In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, a popular online scanning service. This backdoor executable has the same capabilities as the previous macOS malware variant we studied, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find a dropper associated with this sample, so the infection vector is not yet known.
We recently published
Analysis
The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is called flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protection
Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognise it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; moreover, Mach-O signatures are less common and are not updated as often. This makes reliable detection difficult. Interestingly, after unpacking, the entry point is at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.
Figure 1. Mach-O __cfstring section attributes
As shown in Figure 2, placing code in the __cfstring section allows some disassembly tools to be fooled into displaying the code as strings.
Figure 2. Backdoor code identified by IDA as data
Once executed, the binary creates an anti-debugging thread whose sole purpose is to continuously check for the presence of a debugger. This thread:
- attempts to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- checks whether certain exception ports are open by calling the task_get_exception_ports function
- checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process
Figure 3. Checking for an attached debugger using the sysctl function
If the watchdog detects a debugger, the exit function is called. In addition, the sample probes its environment with two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then checks the return value against a hardcoded list of strings from known virtualization products: acle, vmware, virtualbox or similar. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" stands for MacBook Pro, "MBA" for MacBook Air, and so on.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
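To check whether an analysis sandbox would survive the environment probes described above, here is an added example (not code from the original article or from ESET) that replicates the three comparisons over constructed command outputs. Extracting the model code as the leading capital letters of the Boot ROM string is an assumption; the analysis only states that the value is compared against the model codes.

```python
import re

# Virtualization product strings the analysis says the sample looks for
# ("acle, vmware, virtualbox or similar"); the page's list is not exhaustive.
VM_MARKERS = ("acle", "vmware", "virtualbox")
# Model codes the sample accepts (MBP = MacBook Pro, MBA = MacBook Air, ...).
MODEL_CODES = ("MBP", "MBA", "MB", "MM", "IM", "MP", "XS")


def manufacturer_lines(ioreg_l_output):
    """Equivalent of: ioreg -l | grep -e "Manufacturer" (case-sensitive, like grep)."""
    return [ln for ln in ioreg_l_output.splitlines() if "Manufacturer" in ln]


def boot_rom_value(system_profiler_output):
    """Equivalent of the awk: on the 'Boot ROM Version' line, split on ':' and
    print field 2 (the value); the leading space awk would keep is stripped here."""
    for ln in system_profiler_output.splitlines():
        if "Boot ROM Version" in ln:
            return ln.split(":")[1].strip()
    return ""


def model_code(boot_rom):
    """Assumption: the code is the run of capital letters that opens the Boot ROM
    string ('MBP151.0220.B00' -> 'MBP')."""
    return re.match(r"[A-Z]*", boot_rom).group(0)


def environment_check(ioreg_l_output, sysctl_hw_model, system_profiler_output):
    """Return what the sample would conclude from the three command outputs."""
    probe = " ".join(manufacturer_lines(ioreg_l_output) + [sysctl_hw_model]).lower()
    vm_marker = next((m for m in VM_MARKERS if m in probe), None)
    code = model_code(boot_rom_value(system_profiler_output))
    return {"vm_marker": vm_marker, "model_code": code,
            "would_run": vm_marker is None and code in MODEL_CODES}


# Constructed outputs (not captured from real systems), in the shape the commands emit.
PHYSICAL_MAC = dict(
    ioreg_l_output='    |   "Manufacturer" = <"Apple Inc.">\n',
    sysctl_hw_model="hw.model: MacBookPro15,1",
    system_profiler_output="      Boot ROM Version: MBP151.0220.B00\n",
)
VMWARE_GUEST = dict(
    ioreg_l_output='    |   "Manufacturer" = <"VMware, Inc.">\n',
    sysctl_hw_model="hw.model: VMware7,1",
    system_profiler_output="      Boot ROM Version: VMW71.00V.0.B64.1904060139\n",
)
```

A sandbox whose outputs give `would_run` False will never reach the backdoor's C&C logic, so its returned strings are what to adjust when building a detonation environment.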
Major changes
Although the backdoor commands have not changed since the Trend Micro research, we noticed a few other changes. The C&C servers used in this sample are new and were created on 22.10.2018:
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.
Apart from this configuration change, the sample does not use an external library for network filtering; it carries a library named gFjMXBgyXWULmVVVzyxy, padded with zeros. The file is decrypted and stored as /tmp/store, and an attempt is made to load it as a library using the dlopen function. The backdoor then extracts the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. Since we do not have the dropper or the other files from the sample's original location, we cannot analyse this library. Moreover, because the component is stored encrypted, a YARA rule based on these strings would not match the file found on disk.
As described in the previous article, the sample builds a clientID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (retrieves the MAC address)
- an unknown group ("\x1e\x72\x0a"), used in previous samples
Before hashing, "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually timestomped using touch -t with a random value.
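For incident responders, here is an added example (not code from the original article or from ESET) that reproduces the clientID derivation described above so that a value recovered from pivtoken.appex, snippets.ecgML or C&C traffic can be tied back to a host and to the privilege level the backdoor ran with. It assumes the trailing newline of each command's output is not hashed and that the flag is appended after the identifier; the identifiers used in the test are constructed.

```python
import hashlib

# Paths the analysis reports for the stored clientID.
ROOT_PATH = ("/Library/Storage/File System/HFS/"
             "25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex")
USER_PATH = "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML"
# Constant group the analysis says earlier samples used as one possible input.
FIXED_TOKEN = b"\x1e\x72\x0a"


def client_id(identifier, is_root):
    """MD5 of the command output with "1" (root) or "0" (not root) appended,
    as the analysis describes. Assumption: the trailing newline printed by the
    command is not part of the hashed value."""
    data = identifier if isinstance(identifier, bytes) else identifier.encode()
    return hashlib.md5(data + (b"1" if is_root else b"0")).hexdigest()


def candidate_ids(serial, platform_uuid, mac):
    """Every clientID a host with these identifiers could have produced.
    ifconfig prints the MAC in lowercase, so the MAC is normalised that way."""
    sources = {
        "IOPlatformSerialNumber": serial.encode(),
        "IOPlatformUUID": platform_uuid.encode(),
        "en0 MAC": mac.lower().encode(),
        "fixed token": FIXED_TOKEN,
    }
    return {(name, root): client_id(raw, root)
            for name, raw in sources.items() for root in (True, False)}


def identify_stored(stored_hex, serial, platform_uuid, mac):
    """Match a recovered clientID against the host's identifiers.
    Returns (source, is_root) or None when nothing matches."""
    wanted = stored_hex.strip().lower()
    for key, value in candidate_ids(serial, platform_uuid, mac).items():
        if value == wanted:
            return key
    return None


def storage_path(is_root):
    """Where the sample keeps the clientID, depending on its privileges."""
    return ROOT_PATH if is_root else USER_PATH
```

Because the hash is a plain MD5 over a short, host-specific value, a responder with the serial number, platform UUID and en0 MAC of a suspect machine can precompute its eight possible clientIDs and search proxy logs or the two storage paths for them.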
String decoding
As in previous variants, strings are encrypted using AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the decryption function. Knowing the prototype of the decryption function, the script finds all cross-references to it and their arguments, decrypts the data and places the plaintext in a comment at the address of each reference. For the script to work correctly, it must be configured with the custom alphabet used by the base64 decoding function, and a global variable holding the key length must be defined (a DWORD in this case, see Figure 4).
Figure 4. Definition of the global variable key_len
In the Functions window, right-click the decryption function and choose "Extract and decrypt args". The script should then place the decrypted strings in comments, as shown in Figure 5.
Figure 5. Decrypted text placed in comments
In this way the decrypted strings are conveniently grouped together in the IDA xrefs window for this function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
The final script can be found at
Conclusion
As already noted, OceanLotus keeps improving and updating its toolkit. This time the group has refined its malware targeting Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection matters a great deal to its operators.
ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now stored encrypted on disk, the exact network protocol used by the attackers is not yet known.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK techniques are also available at
Source: www.habr.com