OceanLotus: macOS malware update

In March 2019, a new macOS malware sample from the OceanLotus cyber group was uploaded to VirusTotal, a popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become much harder to detect. Unfortunately, we were unable to find the dropper associated with this sample, so we do not yet know the infection vector.

We recently published a post on OceanLotus and how its operators try to achieve persistence, speed up code execution, and minimize their footprint on Windows systems. It is also known that this cyber group has a macOS component. This post describes the changes in the latest version of the macOS malware compared to the previous version (described by Trend Micro), and explains how to automate string decryption during analysis using the IDA Hex-Rays API.


Analysis

The next three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlight; ESET antivirus products detect it as OSX/OceanLotus.D.

Anti-debugging and sandbox protection

Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is because they usually rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. This trait makes static detection difficult. Interestingly, after unpacking, the entry point is at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the image below.

Figure 1. Mach-O __cfstring section attributes

As shown in Figure 2, placing code in the __cfstring section lets the binary fool some disassembly tools into displaying the code as a string.

Figure 2. Backdoor code recognized by IDA as data

Once executed, the binary creates a thread that acts as a watchdog whose sole purpose is to continuously check for the presence of a debugger. This thread:

- Tries to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether any exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the image below, by looking for the P_TRACED flag on the current process

Figure 3. Checking for an attached debugger with the sysctl function

If the watchdog detects the presence of a debugger, the exit function is called. In addition, the sample then checks its environment by running two commands:

ioreg -l | grep -e "Manufacturer" and sysctl hw.model

The sample then compares the return value against a hard-coded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" means MacBook Pro, "MBA" means MacBook Air, and so on.

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'

Main additions

While the backdoor commands have not changed since the Trend Micro research, we noticed a few other changes. The C&C servers used in this sample are brand new and were created on 22 October 2018.

- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com

The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.

[Table of host-information commands; the table image is not reproduced on this page]

In addition to this configuration change, the sample does not use the libcurl networking library but an external library. To find it, the backdoor tries to decrypt every file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy, padded with zeros. Each file is decrypted and saved as /tmp/store, and an attempt is made to load it as a library using the dlopen function. If the decryption attempt results in a successful dlopen call, the backdoor extracts the exported functions Boriry and ChadylonV, which are apparently responsible for network communication with the server. We do not have the dropper or any other files from the sample's original location, so we cannot analyze this library. Furthermore, since the component is encrypted, a YARA rule based on these strings will not match the file found on disk.

As explained in the article referenced above, it creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:

- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- An unknown group ("\x1e\x72\x0a"), used in earlier samples

Before hashing, a "0" or "1" is added to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file is usually hidden using the _chflags function, and its timestamp is changed using the touch -t command with a random value.
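For an incident responder, the useful consequence of the clientID scheme above is that it can be recomputed: if the pivtoken.appex or snippets.ecgML artifact is recovered from a machine, its content can be checked against the identifiers of that machine to confirm which host (and which privilege level) produced it. The following Python is an added example written for this post; it is not ESET's code or the malware's. It reproduces the three awk extractions on constructed ioreg and ifconfig output (the serial number, UUID and MAC address below are invented), and it assumes the "0"/"1" marker is appended to the identifier, since the page does not state the concatenation order.

```python
import hashlib

# Constructed sample output of `ioreg -rd1 -c IOPlatformExpertDevice`; values are invented.
IOREG_SAMPLE = '''+-o J137AP  <class IOPlatformExpertDevice, id 0x100000111, registered, matched, active, busy 0 (1 ms), retain 42>
    {
      "IOPlatformUUID" = "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"
      "IOPlatformSerialNumber" = "C02EXAMPLE01"
      "manufacturer" = <"Apple Inc.">
    }
'''

# Constructed sample output of `ifconfig en0`; MAC address is invented.
IFCONFIG_SAMPLE = '''en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 00:11:22:33:44:55
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
'''

ROOT_ARTIFACT = '/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex'
USER_ARTIFACT = '~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML'


def ioreg_field(output: str, key: str) -> str:
    """Mirror awk '/key/ { split($0, line, "\\""); printf("%s", line[4]); }'.
    Splitting the matching line on the double quote leaves the value as awk's
    4th (1-based) field, i.e. Python index 3."""
    for line in output.splitlines():
        if key in line:
            parts = line.split('"')
            return parts[3] if len(parts) > 3 else ''
    return ''


def en0_mac(output: str) -> str:
    """Mirror awk '/ether /{print $2}' on ifconfig output."""
    for line in output.splitlines():
        if 'ether ' in line:
            return line.split()[1]
    return ''


def client_id(identifier: str, is_root: bool) -> str:
    """MD5 of the identifier with the root marker added. Appending the marker
    is an assumption of this example; the page only says it is 'added'."""
    marked = identifier + ('1' if is_root else '0')
    return hashlib.md5(marked.encode()).hexdigest()


def candidate_client_ids(ioreg_out: str, ifconfig_out: str, is_root: bool) -> dict:
    """Every clientID this host could have produced, keyed by identifier source."""
    sources = {
        'serial': ioreg_field(ioreg_out, 'IOPlatformSerialNumber'),
        'uuid': ioreg_field(ioreg_out, 'IOPlatformUUID'),
        'mac': en0_mac(ifconfig_out),
        'unknown_group': '\x1e\x72\x0a',  # constant group seen in earlier samples
    }
    return {name: client_id(value, is_root) for name, value in sources.items()}


def artifact_path(is_root: bool) -> str:
    """Where the page says the clientID file is written for each privilege level."""
    return ROOT_ARTIFACT if is_root else USER_ARTIFACT


def matches_host(found_value: str, ioreg_out: str, ifconfig_out: str) -> list:
    """Given a clientID read from a recovered artifact file, return the
    (source, privilege) combinations on this host that reproduce it."""
    wanted = found_value.strip().lower()
    hits = []
    for is_root in (False, True):
        for name, value in candidate_client_ids(ioreg_out, ifconfig_out, is_root).items():
            if value == wanted:
                hits.append((name, 'root' if is_root else 'user'))
    return hits


if __name__ == '__main__':
    # Simulate a responder checking a value found in the root-level artifact.
    recovered = candidate_client_ids(IOREG_SAMPLE, IFCONFIG_SAMPLE, True)['serial']
    print(artifact_path(True), '->', matches_host(recovered, IOREG_SAMPLE, IFCONFIG_SAMPLE))
```

On a live macOS host the two sample strings would be replaced by the actual output of the ioreg and ifconfig commands listed above; a match tells the responder both which identifier the sample picked and whether it ran as root.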

String decryption

As in previous versions, strings are encrypted with AES-256-CBC (hexadecimal key: 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the CCCrypt function. The key has changed from previous versions, but since the group still uses the same string encryption algorithm, decryption can be automated. Alongside this post, we are releasing an IDA script that uses the Hex-Rays API to decrypt the strings present in the binary. This script can help with future OceanLotus analysis and with the analysis of existing samples that we have not yet been able to obtain. The script is based on a generic method for recovering the arguments passed to a function. In addition, it looks for assignments to the parameters. The method can be reused to obtain the list of a function's arguments and pass them to a callback.

Knowing the prototype of the decryption function, the script finds all cross-references to this function and all of its arguments, then decrypts the data and places the plaintext in a comment at the cross-reference address. For the script to work properly, it must be configured with the custom alphabet used by the base64 decoding function, and a global variable containing the key length must be defined (in this case a DWORD, see Figure 4).
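The two parameters the script needs (the custom base64 alphabet and the key length) are exactly what the decryption pipeline of the sample depends on, so it is worth seeing that pipeline outside IDA. The Python below is an added example for this post, not ESET's IDA script and not code from the sample: it pads the 20-byte hexadecimal key from the page to 32 bytes with zeros, uses a zero IV, and decodes a custom-alphabet base64 string before AES-256-CBC decryption. The custom alphabet shown (the standard alphabet rotated by 13) and the PKCS#7 padding are assumptions made for the example; in a real analysis both come from the binary. The encrypt helper exists only to build a test fixture. It needs the third-party `cryptography` package (pip install cryptography).

```python
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

STANDARD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumed custom alphabet for the example; the real one is read out of the
# sample's base64 routine.
CUSTOM_B64 = STANDARD_B64[13:] + STANDARD_B64[:13]

KEY_HEX = "9D7274AD7BCEF0DED29BDBB428C251DF8B350B92"  # 20-byte key from the page
ZERO_IV = b"\x00" * 16                                   # IV filled with zeros


def pad_key(key_hex: str, size: int = 32) -> bytes:
    """Turn the hex key into bytes and right-pad with zeros to the AES-256 size."""
    raw = bytes.fromhex(key_hex)
    if len(raw) > size:
        raise ValueError("key longer than %d bytes" % size)
    return raw.ljust(size, b"\x00")


def custom_b64decode(data: bytes, alphabet: bytes = CUSTOM_B64) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally."""
    return base64.b64decode(data.translate(bytes.maketrans(alphabet, STANDARD_B64)))


def custom_b64encode(raw: bytes, alphabet: bytes = CUSTOM_B64) -> bytes:
    """Inverse of custom_b64decode; only used here to build fixtures."""
    return base64.b64encode(raw).translate(bytes.maketrans(STANDARD_B64, alphabet))


def unpad(plaintext: bytes) -> bytes:
    """Strip PKCS#7 padding if it is well-formed, otherwise trailing zeros
    (the sample's padding mode is not stated on the page)."""
    if plaintext:
        n = plaintext[-1]
        if 1 <= n <= 16 and plaintext.endswith(bytes([n]) * n):
            return plaintext[:-n]
    return plaintext.rstrip(b"\x00")


def decrypt_string(encoded: bytes, key_hex: str = KEY_HEX) -> bytes:
    """custom base64 -> AES-256-CBC (zero-padded key, zero IV) -> unpad."""
    ciphertext = custom_b64decode(encoded)
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    decryptor = Cipher(algorithms.AES(pad_key(key_hex)), modes.CBC(ZERO_IV)).decryptor()
    return unpad(decryptor.update(ciphertext) + decryptor.finalize())


def encrypt_string(plaintext: bytes, key_hex: str = KEY_HEX) -> bytes:
    """Fixture builder: PKCS#7 pad, AES-256-CBC encrypt, custom base64 encode."""
    n = 16 - len(plaintext) % 16
    padded = plaintext + bytes([n]) * n
    encryptor = Cipher(algorithms.AES(pad_key(key_hex)), modes.CBC(ZERO_IV)).encryptor()
    return custom_b64encode(encryptor.update(padded) + encryptor.finalize())


if __name__ == "__main__":
    # Constructed fixture: one of the C&C hostnames from the page, round-tripped.
    blob = encrypt_string(b"daff.faybilodeau.com")
    print(blob, "->", decrypt_string(blob))
```

The same three steps are what the IDA script performs at each cross-reference once it has extracted the argument values; running them standalone is a quick way to confirm the recovered alphabet and key length before committing them to the script's configuration.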

Figure 4. Definition of the global variable key_len

In the Functions window, you can right-click the decryption function and choose "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.

Figure 5. Decrypted text placed in comments

In this way the decrypted strings are conveniently gathered together in the IDA xrefs window for this function, as shown in Figure 6.

Figure 6. Xrefs to the f_decrypt function

The final script can be found in the GitHub repository.

Conclusion

As already mentioned, OceanLotus keeps developing and updating its toolkit. This time, the cyber group improved the malware to target Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.

ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK attributes are also available on GitHub.

Source: www.habr.com
