Source |
AlienVault Lab Blog |
Identifier |
372877 |
Publication date |
2017-06-10 01:05:00 (viewed: 2017-06-10 01:05:00) |
Title |
MacSpy: OS X RAT as a Service |
Text |
MacSpy is advertised as the "most sophisticated Mac spyware ever", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn't a new one, with players such as Tox and Shark already in the game, it can be said that MacSpy is one of the first seen for the OS X platform.
The authors state that they created this malware because Apple products have gained popularity in recent years. They also state that during their tenure in the field they have noticed a lack of "sophisticated malware for Mac users" and that they believe "people were in need of such programs on MacOS". So they created MacSpy. The MacSpy authors claim to have the following features in the free version of their RAT:
If you are willing to pay an unknown amount of bitcoins for the advanced version, the malware authors advertise the following features:
MacSpy is not as polished as some of the malware-as-a-service providers out there, as there doesn't seem to be any customer-facing automated way of signing up for the service. In order to receive a copy of MacSpy we had to email the author our preferred username and password so that they could create an account for us. After confirming our details they created the account, and delivered a zipped file along with the following instructions:
Initial Analysis
After unzipping the archive we observed that it contained four files:
Mach-O 64-bit executable called 'updated'
Mach-O 64-bit executable called 'webkitproxy'
Mach-O 64-bit dynamically linked shared library called 'libevent-2.0.5.dylib'
Config file
After examining webkitproxy and libevent-2.0.5.dylib, we noted that they are signed by Tor, and thus concluded that they are related to Tor onion routing. The contents of the config file further convinced us that our suspicions were correct:
Config Contents
SOCKSPort 47905 KeepAliveIsolateSOCKSAuth OnionTrafficOnly
DataDirectory proxyData
AvoidDiskWrites 1
ControlPort 47906
MaxCircuitDirtiness 7200
EnforceDistinctSubnets 0
HidServAuth .onion
The "updated" file, on the other hand is not digitally signed, and it is currently completely undetected by various AV companies on VirusTotal.
Anti-Analysis
MacSpy has several countermeasures that hamper analysis efforts. To prevent debugging, it calls ptrace() with the PT_DENY_ATTACH option. This is a common anti-debugger check and will prevent debuggers from attaching to the process.
If you bypass the ptrace countermeasure, MacSpy has additional code that checks if it is running in a debugger.
|
Notes |
|
Sent |
Yes |
Digest |
Tags |
|
Stories |
Wannacry
|
Move |
|