Analysis of the Principles and Functions of Hacking Team's Mac Malware

Source: Internet
Author: User

Last week, security researcher Patrick Wardle published an article on a new HackingTeam backdoor and dropper for OS X. The finding also indicates that Hacking Team has become active again and is distributing new malware.

To understand how the malware works and what it does, other researchers carried out an in-depth analysis. The family is detected as Backdoor.OSX.Morcut: the backdoor implant is Backdoor.OSX.Morcut.u and the dropper that installs it is Trojan-Dropper.OSX.Morcut.d.

Encryption key

The main backdoor component reads its commands from an encrypted JSON configuration file. The researchers first tried the key already known from earlier Morcut samples, but it did not decrypt the file. From the binary they determined that the file is encrypted with AES-128, so a different key had to be in use. During initialization of the encryption routine, the key is passed as a parameter to the function:

By tracing the code, the researchers found the new key used to encrypt the configuration file:

The key string is 32 bytes long, but since the algorithm is AES-128 only its first 16 bytes are actually used as the key. With it, the researchers decrypted the configuration file successfully. The file is in JSON format and contains the commands that the backdoor executes on the target OS X machine:
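The decryption step described above, as an added worked example that is not code from the Morcut sample or from the researchers' analysis: it implements AES-128 in pure Python (so it runs without third-party packages), truncates a 32-byte key string to the 16 bytes that AES-128 actually consumes, and decrypts and parses a JSON configuration. The page gives only the algorithm and the key length, so the CBC mode, the 16-byte IV prepended to the file, PKCS#7 padding, the key string and the configuration content are all constructed assumptions for the demonstration; the real sample's key and file layout are not reproduced here.

```python
import json

def gf_mul(a, b):  # multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """AES S-box: GF(2^8) inverse, then the affine map inv ^ rotl(inv, 1..4) ^ 0x63."""
    sbox = [0x63] * 256  # the inverse of 0 is defined as 0, so S-box[0] = 0x63
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(5)]
        sbox[x] = rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes (column-major)."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, then xor Rcon into the first byte
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s, inverse=False):
    """State is 16 bytes in column-major order: byte i is row i % 4, column i // 4."""
    step = -4 if inverse else 4
    return [s[(i + step * (i % 4)) % 16] for i in range(16)]

def mix_columns(s, m):
    """Multiply every column by the circulant matrix whose first row is m."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        out += [gf_mul(m[-r % 4], col[0]) ^ gf_mul(m[(1 - r) % 4], col[1])
                ^ gf_mul(m[(2 - r) % 4], col[2]) ^ gf_mul(m[(3 - r) % 4], col[3]) for r in range(4)]
    return out

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(block, rk):
    s = xor(block, rk[0])
    for rnd in range(1, 11):  # rounds 1-9 mix columns, the final round does not
        s = shift_rows([SBOX[b] for b in s])
        s = xor(mix_columns(s, (2, 3, 1, 1)) if rnd < 10 else s, rk[rnd])
    return s

def decrypt_block(block, rk):
    """Inverse cipher: undo the rounds in reverse order (FIPS-197 section 5.3)."""
    s = xor(block, rk[10])
    for rnd in range(9, -1, -1):
        s = xor([INV_SBOX[b] for b in shift_rows(s, inverse=True)], rk[rnd])
        s = mix_columns(s, (14, 11, 13, 9)) if rnd > 0 else s
    return bytes(s)

def effective_key(key_material):
    """AES-128 takes a 16-byte key: of a 32-byte key string only the first 16 bytes are used."""
    return bytes(key_material[:16])

def cbc_encrypt(key_material, iv, data):
    rk, pad = expand_key(effective_key(key_material)), 16 - len(data) % 16
    data, out, prev = bytes(data) + bytes([pad]) * pad, [], iv  # PKCS#7 padding
    for i in range(0, len(data), 16):
        prev = encrypt_block(xor(data[i:i + 16], prev), rk)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key_material, iv, data):
    rk, out, prev = expand_key(effective_key(key_material)), [], iv
    for i in range(0, len(data), 16):
        out.append(xor(decrypt_block(data[i:i + 16], rk), prev))
        prev = data[i:i + 16]
    plain = b"".join(out)
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted file")
    return plain[:-pad]

def decrypt_config(key_material, blob):
    """Assumed file layout: a 16-byte IV followed by the CBC ciphertext of the JSON text."""
    return json.loads(cbc_decrypt(key_material, blob[:16], blob[16:]).decode("utf-8"))

# Constructed sample: a 32-byte key string of the kind the analysis found and a toy config.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_IV = bytes(range(16))
SAMPLE_CONFIG = {"modules": ["screenshot", "camera", "clipboard"], "sync": {"wifi_only": True}}

def build_sample_blob():
    return SAMPLE_IV + cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, json.dumps(SAMPLE_CONFIG).encode())
```

Running `decrypt_config(SAMPLE_KEY, build_sample_blob())` returns the sample dictionary, and so does a call whose key string differs from SAMPLE_KEY only in its last 16 bytes, which is the point the analysis makes about the 32-byte key. To apply this to a real file you would substitute the recovered key string and whatever IV handling the binary actually uses; a padding error on every candidate usually means the mode or the IV assumption, not just the key, is wrong. The block cipher itself can be checked against the FIPS-197 Appendix C.1 vector (key 000102...0f, plaintext 00112233...ff, ciphertext 69c4e0d8...c55a).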

Malicious functions of the implant

· Screen capture.

· Stolen information is synchronized (exfiltrated) to a Linode server located in the UK, but only when the target is connected to Wi-Fi or a specific network channel offers enough bandwidth, as defined in the JSON configuration file.

· Theft of information from locally installed applications: the Address Book, calendar events, and phone numbers. When an iPhone is connected to the same trusted Wi-Fi network, OS X lets the user place calls directly from the desktop.

· Surveillance of the target by recording with the built-in front camera, recording audio from the embedded microphone or headset, sniffing local chats, and stealing clipboard contents.

· Theft of the target's emails, text messages, and MMS messages, including from OS X desktops paired with an iPhone, such

· Among its other functions, it can also track the target's geographical location.

The JSON file shows that the operation started on Friday, October 16, 2015. In other words, this is a newly deployed HackingTeam backdoor implant.

Reference sample hashes (MD5)

0eb73f2225886fd5624815cd5d523d08

e2b81bed4472087dca00bee18acbce04

C&C server

212 [.] 71 [.] 254 [.] 212
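A host sweep using the indicators listed above, as an added example that is not part of the original analysis: it refangs the defanged C&C address, compares the MD5 of every file under the directories it is given against the two reference hashes, and flags connection-log lines that mention the C&C IP. The log format (one connection per line with the remote address in it), the sample lines, and the directories to scan are constructed assumptions for the demonstration.

```python
import hashlib
import os
import re

# Indicators taken from the analysis above; the second hash is case-normalized.
IOC_MD5 = {"0eb73f2225886fd5624815cd5d523d08", "e2b81bed4472087dca00bee18acbce04"}
IOC_C2_DEFANGED = "212 [.] 71 [.] 254 [.] 212"


def refang(indicator):
    """Turn the 'a [.] b [.] c [.] d' notation back into a dotted-quad string."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())


IOC_C2 = {refang(IOC_C2_DEFANGED)}


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_hash_matches(roots, hashes=IOC_MD5):
    """Return {path: md5} for every file under roots whose MD5 is a known sample hash."""
    hashes = {h.lower() for h in hashes}
    hits = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    digest = md5_file(path)
                except OSError:
                    continue  # unreadable or vanished file: skip it, do not abort the sweep
                if digest in hashes:
                    hits[path] = digest
    return hits


# Whole dotted quads only, so 212.71.254.21 is not mistaken for the C&C address.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_c2_connections(log_lines, c2_ips=IOC_C2):
    """Return the log lines in which any IPv4 address is a known C&C address."""
    return [line for line in log_lines if any(ip in c2_ips for ip in IPV4.findall(line))]


# Constructed sample connection log (documentation-range addresses); only the
# second line matches, the third is a different host despite the shared prefix.
SAMPLE_LOG = [
    "2015-10-20 09:12:01 tcp 10.0.1.5:52311 -> 198.51.100.7:443 ESTABLISHED",
    "2015-10-20 09:12:07 tcp 10.0.1.5:52314 -> 212.71.254.212:443 ESTABLISHED",
    "2015-10-20 09:12:09 tcp 10.0.1.5:52316 -> 212.71.254.21:80 ESTABLISHED",
]

if __name__ == "__main__":
    for line in find_c2_connections(SAMPLE_LOG):
        print("C&C connection:", line)
    for path, digest in find_hash_matches([os.path.expanduser("~/Library")]).items():
        print("known sample:", digest, path)
```

Hash matching only catches the two exact reference samples, so a miss is not a clean bill of health; the C&C address check on historical connection logs is the more durable indicator of the two, and the `hashes` and `c2_ips` parameters take extra indicators as they become available.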
