Analysis<\/h1>\n
The following three sections of this blogpost describe the analysis of the sample with the SHA-1 hash E615632C9998E4D3E5ACD8851864ED09B02C77D2<\/span>. The file is named flashlightd and is detected by ESET products as OSX\/OceanLotus.D.<\/p>\n As usual for OceanLotus macOS binaries, the sample is packed with UPX, but most packer identification tools do not recognize it as such, probably because they mostly include a signature that relies on the presence of a \u201cUPX\u201d string, and further, Mach-O signatures are less common and not as regularly updated. This particular characteristic makes static detection more difficult. Once unpacked, one interesting thing is that the entry point is located at the beginning of the __cfstring<\/span> section in the .TEXT<\/span> segment. This section has the flag attributes seen in Figure 1.<\/p>\n<\/p>\n Figure 1. MACH-O __cfstring<\/span> section attributes<\/i><\/p>\n<\/div>\n As seen in Figure 2, the fact that the code is in the __cfstring<\/span> section tricks some disassembly tools to display the code as strings.<\/p>\n<\/p>\n Figure 2. The backdoor code is defined as data by IDA<\/i><\/p>\n<\/div>\n When run, the binary first creates a thread as an anti-debugging watchdog whose sole purpose is to continuously check if a debugger is present. In order to do that, this thread:<\/p>\n Figure 3. Check if a debugger is attached via sysctl<\/span> function<\/i><\/p>\n<\/div>\n If the watchdog detects that a debugger is present the exit <\/span>function is called. Moreover, the sample then checks its environment by issuing the following two commands: Even though the backdoor commands have not changed since the Trend Micro article, we noticed a few other modifications. The C&C servers used for this sample are quite recent as their creation date is 2018-10-22.<\/p>\n The URL resource used has changed to \/dp\/B074WC4NHW\/ref=gbps_img_m-9_62c3_750e6b35<\/span>.<\/p>\n The first packet that is sent to the C&C server contains more information regarding the host machine. All data gathered by the commands in the following table are included.<\/p>\n<\/p>\nAnti-debug and anti-sandbox<\/h2>\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-1-wm-1.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-2-wm2.png\")
<\/a><\/p>\n\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-3-wm.png\")
<\/a><\/p>\n
\nioreg -l | grep -e “Manufacturer”<\/span> and sysctl hw.model<\/span>
and checks the return value against a hardcoded list of known virtualization system strings: oracle, vmware, virtualbox or parallels. Finally, the command:
\nsystem_profiler SPHardwareDataType 2>\/dev\/null | awk ‘\/Boot ROM Version\/ {split($0, line, “:”);printf(“%s”, line[2]);}<\/span>
checks if the machine is one of the following: “MBP”, \u201cMBA\u201d, \u201cMB\u201d, \u201cMM\u201d, \u201cIM\u201d, \u201cMP\u201d and \u201cXS\u201d. These codes represent the model of the system. For instance, \u201cMBP\u201d stands for MacBook Pro, \u201cMBA\u201d stands for MacBook Air and so on\u2026<\/p>\nMajor updates<\/h2>\n
\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-4-wm.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-5-wm.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2019\/04\/Figure-6-wm.png\")
<\/a><\/p>\n