OS X OceanLotus (Hailian flower Trojan)


On April 9, May 2015, researchers from Qihoo published a report on the OceanLotus Trojans, analyzing in detail the Trojan used against Chinese organizations. The report also mentions an OS X Trojan that had been uploaded to VirusTotal a few months earlier. Interestingly, as of February 8, 2016, none of the 55 anti-virus solutions on VirusTotal detected this sample, so we decided to investigate the OS X OceanLotus Trojan ourselves.

0x00 Analysis

OS X OceanLotus is an application bundle disguised as an Adobe Flash update. The bundle contains many files; the ones we are interested in are:

FlashUpdate.app/Contents/MacOS/EmptyApplication
FlashUpdate.app/Contents/Resources/en.lproj/.en_icon
FlashUpdate.app/Contents/Resources/en.lproj/.DS_Stores

0x01 Loader

As the output of file(1) below shows, EmptyApplication is a universal binary that runs on both i386 and x86_64. It is a very simple program: it decodes two "files", .en_icon and .DS_Stores, with a ROL3 algorithm and then runs them.

$ file EmptyApplication
EmptyApplication: Mach-O universal binary with 2 architectures
EmptyApplication (for architecture x86_64): Mach-O 64-bit executable x86_64
EmptyApplication (for architecture i386): Mach-O executable i386

EmptyApplication also obfuscates the strings in its binary with XOR, using "xc" as the key. The following is its simple decryption function.


In the 64-bit version, strings of 8 bytes or fewer are stored as integer values. Longer strings are encrypted and stored across adjacent variables, and the decryption function reads the variables 8 bytes at a time. In the example below, &v34 is passed to the decryption function, but the function actually decrypts v34 and v35 together.


After decoding .en_icon, EmptyApplication writes it to a temporary directory under the name "pboard" (probably to pass as the OS X pasteboard daemon) and executes the binary. EmptyApplication then deletes itself, decodes .DS_Stores, and writes the decoded binary to "EmptyApplication", replacing the original executable. Finally, the new EmptyApplication is started via NSTask.launch. The decoded .DS_Stores binary differs little from the original EmptyApplication, except that the new EmptyApplication does not look for .DS_Stores.

0x02 Trojan

Encrypted strings

The decoded .en_icon file is the main Trojan. It has anti-debugging features and handles the C2 connection. As discussed later, it uses several OS X commands and API calls, so it was clearly written specifically for OS X rather than ported from another platform.

Most strings in this binary are XOR-encrypted as well. This binary, however, uses several different keys, and the keys themselves are XOR-encrypted. In fact, the first thing the Trojan does is decrypt several XOR keys. Interestingly, the code that sets up the decryption keys runs before the "main" entry point, via a C++ static constructor referenced from the __mod_init_func section of the Mach-O binary.


The main decryption key used across the executable is "Variable". There are, however, several different "Variable" strings, so the author can update the code with different decryption keys. XOR decryption is not hard, but this scheme adds to the effort of reverse engineering. The decryption function below is similar to the one in EmptyApplication, except that this version takes a variable decryption key:
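To make the string obfuscation concrete, here is an added Python model (not code from this page or from the AlienVault analysis) of the two decoders described above: repeating-key XOR with the loader's key "xc", the 64-bit-immediate storage where "&v34" decodes v34 and v35 together, and the variable-key version whose per-string keys are recovered from the master key "Variable" before main(). The key table, the NUL terminator and the sample strings are constructed assumptions.

```python
import struct

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and
    decodes; EmptyApplication uses key b"xc", the main Trojan a per-string key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_immediates(immediates, key: bytes) -> bytes:
    """Strings of up to 8 bytes are stored as one 64-bit immediate; longer
    strings spill into adjacent 8-byte variables (v34, v35, ...). The decoder
    consumes 8 bytes per variable, so "&v34" really decodes v34 and v35
    together. A NUL terminator ends the string (assumption)."""
    raw = b"".join(struct.pack("<Q", v) for v in immediates)
    return xor_decode(raw, key).split(b"\x00", 1)[0]

def pack_immediates(plain: bytes, key: bytes) -> list:
    """Inverse of decode_immediates, used to build constructed test data:
    NUL-pad to a multiple of 8, XOR, split into little-endian 64-bit ints."""
    padded = plain + b"\x00" * (8 - len(plain) % 8)
    enc = xor_decode(padded, key)
    return [struct.unpack("<Q", enc[i:i + 8])[0] for i in range(0, len(enc), 8)]

MASTER_KEY = b"Variable"   # main key named in the analysis

def init_keys(encrypted_keys) -> list:
    """What the __mod_init_func static constructor does before main(): recover
    the per-string XOR keys, which are themselves XOR-encrypted with MASTER_KEY."""
    return [xor_decode(k, MASTER_KEY) for k in encrypted_keys]

def decode_string(enc: bytes, key_index: int, keys: list) -> bytes:
    """Decrypt one obfuscated string with the key selected by index (the
    variable-key version of the loader's decoder)."""
    return xor_decode(enc, keys[key_index])
```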


Anti-debugging

To prevent a debugger from attaching, the Trojan calls ptrace() with PT_DENY_ATTACH. It also installs a signal handler for SIGTRAP, issues an "int 3" to raise a SIGTRAP, sets a flag inside the SIGTRAP handler, and checks that flag before continuing. As anti-debugging goes, this technique is very effective.

Next, before running its code, the Trojan verifies a signature in the last 27 bytes of the binary. Of those 27 bytes, the first 11 must match a hard-coded value, and the last 16 must equal the MD5 hash of the binary with the 27-byte trailer removed.
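The trailer check described above, written out as an added Python triage helper (not code from this page or from AlienVault): it tells an analyst whether a candidate file still carries an intact self-check trailer. The 11-byte marker is passed in as a parameter, and the marker and body used in the test are constructed placeholders.

```python
import hashlib

TRAILER_LEN, MARKER_LEN, DIGEST_LEN = 27, 11, 16

def check_trailer(data: bytes, marker: bytes) -> bool:
    """True if the last 27 bytes of `data` are the 11-byte hard-coded marker
    followed by MD5(data without those 27 bytes), i.e. the Trojan's self-check."""
    if len(marker) != MARKER_LEN or len(data) < TRAILER_LEN:
        return False
    body, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    if trailer[:MARKER_LEN] != marker:
        return False
    return trailer[MARKER_LEN:] == hashlib.md5(body).digest()

def build_sample(body: bytes, marker: bytes) -> bytes:
    """Constructed test fixture: a body with a well-formed trailer appended."""
    return body + marker + hashlib.md5(body).digest()

def scan_file(path: str, marker: bytes) -> bool:
    """Apply the check to a file on disk."""
    with open(path, "rb") as fh:
        return check_trailer(fh.read(), marker)
```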

Persistence

The Trojan's first task is to set up a Launch Agent for persistence; the Launch Agent runs each time the user logs in. The Trojan copies itself to ~/Library/Logs/.Logs/corevideosd (or /Library/Logs/.Logs/corevideosd if it has root privileges) and creates a Launch Agent plist at ~/Library/LaunchAgents/com.google.plugins.plist (or /Library/LaunchAgents/com.google.plugins.plist) that references the corevideosd executable.

In addition to using a "hidden" directory, the Trojan calls chflags(filename, UF_HIDDEN) on both the corevideosd file and the com.google.plugins.plist file. To reduce the chance of exposing itself, it runs 'xattr -d -r com.apple.quarantine "PATH to corevideosd"' to remove the quarantine extended attribute from the corevideosd file. If the Launch Agent is already loaded, it runs "/bin/launchctl unload /Library/LaunchAgents/com.google.plugins.plist" to unload it before restarting corevideosd.

C2 Communication

The Trojan tries to contact multiple C2 servers to obtain commands and additional payloads. It contacts the first C2, kiifd[.]pozon7[.]net, over HTTP on port 80. The following is an example check-in request:


Here, 1AD6A35F4C2D73593912F9F9E1A55097 is the MD5 hash of the IOPlatformUUID, which the Trojan obtains by running the following OS X command:

/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | grep 'IOPlatformUUID'

The UUID is also written to the local file ~/Library/Preferences/.fDTYuRs. Before being written to disk, it is XOR-encrypted with the key "pth".

kiifd[.]pozon7[.]net is currently offline. If the Trojan could reach this C2, the C2 could direct it to download and execute additional payloads: the Trojan can run an executable or open a compressed application bundle (.app).

After contacting the first C2, the Trojan checks a local file, ~/Library/Parallels/.cfg (or /Library/Parallels/.cfg), for a list of executables or applications to run. ~/Library/Parallels/.cfg is essentially a "Startup Items" file: a list of programs to run when the Trojan starts for the first time. Although the Qihoo report states that the OceanLotus Mac Trojan can detect Parallels virtual machines, we disagree; OceanLotus Mac simply stores a hidden configuration file in the Library/Parallels/ directory.

Next, the Trojan requests an encrypted C2 connection. It first tries shop[.]ownpro[.]net and, if that host is offline, pad[.]werzo[.]net. This communication goes over port 443 but does not use SSL; instead the data is XORed with the single-byte key 0x1B. In the initial request, the Trojan sends no information about the victim host.

Once contact is confirmed, the Trojan prepares to process commands from the C2. It first creates a keep-alive thread that "pings" the C2 once a minute. It then collects the following system and user information:

- Product name and version (read from /System/Library/CoreServices/SystemVersion.plist)
- Whether the user is root
- Machine name
- The user's full name (read from pw_gecos)
- Username
- MD5 hash of the IOPlatformUUID (if the IOPlatformUUID is not found, the username and machine name are used as the victim identifier)

Besides the system and user information, the Trojan obtains the current time from www.microsoft.com: it sends an HTTP request and parses the Date header of the response. The request actually contains a bug. The request sent to www.microsoft.com looks like this:


Note that the request has no path, so the server responds with a 400 error. Because the Trojan only cares about the Date header, the faulty request still serves its purpose. The parsed date is converted to epoch time and stored in ~/Library/Hash/.Hashtag/.hash (or /Library/Hash/.Hashtag/.hash). There is another bug here: the Trojan reads the time back from ~/Library/Hash/.hash, whereas the real directory includes .Hashtag. Besides the timestamp, the values "th" and 1 are stored in this file. The whole content is XOR-encrypted with the key "camon".

The Trojan then sends the system and user information to the C2 and creates a thread to handle commands from the C2. The following dump shows the encrypted C2 communication:


Decoding the system-information block with the key 0x1B gives the following data: product name, OS version, username, machine name, and the MD5 hash of the IOPlatformUUID.

\x02\x10\x00\x00\x00Mac OS X 10.10.5\x00\x02\x00\x00\x00av\t\x00\x00\x00Lab_Osx_1\x00\x00\x001AD6A35F4C2D73593912F9F9E1A55097\xcb\xf2\x81V\x00\x00\x00\x00@\x00\x00\x00\x02\x00\x00\x00th\x00\x00\x00\x00\x00
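As an added example (not code from this page or from AlienVault), the following Python decodes a captured system-information block with the 0x1B key and correlates the IOPlatformUUID MD5 it carries with the UUID recovered from the host's .fDTYuRs file (key "pth"), which ties a network victim ID back to a specific machine during incident response. The length-prefixed field layout is inferred from the dump above, the MD5 input is assumed to be the bare UUID string, and the UUID and sample block used in the test are constructed.

```python
import hashlib
import struct

C2_KEY = bytes([0x1B])       # single-byte XOR key on the port-443 channel
UUID_FILE_KEY = b"pth"       # key for ~/Library/Preferences/.fDTYuRs

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def victim_id(platform_uuid: str) -> str:
    """Upper-case hex MD5 of the IOPlatformUUID string, the identifier the
    Trojan sends in its check-in (input format assumed: the bare UUID)."""
    return hashlib.md5(platform_uuid.encode()).hexdigest().upper()

def uuid_from_pref_file(blob: bytes) -> str:
    """Recover the UUID from the on-disk .fDTYuRs copy (XOR with "pth")."""
    return xor_bytes(blob, UUID_FILE_KEY).decode()

def parse_sysinfo(encrypted: bytes) -> dict:
    """Decrypt a captured system-information block and split it into fields.
    Layout assumed from the dump: a type byte, a u32-length-prefixed OS
    version, a one-byte root flag, then length-prefixed username, machine
    name and UUID MD5, followed by a u32 little-endian epoch timestamp."""
    raw = xor_bytes(encrypted, C2_KEY)
    pos = 1                      # skip the message-type byte (0x02 in the dump)

    def take_str() -> str:
        nonlocal pos
        (n,) = struct.unpack_from("<I", raw, pos)
        pos += 4
        s = raw[pos:pos + n].decode()
        pos += n
        return s

    info = {"os_version": take_str()}
    info["is_root"] = bool(raw[pos])
    pos += 1
    for field in ("username", "hostname", "uuid_md5"):
        info[field] = take_str()
    (info["timestamp"],) = struct.unpack_from("<I", raw, pos)
    return info

def build_sysinfo(os_version, is_root, user, host, uuid_md5, ts) -> bytes:
    """Constructed fixture in the assumed layout, XORed with 0x1B as on the wire."""
    def s(x: str) -> bytes:
        enc = x.encode()
        return struct.pack("<I", len(enc)) + enc
    raw = (b"\x02" + s(os_version) + bytes([int(is_root)]) + s(user) + s(host)
           + s(uuid_md5) + struct.pack("<I", ts))
    return xor_bytes(raw, C2_KEY)
```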

After the system and user information have been sent to the C2, this thread tries to read from the C2 every second, although the C2 appears to send data every five seconds. If the data from the C2 contains a command, the Trojan executes it. The following strings were recovered by decrypting the binary and probably belong to an interactive command console on the C2 side.


Apart from a few, the purpose of these commands is obvious from their names.

- "exec" opens an application bundle (a .app directory).
- "info" returns information about a file or path.
- "recent" returns the list of recently opened documents, by calling LSSharedFileListCreate(0, kLSSharedFileListRecentDocumentItems, 0).
- "windows" returns information about the windows currently open on the system (for example, the process owning a window), by calling CGWindowListCopyWindowInfo().
- "capture" saves a screenshot of the current desktop to the given path by running "/usr/sbin/screencapture -x" (-x suppresses the shutter sound).
- "where" has no usage string, but we believe it returns the full path of the running Trojan by running "ps awx | awk '$1 == [PID] {print $5}'", where PID is the current process ID.

Beyond the functions above, command codes allow the C2 to perform the following operations (some overlap with the commands above):

- Update or read the hash file /Library/Hash/.Hashtag/.hash
- Update or read the /Library/Parallels/.cfg file
- Download a file from a URL
- Decompress or open a compressed application bundle
- Run an executable, or execute code from a dynamic library
- Kill a process by path
- Delete a file
- Disconnect from the C2

0x03 Conclusion

This OS X OceanLotus Trojan is clearly a mature Trojan built specifically for OS X. Its use of OS X commands and APIs shows that the author is proficient with the platform and spent considerable time adapting the Trojan to the OS X environment. As with other advanced malware, the binary obfuscation indicates that the author wanted to protect their work, complicate reverse engineering, and reduce the chance of detection. The zero detection rate on VirusTotal shows that they succeeded.

We also found a simpler version of the OceanLotus Trojan. Its C2 is likewise hard-coded in the binary and it connects to kiifd[.]pozon7[.]net over port 80, but it never connects to the encrypted C2. This version cannot spawn threads to handle other tasks, so we believe it is an earlier variant, and we have not analyzed it in depth. For anyone studying the Trojan's development history, however, this early variant is still a good object of study.

App bundle

Bytes

Another older variant that only communicates with the unencrypted C2


C2s:

kiifd[.]pozon7[.]net

shop[.]ownpro[.]net

pad[.]werzo[.]net

Dropped Files:

/Library/.SystemPreferences/.prev/.ver.txt or ~/Library/.SystemPreferences/.prev/.ver.txt

/Library/Logs/.Logs/corevideosd or ~/Library/Logs/.Logs/corevideosd

/Library/LaunchAgents/com.google.plugins.plist or ~/Library/LaunchAgents/com.google.plugins.plist

/Library/Parallels/.cfg or ~/Library/Parallels/.cfg

/tmp/crunzip.temp.XXXXXX (passed to mktemp(), so the actual file name will vary)

~/Library/Preferences/.fDTYuRs

/Library/Hash/.Hashtag/.hash (or ~/Library/Hash/.Hashtag/.hash)

Detection
Yara rules:

rule oceanlotus_xor_decode
{
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus XOR decode function"
    strings:
        $xor_decode = { 89 D2 41 8A ?? ?? [0-1] 32 0? 88 ?? FF C2 [0-1] 39 ?A [0-1] 0F 43 D? 4? FF C? 48 FF C? [0-1] FF C? 75 E3 }
    condition:
        $xor_decode
}

rule oceanlotus_constants
{
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OceanLotus constants"
    strings:
        $c1 = { 3A 52 16 25 11 19 07 14 3D 08 0F }
        $c2 = { 0F 08 3D 14 07 19 11 25 16 52 3A }
    condition:
        any of them
}


Osquery OceanLotus pack:

{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "OceanLotus_launchagent": {
      "query": "select * from launchd where name = 'com.google.plugins.plist';",
      "interval": "10",
      "description": "OceanLotus Launch Agent",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_1": {
      "query": "select * from file where pattern = '/Users/%/Library/Logs/.Logs/corevideosd';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_2": {
      "query": "select * from file where path = '/Library/Logs/.Logs/corevideosd';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_3": {
      "query": "select * from file where pattern = '/Users/%/Library/.SystemPreferences/.prev/.ver.txt';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_4": {
      "query": "select * from file where path = '/Library/.SystemPreferences/.prev/.ver.txt';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_5": {
      "query": "select * from file where pattern = '/Users/%/Library/Parallels/.cfg';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_6": {
      "query": "select * from file where path = '/Library/Parallels/.cfg';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_7": {
      "query": "select * from file where pattern = '/Users/%/Library/Preferences/.fDTYuRs';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_8": {
      "query": "select * from file where pattern = '/Users/%/Library/Hash/.Hashtag/.hash';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_9": {
      "query": "select * from file where path = '/Library/Hash/.Hashtag/.hash';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_10": {
      "query": "select * from file where pattern = '/Users/%/Library/Hash/.hash';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_11": {
      "query": "select * from file where path = '/Library/Hash/.hash';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    },
    "OceanLotus_dropped_file_12": {
      "query": "select * from file where path = '/tmp/crunzip.temp.%';",
      "interval": "10",
      "description": "OceanLotus dropped file",
      "value": "Artifact used by this malware"
    }
  }
}

 

