One Article Review

Source: AlienVault Lab Blog
Identifier: 60
Publication date: 2016-02-17 14:00:00 (viewed: 2016-02-17 14:00:00)
Title: OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update
Text:

In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. That report also described a piece of malware targeting OS X systems. A sample of that malware was uploaded to VirusTotal a few months ago. Curiously, as of February 8th, 2016, none of the 55 anti-virus engines used by VirusTotal detect the sample as malicious. We therefore thought it would be interesting to take a closer look at the OS X version of OceanLotus.

Analysis

OceanLotus for OS X is packaged as an application bundle pretending to be an Adobe Flash update. Although there are other files in the bundle, the files of interest are:

FlashUpdate.app/Contents/MacOS/EmptyApplication
FlashUpdate.app/Contents/Resources/en.lproj/.en_icon
FlashUpdate.app/Contents/Resources/en.lproj/.DS_Stores

The Loader

EmptyApplication is a universal binary that runs on both i386 and x86_64. It is a fairly simple program that ROL3-decodes the "hidden" files .en_icon and .DS_Stores (the leading dot keeps them out of a default directory listing) and then executes them.

$ file EmptyApplication
EmptyApplication: Mach-O universal binary with 2 architectures
EmptyApplication (for architecture x86_64): Mach-O 64-bit executable x86_64
EmptyApplication (for architecture i386): Mach-O executable i386

For obfuscation, EmptyApplication XOR-encrypts the strings in the binary with the two-byte key "xc"; the decryption routine is a simple repeating-key XOR. In the 64-bit build, strings shorter than 8 bytes are stored as integer values. Encrypted strings longer than 8 bytes are stored in adjacent variables, and the decrypting function reads past the first variable's 8-byte boundary: &v34 is passed to the decrypting function, but the function actually decrypts the combination of v34 and v35.

After decoding .en_icon, EmptyApplication writes it to a temporary directory under the name "pboard" (presumably to mimic the OS X pasteboard daemon, pboard) and executes it. EmptyApplication then deletes itself, decodes .DS_Stores, and writes the decoded binary as "EmptyApplication", replacing the original executable. Finally, the new EmptyApplication is relaunched with a call to NSTask.launch(). The decrypted .DS_Stores binary does almost the same thing as the original EmptyApplication, except that it does not look for .DS_Stores.

The Trojan

The decoded .en_icon file is the main Trojan. It has anti-debugging capabilities and handles the connection to the command and control servers. As we'll discuss later, the Trojan takes advantage of several OS X specific commands and API calls, so it was clearly tailor-made for OS X rather than ported from another operating system.

Encrypted Strings

Again, most strings in the binary are XOR encrypted, but this binary uses multiple keys, and the keys themselves are XOR encrypted. In fact, the first thing the Trojan does is decrypt several XOR keys. Notably, the code that sets up the decryption keys runs before the "main" entry point, via C++ static constructors; such code is referenced from the __mod_init_func section of Mach-O binaries. The primary decryption key used throughout the executable is "Variable". However, there are several different instances of the "Variable" string, a
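The obfuscation layers described in the loader and Trojan sections above (ROL3 encoding of the dropped files, repeating-key XOR of strings with "xc" including the qword-stored short strings and the over-read from v34 into v35, and the Trojan's XOR-encrypted XOR keys) as a small decoder. This is an added example written for this page, not code from the AlienVault post or from the malware itself. The key "xc", the name "pboard" and the Trojan key "Variable" come from the text; the sample bytes are constructed here, and the bootstrap key "k" that unwraps the Trojan's keys, the path "/bin/launchctl" and the hostname "example.invalid" are assumptions for illustration only.

```python
"""Decoders modelled on the loader and Trojan behaviour described in the
post.  Added example, not the write-up's or the malware's own code; the
inputs in demo() are constructed and assumptions are marked as such."""

import struct
from typing import Optional


def rol3_byte(b: int) -> int:
    """Rotate one byte left by 3 bits (the loader's decode step)."""
    return ((b << 3) | (b >> 5)) & 0xFF


def ror3_byte(b: int) -> int:
    """Rotate right by 3: the inverse, i.e. how a ROL3-decodable payload must
    have been produced (assumption: the post only shows the decode side)."""
    return ((b >> 3) | (b << 5)) & 0xFF


def rol3_decode(data: bytes) -> bytes:
    """Decode a .en_icon / .DS_Stores style payload byte by byte."""
    return bytes(rol3_byte(b) for b in data)


def xor_decrypt(data: bytes, key: bytes, length: Optional[int] = None) -> bytes:
    """Repeating-key XOR over `length` bytes (whole buffer if None).
    Encryption and decryption are the same operation."""
    if length is None:
        length = len(data)
    return bytes(data[i] ^ key[i % len(key)] for i in range(length))


LOADER_KEY = b"xc"  # from the post


def decrypt_qword_string(value: int, length: int, key: bytes = LOADER_KEY) -> bytes:
    """Strings shorter than 8 bytes live in the 64-bit loader as a single
    little-endian integer: unpack it back to bytes, then XOR `length` of them."""
    return xor_decrypt(struct.pack("<Q", value), key, length)


def decrypt_across_locals(frame: bytes, offset: int, length: int,
                          key: bytes = LOADER_KEY) -> bytes:
    """Emulate passing &v34 to the decryptor for a string longer than 8 bytes:
    it reads `length` bytes from v34 onwards and so spills into v35."""
    return xor_decrypt(frame[offset:offset + length], key)


def unwrap_keys(wrapped: dict, bootstrap_key: bytes) -> dict:
    """The Trojan first XOR-decrypts its own XOR keys.  The key protecting them
    is not given in the post; `bootstrap_key` is a hypothetical stand-in."""
    return {name: xor_decrypt(blob, bootstrap_key) for name, blob in wrapped.items()}


def demo() -> dict:
    # --- constructed loader data ---
    # "pboard" XOR "xc" packed into one qword, as the 64-bit build stores short
    # strings; the result is 0x0000070A02170108.
    qword = struct.unpack("<Q", xor_decrypt(b"pboard", LOADER_KEY).ljust(8, b"\0"))[0]

    # A 14-byte path (assumed value) whose ciphertext spans v34 and v35.
    v34, v35 = struct.unpack("<QQ", xor_decrypt(b"/bin/launchctl", LOADER_KEY).ljust(16, b"\0"))
    frame = struct.pack("<QQ", v34, v35)  # v35 sits right after v34 in memory

    # A ROL3-encoded payload: the 64-bit Mach-O magic as it appears on disk.
    payload = bytes(ror3_byte(b) for b in b"\xcf\xfa\xed\xfe")

    # --- constructed Trojan key material ---
    bootstrap = b"k"  # hypothetical outer key, not from the post
    wrapped = {"primary": xor_decrypt(b"Variable", bootstrap)}
    keys = unwrap_keys(wrapped, bootstrap)
    c2_enc = xor_decrypt(b"example.invalid", keys["primary"])  # assumed host

    return {
        "pboard": decrypt_qword_string(qword, 6),
        "path": decrypt_across_locals(frame, 0, 14),
        "v34_alone": decrypt_qword_string(v34, 8),  # truncated without the spill
        "payload": rol3_decode(payload),
        "primary_key": keys["primary"],
        "c2": xor_decrypt(c2_enc, keys["primary"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value!r}")
```

Two checks worth running on a real sample: running `file` on the ROL3-decoded output of .en_icon should report a Mach-O executable if the decode direction is right, and `otool -s __DATA __mod_init_func <binary>` dumps the constructor pointers that run before main, which is where the key setup described above lives.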
Stories: APT 32