Matt Benyo from Jamf Threat Labs started things off by introducing himself and his team within Jamf Threat Labs, which researches and protects against macOS malware. His aim is to provide a view into how malware operates.
“The way security products get marketed, it’s easy to think of threat research as this spy vs spy cloak and dagger superpower versus nation-state type of stuff, and there is definitely some of that... But this is different. It’s what I’d consider a dumpster dive: the other side it is this really greasy scammy scumbag type of stuff.”
Such as the cryptojacking botnet Jamf Threat Labs uncovered.
A few things you need to know first
How Jamf Protect Threat Protection works
To understand this story, you’ll need a basic understanding of how Jamf Protect’s Threat Protection works.
Jamf Protect operates as a system extension, which lets the software use Apple’s Endpoint Security API to get kernel-level visibility of activity on the system. “This API grants us some authority to intervene when a process wants to run,” explained Benyo.
For example, when software attempts to launch a process, the kernel will send a message to the subscribed security extension and let it decide if the application should be allowed to open.
This is how Jamf Protect prevents actions from even running. But “Jamf Protect,” says Benyo, “gets a very small window of time to decide if an application should be allowed to execute.”
Sources Jamf Protect uses
- File hashes: a hash is a digital fingerprint of a file; it gives Jamf Protect a way to block files identical to ones that have contained malicious code
- Team IDs: the developer IDs attached to signed code; Jamf Protect blocks those that have produced malicious code in the past
- YARA rules: rules for an open-source anti-virus rule engine that helps Jamf Protect search files for suspicious strings
How cryptocurrency mining works
To understand how the particular bot Jamf Threat Labs found worked, you will also need to understand the basics of how cryptocurrency mining works. “You basically volunteer your computing resources to solve a complex math problem,” explained Benyo. If a computer solves it before others do, a block is added to the blockchain. For each block your computer solves first, you get rewarded in the currency you were mining.
The overhead can be high, needing additional hardware and increased use of electricity. That’s why bad actors sometimes attempt to use other people’s computing resources without the victims knowing about it.
How this adventure started
“It all started,” said Benyo, “with an alert that we got based on Jamf Protect’s Threat Protection feature.”
Part of Jamf Threat Labs’ threat-hunting model involves monitoring how Jamf Protect threat detections are doing in the wild so that they can potentially identify malware that’s being reused or, in some cases, modified.
The fishing expedition lands a big one
“One day,” said Benyo, “while viewing these hits, we stumbled upon a threat prevention alert that captured our attention. This hit was based on a Yara rule which told us the strings inside the file matched a rule we had.”
It was an open-source, non-malicious mining program called XMRig. Nothing suspicious about that. What was suspicious? The path was a Final Cut Pro path. Why would Apple be using its software to sneak crypto mining onto a user’s Mac?
Well, it wouldn’t.
“We knew that this couldn’t be the real Final Cut Pro,” said Benyo. The team compared the Team ID to that of the actual Final Cut Pro. No surprise, this wasn’t a real copy.
No one else knew about this malware!
The team checked the hash at VirusTotal: a widely used service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content.
“However,” said Benyo, “what we discovered is that this particular sample didn’t seem to exist in VirusTotal. It was unknown.”
The game was afoot!
So the team decided to go out in search of it.
“If I was going to buy an illegal copy of software,” said Benyo, “I would go to the Pirate Bay.”
And that’s exactly where they found it, downloaded it and installed it.
To see what would happen.
Opening the software, it appeared to work exactly as a person would expect Final Cut Pro to work.
So the team looked further into it, digging into the application bundle. Everything except for the signature appeared normal; the structure looked right. Then, they noticed that the executable was 11.9 megabytes when the actual version of Final Cut Pro was 3.9. “So,” said Benyo, “we looked at the hash and compared it; it was the same one.”
Bingo.
The Telltale Chunk
Digging into the executable using the strings utility revealed a big wall of text.
First, they found a very complex bash script. Then, they found a chunk of Base64 code.
Attackers often use Base64 to embed content within other content. Base64 data is easy to encode and decode, which makes it a very easy way for an attacker to take the bytes of one executable and embed them, as text, inside a different executable.
“What a lot of junky malware will do to avoid its strings being read is use Base64. It’s somewhat similar to Pig Latin. It will confuse your children, but anyone else can run it back using a simple command.”
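The triage step described above, as an added example (not Jamf's tooling or code from the session): a Python scan of a binary for long Base64 runs that decodes only the start of each run to name the embedded file type. The magic-number table, the 256-character threshold and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# Well-known leading bytes of file types a dropper might carry (assumed set, extend as needed).
MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\x1f\x8b": "gzip stream",
    b"PK\x03\x04": "zip archive",
    b"#!": "script",
}

def classify(head: bytes) -> str:
    """Name the payload type from its first decoded bytes."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"

def find_base64_blobs(data: bytes, min_len: int = 256):
    """Return (offset, decoded_size, label) for every long Base64 run in data."""
    # Line breaks are allowed inside a run because encoders often wrap their output.
    pattern = re.compile(rb"[A-Za-z0-9+/\r\n]{%d,}" % min_len)
    findings = []
    for match in pattern.finditer(data):
        run = match.group().translate(None, b"\r\n")
        if len(run) < min_len:
            continue
        # Decoding at most 64 characters (48 bytes) is enough to read the magic;
        # the slice is cut to whole 4-character groups so decoding cannot fail.
        head = base64.b64decode(run[: min(64, len(run) // 4 * 4)])
        findings.append((match.start(), len(run) * 3 // 4, classify(head)))
    return findings

# Constructed sample, not the real malware: a stub followed by two encoded payloads.
payload_a = b"\xcf\xfa\xed\xfe" + bytes(596)   # placeholder bytes with a Mach-O magic
payload_b = b"\x1f\x8b\x08\x00" + bytes(296)   # placeholder bytes with a gzip magic
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + bytes(60) + b'#!/bin/bash\nA="'
    + base64.b64encode(payload_a) + b'"\nB="'
    + base64.b64encode(payload_b) + b'"\n'
)

if __name__ == "__main__":
    for offset, size, label in find_base64_blobs(SAMPLE):
        print(f"offset {offset:#x}: ~{size} decoded bytes, looks like {label}")
```

A run that starts mid-token (Base64 text glued to preceding alphanumerics) will decode out of alignment and report "unknown", so treat any very long run as worth a manual look regardless of the label.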
What the team found
The way the malware works is that when the user launches Final Cut Pro, “the script reaches into itself,” said Benyo, “and pulls out these two other blobs.”
- Blob number one: decodes into the actual Final Cut Pro. If you’re the user, everything looks good.
- Blob number two: delivers I2P, the Invisible Internet Protocol: a daemon that makes your computer a node of the dark web. It allows for the anonymization of traffic.
The computer then sends the embedded message to the attacker’s server, and the server begins to send block challenges to the computer. When the computer solves them and creates a block, the attacker takes that block and sends another challenge. Over and over and over.
So, these bad actors can use other computers to do their crypto mining for them. No more overhead. No more powerful devices or high electricity use. Infected computers do all the work; the attacker gets an anonymous payout.
The plot thickens
But soft. The team discovered that this malware had evaded detection for a long, long time.
The person who uploaded this malware went by the username “wtfisthat” followed by a large number. At Pirate Bay, anyone can select an uploader’s name to see what else they have uploaded. That created a history of this malware for Jamf Threat Labs to digest.
Having seen how this malware evolved over its history, the team understood how to search for it: look for computers with XMRig or I2P installed.
“To this day,” said Benyo, “if a Logic Pro or Final Cut update comes out, within a day or two this person has a new version of this running.”
The team brought it to Apple, which quickly issued an update to solve the problem.
Highlights from the Q&A session that followed:
Q: Kind of brilliant! Victims wanting Final Cut may have strong systems and not notice the resource drain.
A: Yes; I didn’t mention that all of the programs were CPU intensive: Photoshop, Final Cut Pro, Logic . . . if someone’s fan was running, they might not notice.
Q: Is there a DMCA exemption for security researchers downloading pirated software? Are the Internet Police going to show up?
A: I don’t know and I probably should know the specifics. I did think about it early on, but we have a close relationship with Apple, and I knew eventually we would be coming to them with it, and I felt like I had my bases covered.
Q: How did they bypass some of the default macOS security and signed apps? Did the app ask to right-click to open to bypass? Was it signed?
A: There was some of that. I will say this: it’s almost impossible to run this hijacked app on current macOS iterations. Even when Apple switched to Monterey, this malware was difficult to run. It had instructions like ‘right click to open’ or ‘disable that.’ A lot of these torrents will have a button that says: ‘open gatekeeper-friendly.’ It strips all of the quarantine aspects of the file. If you have Jamf Protect, you’d be amazed how much of this we stop. There are a lot of people torrenting on work computers.
Q: How does a design like this work in the context of malware delivered by MDM?
A: The thing that keeps us at Jamf up a lot is if you can compromise at the MDM level, the world is your playground at that point. It’s something we think about a lot. We have certain tamper-proofing detections that we’re looking for Jamf Protect itself.
Q: How do we protect against unknown malware?
A: One of the crown jewels of Jamf Protect when it first came out was this idea of behavioral detections. We can take things, like if something is opening activity monitors, that can be extracted away into behavioral detection. If something checks for activity monitoring and then kills something, we will find and block it. What are the tactics this malware is using? The tactics are old and used by a lot of viruses, even in more sophisticated malware.
Q: If we see something new and original and only one customer is experiencing it, how does that make its way into the product so that everyone is protected?
A: That’s Threat Lab’s job! It’s the nature of our work. Putting out tripwires to catch stuff and taking what comes back and putting them out into new detections, behavioral or otherwise.
Q: From the perspective of defense evasion, are there better ways they could have hidden themselves?
A: Oh, certainly. This wasn’t the most sophisticated attack. Obviously, they did a lot of things to obscure what they were doing to make it a headache to find it; there are ways to do things that would have been a little less obvious, but from their perspective, if it works, do it! The fact that they’re still doing this four years later even after various vendors find and block it tells me they have a lot of spread on this. We don’t have a way to quantify how many endpoints this is operating on or how much money that amounts to, but they must believe it’s worth the risk. It’s the MVP!
Watch this session video for far more fascinating details, especially about the evolution of this malware, than blog space allowed!