MAC HACKING MADE EASY — Former NSA hacker repackages in-the-wild Mac malware for his own use. Dan Goodin – Feb 28, 2020 3:15 pm UTC SAN FRANCISCO—Malware developers are always trying to outdo each other with creations that are stealthier and more advanced than their competitors’. At the RSA Security conference this week, a former…
SAN FRANCISCO—Malware developers are always trying to outdo each other with creations that are stealthier and more advanced than their competitors’. At the RSA Security conference this week, a former hacker for the National Security Agency demonstrated an approach that’s often more effective: stealing and then repurposing a rival’s code.
Patrick Wardle, who is now a security researcher at the macOS and iOS enterprise management firm Jamf, showed how reusing old Mac malware can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code. Where the approach really pays dividends, he said, is with the repurposing of advanced code written by government-sponsored hackers.
“There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that’s fully featured and also fully tested,” Wardle said during a talk titled “Repurposed Malware: A Dark Side of Recycling.”
“The idea is: why not let these groups in these agencies create malware and if you’re a hacker just repurpose it for your own mission?” he said.
Hijacking the hijackers
To prove the point, Wardle described how he altered four pieces of Mac malware that have been used in in-the-wild attacks over the past several years.
The repurposing caused the malware to report to command servers belonging to Wardle rather than the servers designated by the developers. From there, Wardle had full control over the recycled malware. The feat allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.
Besides saving time and resources, malware repurposing provides two key benefits:
- It may allow attackers, particularly those from state-sponsored groups, to infect high-risk environments, such as those that are already infected and under the eye of other malicious software actors. In that position, many nation state hacking groups will forgo deploying their crown-jewel malware to keep proprietary tactics, techniques, and procedures private. Repurposing someone else’s malware might be a suitable alternative in these scenarios.
- In the event that the malware infection is detected and forensically analyzed, there’s a good chance that researchers will misattribute the attack to the original hackers and not the party that repurposed the malware
There’s no shortage of evidence that the repurposing of rivals’ malware is already a common practice among nation-state hackers. WannaCry and NotPetya—the worms that wreaked worldwide computer shutdowns in 2017 and are widely attributed to North Korea and the Russian Federation respectively—spread rapidly from computer to computer with crucial help from EternalBlue, the Windows exploit developed by, and later stolen from, the National Security Agency. Researchers at security firm Symantec found a hacking group widely tied to the Chinese government reused NSA malware that gets installed by EternalBlue, in March 2016, 14 months prior before the powerful NSA hacking tools were published.
This 2017 article by freelance reporter Kim Zetter reports that files published by Wikileaks showed CIA hackers recycling techniques and snippets of code used in previous attacks for use in new projects. A few years ago, according to evidence unearthed by Symantec, the Russian-speaking hacker group known as Turla hijacked the servers of OilRig, a rival outfit connected to Iran’s government. Turla then used the infrastructure to attack a Middle Eastern government.
One of Wardle’s repurposings involved AppleJeus.c, a piece of recently discovered malicious code embedded in a fake cryptocurrency trading app for macOS. The sample was notable for being the first, or at least among the first, known malware specimens for macOS to use an in-memory, or fileless, method to execute second-stage malicious payloads onto targeted Macs.
By executing malicious code solely in memory—rather than using the more common route of saving the code to disk and then executing it—AppleJeus.c significantly lowered the chances antivirus programs and other forms of endpoint security would detect the infection or be able to capture the second-stage payloads. Researchers have tied the malware to Lazarus, a hacker group working for the North Korean government.
Rather than develop his own fileless payload installer for macOS, Wardle made just one minor modification to AppleJeus.c: instead of obtaining the fileless payload from the server originally hardcoded into AppleJeus.c, the modified malware now got the payload from a server he controlled.
“This means that when the [first stage of the] malware is executed, it will now talk to our server instead of the hacker’s original infrastructure, and it will create the custom command and control server that packages off the payload,” Wardle said.
The first step was to thoroughly analyze the inner workings of AppleJeus.c. Among the things he observed were the malware’s capabilities and the protocol it used to communicate with the original developers’ command and control server. Using a disassembler, for instance, he observed the malware using a cryptographic hashing function and a decryption function to load and then execute the second-stage payload.
By using a debugger to stop the malware just before it ran the hashing function, he found the string
VMI5EOhq8gDz, which when passed to the hash function turned out to be the decrpytion key. He then used the disassembler and debugger to discover the decryption cipher and parameters in a similar way.
Next, Wardle used a hex editor to change the original version’s hard-coded control server domain to the address of the server under his control. He designed this new control server to use the same communication protocol and to interact step by step with each function of the malware.
To get the modified version of AppleJeus.c to accept the second-stage payload, Wardle’s control server had to, among other things, encrypt it with the same key and cipher he observed during his analysis. With that, Wardle could use his repurposed AppleJeus.c to load and execute any Mac mach-O executable file of his choice.
“With a single modification to the binary, (and building a light-weight C&C server), we now have access to an advanced nation-state loader that will perform to our bidding …without having to write any (client-side) code!” Wardle wrote in a message following his talk. “This is way easier than writing it from scratch 🙂 Also, if this repurposed variant is ever detected, it will likely be misattributed back to the North Koreans.”
As an interesting aside, much of the code used to carry out AppleJeus.c’s in-memory infection was itself lifted from a deep-dive technical analysis published by Cylance researcher Stephanie Archibald.
Thrice more with feeling
Wardle used similar techniques to repurpose three other pieces of Mac malware that have circulated in the wild. The malware included Fruitfly, a remote access tool that stole millions of user images, many of them nudes, over 13 years before finally being shutdown, a ransomware app discovered in 2016, and Windtail, which targeted mostly government agencies and companies in the Middle East.
Wardle was able to make other tweaks to his repurposed pieces of code so they would bypass malware mitigations built in to macOS. For instance, because the Xprotect malware scanner is based on file signatures, changing a single byte of reused code is sufficient for it to completely escape detection. And when Apple-issued signing certificates have been revoked, it’s trivial to unsign the software and sign it with a new certificate. And to remove warnings displayed when users try to execute code or install apps downloaded from the Internet, it’s easy to remove the programming flags that make those warnings appear.
This week’s RSA talk may give the impression that malware repurposing is unique to Mac offerings. The examples of recycled malicious code mentioned earlier should make clear that this kind of recycling works against any operating system or platform. Given the wealth of working malware and the ease in reusing it, it’s easy to understand why the practice is so common, Wardle said. “The idea is to let those with more time, money, and resources do all the hard work.”