AtomicStealer - BrewApp
Summary
- Malware Sample: AtomicStealer.zip
- Tag: CryptoStealer
- Writeup(s):
Analysis
Extract the BrewApp.dmg file:
hdiutil attach BrewApp.dmg
cp -R /Volumes/BrewApp ./
hdiutil detach /Volumes/BrewApp
The sample's symbols have been stripped, and all of its strings have been obfuscated:
The malware calls system() multiple times. Set a breakpoint on system() to start debugging:
The first command is "osascript -e 'tell application "Terminal" to set visible of front window to false'". It hides the current Terminal window, most likely as an anti-debugging measure or to disguise the sample. Skip this call and continue:
Next, a temporary directory will be created under $HOME:
If created successfully, these functions will be executed:
- sub_100005E30
Uses fopen to create Sysinfo.txt in the temporary directory just created; this file stores the collected system information:
It uses these commands to collect system information:
- sw_vers
- system_profiler SPHardwareDataType
- system_profiler SPDisplaysDataType
- sub_1000073E0
A while loop verifies the local macOS user's password with the command dscl /Local/Default -authonly whoami {password}. If verification fails, a fake password prompt is shown to phish the user's password. Once it succeeds, the password is written to the password-entered file:
It will then copy the user's login.keychain-db file:
The other functions appear to do nothing.
Back to sub_1000124D0:
Lists installed apps and appends them to the Sysinfo.txt file:
Copies browser cookie files, data from the Notes app, and files with the following extensions: {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}, etc.
Packages the directory:
Uploads the files to the malware's server:
Finally, cleans up the temporary directory and displays an error message to deceive the user:
HZRat
Summary
- Malware Sample: HZ_RAT.zip
- Tag: backdoor, DingTalk, WeChat
- Writeup(s):
Analysis
Extract the pkg file:
pkgutil --expand OpenVPNConnect.pkg out
List OpenVPN_Connect.pkg/:
Check Pkg Scripts:
- pretinstall: a Mach-O file
- postinstall: sets permissions for OpenVPN Connect.app
Extract payload -> /Applications/OpenVPN Connect.app:
- OpenVPN Connect.app: the legitimate app
- exe: executes the malicious init file in the background and opens "OpenVPN Connect.app"
- init: a Mach-O file
- pretinstall
execvp is executed at startup:
Dynamic analysis to obtain execvp parameters:
It looks like it does nothing.
- init
It connects to the C&C server IP at startup:
C&C server IP:
The port is 0x1f91, i.e. 8081:
- 47.100.65.182:8081
- 10.9.241.235:8081
Send Cookie:
- Generate a random number as a cookie.
- Command data is encrypted using XOR, with the key being 0x42.
It then waits for the operator and receives commands:
Code 3, 8, 9: Execute command line:
Code 4: Write file:
Code 5: Download file:
Code 11: Ping check:
Because the C2 server had been shut down, it was not possible to determine which shell commands it would deliver for execution:
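The following helper is an added example (not part of the original writeup) for decoding HZRat-style C2 records captured from the wire during incident response. The only facts taken from the analysis are the XOR key 0x42 and the command-code meanings; the record layout (one command-code byte followed by the payload, the whole record XORed with the key) and the sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# XOR key observed in the sample (from the analysis).
XOR_KEY = 0x42

# Command codes observed in the sample (from the analysis).
COMMAND_NAMES = {
    3: "execute_command",
    8: "execute_command",
    9: "execute_command",
    4: "write_file",
    5: "download_file",
    11: "ping_check",
}


@dataclass
class Frame:
    code: int
    name: str
    payload: bytes


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def decode_frame(raw: bytes) -> Frame:
    """Decode one captured record. ASSUMED layout: code byte, then payload."""
    if not raw:
        raise ValueError("empty frame")
    plain = xor_bytes(raw)
    code = plain[0]
    return Frame(code=code, name=COMMAND_NAMES.get(code, "unknown"), payload=plain[1:])


def summarize(records: Iterable[bytes]) -> dict:
    """Count decoded command types across a capture, for quick IR triage."""
    return dict(Counter(decode_frame(r).name for r in records))


# Constructed sample records (not real traffic): an exec request and a ping check.
SAMPLE_RECORDS = [xor_bytes(b"\x03uname -a"), xor_bytes(b"\x0b")]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(decode_frame(rec))
    print(summarize(SAMPLE_RECORDS))
```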
PartyChaos
Summary
- Malware Sample: From a phishing site: partychaos[.]space
- Tag: CryptoStealer
Analysis
- In the entry function, the obfuscated string is decoded and then passed to system() for execution
- Use lldb to debug the sample and recover the executed commands