APT reports

New MacOS X backdoor variant used in APT attacks

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists.

But before we go into details, let’s start with a quiz:

– The Dalai Lama walks into an Apple Store. Why?

A possible answer is, “to buy one of the new MacBook Pro’s with the Retina display!” (speaking of which, I would very much like to buy one of those as well, but it’s kind of difficult to justify the hit to the family budget)

Joke aside, actually Dalai Lama is a well known Mac user. Here’s a photo of him using a Mac during a conf call:

And a better one of him using a 17” MacBook Pro:

Perhaps it is no surprise that we are seeing an increase in the number of APT attacks against such high profile users using Mac’s.

On June 27th, we’ve intercepted a new wave of APT attacks targeting certain Uyghur Mac users.

The e-mails have a ZIP file attached. Inside the ZIP file, there’s a JPG photo and a MacOS X app:

The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as “Backdoor.OSX.MaControl.b”.

MD5 ( “matiriyal.app/Contents/MacOS/iCnat” ): e88027e4bfc69b9d29caef6bae0238e8

When executed, it installs itself in the system and connects to its Command and Control server to get instructions. The backdoor allows its operator to list files, transfer files and generally, run commands on the infected machine.

As usual, although some of the comments and debug info are in English, they contain common mistakes:

– “Recieve” instead of “Receive”

– “os verison” instead of “os version”

– “memery” instead of “memory”

– Etc…

The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size. The configuration block is obfuscated with a simple “substract 8” operation.

Once decrypted, the command and control server address can be read: 61.178.77.*, located in China:

With Macs growing in popularity and their increased adoption by high profile targets, we expect the number of MacOS X APT attacks will also grow. Previous attacks used MS Office exploits (Exploit.MSWord.CVE-2009-0563.a.); the one described here relies on social engineering to get the user to run the backdoor. Just like with PC malware, a combination of exploits and social engineering tricks are generally the most effective; it won’t be surprising to see a spike in such attacks soon.

Update: AlienVault posted a description of the Windows counterpart of the backdoor used in this attack. You can read their analysis here.

New MacOS X backdoor variant used in APT attacks

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox