One Article Review

Source: AlienVault Lab Blog
Identifier: 58
Publication date: 2016-03-21 13:00:00 (viewed: 2016-03-21 13:00:00)
Title: OS X Malware Samples Analyzed
Text:

By Eddie Lee and Krishna Kona

A couple of months ago, as we rang in 2016, we thought it would be interesting to take a quick look back at some OS X malware from 2015 and 2014. As reported by the team at Bit9+Carbon Black [1], 2015 marked “the most prolific year in history for OS X malware”. We collected a few samples of malware named in that report, along with samples of other notable OS X malware, with the intention of learning more about them and filling in any gaps in our detection mechanisms (NIDS and correlation rules). Although our primary objective was to capture network traffic from the malware samples, we were also interested in other aspects of the malware, such as any persistence mechanisms they used, so we documented that activity as well.

To start off, we reviewed Flashback, one of the most infamous pieces of OS X malware, which reminded everyone that OS X is not immune to malware. After that, we looked at KitM, which is spyware, and LaoShu, a RAT. Then we analyzed Mask, a sophisticated piece of malware used for cyber espionage. We also looked into the CoinThief malware, which steals bitcoins from the infected machine, and the WireLurker malware, which can infect iPhones connected to the compromised machine. Finally, we analyzed OceanLotus, which was discovered in May last year and found to be attacking Chinese government infrastructure.

Below is a summary of our findings from analyzing the samples in a sandbox. The findings include links to fully executable samples, IDS signatures, persistence mechanisms and C&C details.

OS X Malware Details

Flashback

Description: Flashback masquerades as an Adobe Flash Player update or a signed Java applet. It downloads and installs a web traffic interception component to inject ads into HTTP/HTTPS streams [4].
Sample: https://www.virustotal.com/en/file/58029f84c3826a0bd2757d2fe7405611b75ffc2094a80606662919dae68f946e/analysis/
Persistence mechanism: Installs a malicious file in the user's home directory with a filename starting with a dot to hide itself, and installs a LaunchAgent in ~/Library/LaunchAgents that refers to the created malicious file.
C&C communication: Uses a DGA for C&C domain names and Twitter hashtags to decode the address of the C&C server.
AlienVault detections:
IDS, existing SIDs: 2014596, 2014597, 2014598, 2014599, 2014534, 2014522, 2014523, 2014524, 2014525
System Compromise, Trojan infection, Flashback

Kumar in the Mac (KitM)

Description: KitM is signed malware that can take screenshots, download and install programs, and steal data [5].
Sample: https://www.virustotal.com/en/file/07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce/analysis/
Persistence mechanism: Adds a Login Item in ~/Library/Preferences/com.apple.loginitems.plist
C&C server: liveapple[dot]eu (down)
AlienVault detections:
IDS rules: https://github.com/AlienVault-Labs/AlienVaultLabs/blob/master/malware_analysis/OSX_Malware/snort_kitm.rules
System Compromise, Trojan infection, KitM
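As an added example (not code from the AlienVault post), here is a defender-side check for the Flashback persistence pattern described above: a LaunchAgent in ~/Library/LaunchAgents whose program is a dotfile hidden under the user's home directory. The home path, job labels, file names and plist contents are constructed for the example.

```python
import plistlib
import posixpath

HOME = "/Users/victim"  # constructed home directory for the sample data

def agent_program(plist_bytes):
    """Executable a launchd job runs: `Program` wins over `ProgramArguments[0]`."""
    job = plistlib.loads(plist_bytes)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def is_hidden_home_launcher(plist_bytes, home=HOME):
    """True when the program lives under `home` and some path component below
    home starts with '.', i.e. is hidden from Finder and a plain `ls`."""
    prog = agent_program(plist_bytes)
    if not prog or not prog.startswith("/"):
        return False  # no program, or a relative path we cannot judge
    prog = posixpath.normpath(prog)  # collapses '..' and './' tricks
    root = home.rstrip("/") + "/"
    if not prog.startswith(root):
        return False
    return any(part.startswith(".") for part in prog[len(root):].split("/"))

def scan_launch_agents(agents, home=HOME):
    """agents: {plist filename: plist bytes}; returns the suspicious filenames."""
    return sorted(n for n, d in agents.items() if is_hidden_home_launcher(d, home))

# Constructed sample LaunchAgent plists (not real malware artifacts).
SAMPLE_AGENTS = {
    "com.example.hidden.plist": plistlib.dumps({
        "Label": "com.example.hidden",
        "ProgramArguments": [HOME + "/.rsrv", "-d"],
    }),
    "com.example.nested.plist": plistlib.dumps({
        "Label": "com.example.nested",
        "Program": HOME + "/Library/.cache/helper",
    }),
    "com.vendor.updater.plist": plistlib.dumps({
        "Label": "com.vendor.updater",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"],
    }),
}

if __name__ == "__main__":
    print(scan_launch_agents(SAMPLE_AGENTS))
    # ['com.example.hidden.plist', 'com.example.nested.plist']
```

On a live system the same functions can be fed the bytes of each file in ~/Library/LaunchAgents; a hit is only an indicator, since some legitimate tools also install hidden helpers.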
Stories: APT 32