In March 2019, a new sample of macOS malware from the OceanLotus cyber group was uploaded to VirusTotal, the popular online scanning service. The backdoor executable has the same capabilities as the previous version of the macOS malware we studied, but its structure has changed and it has become much harder to detect. Unfortunately, we were unable to find the dropper associated with this sample, so we do not yet know the infection vector.
We recently published
Analysis
The following three sections describe the analysis of the sample with SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2. The file is named flashlight; ESET antivirus products detect it as OSX/OceanLotus.D.
Anti-debugging and sandbox protection
Like all OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such. This is probably because they mostly rely on a signature that depends on the presence of the "UPX" string; in addition, Mach-O signatures are less common and are not updated as often. This makes static detection harder. Interestingly, after unpacking, the entry point is at the start of the __cfstring section in the .TEXT segment. This section has the flag attributes shown in the image below.
Figure 1. Mach-O __cfstring section attributes
As shown in Figure 2, placing code in the __cfstring section lets it fool some disassembly tools into displaying the code as strings.
Figure 2. Backdoor code detected by IDA as data
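As an added example (not code from the ESET analysis), the following Python turns the observation above into a static check: it parses a thin 64-bit Mach-O image, finds the section whose file range contains the LC_MAIN entry point, and flags anything other than __TEXT,__text, which is where an entry point in __TEXT,__cfstring would land. The image it builds for itself is a constructed header, not a real binary, and the check applies to the unpacked image.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit little-endian image; fat/32-bit files are rejected
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028

def entry_section(data):
    """Return 'segname,sectname' of the section whose file range holds the LC_MAIN entry."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O image")
    off, sections, entryoff = 32, [], None   # load commands start right after the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):          # section_64 records (80 bytes) follow the segment
                sect, seg, _addr, size, fileoff = struct.unpack_from(
                    "<16s16sQQI", data, off + 72 + 80 * i)
                sections.append((seg.rstrip(b"\0").decode(), sect.rstrip(b"\0").decode(),
                                 fileoff, size))
        elif cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", data, off + 8)[0]
        off += cmdsize
    if entryoff is None:
        raise ValueError("no LC_MAIN load command")
    for seg, sect, fileoff, size in sections:
        if fileoff <= entryoff < fileoff + size:
            return f"{seg},{sect}"
    return None

def entry_point_is_suspicious(data):
    """Heuristic from the analysis: compiled code is entered in __TEXT,__text; an entry point
    in any other section (here __TEXT,__cfstring) is worth a closer look."""
    return entry_section(data) != "__TEXT,__text"

def build_sample(entry_in_cfstring):
    """Constructed minimal Mach-O header, not a real binary: one __TEXT segment holding
    __text and __cfstring, with LC_MAIN pointing into whichever the caller picks."""
    text_off, cfs_off, size = 0x1000, 0x1100, 0x100
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 2 * 80, b"__TEXT",
                      0, 0x2000, 0, 0x2000, 7, 5, 2, 0)
    sects = b"".join(struct.pack("<16s16sQQIIIIIIII", name, b"__TEXT", off, size, off,
                                 0, 0, 0, 0, 0, 0, 0)
                     for name, off in ((b"__text", text_off), (b"__cfstring", cfs_off)))
    main = struct.pack("<IIQQ", LC_MAIN, 24, cfs_off if entry_in_cfstring else text_off, 0)
    cmds = seg + sects + main
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0) + cmds
```

On a real file call entry_point_is_suspicious(open(path, "rb").read()) after unpacking it and, for a fat binary, thinning it first (for example with lipo).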
Once executed, the binary creates a thread that acts as a watchdog, whose sole purpose is to continuously check for the presence of a debugger. This thread:
- Attempts to detach any debugger by calling ptrace with PT_DENY_ATTACH as the request parameter
- Checks whether certain exception ports are open by calling the task_get_exception_ports function
- Checks whether a debugger is attached, as shown in the image below, by looking for the P_TRACED flag on the current process
Figure 3. Checking for an attached debugger using the sysctl function
If the watchdog detects a debugger, the exit function is called. The sample then also checks its environment by running two commands:
ioreg -l | grep -e "Manufacturer" and sysctl hw.model
The sample then compares the return value against a hardcoded list of strings from known virtualization systems: acle, vmware, virtualbox or parallels. Finally, the following command checks whether the machine is one of "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These are system model codes; for example, "MBP" means MacBook Pro and "MBA" means MacBook Air.
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}'
Key changes
While the backdoor commands have not changed since the Trend Micro research, we noticed a few other changes. The C&C servers used in this sample are quite new and were created on 22 October 2018.
- daff.faybilodeau[.]com
- sarc.onteagleroad[.]com
- au.charlineopkesston[.]com
The resource URL has changed to /dp/B074WC4NHW/ref=gbps_img_m-9_62c3_750e6b35.
The first packet sent to the C&C server contains more information about the host machine, including all the data collected by the commands in the table below.
In addition to this configuration change, the sample does not use the gFjMXBgyXWULmVVVzyxy network filtering library, padded with zeros. Each file is decrypted and stored as /tmp/store, and an attempt is made to load it as a library using the dlopen function; the backdoor then extracts the exported functions Boriry and ChadylonV, which are apparently responsible for network communication with the server. We do not have the dropper or the other files from the sample's original location, so we cannot analyze this library. Moreover, since the component is encrypted, a YARA rule based on these strings will not match the file found on disk.
As described in the article above, it creates a clientID. This ID is the MD5 hash of the return value of one of the following commands:
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'
- ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
- ifconfig en0 | awk '/ether /{print $2}' (gets the MAC address)
- An unknown string ("\x1e\x72\x0a") used in previous samples
Before hashing, a "0" or "1" is appended to the return value to indicate root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML in all other cases. The file's timestamp is usually altered with touch -t and a random value.
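An added example, not code from the analysis, that turns the clientID description into a lookup an analyst can run offline: it computes every clientID a given host could have produced from its serial number, platform UUID or en0 MAC, and maps an ID observed in C&C traffic back to an inventory entry; it also records the two storage paths to check on disk. Assumptions not stated on the page: the "0"/"1" flag is appended as a single ASCII byte, the identifier is hashed without a trailing newline, and the inventory values are constructed placeholders.

```python
import hashlib

# Constant hashed by earlier samples in place of a hardware identifier (from the analysis).
UNKNOWN_STRING = b"\x1e\x72\x0a"
# Where the backdoor stores the clientID, keyed by whether it runs as root (from the analysis).
CLIENT_ID_PATHS = {
    True: "/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex",
    False: "~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML",
}

def client_id(identifier, root_flag):
    """MD5 of <identifier><root_flag>. Assumption: the flag is one ASCII byte ('0' or '1')
    appended to the identifier, which is hashed as printed, without a trailing newline."""
    if isinstance(identifier, str):
        identifier = identifier.encode()
    return hashlib.md5(identifier + root_flag.encode()).hexdigest()

def host_candidates(host):
    """Every clientID a host could produce: each hardware identifier x each flag value.
    `host` holds the serial number, platform UUID and en0 MAC as the inventory records them
    (the MAC is lower-cased because that is how ifconfig prints it)."""
    ids = (host["serial"], host["uuid"], host["mac"].lower())
    return {client_id(src, flag) for src in ids for flag in ("0", "1")}

# IDs derived from the unknown constant are the same on every machine, so they identify no host.
GENERIC_IDS = {client_id(UNKNOWN_STRING, flag) for flag in ("0", "1")}

def is_generic_client_id(observed):
    return observed.lower() in GENERIC_IDS

def match_client_id(observed, inventory):
    """Hostnames in `inventory` ({name: host}) whose candidate set contains the observed ID."""
    observed = observed.lower()
    if is_generic_client_id(observed):
        return []
    return sorted(name for name, host in inventory.items() if observed in host_candidates(host))

def client_id_path(running_as_root):
    """Path to check on disk for a stored clientID; expand ~ per user for the non-root case."""
    return CLIENT_ID_PATHS[running_as_root]

# Constructed inventory; the identifiers are placeholders, not real machines.
INVENTORY = {
    "mac-alice": {"serial": "C02PLACEHOLDER1", "uuid": "00000000-0000-4000-8000-000000000001",
                  "mac": "aa:bb:cc:dd:ee:01"},
    "mac-bob": {"serial": "C02PLACEHOLDER2", "uuid": "00000000-0000-4000-8000-000000000002",
                "mac": "aa:bb:cc:dd:ee:02"},
}
```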
String decryption
As in previous variants, the strings are encrypted with AES-256-CBC (hexadecimal key 9D7274AD7BCEF0DED29BDBB428C251DF8B350B92 padded with zeros, and an IV filled with zeros) via the function
Knowing the function prototype, the script finds all cross-references to this function and their arguments, decrypts the data and places the plaintext in a comment at the cross-reference address. For the script to work correctly, the custom alphabet used by the base64 decoding function must be set, and a global variable containing the key length must be defined (in this case a DWORD, see Figure 4).
Figure 4. Definition of the global variable key_len
In the Functions window, right-click the decryption function and choose "Extract and decrypt arguments". The script should place the decrypted strings in comments, as shown in Figure 5.
Figure 5. Decrypted text placed in comments
This way, the decrypted strings are conveniently grouped together in the IDA xrefs window for this function, as shown in Figure 6.
Figure 6. Xrefs to the f_decrypt function
The final script can be found at
Conclusion
As already mentioned, OceanLotus constantly improves and updates its toolkit. This time, the cyber group improved the malware to target Mac users. The code has not changed much, but since many Mac users ignore security products, protecting the malware from detection is of secondary importance.
ESET products were already detecting this file at the time of the research. Because the network library used for C&C communication is now encrypted on disk, the exact network protocol used by the attackers is not yet known.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK attributes are also available at
Source: www.habr.com