Payload (ravex) Mac OS


By hac the planet Payload Extractor is a utility that opens Mac OS X .pkg files, the same files opened by the OS X Installer application. But unlike the Installer application, Payload Extractor.

Downloaded the ISO image and proceeded to make a Mac OS X bootable USB on Windows, to create bootable media to install Mac OS X Leopard on my old MacBook A1181. I used ImageUSB and installed. I was very happy to find this 10.5.4 version, which worked perfectly. Many thanks to all.

A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.


Reasonably serious threat

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary researchers wrote in a blog post published on Friday. “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”


Silver Sparrow comes in two versions—one with a binary in mach-object format compiled for Intel x86_64 processors and the other a Mach-O binary for the M1. The image below offers a high-level overview of the two versions:

So far, researchers haven’t seen either binary do much of anything, prompting the researchers to refer to them as “bystander binaries.” Curiously, when executed, the x86_64 binary displays the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect the files are placeholders that give the installer something to distribute outside the JavaScript execution. Apple has revoked the developer certificate for both bystander binary files.


Silver Sparrow is only the second piece of malware to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code does because the former doesn’t have to be translated before being executed. Many developers of legitimate macOS apps still haven’t completed the process of recompiling their code for the M1. Silver Sparrow’s M1 version suggests its developers are ahead of the curve.

Once installed, Silver Sparrow searches for the URL the installer package was downloaded from, most likely so the malware operators will know which distribution channels are most successful. In that regard, Silver Sparrow resembles previously seen macOS adware. It remains unclear precisely how or where the malware is being distributed or how it gets installed. The URL check, though, suggests that malicious search results may be at least one distribution channel, in which case, the installers would likely pose as legitimate apps.


An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there's no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints the MalwareBytes can see, so the number is likely way higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “That’s pretty widespread... and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.”

For those who want to check if their Mac has been infected, Red Canary provides indicators of compromise at the end of its report.

Earlier this month, researchers from AlienVault and Intego reported a new malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which then would drop a malicious payload on the target’s computer using Java vulnerability CVE-2011-3544 and execute it. The webserver would serve a platform-specific JAR (Java Archive) dropper based on the browser’s UserAgent String to infect the user’s Windows or OS X system.

The OS X-specific dropper is also served to Linux clients. Since the dropped payload is designed for OS X only, Linux clients will not be infected.

This analysis is focused on the OS X payload and the network protocol it used to communicate with its Command and Control (C&C) server.

OS X uses the Mach-O file format for its executable files. For OSX/Lamadai.A, the Mach-O executable was compiled for 64-bit only, which is unusual since Mach-O binaries normally contain both the 32-bit and 64-bit versions of the executable.

Upon execution, the threat copies itself to /Library/Audio/Plug-Ins/AudioServer and adds a launch agent file named ~/Library/LaunchAgents/com.apple.DockActions.plist pointing to the copied file to ensure it is executed whenever the current user logs in.

Note that by default, on OS X 10.7.2, regular users do not have write permissions to /Library/Audio/Plug-Ins/AudioServer, meaning this threat is not persistent (i.e. it won’t survive a reboot). We are unsure if older versions of OS X have different filesystem permissions. Nonetheless, using another location under the user’s home directory would have worked better for the attacker.

Afterwards, the threat will try to contact its C&C server by resolving dns.assyra.com (100.42.217.73 at the time of analysis, the domain now points to 127.0.0.1) and establishing a TCP connection to port 8008. The server will respond with a TCP RST unless it has some instructions to communicate. The infected system then falls into a busy wait loop, trying to reconnect at random intervals ranging from 0 to 10 seconds.

The server may issue one of the three following instructions to the infected system:

  1. Upload a file: the C&C sends the path to upload, the client responds with the file content;

  2. Download a file: the C&C sends the file path and content, the client creates the file with permissions set to 777 (-rwxrwxrwx);

  3. Start a remote shell: the C&C sends an arbitrary shell command, the client responds with the output.

All communications between the client and the C&C are encrypted with AES and XOR. The crypto seems to be performed with a slightly modified implementation of AES and SHA1 from the PolarSSL library. The AES keys are generated from the first forty (40) bytes coming from the C&C. While the keys are constant during the entire communication, two different hardcoded XOR keys are used, one for incoming traffic and one for outgoing traffic.

Furthermore, the malware will not act upon any instruction unless the first packet received from the C&C matches a hardcoded key 16 bytes long, as seen in the picture below. The client will also add that key to the first response it will send to the C&C.

Finally, a custom SHA1-based hash is appended to every information packet going to and from the C&C for authentication and integrity checking purposes:

    hash = SHA1(key1 + sha1(key2 + encrypted_packet_content + packet_number))

where key1 and key2 are two 64-byte strings derived from the first XOR key.
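The following is an added example, not ESET's code, showing how an analyst can reproduce the packet authentication trailer described above to validate captured traffic and to see that a modified or out-of-sequence packet fails the check. The page does not give how key1 and key2 are derived from the XOR key or how packet_number is encoded, so the key values and the 4-byte big-endian counter encoding are assumptions.

```python
import hashlib
import hmac

# Assumptions: the page does not disclose the derivation of key1/key2 from the
# first XOR key, so these are constructed 64-byte stand-ins for illustration.
KEY1 = b"\x11" * 64
KEY2 = b"\x22" * 64
TAG_LEN = 20  # SHA1 digest size


def lamadai_tag(encrypted_content: bytes, packet_number: int,
                key1: bytes = KEY1, key2: bytes = KEY2) -> bytes:
    """hash = SHA1(key1 + sha1(key2 + encrypted_packet_content + packet_number)).

    packet_number is encoded as 4 bytes big-endian (an assumption; the page
    does not state the encoding).
    """
    num = packet_number.to_bytes(4, "big")
    inner = hashlib.sha1(key2 + encrypted_content + num).digest()
    return hashlib.sha1(key1 + inner).digest()


def build_packet(encrypted_content: bytes, packet_number: int) -> bytes:
    """Append the 20-byte trailer to the (already AES+XOR encrypted) content."""
    return encrypted_content + lamadai_tag(encrypted_content, packet_number)


def verify_packet(packet: bytes, expected_number: int):
    """Split off the trailer, recompute it for the packet counter we expect,
    and return (ok, content). The counter binds each packet to its position,
    so a replayed packet fails even though its bytes are unchanged."""
    if len(packet) < TAG_LEN:
        return False, b""
    content, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    ok = hmac.compare_digest(tag, lamadai_tag(content, expected_number))
    return ok, (content if ok else b"")


def demo():
    """Constructed ciphertext stand-in; real traffic would be AES+XOR output."""
    ct = bytes(range(32))
    pkt = build_packet(ct, 7)
    good, _ = verify_packet(pkt, 7)                 # genuine packet
    tampered = bytearray(pkt)
    tampered[3] ^= 0x01                             # flip one ciphertext bit
    bad_tamper, _ = verify_packet(bytes(tampered), 7)
    bad_replay, _ = verify_packet(pkt, 8)           # same bytes, wrong counter
    return good, bad_tamper, bad_replay
```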


During our investigation, we observed a live dialog between the C&C and our test machine. The timing and nature of the instructions received from the C&C led us to believe that they were being manually typed by a human. Here are a few interesting pieces:

After some filesystem browsing, the C&C issued two File Upload instructions targeting one Keychain file and Safari’s cookie store. The purpose here is clearly information stealing.


A lot of effort has been put into the network protocol, which is quite involved. The operators seemed to have a real interest in hiding the raw communication from a network dump so as to make reverse engineering more difficult. However, the use of symmetric cryptography makes it so that it is totally possible to reproduce the encryption and decryption routines and analyze the communication on-the-fly.

This attack is another reminder to stay current with OS patches as Apple patched this vulnerability in Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update in November 2011.

ESET security software (including ESET Cybersecurity for Mac) since signature update 7001 detects this threat as OSX/Lamadai.A. Some AV vendors flagged the file as OSX/Olyx, a previous Mac malware. We did not find any relation between the two threats, the network protocol and obfuscation techniques being different.

MD5 of the files analyzed:
39084b60790ca3fdebe1cd93a4764819 file-mac.tmp (OSX payload)

MD5 of related files
7f7cbc62c56aec9cb351b6c1b1926265 file-win.tmp (Win32 payload)
dd7421fb6ca03c5752a06cffb996285a index.jar (OSX/Linux dropper)
2d86dce83851f76493ba0492d066c095 default.jar (Win32 dropper)
4b6eb782f9d508bbe0e7cfbae1346a43 index.html (HTML serving the droppers)

Thanks to Marc-Étienne M. Léveillé who performed the technical analysis.

Alexis Dorais-Joncas
