SAN FRANCISCO—Malware developers are constantly trying to outdo one another with creations that are stealthier and more advanced than their competitors'. At the RSA Security conference this week, a former National Security Agency hacker demonstrated an often more effective approach: hijacking and then repurposing an adversary's code.
Patrick Wardle, a security researcher at macOS and iOS enterprise management company Jamf, showed how recycling Mac malware can be a smart and resource-efficient way to deploy ransomware, remote-access spy tools, and other kinds of malicious code. Where the method really pays off, he said, is with advanced code written by government-sponsored hackers.
“There are incredibly well-funded, well-resourced, highly motivated hacker teams at three-letter agencies that create incredible malware that is fully featured and also fully tested,” Wardle said during a talk titled “New Malware: The Dark Side of Recycling.”
“The idea is: why not let these groups in these agencies create the malware and, if you are a hacker, repurpose it for your own work?”
Hijacking the hijackers
To prove the point, Wardle described how he repurposed four pieces of Mac malware that have been used in in-the-wild attacks over the past several years.
The modifications make the malware report to servers Wardle controls rather than to the servers its original developers designated. From there, Wardle has full control over the recycled malware. The hijacking lets him use well-developed, fully featured tools to install his own malicious payloads, collect screenshots and other sensitive data from compromised Macs, and perform any other malicious action the malware was written to carry out.
Besides saving time and resources, malware repurposing provides two key benefits:
- It can allow attackers, particularly those from government-sponsored groups, to infect sensitive targets, such as machines that are already infected and under the watchful eye of other malware operators. In that situation, many nation-state hacking groups will forgo using their crown-jewel malware in order to keep their tools, techniques and procedures private. Repurposing third-party malware can be a good option in these scenarios.
- In the event that a malware infection is detected and forensically analyzed, there is a good chance that investigators will attribute the attack to the original hackers and not to the party that repurposed the malware.
There is no shortage of evidence that repurposing competitors' malware is already a common practice among nation-state hackers. WannaCry and NotPetya—the worms that shut down computers around the world in 2017 and were attributed to North Korea and the Russian Federation, respectively—spread from computer to computer with help from EternalBlue, a Windows exploit developed by, and later stolen from, the National Security Agency. Researchers at security firm Symantec found that a hacking group linked to the Chinese government also used NSA malware installed by EternalBlue in March 2016, 14 months before the powerful NSA hacking tools were published.
This 2017 article by independent reporter Kim Zetter reports that files published by WikiLeaks show CIA hackers recycling techniques and snippets of code used in previous attacks for use in new projects. A few years ago, according to evidence released by Symantec, a Russian-speaking hacking group known as Turla hijacked the servers of OilRig, a rival outfit linked to the Iranian government. Turla then used the infrastructure to attack a Middle Eastern government.
Repurposing AppleJeus
One of Wardle's repurposings involved AppleJeus.c, a piece of malicious code that was recently discovered embedded in a fake cryptocurrency-trading application for macOS. The sample is notable for being the first, or at least among the first, known macOS malware to use an in-memory, or fileless, method to execute second-stage malicious payloads on Macs.
By executing the malicious code only in memory — instead of using the more common method of saving the code to disk and then executing it — AppleJeus.c significantly reduces the chances that antivirus programs and endpoint protection systems will detect the infection or be able to capture its second-stage payloads. Researchers have linked the malware to Lazarus, a hacking group working for the North Korean government.
Instead of developing his own fileless payload loader for macOS, Wardle made a small change to AppleJeus.c: rather than fetching the fileless payload from the server originally hardcoded into AppleJeus.c, the repurposed malware now fetches the payload from a server he controls.
“This means that when the (first stage of) malware is executed, it will now talk to our server instead of the hacker’s original infrastructure,” and so it will download and execute new second-stage payloads, Wardle said.
The first step was to thoroughly analyze the inner workings of AppleJeus.c, among them the malware's capabilities and the protocol it uses to communicate with the original developers' command-and-control server. Using a debugger, for example, Wardle observed the malware calling a cryptographic hashing function and a decryption function to decrypt and then execute a second-stage payload.
By using the debugger to halt the malware just before it performs the hashing operation, he found the string VMI5EOhq8gDz, which, when passed to the hash function, turns out to be the decryption key. Using a disassembler and the debugger in the same way, he then determined the decryption cipher and its parameters.

Next, Wardle used a hex editor to change the hardcoded address of the original control server to the address of a server under his control. He designed this new control server to speak the same communication protocol and to respond step by step to each of the malware's requests.
For the modified AppleJeus.c to accept a second-stage payload, Wardle's control server has to, among other things, encrypt the payload with the same key and cipher he observed during his analysis. With that in place, Wardle can use the repurposed AppleJeus.c to load and run any executable Mach-O file he wants.

“With a single change to the binary (and building a lightweight C&C server), we now have access to an advanced nation-state loader that will do our bidding… without having to write any (client-side) code!” Wardle wrote in a follow-up post. “This is way easier than writing from scratch 🙂 Also, if it is detected, it will likely be attributed back to the North Koreans.”
Interestingly, much of the in-memory loading code used by AppleJeus.c is itself lifted from a deep-dive technical analysis published by Cylance researcher Stephanie Archibald.
Three more times, with feeling
Wardle used similar techniques to repurpose three other pieces of Mac malware that have been distributed in the wild: Fruitfly, a remote-access tool that stole millions of user images, many of them nude, over 13 years before it was finally shut down; a piece of ransomware that was discovered in 2016; and Windtail, which mostly targets government agencies and companies in the Middle East.
Wardle was also able to make other tweaks to the repurposed code so it could bypass the malware defenses built into macOS. For example, because the XProtect malware scanner relies on file signatures, changing a single byte of the recycled code is enough to escape detection completely. When the code-signing certificate Apple issued for the original sample has been revoked, it is trivial to strip the signature and re-sign the binary with a new certificate. And to suppress the warnings that appear when users try to run code or install applications downloaded from the Internet, it is easy to remove the flag that causes those warnings to appear.
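The XProtect point above is really about signature brittleness. As an added example (not from the article and not Wardle's tooling), this Python compares a hash-based signature with a multi-pattern family rule over a constructed stand-in for a sample; the byte sequences, the placeholder C2 URL and the one-byte edit are all invented for the demonstration, and only the key-seed string comes from the article.

```python
import hashlib

# Constructed stand-in for a malware sample: a few "code" byte sequences
# padded with filler. Not a real binary, not real shellcode.
SAMPLE = (
    b"\x55\x48\x89\xe5" + b"\x90" * 16           # fake function prologue + padding
    + b"VMI5EOhq8gDz"                             # key seed string quoted in the article
    + b"\x00" * 8
    + b"https://c2.example.invalid/gate"           # placeholder C2 URL (constructed)
    + b"\x00" * 8
    + b"\x48\x83\xec\x20\xe8"                      # more fake code
)

# Exact-match signature, the way a hash-based scanner stores it.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}

# Family rule: several byte strings that characterise the sample. Only
# MIN_HITS of them need to be present, so editing one region (the seed,
# the C2 URL) does not defeat the rule the way it defeats the hash.
FAMILY_PATTERNS = [
    b"\x55\x48\x89\xe5",                 # code fragment
    b"\x48\x83\xec\x20\xe8",             # code fragment
    b"VMI5EOhq8gDz",                     # key seed: easy for a repurposer to change
    b"https://c2.example.invalid/gate",  # C2 URL: the first thing a repurposer patches
]
MIN_HITS = 2


def hash_detect(blob: bytes) -> bool:
    """Hash-based detection: any change to the file changes the digest."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256


def pattern_hits(blob: bytes, patterns=FAMILY_PATTERNS) -> int:
    """Count how many family patterns are present in the blob."""
    return sum(1 for p in patterns if p in blob)


def pattern_detect(blob: bytes, min_hits: int = MIN_HITS) -> bool:
    """Pattern-based detection: flag when enough family patterns survive."""
    return pattern_hits(blob) >= min_hits


def repurpose(blob: bytes) -> bytes:
    """Simulate the edits described in the article: flip one byte in the
    key seed and swap the hard-coded C2 for a placeholder of our own."""
    edited = bytearray(blob.replace(b"https://c2.example.invalid/gate",
                                    b"https://c2.repurposed.test/gate"))
    edited[edited.index(b"VMI5EOhq8gDz") + 3] ^= 0x01
    return bytes(edited)


PATCHED = repurpose(SAMPLE)

if __name__ == "__main__":
    for name, blob in (("original", SAMPLE), ("patched", PATCHED)):
        print(f"{name}: hash={hash_detect(blob)} pattern={pattern_detect(blob)} "
              f"hits={pattern_hits(blob)}")
```

The hash signature stops matching after the edit while the family rule still fires on the two untouched code fragments, which is why defenders pair exact-hash indicators with structural rules.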
This week's RSA talk may give the impression that malware repurposing is unique to Mac platforms. The examples of malicious-code reuse mentioned earlier should make it clear that this kind of reuse works against any operating system or platform. Given the complexity of malware and the ease with which it can be recycled, it's easy to understand why the practice is so common, Wardle said. “The idea is to let those with more time, money, and resources do all the hard work.”