OceanLotus: macOS malware update

In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the earlier macOS variant we studied, but its structure has changed and it has become harder to detect. Unfortunately, we could not find the dropper associated with this sample, so we still do not know the infection vector.

We recently published an article on OceanLotus and how its operators try to achieve persistence, speed up code execution and minimize their footprint on Windows systems. It is also known that this cyber group has a macOS component. This post details the changes in the latest version of the macOS malware compared with the previous version (described by Trend Micro), and explains how to automate string decryption during analysis using the IDA Hex-Rays API.


Analysis

The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox evasion

Like all OceanLotus macOS binaries, the sample is packed with UPX, yet most packer-identification tools do not recognize it. This is probably because they mostly rely on a signature that depends on the presence of the string "UPX"; in addition, Mach-O signatures are less common and are updated less often. This makes static detection harder. Interestingly, after unpacking, the entry point is located at the beginning of the __cfstring section in the __TEXT segment. This section has the flag attributes shown in the figure below.

Figure 1. Flags of the Mach-O __cfstring section

As Figure 2 shows, placing the code in the __cfstring section can fool some disassembly tools, which display the code as strings.

Figure 2. Backdoor code identified by IDA as data

When executed, the binary creates a thread acting as an anti-debugger, whose sole purpose is to continuously check for the presence of a debugger. To do so, this thread:

- tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- checks whether certain exception ports are open by calling the task_get_exception_ports function
- checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger with the sysctl function

If the watchdog detects a debugger, the exit function is called. In addition, the sample checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample compares the return values against a list of hard-coded strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" stands for MacBook Pro, "MBA" for MacBook Air, and so on.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
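The three environment checks above, reimplemented in Python as an added example (this is not OceanLotus or ESET code) and run over constructed command output, so a sandbox operator can see exactly which values must look genuine for the backdoor to keep running. Case-insensitive substring matching on the virtualization strings is an assumption; the article only lists the strings. The Boot ROM prefix check is applied to the field the awk command extracts, which is where strings like "MBP141.0178.B00" appear.

```python
# Added example, not OceanLotus or ESET code: Python reimplementation of the
# environment checks described in the article, exercised on constructed output.

VM_MARKERS = ("acle", "vmware", "virtualbox", "parallels")            # strings listed in the article
MAC_BOOT_ROM_PREFIXES = ("MBP", "MBA", "MB", "MM", "IM", "MP", "XS")  # model codes from the article


def looks_virtual(ioreg_manufacturer_out: str, hw_model_out: str) -> bool:
    """Mirror the check on `ioreg -l | grep -e "Manufacturer"` and `sysctl hw.model` output.
    Assumption: matching is a case-insensitive substring test."""
    haystack = (ioreg_manufacturer_out + "\n" + hw_model_out).lower()
    return any(marker in haystack for marker in VM_MARKERS)


def boot_rom_version(system_profiler_out: str) -> str:
    """Equivalent of awk '/Boot ROM Version/ {split($0, line, ":"); printf("%s", line[2]);}'.
    awk's line[2] is the text between the first and second colon, leading space included,
    and every matching line is concatenated because awk never exits early."""
    out = ""
    for line in system_profiler_out.splitlines():
        if "Boot ROM Version" in line:
            parts = line.split(":")
            out += parts[1] if len(parts) > 1 else ""
    return out


def is_known_mac_model(boot_rom: str) -> bool:
    """The article says the machine must be one of MBP, MBA, MB, MM, IM, MP or XS."""
    return boot_rom.strip().upper().startswith(MAC_BOOT_ROM_PREFIXES)


def passes_environment_checks(ioreg_out: str, hw_model_out: str, profiler_out: str) -> bool:
    """True when the sample would treat the host as a physical Mac and keep running."""
    return (not looks_virtual(ioreg_out, hw_model_out)
            and is_known_mac_model(boot_rom_version(profiler_out)))


# Constructed sample output (hand-written for this example, not captured from real hosts).
REAL_IOREG = '    |   "Manufacturer" = <"Apple Inc.">\n'
REAL_HW_MODEL = "hw.model: MacBookPro14,1\n"
REAL_PROFILER = (
    "Hardware:\n\n    Hardware Overview:\n\n"
    "      Model Name: MacBook Pro\n"
    "      Boot ROM Version: MBP141.0178.B00\n"
    "      SMC Version (system): 2.43f6\n"
)
VM_IOREG = '    |   "Manufacturer" = <"VMware, Inc.">\n'
VM_HW_MODEL = "hw.model: VMware7,1\n"
VM_PROFILER = (
    "Hardware:\n\n    Hardware Overview:\n\n"
    "      Model Name: Mac\n"
    "      Boot ROM Version: VMW71.00V.0.B64.1802210700\n"
)

if __name__ == "__main__":
    print("physical Mac passes:", passes_environment_checks(REAL_IOREG, REAL_HW_MODEL, REAL_PROFILER))
    print("VMware guest passes:", passes_environment_checks(VM_IOREG, VM_HW_MODEL, VM_PROFILER))
```

A sandbox that wants this sample to detonate therefore has to spoof all three sources at once: the IORegistry manufacturer, hw.model and the Boot ROM version string, since a single "VMware" or "Oracle" anywhere in the first two is enough to trip the check.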

Major updates

Although the backdoor commands have not changed since the Trend Micro research, we noticed several other changes. The C&C servers used by this sample are new and were created on 22 October 2018.

- daff.faybilodeauau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains information about the host machine, including all the data gathered by the commands in the table below.

(Table of host-information commands: image not reproduced on this page.)

Besides this configuration change, the sample does not use the libcurl network library, but an external library instead. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. When a decryption attempt results in a successful dlopen call, the backdoor extracts the exported functions Boriry and ChadylonV, which apparently are responsible for network communication with the server. We have neither the dropper nor any other file from the sample's original location, so we could not analyze this library. Moreover, since the component is encrypted, a YARA rule based on these strings will not match the file as it sits on disk.

As described in the article referenced above, the sample creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (retrieves the MAC address)
- an unknown command ("\x1e\x72\x0a"), which was used in previous samples

Before hashing, "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed with the touch -t command using a random value.
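The clientID derivation and the two storage paths above, as an added example for triage (this is not OceanLotus or ESET code). Two details are assumptions, since the article does not state them: that "1" marks a root run and "0" an unprivileged one, and that the command output is hashed as-is without trimming. The function names, the constructed serial number and the demo home directory are inventions of this example. The practical point for responders is in artifact_report: touch -t rewrites mtime and atime, but not the file's birth time, so on macOS st_birthtime is the better clue to when the file was really dropped.

```python
# Added example, not OceanLotus or ESET code: derive the clientID as the article
# describes, and look for the two storage files it names on a host.
import hashlib
import os
import stat
import tempfile

# Paths given in the article; the second is relative to the user's home directory.
CLIENT_ID_PATHS = (
    "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex",
    "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML",
)


def client_id(command_output: str, is_root: bool) -> str:
    """MD5 of the command output with the privilege flag appended, as a hex string.
    Assumptions: "1" for root, "0" otherwise, and no trimming of the output."""
    flag = "1" if is_root else "0"
    return hashlib.md5((command_output + flag).encode()).hexdigest()


def artifact_report(paths=CLIENT_ID_PATHS, home=None):
    """One record per existing clientID file: path, UF_HIDDEN flag and timestamps.
    `home` overrides ~ so the check can be pointed at a mounted image or a test tree.
    st_flags/st_birthtime exist on macOS; elsewhere they are reported as absent."""
    records = []
    for path in paths:
        if path.startswith("~/") and home:
            full = os.path.join(home, path[2:])
        else:
            full = os.path.expanduser(path)
        if not os.path.exists(full):
            continue
        st = os.lstat(full)
        flags = getattr(st, "st_flags", 0)
        records.append({
            "path": full,
            "hidden": bool(flags & getattr(stat, "UF_HIDDEN", 0)),
            "mtime": st.st_mtime,                        # rewritten by touch -t, so untrustworthy
            "birthtime": getattr(st, "st_birthtime", None),  # survives touch -t on macOS
        })
    return records


def build_demo_home() -> str:
    """Constructed fixture: a fake home directory holding the user-mode artifact."""
    home = tempfile.mkdtemp(prefix="oceanlotus-demo-")
    target = os.path.join(home, "Library/SmartCardsServices/Technology/PlugIns/drivers")
    os.makedirs(target)
    with open(os.path.join(target, "snippets.ecgML"), "w") as fh:
        fh.write(client_id("C02XXXXXXXXX", is_root=False))   # placeholder serial, not a real one
    return home


if __name__ == "__main__":
    for record in artifact_report(home=build_demo_home()):
        print(record)
```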

String decryption

As in previous variants, the strings are encrypted with AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92, padded with zeros, and an IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption technique, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings in the binary. This script can help with future OceanLotus analysis and with analysing existing samples we have not yet been able to obtain. The script takes a generic approach to retrieving the arguments passed to a function. It also looks up the parameter definitions. This method can be reused to obtain the list of a function's arguments and pass them to a callback.

Knowing the prototype of the decrypt function, the script finds all cross-references to it, collects all the arguments, then decrypts the data and places the plaintext in a comment at the address of each cross-reference. For the script to work, it must be set to the alphabet used by the base64 decoding function, and a global variable holding the key length must be defined (here a DWORD, see Figure 4).
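The two decryption schemes the article describes, the zero-padded gFjMXBgyXWULmVVVzyxy key used to locate the external network library (in the "Major updates" section above) and the zero-padded hexadecimal key with a zero IV used for the strings, reimplemented stand-alone in Python as an added example. This is neither the ESET IDA script nor OceanLotus code; it shows how a responder can check a directory next to the backdoor for the encrypted Mach-O that a string-based YARA rule would miss, and how to decrypt a string once the base64 alphabet is known. Assumptions not stated in the article: PKCS#7 padding, strings being base64 text wrapping the ciphertext, and the standard base64 alphabet by default. It needs the third-party cryptography package; the encrypt helpers exist only to build fixtures.

```python
# Added example, not the ESET IDA script and not OceanLotus code: the two
# AES-256-CBC schemes from the article (short keys zero-padded to 32 bytes, zero IV).
# Assumptions: PKCS#7 padding and base64-wrapped string ciphertext. Needs `cryptography`.
import base64
import binascii
import os
import struct
import tempfile

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

LIBRARY_KEY = b"gFjMXBgyXWULmVVVzyxy"                                       # from the article
STRING_KEY = binascii.unhexlify("9D7274AD7BCEF0DED29BDBB428C251DF8B350B92")  # from the article
ZERO_IV = bytes(16)
STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE}   # MH_MAGIC, MH_MAGIC_64, FAT_MAGIC


def pad_key(key: bytes) -> bytes:
    """Zero-pad a short key to the 32 bytes AES-256 requires."""
    if len(key) > 32:
        raise ValueError("key longer than 32 bytes")
    return key.ljust(32, b"\0")


def aes_cbc_decrypt(key: bytes, data: bytes) -> bytes:
    dec = Cipher(algorithms.AES(pad_key(key)), modes.CBC(ZERO_IV), backend=default_backend()).decryptor()
    plain = dec.update(data) + dec.finalize()
    n = plain[-1] if plain else 0
    if 1 <= n <= 16 and plain.endswith(bytes([n]) * n):   # strip PKCS#7 only if it is intact
        plain = plain[:-n]
    return plain


def aes_cbc_encrypt(key: bytes, data: bytes) -> bytes:
    """Fixture builder only; the real payload arrives already encrypted."""
    n = 16 - len(data) % 16
    enc = Cipher(algorithms.AES(pad_key(key)), modes.CBC(ZERO_IV), backend=default_backend()).encryptor()
    return enc.update(data + bytes([n]) * n) + enc.finalize()


def is_macho(blob: bytes) -> bool:
    """Accept thin and fat Mach-O magics in either byte order."""
    if len(blob) < 4:
        return False
    return (struct.unpack(">I", blob[:4])[0] in MACHO_MAGICS
            or struct.unpack("<I", blob[:4])[0] in MACHO_MAGICS)


def find_encrypted_libraries(directory: str) -> list:
    """Names of files in `directory` that decrypt with the library key to a Mach-O image.
    This is the check the backdoor itself performs with dlopen, done without loading anything."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if not data or len(data) % 16:      # cannot be raw CBC output
            continue
        if is_macho(aes_cbc_decrypt(LIBRARY_KEY, data)):
            hits.append(name)
    return hits


def decrypt_string(encoded: bytes, alphabet: bytes = STD_B64) -> bytes:
    """Map the binary's base64 alphabet onto the standard one, decode, then AES-decrypt."""
    raw = base64.b64decode(encoded.translate(bytes.maketrans(alphabet, STD_B64)))
    return aes_cbc_decrypt(STRING_KEY, raw)


def encrypt_string(plaintext: bytes, alphabet: bytes = STD_B64) -> bytes:
    """Fixture builder: exact inverse of decrypt_string."""
    return base64.b64encode(aes_cbc_encrypt(STRING_KEY, plaintext)).translate(bytes.maketrans(STD_B64, alphabet))


def build_demo_directory() -> str:
    """Constructed fixture: an encrypted fake 64-bit Mach-O header next to an unrelated file."""
    d = tempfile.mkdtemp(prefix="oceanlotus-demo-")
    fake_macho = struct.pack("<I", 0xFEEDFACF) + b"\0" * 60   # magic only, not a loadable image
    with open(os.path.join(d, "libnet.bin"), "wb") as fh:
        fh.write(aes_cbc_encrypt(LIBRARY_KEY, fake_macho))
    with open(os.path.join(d, "README.txt"), "wb") as fh:
        fh.write(b"not a library")
    return d


if __name__ == "__main__":
    print(find_encrypted_libraries(build_demo_directory()))
    print(decrypt_string(encrypt_string(b"/tmp/store")))
```

Because the on-disk library only becomes recognisable after decryption, a detection that wants to catch it has to do what find_encrypted_libraries does: decrypt with the known key and test the result for a Mach-O header, rather than match plaintext strings.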

Figure 4. Definition of the key_len global variable

In the Functions window, right-click the decryption function and choose "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted strings placed in comments

This way, the decrypted strings are conveniently grouped together in IDA's xrefs window for the function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script is available in our GitHub repository.

Conclusion

As mentioned before, OceanLotus is constantly evolving and updating its toolset. This time the cyber group has updated its malware targeting Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol the attackers use is not yet known.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK techniques are also available on GitHub.

Source: www.habr.com
