In early 2019, a new sample of macOS malware from the OceanLotus cyber group was uploaded to VirusTotal, a popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we could not find a dropper associated with this sample, so we do not yet know the initial infection vector.
We recently published
Analysis
The next three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd, and ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protections
Like all macOS OceanLotus binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is because they usually rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are much less common and are not updated as often. This makes static detection harder. Interestingly, after unpacking, the entry point is at the beginning of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.
Figure 1. Mach-O __cfstring section attributes
As shown in Figure 2, placing code in the __cfstring section lets the authors fool some disassembly tools into displaying the code as strings.
Figure 2. Backdoor code detected by IDA as data
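The two observations above (entry point inside a section named __cfstring, and that section carrying code attributes) can be turned into a cheap triage check on an unpacked Mach-O. The following Python is an added example written for this page, not ESET's code or tooling: it walks the LC_SEGMENT_64 and LC_MAIN load commands of a 64-bit Mach-O and reports when the entry point lands outside __text or when a __cfstring section is flagged with S_ATTR_PURE_INSTRUCTIONS / S_ATTR_SOME_INSTRUCTIONS (in a normal binary, __cfstring is a data section in __DATA and carries no instruction attributes). The `build_sample` helper constructs a minimal header that mimics the layout described here; it is a constructed test input, not the real sample.

```python
import struct

# Mach-O constants (real values from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028
S_ATTR_PURE_INSTRUCTIONS = 0x80000000
S_ATTR_SOME_INSTRUCTIONS = 0x00000400
SECTION_ATTRIBUTES = 0xFFFFFF00
INSTRUCTION_ATTRS = S_ATTR_PURE_INSTRUCTIONS | S_ATTR_SOME_INSTRUCTIONS


def _cstr(raw):
    """Decode a NUL-padded 16-byte name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_macho64(data):
    """Walk the load commands of a little-endian 64-bit Mach-O.

    Returns (entryoff, sections): the LC_MAIN file offset (or None) and a list
    of dicts, one per section, with its names, file offset, size and flags.
    """
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, entryoff, sections = 32, None, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            segname = _cstr(data[off + 8:off + 24])
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):
                s = off + 72 + i * 80  # section_64 entries follow the 72-byte segment command
                sectname = _cstr(data[s:s + 16])
                _addr, size = struct.unpack_from("<2Q", data, s + 32)
                offset, _align, _reloff, _nreloc, flags = struct.unpack_from("<5I", data, s + 48)
                sections.append({"segname": segname, "sectname": sectname,
                                 "offset": offset, "size": size, "flags": flags})
        elif cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", data, off + 8)[0]
        off += cmdsize
    return entryoff, sections


def check_entry_point(data):
    """Return a list of findings; an empty list means nothing unusual.

    Heuristics taken from the analysis above: a __cfstring section that carries
    instruction attributes, and an entry point that does not lie in __text.
    """
    entryoff, sections = parse_macho64(data)
    findings, entry_sec = [], None
    for sec in sections:
        attrs = sec["flags"] & SECTION_ATTRIBUTES
        if sec["sectname"] == "__cfstring" and attrs & INSTRUCTION_ATTRS:
            findings.append("__cfstring carries instruction attributes")
        if entryoff is not None and sec["offset"] <= entryoff < sec["offset"] + sec["size"]:
            entry_sec = sec
    if entry_sec is None:
        findings.append("entry point not inside any section")
    elif entry_sec["sectname"] != "__text":
        findings.append("entry point in %s,%s" % (entry_sec["segname"], entry_sec["sectname"]))
    return findings


def build_sample(entry_in_cfstring):
    """Construct a minimal Mach-O header (constructed test input, not the real sample).

    With entry_in_cfstring=True the layout mimics the unpacked backdoor: LC_MAIN points
    into a __TEXT,__cfstring section flagged as code. With False it looks like an
    ordinary binary whose entry point is in __TEXT,__text.
    """
    cf_flags = INSTRUCTION_ATTRS if entry_in_cfstring else 0
    sect = "<16s16s2Q8I"  # sectname, segname, addr, size, offset, align, reloff, nreloc, flags, reserved1-3
    text_sec = struct.pack(sect, b"__text", b"__TEXT", 0x1000, 0x100, 0x1000, 4, 0, 0, INSTRUCTION_ATTRS, 0, 0, 0)
    cf_sec = struct.pack(sect, b"__cfstring", b"__TEXT", 0x1100, 0x200, 0x1100, 3, 0, 0, cf_flags, 0, 0, 0)
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72 + 2 * 80, b"__TEXT", 0, 0x2000, 0, 0x2000, 7, 5, 2, 0)
    entry = 0x1100 if entry_in_cfstring else 0x1010
    main_cmd = struct.pack("<2I2Q", LC_MAIN, 24, entry, 0)
    cmds = seg + text_sec + cf_sec + main_cmd
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for flag in (True, False):
        print("entry in __cfstring:", flag, "->", check_entry_point(build_sample(flag)))
```

Run it against the UPX-unpacked file rather than the packed one: in the packed binary the headers describe the UPX stub, not the backdoor, which is exactly why the author notes static detection is harder.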
Once executed, the binary creates a thread that acts as an anti-debugger, whose sole purpose is to check for the presence of a debugger. To do this, it:
- Tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether any exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag in the current process
Figure 3. Checking for an attached debugger using the sysctl function
If the watchdog detects the presence of a debugger, the exit function is called. In addition, the sample then checks the environment by running two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then checks the return value against a hard-coded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" stands for MacBook Pro, "MBA" for MacBook Air, and so on.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
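For an analyst the practical question is whether a given sandbox or VM will pass these checks, i.e. whether the sample will run at all there. The Python below is an added example (not the sample's code and not ESET's): it emulates the three environment checks over the text those commands produce, using the hypervisor strings and model codes listed above. Matching is done case-insensitively, which is an assumption of this example, not something the page states. The command outputs embedded at the bottom are constructed for the example, not captured from real machines.

```python
# Lists taken from the analysis above
VM_MARKERS = ("acle", "vmware", "virtualbox", "parallels")
MODEL_CODES = ("MBP", "MBA", "MB", "MM", "IM", "MP", "XS")


def manufacturer_lines(ioreg_output):
    """Emulate `ioreg -l | grep -e "Manufacturer"`: keep only matching lines."""
    return [line for line in ioreg_output.splitlines() if "Manufacturer" in line]


def boot_rom_version(system_profiler_output):
    """Emulate the awk filter: text after ':' on the 'Boot ROM Version' line."""
    for line in system_profiler_output.splitlines():
        if "Boot ROM Version" in line:
            return line.split(":", 1)[1].strip()
    return ""


def environment_checks(ioreg_output, hw_model, system_profiler_output):
    """Return the outcome of each check plus whether the environment passes all of them.

    'virtual'  : a known hypervisor string appears in the Manufacturer lines or in
                 hw.model (case-insensitive comparison, an assumption of this example)
    'model_ok' : the Boot ROM Version starts with one of the Apple model codes
    """
    haystack = ("\n".join(manufacturer_lines(ioreg_output)) + "\n" + hw_model).lower()
    virtual = any(marker in haystack for marker in VM_MARKERS)
    rom = boot_rom_version(system_profiler_output)
    model_ok = rom.startswith(MODEL_CODES)
    return {"virtual": virtual, "boot_rom": rom, "model_ok": model_ok,
            "passes_checks": (not virtual) and model_ok}


# Constructed command outputs (not captured from any real machine)
REAL_MAC = dict(
    ioreg_output='    |   "Manufacturer" = "Apple Inc."\n    |   "IOClass" = "AppleACPIPlatformExpert"',
    hw_model="MacBookPro14,1",
    system_profiler_output="Hardware:\n\n    Hardware Overview:\n\n"
                           "      Model Identifier: MacBookPro14,1\n"
                           "      Boot ROM Version: MBP141.0167.B00\n",
)
ANALYSIS_VM = dict(
    ioreg_output='    |   "Manufacturer" = "VMware, Inc."',
    hw_model="VMware7,1",
    system_profiler_output="      Boot ROM Version: VMW71.00V.0.B64.1506250318\n",
)

if __name__ == "__main__":
    for name, env in (("real Mac", REAL_MAC), ("analysis VM", ANALYSIS_VM)):
        print(name, environment_checks(**env))
```

A VM that fails either check (the constructed ANALYSIS_VM fails both) needs its exposed manufacturer string and Boot ROM Version adjusted before the sample will proceed past this stage; the debugger checks in the thread described above are a separate hurdle and are not emulated here.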
Backdoor updates
While the backdoor commands have not changed since the Trend Micro research, we noticed a few other modifications. The C&C servers used in this sample are new and were created on 22.10.2018.
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The URL resource has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the victim machine, including all the data gathered by the commands in the table below.
Besides this configuration change, the sample does not use an external library for network filtering; the library is embedded in the section gFjMXBgyXWULmVVVzyxy, padded with zeros. It is decrypted and stored as /tmp/store, and an attempt to load it as a library is made using the dlopen function. The backdoor then exports the functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or any other files from the sample's original location, so we cannot analyze this library. Moreover, since the section is encrypted, a YARA rule based on these strings does not match the file as found on disk.
As described in the article above, it generates a clientID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (get the MAC address)
- an unknown command ("\x1e\x72\x0a"), also used in previous samples
Before hashing, "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code is running as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file's timestamps are usually altered using touch -t with a random value.
String decoding
As in previous versions, strings are encrypted using AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) through a decryption function. Knowing the function prototype, the script finds all references to this function and all of their arguments, then decrypts the data and places the plaintext in a comment at the reference address. For the script to work correctly, it must be set to the custom alphabet used by the base64 decoding function, and a global variable must be defined with the key length (in this case a DWORD, see Figure 4).
Figure 4. Definition of the global variable key_len
In the Functions window, you can right-click the decryption function and click "Extract and decrypt args". The script should place the decrypted strings in comments, as shown in Figure 5.
Figure 5. Decrypted text placed in comments
This way, the decrypted strings are conveniently grouped together in the IDA xrefs window for this function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
The final script can be found at
Conclusion
As already mentioned, OceanLotus constantly develops and updates its toolkit. This time, the cyber group improved the malware that targets Mac users. The code has not changed much, but since many Mac users neglect security products, protecting the malware from detection is of secondary importance.
ESET products already detected this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.
Indicators of compromise
Indicators of compromise along with MITRE ATT&CK attributes are also available at
Source: www.habr.com