In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find a dropper associated with this sample, so we do not yet know the infection vector.
We recently published a post on OceanLotus and how its operators try to achieve persistence, speed up code execution and minimise traces of their presence on Windows systems. It is also known that this cyber group has a macOS component. This post describes the changes in the latest version of the macOS malware compared with the previous version, and explains how string decryption can be automated during analysis using the IDA Hex-Rays API.

Analysis
The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protection
Like all macOS OceanLotus binaries, the sample is packed with UPX, but most packer identification tools do not recognise it as such. This is probably because most of them rely on a signature that depends on the presence of the "UPX" string. Moreover, Mach-O signatures are less common and are not updated as often. This makes static detection difficult. Interestingly, after unpacking, the entry point is at the beginning of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the figure below.

Figure 1. Mach-O __cfstring section attributes
As shown in Figure 2, placing code in the __cfstring section makes it possible to fool some disassembly tools into displaying the code as strings.

Figure 2. Backdoor code detected by IDA as data
Once executed, the binary creates a thread that acts as an anti-debugger; its only purpose is to continuously check for the presence of a debugger. In this thread it:
- tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- checks whether any exception ports are open by calling the task_get_exception_ports function
- checks whether a debugger is attached, as shown in the figure below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using the sysctl function
If the watchdog detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then compares the return value against a hardcoded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" or "XS". These are system model codes; for example, "MBP" means MacBook Pro and "MBA" means MacBook Air.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
Main improvements
While the backdoor commands have not changed since Trend Micro's research, we noticed a few other modifications. The C&C servers used in this sample are new and were created on 22.10.2018.
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.

In addition to this configuration change, the sample does not use a built-in network library but an external one. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using dlopen. When a decryption attempt results in a successful dlopen call, the backdoor extracts the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyse this library. Moreover, since the component is encrypted, a YARA rule based on these strings will not match the file found on disk.
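Because the network component only exists on disk in encrypted form, a YARA rule on its strings cannot find it; the check below instead reproduces the decryption step described above and looks for a Mach-O header in the result. This is an added example in Go, not ESET's code or the backdoor's: the magic numbers are standard Mach-O values, and EncryptLikeDropper exists only to manufacture constructed test input, since the real dropper is not available.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const componentKey = "gFjMXBgyXWULmVVVzyxy"

// cbcZeroIV builds AES-256-CBC as the page describes it: the key right-padded with zero
// bytes to 32 bytes, an all-zero IV, and no padding scheme (dlopen gets the raw output).
func cbcZeroIV(key string, decrypt bool) cipher.BlockMode {
	padded := make([]byte, 32)
	copy(padded, key)
	block, _ := aes.NewCipher(padded) // cannot fail: the key is always 32 bytes
	iv := make([]byte, aes.BlockSize)
	if decrypt {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}

// isMachO checks the first four bytes for a thin Mach-O magic in either byte order or a fat magic.
func isMachO(p []byte) bool {
	if len(p) < 4 {
		return false
	}
	m := binary.BigEndian.Uint32(p[:4])
	return m == 0xFEEDFACE || m == 0xFEEDFACF || m == 0xCEFAEDFE || m == 0xCFFAEDFE || m == 0xCAFEBABE
}

// LooksLikeEncryptedComponent reports whether a file's bytes decrypt to a Mach-O header
// under the backdoor's key, which a string-based YARA rule run over the disk cannot see.
func LooksLikeEncryptedComponent(data []byte) bool {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return false
	}
	plain := make([]byte, len(data))
	cbcZeroIV(componentKey, true).CryptBlocks(plain, data)
	return isMachO(plain)
}

// EncryptLikeDropper only manufactures constructed sample input for the check above.
func EncryptLikeDropper(plain []byte) []byte {
	out := make([]byte, len(plain))
	cbcZeroIV(componentKey, false).CryptBlocks(out, plain)
	return out
}
```

Run LooksLikeEncryptedComponent over each file in a suspect directory to find the component; a match on a file that no YARA string rule flags is the behaviour the paragraph describes.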
As described in the article above, it creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- an unknown command ("\x1e\x72\x0a") used in previous samples
Before hashing, a "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden, and its timestamp is changed with the touch -t command using a random value.
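To confirm that a pivtoken.appex or snippets.ecgML file found on a host holds this marker, an analyst can recompute the clientID from the same inputs. The Go code below is an added example, not part of the original post: QuotedField4 mirrors the awk field extraction in the commands above and ClientID the MD5 step; that the digest is hex-encoded and that "1" means root are assumptions, since the page does not say. The ioreg text is constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"strings"
)

// constructedIoreg is made-up output in the shape of `ioreg -rd1 -c IOPlatformExpertDevice`.
const constructedIoreg = `+-o ExampleDevice  <class IOPlatformExpertDevice, registered, matched, active>
  | {
  |   "IOPlatformUUID" = "00000000-1111-2222-3333-444444444444"
  |   "IOPlatformSerialNumber" = "C02CONSTRUCTED"
  | }`

// QuotedField4 mirrors the awk fragment the backdoor runs on that output,
// split($0, line, "\""); printf("%s", line[4]): the text between the third and fourth quote.
func QuotedField4(line string) string {
	parts := strings.Split(line, "\"") // awk's line[1..n] is parts[0..n-1]
	if len(parts) < 4 {
		return ""
	}
	return parts[3]
}

// ClientID reproduces the derivation described on the page: MD5 over the command
// output with "0" or "1" appended to flag root privileges. The page does not say which
// digit means root or how the digest is encoded; "1" for root and hex are assumptions.
func ClientID(value string, isRoot bool) string {
	flag := "0"
	if isRoot {
		flag = "1"
	}
	sum := md5.Sum([]byte(value + flag))
	return hex.EncodeToString(sum[:])
}

// IDFromIoreg chains both steps over raw ioreg output, matching lines the way the
// unanchored awk pattern does, and reports whether the wanted key was present at all.
func IDFromIoreg(ioregOutput, key string, isRoot bool) (string, bool) {
	for _, line := range strings.Split(ioregOutput, "\n") {
		if strings.Contains(line, key) {
			return ClientID(QuotedField4(line), isRoot), true
		}
	}
	return "", false
}
```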
String decoding
As with previous variants, the strings are encrypted using AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros). The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script may help with future analysis of OceanLotus and with the analysis of existing samples we have not yet been able to obtain. The script is based on a generic method for retrieving the arguments passed to a function. In addition, it looks up parameter assignments. The method can be reused to obtain the list of a function's arguments and then pass it to a callback.
Knowing the prototype of the decryption function, the script finds all cross-references to that function and all of their arguments, then decrypts the data and places the plaintext in a comment at the address of the cross-reference. For the script to work correctly, it must be configured with the custom alphabet used by the base64 decoding function, and a global variable containing the key length must be defined (in this case a DWORD, see Figure 4).

Figure 4. Definition of the global variable key_len
In the Functions window, you can right-click the decryption function and click "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted text placed in comments
This way the decrypted strings are conveniently listed together in the IDA xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function
The final script can be found here.
Conclusion
As already mentioned, OceanLotus constantly improves and updates its toolset. This time, the cyber group improved its malware for targeting Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.
ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK attributes are also available.
Source: www.habr.com
