OceanLotus: macOS malware update

In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The executable backdoor has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become harder to detect. Unfortunately, we were unable to find the dropper associated with this sample, so we do not yet know the infection vector.

We recently published a post about OceanLotus and how its operators try to achieve persistence, speed up code execution and reduce their footprint on Windows systems. It is also known that this cyber group has a macOS component. This post describes the changes in the new version of the macOS malware compared with the previous version (described by Trend Micro), and also explains how to automate string decryption during analysis using the IDA Hex-Rays API.


Analysis

The next three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlightd; ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognise it as such. This is probably because most of them rely on a signature that depends on the presence of the string "UPX"; in addition, Mach-O signatures are less common and are not updated as often. This peculiarity makes static detection difficult. Interestingly, after unpacking, the entry point is at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the image below.

Figure 1. Mach-O __cfstring section attributes

As shown in Figure 2, placing code in the __cfstring section makes it possible to fool some disassembly tools, which display the code as strings.

Figure 2. Backdoor code detected by IDA as data

Once executed, the binary creates a thread that acts as an anti-debugger, whose sole purpose is to continuously check for the presence of a debugger. To do this, the thread:

- Tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether certain exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the image below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger using the sysctl function

If the watchdog detects a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample then checks the return value against a hard-coded list of strings from known virtualisation systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" means MacBook Pro, "MBA" means MacBook Air, etc.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'

Main additions

While the backdoor commands have not changed since the Trend Micro research, we noticed a few other modifications. The C&C servers used by this sample are new and were created on 22.10.2018.

- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains a lot of information about the host machine, including all the data collected by the commands in the table below.

[Table: commands used to collect host information; the original presents it as an image]

In addition to this configuration change, the sample does not use the libcurl library for network exfiltration, but an external library. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. When a decryption attempt results in a successful dlopen call, the backdoor extracts the exported functions Boriry and ChadylonV, which appear to be responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyse this library. Moreover, since the component is encrypted, a YARA rule based on these strings will not match the file found on disk.

As described in the article mentioned above, the backdoor creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (get the MAC address)
- an unknown group ("\x1e\x72\x0a"), used in previous samples

Before hashing, a "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code is run as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed using the touch -t command with a random value.
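The following shell script is an added example, not code from the ESET article: it reproduces the clientID derivation just described for a constructed host, so that an ID observed in C&C traffic can be tied back to a machine. It assumes the root marker is appended to the identifier before hashing, and uses openssl for MD5.

```shell
#!/bin/sh
# Added example (not code from the ESET article): compute every clientID the
# sample could derive for one host, so a clientID seen in C&C traffic can be
# tied back to a machine. Assumption: the root marker ("1" for root, "0"
# otherwise) is appended to the identifier, and the whole string is MD5-hashed.

# Constructed ioreg and ifconfig output (not from a real machine). Live values
# come from "ioreg -rd1 -c IOPlatformExpertDevice" and "ifconfig en0".
SAMPLE_IOREG='  | {
  |   "IOPlatformUUID" = "6F1A2B3C-0000-4000-8000-ABCDEF012345"
  |   "IOPlatformSerialNumber" = "C02XXXXXXXXX"
  | }'
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:11:22:33:44:55
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Same extraction the backdoor performs: split the matching line on double
# quotes and keep the 4th field, i.e. the quoted value.
ioreg_field() {  # $1 = ioreg text, $2 = key name
  printf '%s\n' "$1" | awk -v k="$2" '$0 ~ k { split($0, line, "\""); printf("%s", line[4]) }'
}

mac_address() {  # $1 = ifconfig text
  printf '%s\n' "$1" | awk '/ether /{ print $2 }'
}

md5_hex() { openssl dgst -md5 | awk '{ print $NF }'; }

# clientID = MD5(identifier || root marker), as 32 lowercase hex characters.
client_id() {  # $1 = identifier, $2 = 1 when the backdoor runs as root, else 0
  printf '%s%s' "$1" "$2" | md5_hex
}

# Print "source root=<0|1> <clientID>" for all four identifiers at both
# privilege levels. The fourth identifier is the fixed byte string "\x1e\x72\x0a"
# from the text; it ends in a newline, so it is piped rather than stored.
all_client_ids() {  # $1 = ioreg text, $2 = ifconfig text
  serial=$(ioreg_field "$1" IOPlatformSerialNumber)
  uuid=$(ioreg_field "$1" IOPlatformUUID)
  mac=$(mac_address "$2")
  for root in 0 1; do
    printf 'serial root=%s %s\n' "$root" "$(client_id "$serial" "$root")"
    printf 'uuid   root=%s %s\n' "$root" "$(client_id "$uuid" "$root")"
    printf 'mac    root=%s %s\n' "$root" "$(client_id "$mac" "$root")"
    printf 'fixed  root=%s %s\n' "$root" \
      "$({ printf '\036\162\012'; printf '%s' "$root"; } | md5_hex)"
  done
}
```

Running all_client_ids against the real ioreg and ifconfig output of a host yields the eight IDs a defender would search for in proxy or DNS logs.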

Decrypting strings

As with previous variants, strings are encrypted using AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script can help with future OceanLotus analysis as well as with the analysis of existing samples we have not yet been able to obtain. The script is based on a generic method for retrieving the arguments passed to a function. In addition, it looks up parameter assignments. The method can be reused to obtain the list of a function's arguments and then pass it to a callback.

Knowing the prototype of the decrypt function, the script finds all cross-references to this function and all their arguments, then decrypts the data and places the plaintext in a comment at the cross-reference address. For the script to work correctly, it must be set to the custom alphabet used by the base64 decoding function, and a global variable containing the key length must be defined (in this case a DWORD, see Figure 4).
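The following shell script is an added example and not ESET's IDA script; it reproduces the two AES-256-CBC uses described on this page with openssl, both the library hunt from the "Main additions" section and the string decryption described here. It assumes PKCS#7 padding, and the custom base64 alphabet it uses is a placeholder permutation, since the real one has to be recovered from the binary.

```shell
#!/bin/sh
# Added example (not ESET's IDA script): reproduce the sample's two AES-256-CBC
# uses with openssl, (1) to hunt for the encrypted network library on disk and
# (2) to decrypt a single custom-base64 string outside IDA.
# Assumptions: PKCS#7 padding; CUSTOM_B64 is a placeholder permutation, the real
# alphabet must be recovered from the binary's base64 decoder.

STRING_KEY_HEX="9D7274AD7BCEF0DED29BDBB428C251DF8B350B92"            # string key (20 bytes)
LIB_KEY_HEX=$(printf '%s' "gFjMXBgyXWULmVVVzyxy" | od -An -tx1 | tr -d ' \n')  # library key
ZERO_IV=$(printf '%032d' 0)                                            # 16 zero bytes

STD_B64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_B64="/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA"  # PLACEHOLDER

# Both keys are shorter than 32 bytes; the malware zero-pads them to AES-256 size.
pad_key32() { printf '%-64s' "$1" | tr ' ' 0; }

# (1) Decrypt one candidate file with the library key and accept the result only
# if it starts with a Mach-O magic (thin or fat, either byte order).
try_decrypt_library() {  # $1 = candidate file, $2 = output path
  openssl enc -d -aes-256-cbc -K "$(pad_key32 "$LIB_KEY_HEX")" -iv "$ZERO_IV" \
    -in "$1" -out "$2" 2>/dev/null || return 1
  case "$(od -An -tx1 -N4 "$2" | tr -d ' \n')" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
    *) return 1 ;;
  esac
}

# Run (1) over a directory, the way the backdoor walks its current directory;
# prints the path of the first file that decrypts to a Mach-O image.
find_library() {  # $1 = directory, $2 = output path
  for f in "$1"/*; do
    [ -f "$f" ] && try_decrypt_library "$f" "$2" && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# (2) Decrypt one encrypted string: map the custom alphabet back to standard
# base64, then AES-256-CBC with the zero-padded string key and zero IV.
decrypt_string() {  # $1 = encoded string
  printf '%s' "$1" | tr "$CUSTOM_B64" "$STD_B64" | openssl enc -d -aes-256-cbc -a -A \
    -K "$(pad_key32 "$STRING_KEY_HEX")" -iv "$ZERO_IV"
}

# Inverse of decrypt_string, used only to build offline test vectors.
encrypt_string() {  # $1 = plaintext
  printf '%s' "$1" | openssl enc -aes-256-cbc -a -A \
    -K "$(pad_key32 "$STRING_KEY_HEX")" -iv "$ZERO_IV" | tr "$STD_B64" "$CUSTOM_B64"
}
```

Because the library only exists decrypted in memory, find_library run over the sample's original directory is the on-disk counterpart of the dlopen loop the text describes, and is how the YARA-invisible component could be recovered for analysis.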

Figure 4. Definition of the global variable key_len

In the Functions window, you can right-click the decrypt function and choose "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted text placed in comments

In this way, the decrypted strings are conveniently listed together in IDA's xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script can be found in the GitHub repository.

Conclusion

As already mentioned, OceanLotus constantly improves and updates its toolset. This time the cyber group has improved the malware to target Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now stored encrypted on disk, the exact network protocol used by the attackers is not yet known.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK attributes are also available on GitHub.

Source: www.habr.com
