Friday, May 24, 2013

OSX Kitmos : other binary, other C&C


On May 20th, Norman published a report about an Indian cyberattack infrastructure that they call "Hangover", a name taken from the path to a PDB file found in the samples.
Their blog post also refers to the Oslo Freedom Forum attack that I wrote about in my previous article:
"Based on the sample and Command&Control domain mentioned in the F-Secure post, we can say quite conclusively that the Oslo Freedom Forum attack was performed through the same attack infrastructure. We also found another MachO executable apparently written by the same person (same Apple Developer ID), and using another domain in the Hangover infrastructure – torqspot.org."

As this domain was present in another Mach-O binary that I have, I chose to take a quick look at it.

File information

SHA1 hash : b6a47d52de64af50a5a1415213e60dc1b076b4e7
File type : Mach-O executable i386
VirusTotal report : https://www.virustotal.com/en/file/a74196018b2854765333a8f798b0ae3f3b71c89ec9632188f07c71d055125cb2/analysis/

C&C information

This sample uses "torqspot.org" as its C&C domain name. Whois once again reveals fake registrant information:

Domain ID:D168171472-LROR
Domain Name:TORQSPOT.ORG
Created On:16-Mar-2013 05:28:07 UTC
Last Updated On:16-May-2013 03:45:16 UTC
Expiration Date:16-Mar-2014 05:28:07 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_25590875
Registrant Name:Melissa Leo
Registrant Street1:E-5 cecill street
Registrant Street2:Manchester
Registrant City:Manchester
Registrant State/Province:Manchester(Cityof)
Registrant Postal Code:M14LF
Registrant Country:GB
Registrant Phone:+044.7251868
Registrant Email:leo.melissa@mail.ru

The C&C server is no longer responding.

IOC

All logged messages can be used to identify a compromised Macintosh. For example, the following strings can be used as IOCs:

- "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@"
- "CONTACTS mreslt %@"
- "CONTACTS urlResponse  %d"
- "responseData: %@"
- "http://torqspot.org/App/MacADV/$hostname/$serverResponse"
- "/Applications"
- "End"
- "app path =%@"
- " exec path =%@"
- "file: %@"
- "connected to upload server %@"
- "Fail connected to upload server %@, begin in %d sec"
- "Try zip and upload for failed file, before."
- "ComputerName_UserName : %@"
- "Failed retry %@"
- "Retry %@"
- "New seesion"
- "search path from state.dat"
- "search path from root"
- "available paths: %@"
- "No found folder"
- "No found file"
- "Start searching"
- "%ld files found"

DNS resolution of "torqspot.org" and any kind of HTTP request to this domain can also be used to identify a compromised computer on a network.

Features

Many features and functions (coml, cop, runSystemCommand, ...) are similar to those of the previously analyzed binary. Only the new and interesting ones are detailed below.

macurl

- send a synchronous HTTP request to "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@" w/ the hostname as 1st arg and "no" as 2nd arg
- get data at URL "http://torqspot.org/App/MacADV/$hostname/$serverResponse" w/ dataWithContentsOfURL function, where $serverResponse is the response sent by the server to the previous request
- write downloaded data to file "/Applications/$ServerResponse"
- execute the following command:
"/usr/bin/ditto -x -k /Applications/$ServerResponse /Applications/" to extract PKZip archive "/Applications/$ServerResponse" to "/Applications/"
- replace/add ".app" extension to "/Applications/$ServerResponse"
- if path exists, run the executable (NSTask, setLaunchPath, launch)
- create string "http://torqspot.org/App/MacDV/up.php?cname=%@&file=%@&res=%@" w/ arguments : $hostname, $serverResponse and "sucess" (w/ one 'c' :)
- send a request using that string (w/ sendSynchronousRequest:returningResponse:error: method)
- log "file: %@" w/ data answered by the server as argument

initFileBackup

- get bundlePath and add "FileBackup.ini" to it
- use "stringWithContentsOfFile:encoding:error:" function to get content data of config file ("<bundlePath>/FileBackup.ini")
- if the file content is less than 10 characters, go to the end of the function
- extract data between <URL> and </URL> to pass as parameter to setUrl function
- extract data between <EXTENSION> and <EXTENSION> and use it to create an array of strings based on ';' separator
- call setExtArray to initialize an array with extensions stored in "FileBackup.ini" file

before_start_

- get bundlePath and add "state.dat" to it
- if that file exists, read its content and create an array of strings by splitting on the "#####" separator. Then use the strings in that array as paths
- if the file doesn't exist, path will be set to "/"
- call connectServer/upload of ZipUpload class and run a command similar to this : "/usr/bin/curl -F upload=@ -F pc="

find_

Looking for files based on extension

batch_

Does some processing and then calls macurl

deleteState_

Delete file "<bundlePath>/state.dat" if it exists

saveState_

Save a string array to "<bundlePath>/state.dat", separating the strings by "#####". This function is called by the find function, after which the malware terminates.
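As an added example (not code from the sample or the original post), the following helpers parse the two on-disk artifacts described in the initFileBackup, before_start_ and saveState_ sections: the "FileBackup.ini" config with its <URL>/<EXTENSION> tags and ';'-separated extension list, and the "state.dat" path list split on "#####". The sample ini content below is constructed for the example; the URL in it is a placeholder, not a value from the post.

```python
import re

# Constructed FileBackup.ini in the layout described for the sample; the URL is
# a placeholder, not a value taken from the binary.
SAMPLE_INI = ("<URL>http://c2.example.invalid/up.php</URL>\n"
              "<EXTENSION>doc;docx;pdf;xls;</EXTENSION>\n")
STATE_SEP = "#####"   # separator written by saveState_ and read by before_start_


def parse_filebackup_ini(text):
    """Return (url, extensions) from FileBackup.ini text, as initFileBackup reads it.

    Content shorter than 10 characters is ignored, matching the check in the binary.
    """
    if text is None or len(text) < 10:
        return None, []
    url_m = re.search(r"<URL>(.*?)</URL>", text, re.S)
    ext_m = re.search(r"<EXTENSION>(.*?)</EXTENSION>", text, re.S)
    url = url_m.group(1).strip() if url_m else None
    raw = ext_m.group(1) if ext_m else ""
    # split on ';' and drop the empty element left by a trailing separator
    exts = [e.strip() for e in raw.split(";") if e.strip()]
    return url, exts


def parse_state(text):
    """Split state.dat into the search paths; a missing file means search from '/'."""
    if text is None:
        return ["/"]
    paths = [p for p in text.split(STATE_SEP) if p]
    return paths or ["/"]


def build_state(paths):
    """Serialize a path list in the state.dat layout (useful to rebuild a test fixture)."""
    return STATE_SEP.join(paths)


if __name__ == "__main__":
    print(parse_filebackup_ini(SAMPLE_INI))
    print(parse_state("/Users/alice/Documents#####/Volumes/usb"))
```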


Refs

https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc
http://www.f-secure.com/weblog/archives/00002554.html
http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/
http://blogs.norman.com/2013/security-research/the-hangover-report
https://www.botnets.fr/index.php/HangOver

Monday, May 20, 2013

OSX Kitmos analysis


On May 16th, Sean Sullivan published an article on the F-Secure blog about a new Mac OSX malware discovered by Jacob Appelbaum on the Mac of an African activist during an Oslo Freedom Forum workshop.

File information

SHA1 hash : 4395a2da164e09721700815ea3f816cddb9d676e

According to the Unix file command, this binary is a Mach-O executable containing both x86 and x64 code. The VirusTotal report of this binary can be found here. A really quick look at the sample shows that it is not packed, obfuscated or encrypted.

C&C information

This sample contains two C&C URLs which, at the moment, both point to the same server at IP 50.116.28.24 (this differs from the F-Secure blog post, where the two domains resolved to different IP addresses). This IP address belongs to the Linode hosting company.

A whois on "securitytable.org" reveals this (fake) information:

Domain ID:D168053198-LROR
Domain Name:SECURITYTABLE.ORG
Created On:04-Mar-2013 06:58:36 UTC
Last Updated On:16-May-2013 16:02:07 UTC
Expiration Date:04-Mar-2014 06:58:36 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru

The whois information for the "docsforum.info" domain is similar.

IOC

All logged messages can be used to identify a compromised Macintosh. For example, the following strings can be used as IOCs:
- " before ==%@"
- "path == %@"
- "path2===%@"
- "Hellooo"
- "Copy successful"
- "Upload response %@"
- "the path =%@"
- "path1 =%@"
- " Error - Statistics file upload failed: "%@""
- " the array value =%@"
- path to $HOME/MacApp
- date in this format : "yy-MM-dd-HH:mm:ss"
- ComputerName_UserName : $hostname-$username"
- "Start file zip : %@"
- "Start file upload : %@"
- "finished zipping file"
- "finished uploading file"
- "file path==%@"

Network traffic can also be useful to identify a compromised Mac on your network. A compromised Macintosh will generate DNS requests for the "securitytable.org" and "docsforum.info" domains, which, at the time I'm writing this blog post, resolve to 50.116.28.24. HTTP requests to "http://securitytable.org/lang.php" and "http://docsforum.info/lang.php" will also reveal the compromise.
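The IOC lists of this post and of the torqspot.org post above are format strings that sit unencrypted in the samples' string sections, so a byte search is enough to triage an unknown Mach-O. The scanner below is an added example (not from the original post) that looks for a subset of those strings plus the three C&C domains; a single hit on a generic string like "Hellooo" is not enough on its own, so the verdict requires either a domain or several strings. The blob at the end is constructed for the example, not real sample bytes.

```python
# Log/format strings taken from the IOC lists of the two Kitmos posts.
KITMOS_STRINGS = [
    b"http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@",
    b"CONTACTS urlResponse  %d",
    b"Fail connected to upload server %@, begin in %d sec",
    b"Try zip and upload for failed file, before.",
    b"ComputerName_UserName : %@",
    b"New seesion",
    b"search path from state.dat",
    b"No found folder",
    b"%ld files found",
    b"path2===%@",
    b"Hellooo",
    b"Upload response %@",
    b" Error - Statistics file upload failed: \"%@\"",
    b" the array value =%@",
    b"Start file zip : %@",
    b"finished zipping file",
    b"finished uploading file",
    b"file path==%@",
]
KITMOS_DOMAINS = [b"torqspot.org", b"securitytable.org", b"docsforum.info"]


def scan_bytes(data, min_hits=3):
    """Return (hits, flagged) for a blob of file content.

    Objective-C format strings such as "%@" live in the __cstring / CFString
    sections of an unpacked Mach-O, so a plain substring search finds them.
    A C&C domain is flagged on its own; plain strings need min_hits matches.
    """
    hits = [s.decode() for s in KITMOS_STRINGS + KITMOS_DOMAINS if s in data]
    domain_hit = any(d in data for d in KITMOS_DOMAINS)
    return hits, (domain_hit or len(hits) >= min_hits)


def scan_file(path, min_hits=3):
    """Read a file fully (samples are small) and scan it."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), min_hits)


# Constructed stand-in for a strings dump of a suspicious binary.
SAMPLE_BLOB = b"\x00Hellooo\x00path2===%@\x00finished zipping file\x00"

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_BLOB))
```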

Features

sub_1E72

Function "sub_1E72" is responsible for the persistence of this malware: it adds the malware to the list of items started at session login.

- get malware bundle path thanks to NSBundle.bundlePath
- call LSSharedFileListCreate with kLSSharedFileListSessionLoginItems as ListType in order to access the list of applications started when the user logs on
- call LSSharedFileListInsertItemURL to add the path to the malware bundle to the list

PS: The malware is added to the startup items of the current user only. If the malware author wanted to start his program for all users on the system, he would have to use the kLSSharedFileListGlobalLoginItems list type as the LSSharedFileListCreate argument.

More information about this technique can be found here : http://cocoatutorial.grapewave.com/2010/02/creating-andor-removing-a-login-item/
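Since the sample registers itself as a session login item pointing at $HOME/<bundle_name>.app, one cheap check is to list the current user's login items and flag any .app bundle that lives under the home directory instead of /Applications. This is an added example, not code from the post; it assumes macOS with the System Events AppleScript dictionary available (the osascript query is a standard one, but treat its output format as an assumption), and the path list in the test is constructed.

```python
import os
import subprocess


def suspicious_login_items(paths, home=None):
    """Return the login item paths that are .app bundles under the user's home.

    Kitmos uses LSSharedFileListInsertItemURL on $HOME/<bundle_name>.app;
    legitimate login items almost always live under /Applications or /System,
    so a bundle launched straight out of $HOME deserves a second look.
    This flags any depth under $HOME, which is broader than the sample's
    exact $HOME/<name>.app layout.
    """
    home = os.path.realpath(home or os.path.expanduser("~"))
    flagged = []
    for p in paths:
        p = p.strip()
        if not p:
            continue
        real = os.path.realpath(p)
        if real.startswith(home + os.sep) and real.endswith(".app"):
            flagged.append(p)
    return flagged


def current_login_items():
    """Query System Events for the session login items (macOS only).

    Assumed output format: a single line of comma-separated POSIX paths.
    """
    script = 'tell application "System Events" to get the path of every login item'
    out = subprocess.run(["osascript", "-e", script],
                         capture_output=True, text=True, check=True).stdout
    return [s.strip() for s in out.split(",") if s.strip()]


if __name__ == "__main__":
    for item in suspicious_login_items(current_login_items()):
        print("suspicious login item:", item)
```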

cop

The first time the binary is executed, it copies itself to $HOME/<bundle_name>.app. Then, the sample calls the "coml" function with the path to the new location (or its current location, if it's not the first execution) as parameter.

The call to "coml" results in the execution of the following command: "/bin/sh -c open -a $HOME/<bundle_name>.app" (see coml & runSystemCommand below)

coml

Prepare "open -a $arg" NSString for "runSystemCommand" function.

runSystemCommand

Execute "/bin/sh -c $arg".

- create an NSArray via the arrayWithObjects method, used as command line options for "sh" and containing "-c" and the runSystemCommand argument
- create NSTask and call launchedTaskWithLaunchPath:arguments: method with "/bin/sh" and previous NSArray as argument

uploadRequestFinished

This function logs some information, like the response string received from the server or the path of the uploaded file. Then, the uploaded file is removed from the file system with a call to removeItemAtPath.

uploadRequestFailed

Log " Error - Statistics file upload failed: "%@"" where %@ is replaced by localizedDescription returned string.

sendRequestToServer

This function sends the hostname of the compromised Macintosh to the C&C server through an HTTP request to the http://docsforum.info/lang.php URL.

- create "http://docsforum.info/lang.php" URL for ASIFormDataRequest
- get hostname via NSProcessInfo.processInfo.hostName
- call stringByReplacingOccurrencesOfString on hostname value to replace '.' by 'p'
- log that new "hostname" string
- add hostname value to the HTTP request as a POST data named "cname" (addPostValue function)
- do the request w/ startAsynchronous

NB: I don't know if this function is called anywhere, as I haven't found any xref to it.

getscreenshot

This function is used to take screenshots w/ the screencapture Mac OSX binary and save them in the $HOME/MacApp directory. The name of each screenshot follows this format: "yy-MM-dd-HH:mm:ss.png". This function is first called inside the applicationDidFinishLaunching function. Screenshots are saved every 20 seconds.

- create $HOME/MacApp path (with NSHomeDirectory, stringWithFormat functions)
- this path is logged to the Apple System Log via NSLog
- use the shared file manager to interact with the file system (via NSFileManager.defaultManager)
- check if the path exists (via fileExistsAtPath)
  - If it doesn't exist, create directory with createDirectoryAtPath
- get a date string with this format "yy-MM-dd-HH:mm:ss" (via NSDate, NSDateFormatter, setDateFormat, stringFromDate). Note that this date format differs from the F-Secure screenshot, which shows '/' where this sample uses ':'
- date is logged (NSLog)
- create string $HOME/MacApp/yy-MM-dd-HH:mm:ss.png
- create a NSTask object to run a program as a subprocess
  - defines the executable path to "/usr/sbin/screencapture" via setLaunchPath
  - arguments are passed to screencapture via setArguments
    /usr/sbin/screencapture -x -T 20 $HOME/MacApp/yy-MM-dd-HH:mm:ss.png : take a screenshot without any sound after a 20 seconds delay and save it to the aforementioned path
  - task is launched via launch method
- to finish, uploadImage function is called

uploadImage

This function is used to upload screenshots to "http://securitytable.org/lang.php".

- create NSUrl object with string "http://securitytable.org/lang.php" and use it to create an ASIFormDataRequest
- create MacApp directory path string and log it (like in getscreenshot function)
- get the hostname of the computer, thanks to "hostname" method of NSProcessInfo object (process information agent of the process)
- check that the path to MacApp folder exists. Go to end of the function if not
- count the number of files/screenshots w/ contentsOfDirectoryAtPath and use count function on the returned string array
- log the number of files/screenshots
- get first file of the list
- log " the array value =%@" where %@ is replaced by the name of the first file
- If ".DS_Store" exists, remove it from the file array
- Loop over the files to upload each screenshot
  - create NSData with content of each file/screenshot (via initWithContentsOfFile)
  - call ASIFormDataRequest.addPostValue function and set $hostname data to key "cname"
  - second call to addPostValue with key "name" and value : path to the screenshot
  - then call to setData ("setData:withFileName:andContentType:forKey:")
    key : userfile
    content type : image/png
    filename : path to the screenshot
    data : file content (screenshot)
  - upload the file/screenshot
  - call getscreenshot function
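The URL patterns described above (lang.php POSTs with the cname/name/userfile fields in this post, and the up.php?cname=&file= poll, /App/MacADV/<host>/<file> download and res= result report from the torqspot.org post) are distinctive enough to classify proxy log entries. The classifier below is an added example, not from the post; the log records are constructed tuples of (method, URL, form field names) standing in for whatever a real proxy or IDS exports.

```python
from urllib.parse import urlsplit, parse_qs

KITMOS_C2 = {"torqspot.org", "securitytable.org", "docsforum.info"}


def classify_request(method, url, post_fields=()):
    """Label one HTTP request against the documented Kitmos C&C patterns, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    query = parse_qs(parts.query)
    if host not in KITMOS_C2:
        return None
    # second sample: hostname POSTed as "cname"; screenshots add "name" + "userfile"
    if path.endswith("/lang.php") and method == "POST" and "cname" in post_fields:
        return "kitmos screenshot upload" if "userfile" in post_fields else "kitmos beacon"
    # first sample: poll with cname/file, then report back with res=
    if path.endswith("/up.php") and "cname" in query and "file" in query:
        return "kitmos task result" if "res" in query else "kitmos task poll"
    if path.startswith("/App/MacADV/"):
        return "kitmos payload download"
    return "traffic to kitmos C&C"


# Constructed proxy log records: (method, url, POST field names); not real captures.
SAMPLE_LOG = [
    ("GET", "http://torqspot.org/App/MacADV/up.php?cname=mymac&file=no", ()),
    ("GET", "http://torqspot.org/App/MacADV/mymac/tool.zip", ()),
    ("POST", "http://securitytable.org/lang.php", ("cname", "name", "userfile")),
    ("POST", "http://docsforum.info/lang.php", ("cname",)),
    ("GET", "http://www.apple.com/", ()),
]


def detect(log):
    """Return (url, label) for every record that matches a Kitmos pattern."""
    results = []
    for method, url, fields in log:
        label = classify_request(method, url, fields)
        if label:
            results.append((url, label))
    return results


if __name__ == "__main__":
    for url, label in detect(SAMPLE_LOG):
        print(label, "<-", url)
```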

Summary

This Mac OSX malware is really simple. It has only a few features:
- start at user login
- take screenshot
- upload screenshot

In addition, it is not stealthy at all, as screenshots are saved in the $HOME/MacApp directory of the infected user. No advanced malware techniques/features (packing, encryption, obfuscation) have been seen in this sample.

Refs

https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc
http://www.f-secure.com/weblog/archives/00002554.html
http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/