Lazarus APT’s Operation Interception Uses Signed Binary

逆向病毒分析 1年前 (2022) admin
449 0 0

Malware authors have regularly used signed binaries to bypass the Apple security mechanism and infect macOS users. We came across one such sample and this time they are baiting users with job vacancies at Coinbase while silently pushing a signed binary in the background and doing their malicious activity. This is an instance of Operation In(ter)ception by Lazarus.

This malware under consideration is a fat binary containing x86_64 and ARM64 architecture compiled executable that can be executed in both Intel & Apple silicon machines.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 1 : Fat binary

The malware is a signed executable. The developer id belonged to Shankey Nohria but it has been revoked as of now.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 2 : Revoked certificate

When executed, it drops 4 files in the folder ~/Library/Fonts (The ~ character stands for the user’s home directory).

1. A PDF document named Coinbase_online_careers_2022_07.pdf

2. A package bundle named FinderFontsUpdater.app which contains a fat binary

3. A downloader agent which connects to the C2 named safarifontsagent. This is also a fat binary

4. A zero byte file named Finder.

The PDF contains job details at Coinbase company. The PDF is created with Microsoft Word 2019, version 1.7. The author of the document is mentioned as “UChan”.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 3 : Dropped pdf properties

As the malware executes, the pdf pops up on the screen but in the background the malware begins its malicious operation, starting with wiping the current saved state of the terminal.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 4 : Removing the saved state of terminal

Then it drops 2 files and then extracts those files using tar command into FinderFontsUpdater.app and safarifontsagent.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 5 : Extracting the dropped files into executable binaries

Once the 2 files have been extracted, LaunchAgent is created in the name of iTunes_trush with the target binary set as safarifontsagent, using the function startDaemon().

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 6 : LaunchAgent created
Lazarus APT’s Operation Interception Uses Signed Binary
Figure 7 : Dropped files

After dropping the above files, the malware executes FinderFontsUpdater.app (2nd stage).

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 8 : The second stage file gets executed by the malware

The main function of FinderFontsUpdater.app is to execute safarifontsagent (3rd stage) binary which communicates with the C2.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 9 : Function to execute the 3rd stage malware

Upon execution, the safarifontsagent calls a user defined function named DownloadFile() with couple of arguments, one of the arguments is an URL “hxxps(:)//concrecapital(.)com” appended with the user name of the victim machine which can be seen in Figure 10.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 10 : Argument of the DownloadFile() function 

Then the malware queries the system with commands like getuid, getpwuid, getuname etc., to get information. After that, it uses the commands “sw_vers -productVersion” & “sysctlbyname hw.cpufrequency” to get information about the victim’s machine .

After that the malware calls the curl_easy_init() function to get a curl handle for communication with C2.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 11 : Curl commands to receive the payload

Then the malware opens the Finder file in ‘wb’ (Open for writing in binary) mode.

The malware uses the information that was gathered earlier, i.e. product version, cpu speed etc. and appends it to the url hxxps(:)//concrecapital(.)com. Then the url with the appended data is passed as an argument to curl_easy_setopt() function.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 12 :URL to get the payload from the C2

It then uses functions like  curl_easy_setopt & curl_easy_perform to connect to the C2 and get the payload that will be written in the Finder file.

Lazarus APT’s Operation Interception Uses Signed Binary
Figure 13 : Finder file is opened in write mode and Curl operations in motion

The C2 server was not alive to respond so we were unable to find out what the payload was.

Threat actors targeting macOS users are increasing everyday. So, as a user, one needs to be cautious when executing unknown executables. Users are requested to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.

IOCs

Hash : 4a7a1626b6baf8c917945b8fc414c8b9 (parent malware)

Detection Name :  Trojan ( 0040f2c11 )

Like what you’re reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

 

版权声明:admin 发表于 2022年12月24日 上午9:27。
转载请注明:Lazarus APT’s Operation Interception Uses Signed Binary | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...