Monday, May 29, 2017

Retefe hitting MacOSX - Some interesting points

A few weeks ago Checkpoint posted about a malware in MacOSX OSX/Dok which it is the version of Retefe ported to Mac OS.

Most of the technical aspects of this specimen behaviour are described in the blog post referenced above, however there are some other interesting points I would like to highlight.

In order to install some of the tools used by the malware, like Tor, the malware requieres to gather some packets from homebrew, and this requieres Xcode to be installed, hence both of them are installed. 











It is possible to see the set of processes launched to install the different dependencies, and how some of the tools are installed from git.

 

Other than that, the configuration of the proxy to use the Tor node can be easily spot as it modifies the file  /Library/Preferences/SystemConfiguration/preferences.plist



Regarding the persistence of the malware, and for the specific sample with hassh 07b67d95176fb35e70c38561c8d67987, this is done by creating the file /Users/labtest/Library/LaunchAgents/homebrew.mxcl.tor.plist which launches the Tor process once the user (in this case labtest) logs into the system.

Also it is very easy to spot this process through the logs:

...
May 28 09:37:05 --- last message repeated 6 times ---
May 28 09:37:05 labtests-Mac com.apple.xpc.launchd[1] (homebrew.mxcl.tor): This service is defined to be constantly running and is inherently inefficient.
...

Lastly, the keychain file, where the certificate is stored, changes when the new certificate has been imported. This file is in/Library/Keychains/

The first samples detected were on the 22/04 and the developer's signature certificate had the serial number "48 CA D4 E6 96 6E 22 D62". Some samples from those dates are:

0e48346ebd57b1b6dbaa0bbad4d579dc 
9e9542cdd28bb74b09b685ab6f0d05da 
aeb933c1e6acca67538bd9b30a1c3337 
e8bdde90574d5bf285d9abb0c8a113a8  
14c1cd9c5f263d5ba988838e0c3e3cf6 
0e48346ebd57b1b6dbaa0bbad4d579dc 
9f25c1a359b9dae3f2c1abba45f0566d 
9e9542cdd28bb74b09b685ab6f0d05da 

Then on the 03/05 other  bunch of emails were sent with this malware, but this time the certificate used to sign the maliciuos app had the serial number "12 72 51 B3 2B 9A 50 BD".
Some samples from those days:

473c6a0b2af67c241a29d87e7fd33634
56be5de1952ab4f4a75cfe7e0edd1404 
561e5d2f73b0858913f0c8792df0dcd3 
8805c2674368fe981bc70f220702fad3 
2ee232b1a56f21bdd0b46ba0acd12a22 
87a4bff26626ccf022bda7373241275c 

On the 11/05 another bunch of emails and another different certificate "30 E1 5E 51 24 0E 65 13"

005885b7df33ddc331ae9d330992cb32 
08a3a516ef995fbccff3c383ef3477e7
8f6220b340fcd681af2b95e125d9c1bd 
2d17e6b8d631492d85df6686d5229287 
246906ed9bf9a5e6ddcd2ce63504b023 

16/05, again other round of maliciuos emails and other certificate used " 57 CA 73 4E 7B 02 E2 28"

07b67d95176fb35e70c38561c8d67987
a4aaabc1ce5dab07a7f98f08965f0fce
a6cf153e0fecd92bef90cc6020f03701 
fca0afcec326504ac6257ba49f96820d 
c3a7c3edf99227b7100d283bdfbff37b 
7b67d95176fb35e70c38561c8d67987 
65e1397dfca29c39c9f181504c9e6098 
a4aaabc1ce5dab07a7f98f08965f0fce 
961637c0d8158703141d3c330f88546e 
117ee5735c38f55900df60464378ca7c 
c8ae7b20d562733077798471a3b142ad 
18799cb34889baea83771f6b8ed20278 
c0d7908264ca3a4e5f124153af184a5c

19/05, new wave of emails, other certificate used  "5E 25 44 7D 4F 1A 7E 4D"

8dac2b2dd8cdedafdcd8d6b7793d7fba 
9f4fb4ee1a9f4ae47abe3904d3ccb7c1 
92b34cbc17062c27e42e1dfb08771a92 
8dac2b2dd8cdedafdcd8d6b7793d7fba 
2ba9a98407afdd70631704e9e56d51cf 
cd62c44978cf47de096604b890b9b377 


In all the cases, all the certificates used, were created a day or couple of days before being used to sign the maliciuos app with valid apple developers accounts.

Three days ago, a new wave of emails were sent, and again a new certificate has been used, "61 BA 22 AC 99 02 79 A1". Again, the certificate used was created the day previous to the first sample being detected

It is very interesting to see the pattern between the campaigns of emails sent with the maliciuos app signed with a different certificate each time.




This last sample, however, has a detection rate really low, and only 4 AV detects it as malware. 





Some samples are here:

deb5fca6bc967be8a5bab8dc1b01b2a6 
0100888469947ea58d298381b70e824c 
635e01bc807a20895b533734f6a4aaac 
7b7e8cb4dfd1d2535b9b20a59f463dcd 

e7442877ca35c85ba7fca34231d0ab0c 

In this last wave of emails, there is something interesting which is worth to mentioned. This time, the malicious app is not attached in the email directly, but a PDF file with a link to the malicious app hosted in Dropbox is attached. Also, some typos are in the email ("Amason instead of Amazon")




Another interesting point is that the PDF contains a link to the Windows version of the malware as well (a DOCX file with Macros)

The PDF is in VT since a three days ago: 
https://virustotal.com/en/file/eb0ee996575310d4ab029cd73e21b9d5205f0137269f1b687aa923dfde7eebe0/analysis/


The link to the linked malware are here:

hxxps://www.dropbox.com/s/moqk87enoib3o3o/Dokument_26.05.2017.docx?dl=1

hxxps://www.dropbox.com/s/2baxj6fvb2997v6/Dokument_26.05.2017.zip?dl=1


The windows version of the malware, has not changed since the last time I took a look here, where they were using PowerShell instead of JS.




Since last time I took a look to the Proxifier setup to figure out the banks affected, 49 new  domains of Swiss banks have been included in the list:

*credinvest.ch *bancazarattini.ch *appkb.ch *arabbank.ch *apbank.ch *notenstein-laroche.ch *bankbiz.ch *bankleerau.ch *btv3banken.ch *bhibank.com *dcbank.ch *bnpparibas.com *bordier.com *banquethaler.com *bbva.ch *pbgate.net *cmcic-banquepasche.com *bil.com *bcpconnect.com *banquecramer.ch *banqueduleman.ch *bankhaus-jungholz.ch *sparhafen.ch *bankzimmerberg.ch *bankleerau.ch *vontobel.com *notenstein-laroche.ch *bankbiz.ch *ceanet.ch *ce-riviera.ch *cen.ch *cedc.ch *cbhbank.com *cimbanque.net *cembra.ch *cmvsa.ch *coutts.com *ca-financements.ch *commerzbank.com *dominickco.ch *efginternational.com *exane.com *ekaffoltern.ch *falconpb.com *gemeinschaftsbank.ch *frankfurter-bankgesellschaft.com *glarner-regionalbank.ch *globalance-bank.com *hsbcprivatebank.com