Source | AlienVault Lab Blog
Identifier | 367014
Publication date | 2017-05-19 19:00:00 (seen: 2017-05-19 19:00:00)
Title | Diversity in Recent Mac Malware
Text |
In recent weeks, there have been some high-profile reports about Mac malware, most notably OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor’s download site. Another lower profile piece of Mac malware making the rounds is Mac.Backdoor.Systemd.1.
Figure 1: Systemd pretending to be corrupted and un-runnable.
There have been no public reports as to who is behind these attacks, and little information about their targets. OSX/Dok is reported to have targeted European victims, while users of HandBrake were the victims of Proton.B. One corporate victim of Proton.B was Panic, Inc., which had its source code stolen and received a ransom demand from the attackers.
Each of these malware variants is designed to take advantage of Macs, but analysis shows that they are actually drastically different from each other, showing just how diverse the Mac malware space has grown. Let’s dive into some of the technical details (but not too technical ;) of each piece of malware to learn more about what they do and how they work.
| | OSX/Dok | OSX.Proton.B | Mac.BackDoor.Systemd.1 |
|---|---|---|---|
| Functionality | HTTP(S) proxy | Credential theft (potentially other RAT functionality) | Backdoor/RAT |
| Language | Objective-C (with heavy use of shell commands) | Objective-C (with heavy use of shell commands) | C++ (with a handful of shell commands) |
| Persistence | Launch Agent | Launch Agent | Launch Agent; Launch Daemon; Startup Item; uses chflags to make files read-only |
| Distribution | Phishing emails | Compromised software download | (presumably) Phishing |
| Anti-Analysis | None | Anti-debugger (PT_DENY_ATTACH); closes Terminal and Wireshark windows | None |
| Binary Obfuscation | Newer variants are packed with UPX; password-protected zip archive | Encrypted configuration file | Encrypted configuration file; XOR-encrypted strings in binary |
| Detection Avoidance | Signed app bundle; installs trusted root certificate; modifies sudo settings to prevent prompting | Checks for security software; infected legitimate software; use of "hidden" dot files | Uses chflags to hide files from UI; use of "hidden" dot files |
| C2 | MitM proxy (no separate C2) | HTTPS | Custom 3DES |
Functionality
Dok is very basic in its functionality – it reconfigures a system to proxy web traffic through a malicious h
Notes |
Sent | Yes
Tags |
Stories | Wannacry, APT 32