2025-01-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this article, the editor presents an example analysis of an attack launched by the OceanLotus (Hailianhua) APT group using its latest macOS backdoor. The article is detailed and analyzes the case from a professional point of view; we hope you find it useful.
The OceanLotus (Hailianhua) APT group, also known as APT32 and Cobalt Kitty, is a highly organized and specialized overseas hacker group that mainly targets human rights organizations, media, research institutions and maritime construction companies with advanced persistent attacks. AsiaInfo Security has tracked OceanLotus for many years. Recently we found that the group used a new macOS backdoor to attack Mac systems that have Perl installed. AsiaInfo Security intercepted the backdoor and named it OSX_OCEANLOTUS.D.
Technical analysis of OSX_OCEANLOTUS.D
The macOS backdoor is delivered by email as a malicious Word document. The decoy document is titled "2018-PHI U GHI DANH THAM D Congress Registration form 2018" and refers to HMDC, an organization that promotes national independence and democracy in Vietnam.
Runtime screenshot of the malicious document
When the recipient opens the document, it prompts them to enable macros. The malicious macro is obfuscated character by character with decimal ASCII codes to evade detection by antivirus products.
Obfuscated code snippet from the document
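The macro obfuscation described above, decimal ASCII codes joined character by character, can be undone mechanically. The following Python script is an added example rather than code from the article: it finds VBA Chr()/ChrW() call chains on each line of a macro, decodes them and reports which lines are obfuscated. The macro fragment it runs on is constructed for the example and is not the document's actual macro.

```python
import re
from typing import List

# VBA builds strings from decimal character codes with Chr()/ChrW()/ChrB() and joins them with "&".
CHR_CALL = re.compile(r"Chr[WB]?\(\s*(\d{1,5})\s*\)", re.IGNORECASE)


def decode_chr_calls(line: str) -> str:
    """Join every Chr(N) call on the line into the string it builds, in source order."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(line))


def decode_decimal_run(text: str) -> str:
    """Decode a bare run of decimal codes such as '116 104 101' or '116,104,101'."""
    return "".join(chr(int(n)) for n in re.findall(r"\b\d{1,3}\b", text))


def deobfuscate_macro(source: str, min_calls: int = 4) -> List[dict]:
    """Report each line carrying at least min_calls Chr() calls together with its decoded string.
    A long chain of Chr() calls on one line is the pattern the article describes."""
    report = []
    for lineno, line in enumerate(source.splitlines(), 1):
        calls = len(CHR_CALL.findall(line))
        if calls >= min_calls:
            report.append({"line": lineno, "calls": calls, "decoded": decode_chr_calls(line)})
    return report


# Constructed macro fragment for the example (not the document's real macro).
SAMPLE_MACRO = """Sub AutoOpen()
    Dim p As String
    p = Chr(116) & Chr(104) & Chr(101) & Chr(109) & Chr(101) & Chr(48) & Chr(46) & Chr(120) & Chr(109) & Chr(108)
    Dim d As String
    d = Chr(47) & Chr(116) & Chr(109) & Chr(112) & Chr(47)
    MsgBox "done"
End Sub
"""

if __name__ == "__main__":
    for hit in deobfuscate_macro(SAMPLE_MACRO):
        print(f"line {hit['line']}: {hit['calls']} Chr() calls -> {hit['decoded']!r}")
```

Only lines with at least four Chr() calls are reported, so ordinary single-character uses such as Chr(13) for a line break do not produce noise; lower min_calls if a sample splits its strings across many short assignments.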
After deobfuscation, the payload turns out to be written in Perl. It extracts the file theme0.xml from the Word document. theme0.xml is a 32-bit Mach-O executable with the 0xFEEDFACE magic value, and it is the final payload of the backdoor program. theme0.xml is extracted to the /tmp/system/word/theme/syslogd directory before it is executed.
Perl payload after deobfuscation
Dropper analysis
The dropper installs the backdoor on the infected system and establishes its persistence mechanism.
Main functions of the dropper
All strings in the dropper and in the backdoor are encrypted with a hard-coded RSA256 key. Encrypted strings come in two forms: RSA256-encrypted strings, and strings that are custom base64-encoded and then RSA256-encrypted.
The hard-coded RSA256 key (first 20 characters shown)
The dropper uses the setStartup() method to determine whether it is running as root. Depending on the result, it uses the GET_PROCESSPATH and GET_PROCESSNAME methods to decrypt the installation path and file name of the backdoor:
Root user
Path: /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/
Process name: screenassistantd
Ordinary user
Path: ~/Library/Spelling/
Process name: spellagentd
It then uses the Loader::installLoader method to read the hard-coded 64-bit Mach-O executable (magic value 0xFEEDFACF) and write it to the path and file name determined above.
The dropper installs the backdoor, sets its hidden attribute and gives the file a random date and time
When the dropper installs the backdoor, it sets the file's hidden attribute and uses the touch command to set the file's date and time to a random value: touch -t YYMMDDMM "/path/filename" > /dev/null. It also changes the file mode to 0x1ed (octal 755), which is equivalent to u=rwx,go=rx.
Magic value 0xFEEDFACF of the 64-bit Mach-O executable
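The two magic values mentioned above (0xFEEDFACE for the 32-bit theme0.xml payload and 0xFEEDFACF for the 64-bit backdoor) are easy to check for. The following Python script is an added example, not code from the article or from AsiaInfo Security: it reads a Mach-O header, reports whether the image is 32- or 64-bit and whether it is a main executable, and scans every member of an OOXML (.docx) container so that a Mach-O image stored under an XML name such as theme0.xml stands out. The sample headers and the sample .docx it builds are constructed in the script; theme0.xml is the only name taken from the article.

```python
import io
import struct
import zipfile
from typing import Any, Dict, Optional

# Magic values from the public mach-o/loader.h and mach-o/fat.h definitions.
MH_MAGIC = 0xFEEDFACE     # 32-bit Mach-O (theme0.xml in the article)
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit Mach-O (the embedded backdoor)
FAT_MAGIC = 0xCAFEBABE    # universal binary, header stored big-endian
MH_EXECUTE = 0x2          # filetype of a main executable


def identify_macho(data: bytes) -> Optional[Dict[str, Any]]:
    """Return header facts if data starts with a Mach-O or fat header, else None."""
    if len(data) < 4:
        return None
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0] if len(data) >= 8 else 0
        return {"kind": "fat", "endian": "big", "arch_count": nfat}
    # On x86 the magic is stored little-endian: 0xFEEDFACE appears on disk as CE FA ED FE.
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        magic, endian, fmt = magic_le, "little", "<"
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        magic, endian, fmt = magic_be, "big", ">"
    else:
        return None
    bits = 64 if magic == MH_MAGIC_64 else 32
    info: Dict[str, Any] = {"kind": "macho", "bits": bits, "endian": endian}
    if len(data) < 28:  # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        info["truncated"] = True
        return info
    _, cputype, _, filetype, ncmds, _, _ = struct.unpack(fmt + "7I", data[:28])
    info.update(cputype=cputype, filetype=filetype, ncmds=ncmds,
                is_executable=(filetype == MH_EXECUTE))
    return info


def scan_ooxml(doc: bytes) -> list:
    """List members of an OOXML container (.docx/.xlsx) whose bytes begin with a Mach-O header.
    Any such member is suspicious: a document part such as a theme should be XML, never machine code."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for member in zf.namelist():
            with zf.open(member) as fh:
                head = fh.read(32)
            if identify_macho(head) is not None:
                hits.append(member)
    return hits


# Constructed sample inputs (not real samples): header-only images and a tiny .docx.
SAMPLE_MACHO32 = struct.pack("<7I", MH_MAGIC, 0x7, 0x3, MH_EXECUTE, 0, 0, 0)               # i386
SAMPLE_MACHO64 = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x3, MH_EXECUTE, 0, 0, 0, 0)  # x86_64
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2)
SAMPLE_XML = b'<?xml version="1.0" encoding="UTF-8"?><a:theme/>'


def build_sample_docx() -> bytes:
    """A minimal constructed .docx whose word/theme/theme0.xml part is actually a Mach-O header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", SAMPLE_XML)
        zf.writestr("word/document.xml", SAMPLE_XML)
        zf.writestr("word/theme/theme0.xml", SAMPLE_MACHO32)
    return buf.getvalue()


if __name__ == "__main__":
    print(identify_macho(SAMPLE_MACHO32))
    print(identify_macho(SAMPLE_MACHO64))
    print("suspicious members:", scan_ooxml(build_sample_docx()))
```

Reading only the first 32 bytes of each container member keeps the scan cheap enough to run over a mail gateway's attachment queue, and the same identify_macho check applied to files under /tmp or the two install directories listed above catches the dropped binaries regardless of their file names.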
The GET_LAUNCHNAME and GET_LABELNAME methods return the hard-coded names of the property list (.plist) files for the root user (com.apple.screen.assistantd.plist) and for a normal user (com.apple.spell.agent.plist). The dropper then creates the persistence file in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/. RunAtLoad starts the daemon when the operating system boots, and KeepAlive keeps the process running indefinitely. The persistence file is also given the hidden attribute and a randomly generated date and time.
Property list with the persistence settings
The command launchctl load /Library/LaunchDaemons/filename.plist > /dev/nul (or launchctl load ~/Library/LaunchAgents/filename.plist > /dev/nul) makes the operating system launch the generated backdoor at login; the dropper then deletes itself.
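The persistence traits described above (the two .plist names, the two install directories, the two process names, RunAtLoad plus KeepAlive, the hidden attribute and the randomized timestamps) can be triaged on a Mac with the following Python script. It is an added example, not code from the article or from AsiaInfo Security. It assumes that the Label inside each plist matches the file name without .plist (the article only gives the file names), and its timestamp check is a heuristic: touch -t rewrites mtime but cannot set ctime, so an mtime far older than ctime is worth a look. The two plists at the bottom are constructed for the example.

```python
import os
import plistlib
import stat
from typing import Dict, List

# Launch item names, install directories and process names reported for OSX_OCEANLOTUS.D.
# Assumption: the Label inside each plist equals its file name without ".plist".
SUSPECT_LABELS = {"com.apple.screen.assistantd", "com.apple.spell.agent"}
SUSPECT_DIRS = (
    "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/",
    "/Library/Spelling/",
)
SUSPECT_BINARIES = {"screenassistantd", "spellagentd"}


def triage_launch_plist(data: bytes) -> List[str]:
    """Return the reasons a launchd plist resembles this backdoor's persistence item (empty if none)."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a launchd plist that does not parse deserves a look too
        return [f"unparseable plist: {exc}"]
    findings: List[str] = []
    label = str(job.get("Label", ""))
    if label in SUSPECT_LABELS:
        findings.append(f"label matches known name: {label}")
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    if any(d in program for d in SUSPECT_DIRS):
        findings.append(f"program under known install directory: {program}")
    if os.path.basename(program) in SUSPECT_BINARIES:
        findings.append(f"program name matches known backdoor: {os.path.basename(program)}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: started at boot/login and restarted indefinitely")
    return findings


def is_hidden(st: os.stat_result) -> bool:
    """True if the macOS UF_HIDDEN flag (the dropper's 'hidden' attribute) is set; False on other OSes."""
    return bool(getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0))


def timestomp_suspect(mtime: float, ctime: float, slack: float = 24 * 3600) -> bool:
    """touch -t rewrites mtime but cannot set ctime, so an mtime much older than ctime is a
    heuristic (constructed one-day threshold) for the randomised timestamps described above."""
    return (ctime - mtime) > slack


def scan_launch_dir(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a LaunchDaemons or LaunchAgents directory."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            findings = triage_launch_plist(fh.read())
        if name[: -len(".plist")] in SUSPECT_LABELS:
            findings.append(f"file name matches known name: {name}")
        st = os.stat(path)
        if is_hidden(st):
            findings.append("file carries the hidden flag")
        if timestomp_suspect(st.st_mtime, st.st_ctime):
            findings.append("mtime far older than ctime (possible timestamp tampering)")
        if findings:
            results[path] = findings
    return results


# Constructed sample plists for the example (not files recovered from an infection).
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.spell.agent",
    "ProgramArguments": ["/Users/analyst/Library/Spelling/spellagentd"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("suspect:", triage_launch_plist(SUSPECT_PLIST))
    print("benign:", triage_launch_plist(BENIGN_PLIST))
    for d in ("/Library/LaunchDaemons", os.path.expanduser("~/Library/LaunchAgents")):
        for path, why in scan_launch_dir(d).items():
            print(path, why)
```

RunAtLoad together with KeepAlive is common in legitimate launch items, so that finding on its own is only context; the name, directory and process-name matches are the indicators specific to this campaign, and the hidden flag and ctime/mtime gap are what distinguish a dropper-installed item from an ordinary one with the same settings.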
Backdoor analysis
The backdoor has two main functions, infoClient and runHandle. infoClient sends the collected operating system information to the C&C server and receives the server's response, while runHandle implements the backdoor functionality.
Main functions of the backdoor
Variables that infoClient populates in the HandlePP class:
List of HandlePP class variables
clientID is an MD5 hash derived from environment variables, and strClientID is its hexadecimal representation. All of the following strings are AES256-encrypted and base64-encoded. The HandlePP::getClientID method uses the following environment variables:
Serial number
Hardware UUID
MAC address
Randomly generated UUID
For the initial packet, the backdoor also collects the following information:
Operating system version
Running getpwuid()->pw_name, scutil --get ComputerName and uname -m returns the following values, respectively:
Mac OSX 10.12.
System Administrator