In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find the dropper associated with this sample, so we do not yet know the infection vector.
We recently published
Analysis
The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is called flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protection
Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer-identification tools do not recognize it as such. This is probably because they mostly rely on signatures that depend on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. This characteristic makes static detection difficult. Interestingly, after unpacking, the entry point is at the beginning of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.
Figure 1. Mach-O __cfstring section attributes
As shown in Figure 2, placing code in the __cfstring section allows the malware to fool some disassembly tools, which display the code as strings.
Figure 2. Backdoor code detected by IDA as data
Once executed, the binary creates a thread that acts as an anti-debugging watchdog; its sole purpose is to continuously check for the presence of a debugger. To do so, the thread:
- tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- checks whether certain exception ports are open by calling the task_get_exception_ports function
- checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process
Figure 3. Checking for an attached debugger using the sysctl function
If the watchdog detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then checks the return value against a hardcoded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" means MacBook Pro and "MBA" means MacBook Air.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
Main changes
While the backdoor commands have not changed since the Trend Micro research, we noticed a few other changes. The C&C servers used in this sample are new and were created on 22.10.2018.
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.
In addition to this configuration change, the sample does not use a built-in library for network exfiltration. Instead it relies on the value gFjMXBgyXWULmVVVzyxy, padded with zeros, as a key: a file is decrypted and stored as /tmp/store, and an attempt to load it as a library is made with the dlopen function. The backdoor then extracts the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyze this library. Moreover, because the section is encrypted, a YARA rule based on these strings will not match the file found on disk.
As described in the earlier article, the sample creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (obtains the MAC address)
- an unknown group ("\x1e\x72\x0a"), used in previous samples
Before hashing, a "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually timestomped using touch -t with a random value.
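As an added example (not code from the original report or from ESET), the Go tool below reproduces the clientID derivation just described so that an incident responder can confirm whether the contents of pivtoken.appex or snippets.ecgML found on a host were produced on that host, and under which privilege level. It takes the serial number, platform UUID and MAC address as already-collected strings rather than running ioreg/ifconfig itself. Two details are assumptions, because the text does not state them: that "1" marks root and "0" a normal user, and that the MD5 is stored as a hex string. The host values in main are constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Storage locations named in the analysis.
const (
	rootStorePath = "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex"
	userStorePath = "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML"
)

// staticGroup is the fourth possible input ("\x1e\x72\x0a"), reused from earlier samples.
const staticGroup = "\x1e\x72\x0a"

// ClientID applies the observed derivation: append a privilege marker, then MD5.
// ASSUMPTION: "1" is appended when running as root, "0" otherwise.
func ClientID(value string, root bool) string {
	marker := "0"
	if root {
		marker = "1"
	}
	sum := md5.Sum([]byte(value + marker))
	return hex.EncodeToString(sum[:])
}

// StorePath tells the responder which of the two files to collect.
func StorePath(root bool) string {
	if root {
		return rootStorePath
	}
	return userStorePath
}

// Candidates maps every ID the sample could have produced on this host to a
// label naming the input and privilege level that would produce it.
func Candidates(serial, platformUUID, macEn0 string) map[string]string {
	inputs := []struct{ label, value string }{
		{"IOPlatformSerialNumber", serial},
		{"IOPlatformUUID", platformUUID},
		{"en0 MAC address", macEn0},
		{"static group", staticGroup},
	}
	out := make(map[string]string)
	for _, in := range inputs {
		out[ClientID(in.value, false)] = in.label + " (user)"
		out[ClientID(in.value, true)] = in.label + " (root)"
	}
	return out
}

// Match compares the raw contents of the store file against the candidates,
// ignoring surrounding whitespace and hex case.
func Match(fileContents string, cands map[string]string) (string, bool) {
	id := strings.ToLower(strings.TrimSpace(fileContents))
	label, ok := cands[id]
	return label, ok
}

func main() {
	// Constructed host values, not taken from any real machine.
	cands := Candidates("C02CONSTRUCTED01", "00000000-0000-0000-0000-000000000000", "aa:bb:cc:dd:ee:ff")
	// Constructed file contents standing in for what would be read from StorePath(false).
	onDisk := ClientID("aa:bb:cc:dd:ee:ff", false) + "\n"
	if label, ok := Match(onDisk, cands); ok {
		fmt.Printf("%s matches: %s\n", StorePath(false), label)
	} else {
		fmt.Println("no match: the ID was derived on another host or from another input")
	}
}
```

A match tells the responder which input the sample chose and whether it ran as root, which in turn says which of the two paths to expect on other hosts; no match with any candidate is itself useful, because it suggests the file was copied from elsewhere or the derivation differs in this variant.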
String decryption
As in previous variants, the strings are encrypted with AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) by a decryption function.
Given that function's prototype, the script finds all cross-references to it and their arguments, then decrypts the data and places the plaintext in a comment at the address of each cross-reference. For the script to work correctly, it must be set to the custom alphabet used by the base64 decoding function, and a global variable holding the key length must be defined (in this case a DWORD; see Figure 4).
Figure 4. Definition of the global variable key_len
In the Functions window, you can right-click the decryption function and click "Extract and decrypt args". The script should place the decrypted strings in comments, as shown in Figure 5.
Figure 5. Decrypted text placed in comments
In this way the decrypted strings are conveniently grouped together in IDA's xrefs window for this function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
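The decryption routine such a script has to implement, written as a stand-alone Go program rather than an IDA script; this is an added example and not the report's or ESET's script. It uses the key printed above, zero-padded to 32 bytes as the key_len variable dictates, an all-zero IV, and a custom base64 alphabet. Three things are assumptions because the text does not give them: the custom alphabet (a placeholder reversed alphabet is used here only to show where the real table plugs in), PKCS#7 padding of the plaintext, and the EncryptString helper, which exists only to build a constructed test vector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key as printed in the analysis: 20 bytes, zero-padded to the AES-256 key
// length (the key_len global in the IDA script).
const keyHex = "9D7274AD7BCEF0DED29BDBB428C251DF8B350B92"
const keyLen = 32

// ASSUMPTION: the sample's custom base64 alphabet is not given in the text;
// this reversed alphabet is a placeholder showing how a custom table plugs in.
const customAlphabet = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"

var customB64 = base64.NewEncoding(customAlphabet)

// PadKey zero-pads a hex key to n bytes, matching "padded with zeros".
func PadKey(h string, n int) ([]byte, error) {
	raw, err := hex.DecodeString(h)
	if err != nil {
		return nil, err
	}
	if len(raw) > n {
		return nil, errors.New("key longer than key_len")
	}
	out := make([]byte, n)
	copy(out, raw)
	return out, nil
}

// DecryptString decodes an encoded string with the custom alphabet and then
// decrypts it with AES-256-CBC under the zero-padded key and an all-zero IV.
// ASSUMPTION: PKCS#7 padding; if the trailing bytes are not valid padding the
// raw plaintext is returned unchanged so the analyst can still inspect it.
func DecryptString(encoded string) (string, error) {
	key, err := PadKey(keyHex, keyLen)
	if err != nil {
		return "", err
	}
	ct, err := customB64.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // IV "filled with zeros"
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return string(stripPKCS7(pt)), nil
}

// stripPKCS7 removes valid PKCS#7 padding and leaves anything else untouched.
func stripPKCS7(b []byte) []byte {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return b
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return b
	}
	return b[:len(b)-n]
}

// EncryptString is the inverse operation, used here only to build constructed
// test vectors for DecryptString.
func EncryptString(plain string) (string, error) {
	key, err := PadKey(keyHex, keyLen)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return customB64.EncodeToString(ct), nil
}

func main() {
	enc, _ := EncryptString("/tmp/store") // constructed vector
	dec, err := DecryptString(enc)
	fmt.Printf("%s -> %q (err=%v)\n", enc, dec, err)
}
```

To apply this to a real sample, replace customAlphabet with the table recovered from the base64 decoding routine and feed DecryptString the string arguments collected at each cross-reference of f_decrypt; a zero-padded key and zero IV are the only cipher parameters the analysis calls for.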
The final script can be found here
Conclusion
As already mentioned, OceanLotus continually improves and updates its toolset. This time, the cyber group has improved its malware aimed at Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.
ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK techniques are also available at
Source: www.habr.com