One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier 8425581
Publication date 2023-12-18 22:51:00 (viewed: 2023-12-19 18:07:33)
Title: Behind the Scenes: JaskaGO's Coordinated Strike on macOS and Windows
Text: Executive summary

In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.

Key takeaways:
The malware is equipped with an extensive array of commands from its Command and Control (C&C) server.
JaskaGO can persist on an infected system using several different methods.
Users face a heightened risk of data compromise, as the malware excels at exfiltrating valuable information, ranging from browser credentials to cryptocurrency wallet details and other sensitive user files.

Background

JaskaGO contributes to a growing trend in malware development leveraging the Go programming language. Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats. While macOS is often perceived as a secure operating system, there exists a prevalent misconception among users that it is impervious to malware. Historically, this misbelief has stemmed from the relative scarcity of macOS-targeted threats compared to other platforms. However, JaskaGO serves as a stark reminder that both Windows and macOS users are constantly at risk of malware attacks. The malware's use of file names resembling well-known applications (such as “Capcut_Installer_Intel_M1.dmg” and “Anyconnect.exe”) suggests a common deployment strategy: distributing the malware under the guise of legitimate software on pirated-application web pages. The first JaskaGO sample was observed in July 2023, initially targeting Mac users.

Following this opening assault, dozens of new samples have been identified as the threat evolved its capabilities and developed into both macOS and Windows versions; its low detection rate is evident from the anti-virus engine results for a recent sample (Figure 1).

Figure 1. As captured by Alien Labs: Anti-virus detection for recent JaskaGO samples within VirusTotal.

Analysis

Upon initial execution, the malware cunningly presents a deceptive message box displaying a fake error message that claims a file is missing. This is strategically designed to mislead the user into believing that the malicious code failed to run (Figure 2).

Figure 2. As captured by Alien Labs: Fake error message.

Anti-VM

The malware conducts thorough checks to determine whether it is operating within a virtual machine (VM). This process begins with an examination of general machine information, where specific criteria such as the number of processors, system up-time, available system memory, and MAC addresses are checked. The presence of MAC addresses associated with well-known VM software, such as VMware or VirtualBox, is a key indicator (Figure 3).

Figure 3. As captured by Alien Labs: Looking for VM-related MAC addresses.

Additionally, the malware's Windows version searches for VM-related traces in both the registry and the file system (Figure 4).

Figure 4. JaskaGO traces
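The excerpt stresses that anti-virus detection for these samples is low, so a practical fallback for a defender is to match file hashes directly against the published indicators. The Python script below is an added example, not code from the article or from AT&T Alien Labs. It takes the SHA-256 values listed in this page's condensed word list (assumed here to be the article's file-hash indicators for JaskaGO samples), normalises them, and streams every regular file under a directory through SHA-256, reporting matches. The demo directory, its file contents and the extra hash it plants are constructed for the example; the `.dmg` file name comes from the article, its content does not.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# SHA-256 values copied from this page's condensed word list; they are assumed
# here to be the article's file-hash indicators for JaskaGO samples.
JASKAGO_SHA256: Set[str] = {
    "1c0e66e2ea354c745aebda07c116f869c6f17d205940bf4f19e0fdf78d5dec26",
    "207b5ee9d8cbff6db8282bc89c63f85e0ccc164a6229c882ccdf6143ccefdcbc",
    "37f07cc207160109b94693f6e095780bea23e163f788882cc0263cbddac37320",
    "3f139c3fcad8bd15a714a17d22895389b92852118687f62d7b4c9e57763a8867",
    "44d2d0e47071b96a2bd160aeed12239d4114b7ec6c15fd451501c008d53783cf",
    "6cdda60ffbc0e767596eb27dc4597ad31b5f5b4ade066f727012de9e510fc186",
    "6efa29a0f9d112cfbb982f7d9c0ddfe395b0b0edb885c2d5409b33ad60ce1435",
    "7bc872896748f346fdb2426c774477c4f6dcedc9789a44bd9d3c889f778d5c4b",
    "85bffa4587801b863de62b8ab4b048714c5303a1129d621ce97750d2a9a989f9",
    "888623644d722f35e4dcc6df83693eab38c1af88ae03e68fd30a96d4f8cbcc01",
    "8ad4f7e14b36ffa6eb7ab4834268a7c4651b1b44c2fc5b940246a7382897c98e",
    "9b23091e5e0bd973822da1ce9bf1f081987daa3ad8d2924ddc87eee6d1b4570d",
    "c714f3985668865594784dba3aeda1d961acc4ea7f59a178851e609966ca5fa6",
    "e347d1833f82dc88e28b1baaa2657fe7ecbfe41b265c769cce25f1c0e181d7e0",
    "e69017e410aa185b34e713b658a5aa64bff9992ec1dbd274327a5d4173f6e559",
    "f2809656e675e9025f4845016f539b88c6887fa247113ff60642bd802e8a15d2",
    "f38a29d96eee9655b537fee8663d78b0c410521e1b88885650a695aad89dbe3f",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_iocs(hashes: Iterable[str]) -> Set[str]:
    """Lower-case each hash and drop anything that is not a 64-char hex string,
    so a stray token or a truncated copy-paste cannot silently match nothing."""
    clean: Set[str] = set()
    for value in hashes:
        candidate = value.strip().lower()
        if len(candidate) == 64 and set(candidate) <= HEX_DIGITS:
            clean.add(candidate)
    return clean


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, ioc_hashes: Iterable[str]) -> Dict[str, str]:
    """Walk `root` and return {path: sha256} for every regular file whose hash is in the IoC set.
    Symlinks are skipped so a link cannot pull the scan outside the tree, and unreadable
    files are skipped rather than aborting the whole scan."""
    wanted = normalize_iocs(ioc_hashes)
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.is_symlink() or not candidate.is_file():
                continue
            try:
                digest = sha256_of_file(candidate)
            except OSError:
                continue
            if digest in wanted:
                hits[str(candidate)] = digest
    return hits


def demo() -> Dict[str, str]:
    """Constructed demonstration: a scratch directory with one benign file and one
    placeholder whose hash is added to the IoC set so the scan has something to find.
    The .dmg name comes from the article; its content is constructed, not a real sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"benign content, constructed for the demo")
        planted = root / "Capcut_Installer_Intel_M1.dmg"
        planted.write_bytes(b"constructed placeholder bytes, not malware")
        iocs = JASKAGO_SHA256 | {sha256_of_file(planted)}
        found = scan_directory(root, iocs)
        # Report by file name only, since the temporary path changes on every run
        return {Path(path).name: digest for path, digest in found.items()}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"IoC match: {name} sha256={digest}")
```

To use it against a real host, call `scan_directory(Path("/Users/someone/Downloads"), JASKAGO_SHA256)` or the equivalent Windows path; hash matching only catches byte-identical samples, so treat it as a quick triage pass that complements, rather than replaces, behavioural detection of the persistence and exfiltration described in the article.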
Sent: Yes
Condensate local “/library/launchagents/service “anyconnect “capcut “cookies “login “spctl  mapped  t1543 /library/launchdaemons/init 001: 003: 004: 1c0e66e2ea354c745aebda07c116f869c6f17d205940bf4f19e0fdf78d5dec26 2023 207b5ee9d8cbff6db8282bc89c63f85e0ccc164a6229c882ccdf6143ccefdcbc 37f07cc207160109b94693f6e095780bea23e163f788882cc0263cbddac37320 3f139c3fcad8bd15a714a17d22895389b92852118687f62d7b4c9e57763a8867 44d2d0e47071b96a2bd160aeed12239d4114b7ec6c15fd451501c008d53783cf 6cdda60ffbc0e767596eb27dc4597ad31b5f5b4ade066f727012de9e510fc186 6efa29a0f9d112cfbb982f7d9c0ddfe395b0b0edb885c2d5409b33ad60ce1435 7bc872896748f346fdb2426c774477c4f6dcedc9789a44bd9d3c889f778d5c4b 85bffa4587801b863de62b8ab4b048714c5303a1129d621ce97750d2a9a989f9 888623644d722f35e4dcc6df83693eab38c1af88ae03e68fd30a96d4f8cbcc01 8ad4f7e14b36ffa6eb7ab4834268a7c4651b1b44c2fc5b940246a7382897c98e 9b23091e5e0bd973822da1ce9bf1f081987daa3ad8d2924ddc87eee6d1b4570d ^profile access acquired action actions activities actor addition additional additionally addresses adopting adversary agent aims alert alien all also among analysis anti antivirus appbackgroundservice appdata application applications are array article assault associated at&t att&ck attacks attempt attractive authors automated automatic automatically available awaiting background based been begins behind being believing both box browser browser’s browsers but bypass bypassed c&c c714f3985668865594784dba3aeda1d961acc4ea7f59a178851e609966ca5fa6 can capabilities captured challenge challenges channel checked checks choice chrome claiming clipboard:a code collect collected collecting com command commands commands: common communication compared compelling compromise conclusion conducts config configured connection constantly continuously contributes control cookies: coordinated crafted create created creates creating creation: credentials criteria cross crypto cryptocurrency cunningly currency d+$ daemon dangerous data data” deceptive decrypt default 
delete deployment description designed desktop details detect detection determine determined developed development developments device different directory disable disabled disabling discovered discovery disk displaying dmg” downloading dozens duplicates during e347d1833f82dc88e28b1baaa2657fe7ecbfe41b265c769cce25f1c0e181d7e0 e69017e410aa185b34e713b658a5aa64bff9992ec1dbd274327a5d4173f6e559 ease effective efficiency effort either embed embedding employing employs encryption engines ensure ensures environment equipped error establish establishes even evident evolved evolving examination example excels exe” execute executes executing execution executive exfiltrate exfiltrating exfiltration existent exists exit extension extensive extracting f2809656e675e9025f4845016f539b88c6887fa247113ff60642bd802e8a15d2 f38a29d96eee9655b537fee8663d78b0c410521e1b88885650a695aad89dbe3f face facilitate failed fake feature figure file files findings firefox first folder folders following format formidable found from functionalities: funds further gatekeeper gatekeeper: general generated generating get golang google growing guise handle has hash have heightened held helps here highlighting historically history home however http https://www identified impervious include include: includes includes: indicator indicators infected information ini initial initially initiates initiating installer instructions intel intelligence invulnerability iocs its itself jaskago json july key key4 keys known labs labs: landscape language launch launchagent launchdaemon launched launching legitimate leveraging like list local localstate login logins looking low mac machine macos made make making malicious malware mapped master matrix may mechanisms memory message messages methods methods: microsoft misbelief misconception mislead missing mitre modify multi name names network” new non not note notion number obfuscate observed often one opening operating operation other otx out over packages pages password 
passwords payloads perc
Tags: Malware, Vulnerability, Threat, Prediction, Technical
Rating: ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.