
The Fancy Bear group uses OS X malware in cyber attacks

The Fancy Bear cyber group (also known as Sofacy, APT28, Sednit, Pawn Storm and TsarTeam) has already gained considerable fame in the media thanks to its recent cyber attacks on the servers of the World Anti-Doping Agency (WADA). Later, a Twitter account supposedly belonging to this group appeared, on which the publication of various parts of the WADA data obtained by Fancy Bear was announced from time to time.


Yesterday, the well-known American security company Palo Alto Networks published the results of its research into a new OS X Trojan called Komplex, which Fancy Bear used in cyber attacks on Mac users. ESET products detect this malware as OSX/Komplex.A. Komplex collects basic information about the victim's system, including the OS version, the user name and the list of running processes, and then sends this data in encrypted form to its command-and-control (C&C) server.

Fancy Bear's involvement with the Komplex malware is confirmed by indicators from the infrastructure it uses. In particular, the apple-iclouds[.]net and itunes-helper[.]net domains used for C&C communication had already been used by the group in earlier cyber attacks. The same goes for the appleupdate[.]org domain: the domain itself had not been observed in use before, but the IP address it resolved to had previously served as a C&C server for an earlier malicious campaign.
Installation of the malware into the system is split into several stages. In the first stage, a special executable file reaches the user; it writes the Komplex dropper to disk along with a PDF document used as a decoy. Palo Alto Networks specialists found variants of this executable for both 32-bit and 64-bit systems. Regardless of the architecture, it writes the Trojan's dropper to the path /tmp/content. After that, the decoy document is opened with the Preview application.


Fig. The part of the Mach-O file's code that writes the Komplex dropper and the decoy document to disk. (Palo Alto Networks data)

The document is saved under the name roskosmos_2015-2025.pdf; the screenshot below shows one of its pages. It is titled "Draft Federal Space Program of Russia for 2016-2025".


Fig. Part of the decoy document. (Palo Alto Networks data)

The Komplex dropper is responsible for installing the third executable file into the system and configuring the OS X settings needed for that file to start again after a reboot. The dropper contains the debug string "/Users/kazak/Desktop/Project/komplex", which is where the name Komplex comes from.

The dropper itself is fairly simple in terms of the functions it performs: all calls to the important functions are concentrated in its entry function, _main.


Fig. Code of the dropper's _main function. (Palo Alto Networks data)

The dropper's main task is to install the payload component on the system. It is saved to the file /Users/Shared/.local/kextd. Immediately after it starts, the payload executable checks whether a debugger is attached, using a function called AmIBeingDebugged. This function uses the sysctl call to retrieve the process's kernel-side flags and tests for the P_TRACED flag, which the kernel sets while a process is being traced. Interestingly, this code is very similar to the method Apple itself recommends in its "Detecting the Debugger" technical Q&A.


Fig. The anti-debug code of the Komplex payload. (Palo Alto Networks data)
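The P_TRACED check described above, as an added example written for this article (it is neither the Komplex payload's code nor Apple's own listing): on macOS it asks the kernel via sysctl() for the process's kinfo_proc and tests kp_proc.p_flag for P_TRACED, the same approach as Apple's Technical Q&A QA1361 "Detecting the Debugger". The Linux branch, which reads TracerPid from /proc/self/status, is an assumption added so the program also builds and runs on Linux; it is not something the malware does. The function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__APPLE__)
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Linux-only helper (not part of Komplex): pull the tracer's PID out of a
 * /proc/<pid>/status buffer. Returns 0 when the field is 0 or missing. */
long tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL)
        return 0;
    /* strtol skips the tab after the colon before reading the number */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Returns 1 if a debugger is attached to the current process, 0 otherwise.
 * macOS branch: the sysctl(CTL_KERN, KERN_PROC, KERN_PROC_PID) query that
 * Komplex's AmIBeingDebugged and Apple's QA1361 use; the kernel keeps
 * P_TRACED set in kp_proc.p_flag while the process is being ptrace()d. */
int am_i_being_debugged(void)
{
#if defined(__APPLE__)
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return 0;   /* query failed: report "not traced" */
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Assumed Linux equivalent: a non-zero TracerPid means ptrace()d. */
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");

    if (f == NULL)
        return 0;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

int main(void)
{
    /* Komplex's payload bails out at this point; the demo only reports.
     * Run it under lldb/gdb (or strace on Linux) to see the answer flip. */
    printf("debugger attached: %s\n", am_i_being_debugged() ? "yes" : "no");
    return 0;
}
```

Note the weakness an analyst exploits: the flag is read once, at startup, so attaching the debugger after the check, or patching the single conditional jump that follows the sysctl call, defeats it.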

After this check, the payload code performs another check, for the presence of a sandbox environment of the kind used by automated file-analysis tools. To do this, it sends a request to the Google search engine; a successful response tells the malware that the host has real Internet access and that communication with its C&C server can therefore succeed, and only then does it proceed. The code for this function is shown below.


Fig. Code that checks for Internet access. (Palo Alto Networks data)

After collecting the system data described above, Komplex sends it in encrypted form to the remote C&C server in an HTTP POST request.


Fig. Encrypted system data sent by the malware to the remote server.


Fig. The function that collects system data. (Palo Alto Networks data)

We have previously written about Fancy Bear's activities in the following posts:

» The Sednit hacker group switched to using its own set of exploits
» The Sednit hacker group specializes in attacks against isolated, air-gapped networks
» The Sednit hacker group uses 0-day exploits in cyber attacks

Source: https://habr.com/ru/post/311142/

