all macOS OceanLotus binaries, the sample is packed with UPX, but most packer identification tools do not recognise it as UPX. This is probably because most of those signatures depend on the presence of the "UPX" string, and because Mach-O signatures are less common and are not updated as often. This property makes static detection harder. Interestingly, after unpacking, the entry point sits at the start of the __cfstring section in the .TEXT segment. That section carries the flag attributes shown in the following figure.
Figure 1. Attributes of the Mach-O __cfstring section
As Figure 2 shows, placing the code in the __cfstring section can fool some disassembly tools into displaying the code as strings.
Figure 2. Backdoor code detected as data by IDA
When executed, the binary creates a thread that acts as an anti-debugger; its sole purpose is to check continuously for the presence of a debugger. In this flow it:
- tries to block debuggers from attaching by calling ptrace with PT_DENY_ATTACH as the request parameter
- calls the task_get_exception_ports function to check whether certain exception ports are open
- checks whether a debugger is attached by looking for the P_TRACED flag on the current process, as shown in the figure below
Figure 3. Checking for an attached debugger via the sysctl function
If the watchdog detects a debugger, the exit function is called.
In addition, the sample checks its environment by running the following two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
It then checks the return values against a hard-coded list of strings for known virtualization systems: acle, vmware, virtualbox or similar. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" means MacBook Pro and "MBA" means MacBook Air.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
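The two environment checks above are easy to reproduce offline, which is useful when validating that an analysis sandbox would not be fingerprinted by them. The following Go program is an added example, not code from the page or from ESET: it applies the same string list and model-code prefixes to constructed command output. Two details the page does not state are assumptions here: the comparison is treated as a case-insensitive substring match, and the Boot ROM value is trimmed before the prefix test (the awk pipeline above leaves a leading space in line[2]).

```go
package main

import (
	"fmt"
	"strings"
)

// Strings the sample compares the command output against (from the page).
var vmMarkers = []string{"acle", "vmware", "virtualbox"}

// Apple model codes accepted by the sample (from the page).
var modelPrefixes = []string{"MBP", "MBA", "MB", "MM", "IM", "MP", "XS"}

// looksVirtual reproduces the first check: the output of
// `ioreg -l | grep -e "Manufacturer"` and `sysctl hw.model` is searched for any
// virtualization marker. Case-insensitive matching is an assumption.
func looksVirtual(ioregManufacturers, hwModel string) bool {
	hay := strings.ToLower(ioregManufacturers + "\n" + hwModel)
	for _, m := range vmMarkers {
		if strings.Contains(hay, m) {
			return true
		}
	}
	return false
}

// hasAppleModelPrefix reproduces the second check on the Boot ROM Version field
// extracted by the system_profiler/awk pipeline: the value must start with one
// of the known model codes. Trimming the leading space is an assumption.
func hasAppleModelPrefix(bootRomVersion string) bool {
	v := strings.TrimSpace(bootRomVersion)
	for _, p := range modelPrefixes {
		if strings.HasPrefix(v, p) {
			return true
		}
	}
	return false
}

// passesEnvironmentChecks is true only when neither check flags the host,
// i.e. the condition under which the backdoor would continue.
func passesEnvironmentChecks(ioregManufacturers, hwModel, bootRomVersion string) bool {
	return !looksVirtual(ioregManufacturers, hwModel) && hasAppleModelPrefix(bootRomVersion)
}

func main() {
	// Constructed sample outputs; not captured from real machines.
	vmIoreg := `    |   "Manufacturer" = <"VMware, Inc.">`
	vmModel := "hw.model: VMware7,1"
	vmRom := " VMW71.00V.0.B64.1908150345"
	macIoreg := `    |   "Manufacturer" = <"Apple Inc.">`
	macModel := "hw.model: MacBookPro14,2"
	macRom := " MBP142.0167.B00"

	fmt.Println("VM guest passes checks:  ", passesEnvironmentChecks(vmIoreg, vmModel, vmRom))
	fmt.Println("Apple host passes checks:", passesEnvironmentChecks(macIoreg, macModel, macRom))
}
```

Feeding a sandbox's real `ioreg`/`sysctl`/`system_profiler` output into these functions shows immediately whether the sample would bail out before reaching its C&C logic.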
Main additions
The backdoor commands have not changed since Trend Micro's research, but we noticed several other changes. The C&C servers used in this sample are fairly new and were created on 22.10.2018:
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL has also changed, to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains detailed information about the host machine, including all the data collected by the commands in the table below.
Besides this configuration change, the sample does not use a library for network filtering; instead, a resource named gFjMXBgyXWULmVVVzyxy is embedded. That file is decrypted, saved as /tmp/store and loaded as a library with the dlopen function. The backdoor then resolves the exported functions Boriry and ChadylonV, which appear to handle network communication with the server. We could not analyse this library, because we do not have the dropper or any other files from the sample's original location. Moreover, since the component is encrypted, YARA rules based on these strings will not match the file as it sits on disk.
As described in the article mentioned above, the client ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- an unknown command ("\x1e\x72\x0a") that was used in the previous sample
Before hashing, "0" or "1" is appended to the return value to indicate root privileges. The client ID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex when the code runs as root, and in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually concealed by running touch -t with a random value, which sets its timestamps to a random time.
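The client ID derivation and the two storage paths above are the parts of this section a responder can act on directly. The Go program below is an added example written for this page (not ESET's code and not the sample's): it derives the ID from a given command output the way the text describes, maps a privilege level to the storage path, and filters a constructed file inventory down to the artifacts the page names, including the /tmp/store drop location mentioned earlier. Which digit marks root is not stated on the page, so "1" for root is an assumption; the md5Hex, clientID, clientIDPath and suspiciousPaths names are this example's own.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Storage paths named on the page. "~" stands for the user's home directory.
const (
	rootIDPath = "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex"
	userIDPath = "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML"
	droppedLib = "/tmp/store" // where the decrypted network library is written
)

// md5Hex returns the lowercase hex MD5 digest of s.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// clientID reproduces the derivation described on the page: the raw output of
// one of the ioreg/ifconfig commands, with a privilege digit appended, is
// MD5-hashed. The page does not say which digit means root; "1" is an assumption.
func clientID(cmdOutput string, runningAsRoot bool) string {
	flag := "0"
	if runningAsRoot {
		flag = "1"
	}
	return md5Hex(cmdOutput + flag)
}

// clientIDPath returns where the ID is persisted for the given privilege level.
func clientIDPath(runningAsRoot bool, homeDir string) string {
	if runningAsRoot {
		return rootIDPath
	}
	return strings.Replace(userIDPath, "~", homeDir, 1)
}

// suspiciousPaths filters a file inventory down to the artifacts named on the
// page: the root ID file, the per-user ID file under any home directory, and
// the dropped library.
func suspiciousPaths(inventory []string) []string {
	userSuffix := strings.TrimPrefix(userIDPath, "~")
	var hits []string
	for _, p := range inventory {
		if p == rootIDPath || p == droppedLib || strings.HasSuffix(p, userSuffix) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	// Constructed serial number; not from a real machine.
	serial := "C02XXXXXXXXX"
	fmt.Println("client ID (root):    ", clientID(serial, true), "->", clientIDPath(true, "/Users/alice"))
	fmt.Println("client ID (non-root):", clientID(serial, false), "->", clientIDPath(false, "/Users/alice"))

	// Constructed file inventory, as a collection script might produce it.
	inventory := []string{
		"/Users/alice/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML",
		"/Applications/Safari.app/Contents/MacOS/Safari",
		"/tmp/store",
		"/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex",
	}
	fmt.Println("suspicious paths:", suspiciousPaths(inventory))
}
```

On a live host the serial, UUID or MAC would be taken from the commands listed above; because the ID is a plain MD5 of that value plus one digit, a responder who finds one of the ID files can confirm which command fed it by recomputing both variants.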
String decoding
As in the previous variant, strings are encrypted with AES-256-CBC (hex key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92, zero-padded; the IV is also zero-filled) through a decryption function. Knowing the function and the type of decryption it performs, the script finds all cross-references to that function together with all their arguments, decrypts the data, and places the plaintext in a comment at the cross-reference address. For the script to work correctly, the custom alphabet used by the base64 decode function must be set, and a global variable holding the key length must be defined (here a DWORD; see Figure 4).
Figure 4. Definition of the global variable key_len
Right-click the decryption function in the Functions window and click "Extract arguments and decrypt". As Figure 5 shows, the script places the decrypted lines in comments.
Figure 5. Decrypted text placed in comments
This way the decrypted strings are conveniently grouped in the IDA xrefs window for the function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
The final script is available at the following location:
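The string-decoding section above gives the cipher, the key and the fact that a custom base64 alphabet sits in front of it, which is enough to write the decryption primitive the IDA script would call for each cross-reference. The Go program below is an added example, not the page's script: it zero-pads the page's 20-byte key to 32 bytes, decodes custom-alphabet base64, and runs AES-256-CBC with a zero IV. The page does not give the custom alphabet, the storage order (base64 outside, AES inside) or the padding scheme, so the standard alphabet, that order and PKCS#7 are assumptions; encryptString exists only to build test input offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key from the page: 20 bytes of hex, zero-padded to the 32 bytes AES-256 needs.
const keyHex = "9D7274AD7BCEF0DED29BDBB428C251DF8B350B92"

// The sample's custom base64 alphabet is not given on the page; the standard
// alphabet stands in for it (an assumption). Any 64-character string can be passed.
const assumedAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// paddedKey returns the hex key right-padded with zero bytes to 32 bytes.
func paddedKey() []byte {
	raw, err := hex.DecodeString(keyHex)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 32)
	copy(key, raw)
	return key
}

// decryptString reverses the assumed storage format: custom-alphabet base64,
// then AES-256-CBC with an all-zero IV, then PKCS#7 padding removal.
func decryptString(encoded, alphabet string) (string, error) {
	ct, err := base64.NewEncoding(alphabet).DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(paddedKey())
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // zero IV, as stated on the page
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) {
		return "", errors.New("invalid PKCS#7 padding")
	}
	if !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// encryptString is the inverse of decryptString, used only to produce sample
// input so the example runs without a real binary.
func encryptString(plain, alphabet string) string {
	block, err := aes.NewCipher(paddedKey())
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return base64.NewEncoding(alphabet).EncodeToString(ct)
}

func main() {
	// Constructed plaintext; not a string recovered from the sample.
	encoded := encryptString("/tmp/store", assumedAlphabet)
	plain, err := decryptString(encoded, assumedAlphabet)
	fmt.Printf("%s -> %q (err=%v)\n", encoded, plain, err)
}
```

To use this against a real sample, replace assumedAlphabet with the alphabet recovered from the binary's base64 routine and call decryptString on each argument the script extracts at a cross-reference; a padding error is the usual sign that the alphabet or the ordering assumption is wrong.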
Conclusions
As already noted, OceanLotus is constantly improving and updating its toolset. This time the group refined its malware for Mac users. The code has not changed much, but since many Mac users ignore security products, detecting and protecting against the malware takes a back seat.
ESET products already detected this file at the time of the investigation. Because the network library used for C&C communication is encrypted on disk, the exact network protocol used by the attackers is still unknown.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK attributes are available at the following location:
Source: habr.com