OceanLotus: macOS malware update

In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find the dropper associated with this sample, so we do not yet know the infection vector.

We recently published a post about OceanLotus and how its operators try to achieve persistence, speed up code execution and reduce their footprint on Windows systems. It is also known that this cyber group has a macOS component. This post describes the changes in the latest version of the macOS malware compared with the previous version (described by Trend Micro), and also explains how to automate string decryption during analysis using the IDA Hex-Rays API.


Analysis

The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all macOS OceanLotus binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. This feature makes static detection harder. Interestingly, after unpacking, the entry point is at the beginning of the __cfstring section in the __TEXT segment. This section has the flags shown in the figure below.

Figure 1. Mach-O __cfstring section flags

As shown in Figure 2, placing code in the __cfstring section makes it possible to fool some disassembly tools into displaying the code as strings.

Figure 2. Backdoor code shown by IDA as data
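The entry-point observation above can be turned into a check an analyst runs over unpacked Mach-O files. The Go program below is an added example, not code from the original article or from ESET's tooling: it reads the LC_MAIN load command, maps the entry file offset to the section that contains it, and flags anything other than __TEXT,__text, distinguishing a section that is not flagged as code at all from one that is flagged as code but has a data-like name such as __cfstring. It assumes a 64-bit binary with an LC_MAIN command (older LC_UNIXTHREAD-style entry points are not handled), must be run on the unpacked file, and takes the S_ATTR_PURE_INSTRUCTIONS / S_ATTR_SOME_INSTRUCTIONS bits from loader.h.

```go
package main

import (
	"debug/macho"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// LC_MAIN (0x28 | LC_REQ_DYLD) is not decoded by debug/macho, so it is read
// here from the raw load command bytes.
const lcMain = 0x80000028

// Section attribute bits from <mach-o/loader.h>.
const (
	sAttrPureInstructions = 0x80000000
	sAttrSomeInstructions = 0x00000400
)

// entryFileOffset extracts entryoff from an LC_MAIN command laid out as
// cmd(4) cmdsize(4) entryoff(8) stacksize(8). Any other command yields false.
func entryFileOffset(raw []byte, bo binary.ByteOrder) (uint64, bool) {
	if len(raw) < 24 || bo.Uint32(raw[0:4]) != lcMain {
		return 0, false
	}
	return bo.Uint64(raw[8:16]), true
}

// sectionForOffset finds the section whose file range contains off.
// Sections with Offset 0 (zero-fill) occupy no file bytes and are skipped.
func sectionForOffset(secs []macho.SectionHeader, off uint64) (macho.SectionHeader, bool) {
	for _, s := range secs {
		start := uint64(s.Offset)
		if s.Offset != 0 && off >= start && off < start+s.Size {
			return s, true
		}
	}
	return macho.SectionHeader{}, false
}

// entryPointVerdict returns "ok" when the entry point lands in __TEXT,__text and
// otherwise a one-line description of the anomaly.
func entryPointVerdict(secs []macho.SectionHeader, entryOff uint64) string {
	s, ok := sectionForOffset(secs, entryOff)
	if !ok {
		return "suspicious: entry offset is outside every section"
	}
	isCode := s.Flags&(sAttrPureInstructions|sAttrSomeInstructions) != 0
	switch {
	case s.Seg == "__TEXT" && s.Name == "__text":
		return "ok"
	case !isCode:
		return fmt.Sprintf("suspicious: entry point in %s,%s, which is not flagged as code", s.Seg, s.Name)
	default:
		return fmt.Sprintf("suspicious: entry point in %s,%s instead of __TEXT,__text", s.Seg, s.Name)
	}
}

// inspectFile runs the check on a Mach-O file on disk.
func inspectFile(path string) (string, error) {
	f, err := macho.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	for _, l := range f.Loads {
		if off, ok := entryFileOffset(l.Raw(), f.ByteOrder); ok {
			secs := make([]macho.SectionHeader, 0, len(f.Sections))
			for _, s := range f.Sections {
				secs = append(secs, s.SectionHeader)
			}
			return entryPointVerdict(secs, off), nil
		}
	}
	return "", errors.New("no LC_MAIN load command (LC_UNIXTHREAD binaries are not handled here)")
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: entrycheck <unpacked-macho>")
		return
	}
	verdict, err := inspectFile(os.Args[1])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(verdict)
}
```

Run it against the UPX-unpacked binary, not the packed one: in the packed file the entry point sits in the packer stub, and the __cfstring trick is only visible after unpacking.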

Once executed, the binary creates a thread that acts as an anti-debugger, whose sole purpose is to check for the presence of a debugger. To do this, the thread:

- Tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether any exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the figure below, by checking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using the sysctl function

If the watchdog detects a debugger, the exit function is called. In addition, the sample checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample then checks the return values against a hard-coded list of strings from known virtualization systems: acle, vmware, virtualbox or similar. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" means MacBook Pro, "MBA" means MacBook Air, and so on.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'

Main updates

Although the backdoor's commands have not changed since the Trend Micro research, we noticed a few other modifications. The C&C servers used in this sample are new and were created on 22 October 2018.

- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The URL resource has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data gathered by the commands in the table below.

[Table: commands whose output is included in the first packet sent to the C&C server; shown as an image in the original]

Besides these configuration changes, the sample does not use the libcurl network library but an external library instead. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. If a decryption attempt results in a successful dlopen call, the backdoor extracts the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or any other files from the sample's original location, so we cannot parse this library. Moreover, since the component is encrypted, a YARA rule based on these strings will not match the file found on disk.

As described in the article above, it creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- an unknown command ("\x1e\x72\x0a"), which was used in earlier samples

Before hashing, "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed using the touch -t command with a random value.
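A responder who finds pivtoken.appex or snippets.ecgML on a machine will want to confirm that its content was actually derived from that host, which also tells them whether the backdoor ran as root and which identifier it keyed on. The Go program below is an added example, not code from the article or from the GitHub script: it reproduces the derivation as stated above (command output, "0" or "1" appended, MD5) for the three known inputs, which the responder collects with the ioreg and ifconfig commands listed and passes in. The identifiers in main are constructed; the unknown fourth command cannot be reproduced and is left out.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"path/filepath"
)

// HostIDs holds the values collected from the host with the same commands the
// backdoor runs: IOPlatformSerialNumber, IOPlatformUUID and the en0 MAC address.
type HostIDs struct {
	SerialNumber string
	PlatformUUID string
	MACAddress   string
}

// Storage locations named in the analysis.
const (
	rootStorePath = "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex"
	userStoreRel  = "Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML"
)

// md5Hex returns the lowercase hex MD5 digest of s.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// clientID reproduces the derivation: the raw command output with "1" (root)
// or "0" (non-root) appended, then MD5.
func clientID(rawOutput string, isRoot bool) string {
	flag := "0"
	if isRoot {
		flag = "1"
	}
	return md5Hex(rawOutput + flag)
}

// candidateClientIDs maps every ID the backdoor could have produced on this
// host (three inputs, with and without root) to a label naming the input.
func candidateClientIDs(h HostIDs) map[string]string {
	inputs := []struct{ name, value string }{
		{"serial", h.SerialNumber},
		{"uuid", h.PlatformUUID},
		{"mac", h.MACAddress},
	}
	out := make(map[string]string, 2*len(inputs))
	for _, in := range inputs {
		out[clientID(in.value, false)] = in.name + "/user"
		out[clientID(in.value, true)] = in.name + "/root"
	}
	return out
}

// matchClientID reports whether a value recovered from pivtoken.appex or
// snippets.ecgML was generated on this host, and from which input.
func matchClientID(stored string, h HostIDs) (string, bool) {
	label, ok := candidateClientIDs(h)[stored]
	return label, ok
}

// storePath is where the backdoor keeps the ID, depending on privilege.
func storePath(isRoot bool, homeDir string) string {
	if isRoot {
		return rootStorePath
	}
	return filepath.Join(homeDir, userStoreRel)
}

func main() {
	// Constructed sample identifiers; real ones come from ioreg and ifconfig.
	host := HostIDs{
		SerialNumber: "C02CONSTRUCTED1",
		PlatformUUID: "00000000-1111-2222-3333-444444444444",
		MACAddress:   "00:11:22:33:44:55",
	}
	for id, label := range candidateClientIDs(host) {
		fmt.Printf("%s  %s\n", id, label)
	}
	// Constructed "found" value: what a non-root infection keyed on the MAC would write.
	found := clientID(host.MACAddress, false)
	if label, ok := matchClientID(found, host); ok {
		fmt.Printf("artifact matches this host (%s), expected at %s\n", label, storePath(false, "/Users/analyst"))
	}
}
```

Because the ID is an unsalted MD5 of a host identifier, the match is exact: a value that matches none of the six candidates was either produced by the unknown fourth command or written on a different machine.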

String decoding

As in previous versions, the strings are encrypted using AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Along with this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script may help future analysis of OceanLotus and the analysis of existing samples we have not yet been able to obtain. The script is based on a generic method for retrieving the arguments passed to a function. In addition, it looks up parameter assignments. The method can be reused to get a list of a function's arguments and pass them to a callback.

Knowing the prototype of the decrypt function, the script finds all cross-references to this function and all their arguments, then decrypts the data and places the plaintext in a comment at the address of the reference. For the script to work correctly, it must be set to the custom alphabet used by the base64 decoding function, and a global variable must be defined with the key length (in this case a DWORD, see Figure 4).
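The script itself runs inside IDA, but the decryption step it automates can be reproduced outside IDA, which is handy for checking a recovered key or alphabet before wiring it into the script. The Go program below is an added example, not the ESET script: it prepares the key exactly as described (hex-decoded, zero-padded to 32 bytes, all-zero IV) and decrypts a string. Two things in it are assumptions rather than facts from the article: that the stored form is custom-alphabet base64 wrapping the AES-CBC ciphertext, and that CCCrypt was called with PKCS#7 padding. The alphabet below is constructed; the real one must be read from the binary's decoding routine. An encryptor is included only to produce a test blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyHex is the 20-byte key from the analysis; the binary pads it with zeros to
// the 32 bytes AES-256 requires and uses an all-zero IV.
const keyHex = "9D7274AD7BCEF0DED29BDBB428C251DF8B350B92"

var zeroIV = make([]byte, aes.BlockSize)

// prepareKey decodes the hex key and zero-pads it to 32 bytes.
func prepareKey(hexKey string) ([]byte, error) {
	raw, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, err
	}
	if len(raw) > 32 {
		return nil, errors.New("key longer than 32 bytes")
	}
	key := make([]byte, 32)
	copy(key, raw)
	return key, nil
}

// customAlphabet is a constructed stand-in for the sample's base64 alphabet.
const customAlphabet = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"

func newEncoding(alphabet string) *base64.Encoding {
	return base64.NewEncoding(alphabet)
}

// decryptString undoes the assumed layering: custom-alphabet base64, then
// AES-256-CBC with the zero IV, then PKCS#7 unpadding.
func decryptString(encoded string, enc *base64.Encoding, key []byte) (string, error) {
	ct, err := enc.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	return unpadPKCS7(pt)
}

// unpadPKCS7 strips the padding; a wrong key or alphabet almost always fails here.
func unpadPKCS7(b []byte) (string, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding (wrong key or alphabet?)")
	}
	return string(b[:len(b)-n]), nil
}

// encryptString is the inverse, used only to build test vectors for the decryptor.
func encryptString(plain string, enc *base64.Encoding, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, pt)
	return enc.EncodeToString(ct), nil
}

func main() {
	key, err := prepareKey(keyHex)
	if err != nil {
		panic(err)
	}
	enc := newEncoding(customAlphabet)
	// Constructed blob: the C&C path from the analysis, encrypted the way the
	// binary is assumed to store its strings.
	blob, _ := encryptString("/dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35", enc, key)
	fmt.Println("stored form:", blob)
	plain, err := decryptString(blob, enc, key)
	fmt.Println("decrypted:", plain, err)
}
```

The zero IV means identical plaintext strings produce identical ciphertext blobs, so repeated blobs in the binary are a cheap hint of repeated strings even before the key is known.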

Figure 4. Definition of the global variable key_len

In the Functions window, you can right-click the decryption function and click "Extract and decrypt arguments". The script should then place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted text placed in comments

This way, the decrypted strings are conveniently gathered together in the IDA xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script is available in the GitHub repository.

Conclusion

As already mentioned, OceanLotus is constantly improving and updating its toolkit. This time, the cyber group has improved its malware targeting Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products already detected this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.

Indicators of compromise

Indicators of compromise, along with MITRE ATT&CK attributes, are also available on GitHub.

Source: www.habr.com
