On 16th of May, Sean Sullivan has published an article on F-Secure blog about a new Mac OSX malware discovered on the Mac of an African activist by Jacob Appelbaum during an Oslo Freedom Forum workshop.
File informationSHA1 hash : 4395a2da164e09721700815ea3f816cddb9d676e
According to file Unix command, this binary is a Mach-o executable containing x86 and x64 code. VirusTotal repport of this binary can be found here. With a really quick look at the sample, we can see that it is not packed, obfuscated or encrypted.
C&C informationThis sample contains two C&C url which in fact are at the moment pointing to the same server at IP 18.104.22.168 (This differs from F-Secure blog post, where IP addresses of both domains where different). This IP address points to Linode hosting company.
A whois on "securitytable.org" reveals these (fake) information :
Created On:04-Mar-2013 06:58:36 UTC
Last Updated On:16-May-2013 16:02:07 UTC
Expiration Date:04-Mar-2014 06:58:36 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant Postal Code:50563
Registrant Phone Ext.:
Registrant FAX Ext.:
Whois information of "docsforum.info" domain are similar.
IOCAll logged messages can be used to identify a compromised macintosh. For example, the following messages can be used as IOC :
- " before ==%@"
- "path == %@"
- "Copy successful"
- "Upload response %@"
- "the path =%@"
- "path1 =%@"
- " Error - Statistics file upload failed: "%@""
- " the array value =%@"
- path to $HOME/MacApp
- date in this format : "yy-MM-dd-HH:mm:ss"
- ComputerName_UserName : $hostname-$username"
- "Start file zip : %@"
- "Start file zip : %@"
- "Start file upload : %@"
- "finished zipping file"
- "finished uploading file"
- "file path==%@"
Network traffic can be useful too to identify a compromised Mac on your network. A compromised macintosh, will generate DNS requests to "securitytable.org" and "docsforum.info" domains which, at the time I'm writing these blog post resolves to 22.214.171.124. HTTP requests to "http://securitytable.org/lang.php" and "http://docsforum.info/lang.php" will also reveal the compromission.
sub_1E72Function "sub_1E72" is responsible of the persistence of this malware. In fact, this function add the malware to the list of items to start at session login.
- get malware bundle path thanks to NSBundle.bundlePath
- call LSSharedFileListCreate with kLSSharedFileListSessionLoginItems as ListType in order to access to the list of applications starting when user logged on
- call LSSharedFileListInsertItemURL to add the path to the malware bundle to the list
PS : The malware is added to startup items of the current user only, if the malware author would like to start is program for all users on the system, he must use kLSSharedFileListGlobalLoginItems list type as LSSharedFileListCreate argument.
More information about this technique can be found here : http://cocoatutorial.grapewave.com/2010/02/creating-andor-removing-a-login-item/
copThe first time the binary is executed, it copy itself to $HOME/<bundle_name>
The call to "coml" will result of the execution of the following command : "/bin/sh -c open -a $HOME/<bundle_name>.app" (see coml & runSystemCommand below)
comlPrepare "open -a $arg" NSString for "runSystemCommand" function.
runSystemCommandExecute "/bin/sh -c $arg".
- create a NSArray via arrayWithObjects method used as command line options for "sh" and containing : "-c" and runSystemCommand argument
- create NSTask and call launchedTaskWithLaunchPath:arguments: method with "/bin/sh" and previous NSArray as argument
uploadRequestFinishedThis function log some information like the response string received from the server or the path of the uploaded file. Then, the uploaded file is removed from the file system with a call to removeItemAtPath.
uploadRequestFailedLog " Error - Statistics file upload failed: "%@"" where %@ is replaced by localizedDescription returned string.
sendRequestToServerThis function is sending hostname of the compromised macintosh to C&C server thanks to an HTTP request to http://docsforum.info/lang.php URL.
- create "http://docsforum.info/lang.php" URL for ASIFormDataRequest
- get hostname via NSProcessInfo.processInfo.hostName
- call stringByReplacingOccurrencesOfString on hostname value to replace '.' by 'p'
- log that new "hostname" string
- add hostname value to the HTTP request as a POST data named "cname" (addPostValue function)
- do the request w/ startAsynchronous
NB : I don't know if this function is called somewhere as I haven't found any xref to this function
getscreenshotThis function is used to take screenshots w/ screencapture Mac OSX binary and save them in $HOME/MacApp directory. Name of the screenshot follow this format : "yy-MM-dd-HH:mm:ss.png". This function is first called inside applicationDidFinishLaunching function. Screenshots are saved every 20 seconds.
- create $HOME/MacApp path (with NSHomeDirectory, stringWithFormat functions)
- this path will be log in Apple System Log via NSLog
- use the shared file manager to play with FS (via NSFileManager.defautlManager)
- check if the path exists (via fileExistsAtPath)
- If it doesn't exist, create directory with createDirectoryAtPath
- get date string with this format "yy-MM-dd-HH:mm:ss" (via NSDate, NSDateFormatter, setDateFormat, stringFromDate) // the date format is different from F-secure screenshot. here, use of ':' instead of '/' on F-Secure screenshot
- date is logged (NSLog)
- create string $HOME/MacApp/yy-MM-dd-HH:mm:ss.png
- create a NSTask object to run a program as a subprocess
- defines the executable path to "/usr/sbin/screencapture" via setLaunchPath
- arguments are passed to screenshot via setArguments
/usr/sbin/screencapture -x -T 20 $HOME/MacApp/yy-MM-dd-HH:mm:ss.png : take a screenshot without any sound after a 20 seconds delay and save it to the aforementioned path
- task is launched via launch method
- to finish, uploadImage function is called
uploadImageThis function is used to upload screenshots to "http://securitytable.org/lang.php"
- create NSUrl object with string "http://securitytable.org/lang.php" and use it to create an ASIFormDataRequest
- create MacApp directory path string and log it (like in getscreenshot function)
- get the hostname of the computer, thanks to "hostname" method of NSProcessInfo object (process information agent of the process)
- check that the path to MacApp folder exists. Go to end of the function if not
- count the number of files/screenshots w/ contentsOfDirectoryAtPath and use count function on the returned string array
- log the number of files/screenshots
- get first file of the list
- log " the array value =%@" where %@ is replaced by the name of the first file
- If ".DS_Store" exists, remove it from the file array
- Loop to take and upload screenshot
- create NSData with content of each file/screenshot (via initWithContentsOfFile)
- call ASIFormDataRequest.addPostValue function and set $hostname data to key "cname"
- second call to addPostValue with key "name" and value : path to the screenshot
- then call to setData ("setData:withFileName:andContentType:forKey:")
key : userfile
content type : image/png
filename : path to the screenshot
data : file content (screenshot)
- upload the file/screenshot
- call getscreenshot function
SummaryThis Mac OSX malware is really simple. It has only few features :
- start at user login
- take screenshot
- upload screenshot
In addition, it is absolutely not stealth as screenshots are saved in $HOME/MacApp directory of the infected user. No advanced malware techniques/features (packing, encryption, obfuscation) have been seen in this sample.