One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8368296
Publication date 2023-08-10 10:00:00 (viewed: 2023-08-10 10:07:00)
Title Mac systems turned into proxy exit nodes by AdLoad
Text This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.

Executive summary

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs' investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application, turning macOS AdLoad victims into a giant residential proxy botnet.

Key takeaways:
AdLoad malware is still present and infecting systems, with a previously unreported payload. At least 150 samples have been observed in the wild during the last year.
AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad-infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
The samples analyzed in this blog are unique to macOS, but Windows samples have also been observed in the wild.

Analysis

AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft's report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users' traffic through the adware operators' servers, injecting advertisements and promotions into webpages and search results with a Person-in-the-Middle (PiTM) attack. These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-install campaign on the infected systems. The main purpose of the malware has always been to act as a downloader for subsequent payloads.

It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne. In all observed samples, regardless of payload, the malware reports to an AdLoad server during execution on the victim's system. This beacon (analyzed later in Figures 3 and 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code. This activity probably represents AdLoad's method of keeping count of the number of infected systems, supporting the pay-per-install scheme. AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed on the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.

Figure 1. Histogram of AdLoad samples identified by Alien Labs.

The vast numb
Sent Yes
Tags Spam Malware Threat Cloud
Stories APT 32
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of a previous one.