Analysis of the principles and functions of Hacking Team's Mac malware
Last week, security researcher Patrick Wardle published an article about Hacking Team's new backdoor and dropper implants, indicating that Hacking Team has become active again and is distributing new malware.
To understand how the malware works and what it does, security researchers carried out an in-depth analysis. The family is named Backdoor.OSX.Morcut; the backdoor implant is detected as Backdoor.OSX.Morcut.u and the dropper implant as Trojan-Dropper.OSX.Morcut.d.
Encryption key
The main backdoor component reads its payload commands from an encrypted JSON configuration file. To decrypt it, the researchers first tried a previously known key, but the file would not decrypt. By inspecting the binary, they determined that the file is encrypted with AES-128, so a new key had to be recovered. During the encryption routine's initialization, the key is passed as a parameter to the function:
By tracing the code, the researchers found the new key used to encrypt the configuration file:
The key string is 32 bytes long, but AES-128 uses a 128-bit key, so only the first 16 bytes act as the key. Using it, the researchers successfully decrypted the configuration file and found that it is in JSON format and contains the commands the backdoor is to execute on the target OS X machine:
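To make the key-length observation concrete, the following Go program is an added example written for this article; it is not code from the sample or from the researchers. It builds a constructed encrypted JSON configuration with a constructed 32-byte key string, then shows that decryption succeeds only when the first 16 bytes are used as an AES-128 key, while passing the whole 32-byte string to the cipher selects AES-256 and yields nothing parseable. The cipher mode (CBC with a prepended IV and PKCS#7 padding), the key value, the IV and the JSON content are all assumptions for the example; the article states only that the file is AES-128 encrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
)

// ConfiguredKey is a constructed 32-byte key string standing in for the one the
// researchers recovered; it is NOT the real key from the sample.
const ConfiguredKey = "0123456789abcdef0123456789abcdef"

// sampleConfig is a constructed configuration modelled on the capabilities the
// article lists (screen capture, camera, microphone, clipboard, location).
const sampleConfig = `{"modules":["screenshot","camera","mic","clipboard","position"],` +
	`"sync":{"host":"c2.example.invalid","wifi_only":true}}`

// Aes128Key keeps only the first 16 bytes: AES-128 consumes a 128-bit key, so
// the rest of a longer key string is simply ignored by the cipher.
func Aes128Key(full []byte) []byte {
	return full[:16]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptConfig produces IV || AES-CBC(PKCS#7(plaintext)). It exists only to
// build the constructed sample; the layout is an assumption of this example.
func EncryptConfig(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte(nil), iv...), out...), nil
}

// DecryptConfig reverses EncryptConfig with whatever key length it is given:
// 16 bytes selects AES-128, 32 bytes selects AES-256.
func DecryptConfig(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad blob length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// LoadCommands decrypts the blob and parses the JSON, returning the module list
// the way an analyst would to read out what the implant was told to do.
func LoadCommands(key, blob []byte) ([]string, error) {
	plain, err := DecryptConfig(key, blob)
	if err != nil {
		return nil, err
	}
	var cfg struct {
		Modules []string `json:"modules"`
	}
	if err := json.Unmarshal(plain, &cfg); err != nil {
		return nil, err
	}
	return cfg.Modules, nil
}

// SampleBlob builds the constructed encrypted config using the truncated key.
func SampleBlob() []byte {
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // constructed, fixed IV
	blob, err := EncryptConfig(Aes128Key([]byte(ConfiguredKey)), iv, []byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	return blob
}

func main() {
	blob := SampleBlob()
	mods, err := LoadCommands(Aes128Key([]byte(ConfiguredKey)), blob)
	fmt.Println("first 16 bytes (AES-128):", mods, err)
	_, err = LoadCommands([]byte(ConfiguredKey), blob)
	fmt.Println("all 32 bytes (AES-256):", err)
}
```

The second call fails at the padding or JSON stage because the 32-byte key makes the Go cipher run AES-256, which is a different key schedule from the AES-128 the configuration was written with. When reproducing such an analysis, take the key length from the cipher routine in the binary rather than from the length of the string the key is stored in.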
Malicious functions of the implant
· Screen capture.
· When the target is connected to Wi-Fi, or is using a specific network channel defined in the JSON configuration file, the stolen information is synchronized with, or reported to, a Linode server located in the UK.
· Theft of information: the Address Book, calendar events and the phone numbers held by locally installed applications. When an iPhone user connects to the same trusted Wi-Fi network, OS X allows calls to be made directly from the desktop.
· Monitoring of the target by recording with the front camera, recording through the built-in microphone, sniffing local chats and stealing data from the clipboard.
· Theft of the target's emails, text messages and MMS messages, including from OS X desktops paired with an iPhone, such
· Among other functions, it can also monitor the target's geographical location.
The JSON file shows that the operation started on Friday, October 16, 2015, which means this is a new backdoor implant from Hacking Team.
Reference sample hashes
0eb73f2225886fd5624815cd5d523d08
E2b81bed4472087dca00bee18acbce04
C&C server
212 [.] 71 [.] 254 [.] 212