AtomicStealer - BrewApp

Analysis Extract the BrewApp.dmg file: 
hdiutil attach BrewApp.dmg
cp -R /Volumes/BrewApp ./
hdiutil detach /Volumes/BrewApp

The sample's symbols have been removed, and all strings have been processed:

The malware calls system multiple times. Set a breakpoint on system to start debugging:

"osascript -e 'tell application "Terminal" to set visible of front window to false'" This command hides the current window, which may be used for anti-debugging or sample disguise. Let's skip this execution:

Next, a temporary directory will be created under $HOME:

If created successfully, these functions will be executed:

  • sub_100005E30

Uses fopen to create a Sysinfo.txt file in the temporary directory just created, which is used to store collected system information:

It uses these commands to collect system information:

- sw_vers
- system_profiler SPHardwareDataType
- system_profiler SPDisplaysDataType

  • sub_1000073E0

There is a while loop that verifies the identity of the local macOS system user using the command dscl /Local/Default -authonly whoami {password}. If it fails, a fake window is triggered to obtain the user's password. Upon success, the password is written to the password-entered file:




It will then copy the user's login.keychain-db file:

  • The other functions seem to do nothing.

  • back to sub_1000124D0

List installed apps and appends them to the Sysinfo.txt file:

Copies browser cookies files, data from the Notes app, and files with the following extensions: {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}, etc.

Packages the directory:

Uploads the files to the malware's server:

image

Finally, cleans up the temporary directory and displays an error message to deceive the user:

image

HZRat

Analysis

Extract the pkg file:

pkgutil --expand OpenVPNConnect.pkg out

extract-pkg2

List OpenVPN_Connect.pkg/:

extract-pkg3

Check Pkg Scripts:

  • pretinstall: a macho file
  • postinstall: set permissions for OpenVPN Connect.app

extract-postinstall

Extract payload -> /Applications/OpenVPN Connect.app:

  • OpenVPN Connect.app: It's a legal App.
  • exe: Execute the init malicious file in the background and open "OpenVPN Connect.app"
  • init: a macho file

extract-pyload

  • pretinstall

execvp is executed at startup:

re-pretinstall-execvp

Dynamic analysis to obtain execvp parameters:

re-preinstall-lldb

Looks like it did nothing.

  • init

It will connect to the C&C server ip at startup:

re-init-c2

C&C Server IP:

Here, the port: 0x1f91 => 8081

  • 47.100.65.182:8081
  • 10.9.241.235:8081

re-init-c2-ip

Send Cookie:

  1. Generate a random number as a cookie.
  2. Command data is encrypted using XOR, with the key being 0x42.

re-init-cookie

Waiting for interactive, Receive Command:

re-init-receive

Code 3,8,9: Execute command line:

re-init-389-cmd

Code 4: Write file:

re-init-4-writefile

Code 5: Download file:

re-init-5-downloadfile

Code 11: Ping check:

re-init-11-ping

Because the C2 server was shutdown, it was not possible to determine what shell commands it would deliver for execution:

c2-server-commands

PartyChaos

Analysis
  • In the entry function, you can see that after processing the variant string, use the system command to execute it

static

  • Use lldb debugging to find the executed commands

lldb