Written by Sergei Shevchenko, Cyber Research

Last month a new advisory was published on a vulnerability discovered in MacKeeper, a controversial utility created by the Ukrainian company ZeoBIT and now owned by Kromtech Alliance Corp. As discovered by Braden Thomas, the flaw in MacKeeper's URL handler implementation allows arbitrary remote code execution when a user visits a specially crafted webpage.

The first reports on this vulnerability suggested that no malicious MacKeeper URLs had been spotted in the wild yet. Since the proof-of-concept was published, it took just days for the first instances to be seen in the wild.

The attack this post discusses can be carried out via a phishing email that contains a malicious URL. Once the link is clicked, users running MacKeeper are presented with a dialog suggesting that they are infected with malware and prompting for their password to remove it. The real purpose of the prompt is to obtain the password so that the malware can be executed with administrative rights.

The webpage hosted by the attackers in this particular case has the format shown in the original post's screenshot: a link of the form

'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:' followed by an encoded argument

which, once decoded, contains the commands that MacKeeper interprets and executes using the system shell. The launcher path for this command is specified within the decoded request as "/bin/sh" (a symlink to the currently configured system shell), and the prompt message displayed to the user is:

"Your computer has malware that needs to be removed"

As a result, once the unsuspecting user clicks the malicious link, a dialog box carrying that message pops up. Once the password is entered, the malware is downloaded, saved as /Users/Shared/dufh, and executed.

At this stage, the executable file dufh is a dropper. When run, it dumps an embedded executable and then launches it. The dropper also creates a plist in the LaunchAgents directory so that the created executable is started automatically ("RunAtLoad").

The embedded executable is a bot that gives the attacker remote access. It can:

- open a pipe stream and execute shell commands;
- set execution permissions on downloaded files and run them.

The bot also collects system information (the list of fields appears as a screenshot in the original post).

The bot keeps its execution parameters in a configuration (config) section. The embedded config parameters are encoded with a XOR key; the decoding is shown in a screenshot in the original post. The bot parses and distinguishes a number of configuration parameters; the list of config parameters along with their default values is likewise shown as a screenshot.

Config parameters FILES, LOG, ID, CONFIG, OLD_CONFIG and MAC are used to construct a 'message' that is encrypted and submitted to the server. For example, to upload system info in a so-called 'hello' message, the bot constructs a message of the form shown in the post's screenshot. A new config request 'message' has a similar layout; in the returned config, the block of files specified between the START_BLOCK_FILE and END_BLOCK_FILE tags will be downloaded and executed. To upload a log file (the result of executing a designated command or a downloaded file), the data uploaded by the bot is wrapped into a 'message' in the same way.

The SERVERS parameter contains an updated list of C&C servers. Config parameters TOKEN and EXTENSIONS are used to randomise URL parameters, as demonstrated below.

The bot checks whether it is connected to the Internet by accessing the Google page. If not, it keeps checking in a loop until the computer goes online.

The data transferred over the network is encrypted with a random 4-byte XOR key. The key is generated with the Mersenne Twister algorithm, which produces a high-quality (though not cryptographically secure) sequence of pseudo-random integers. The bot then constructs a blob that consists of 3 parts:

- the 4-byte random XOR key, itself encoded with the fixed XOR key 0x0E150722;
- a 2-byte CRC16 hash, used as a data integrity check;
- the message data, encoded with the random key.

Because the per-message key travels inside the blob under a single fixed key, this scheme is obfuscation rather than encryption: anyone who knows 0x0E150722 can decode every message.

The POST requests generated by the bot contain randomised URL parameters; examples of the generated URLs are shown in the post's screenshot. The random 'extensions' within the URL string (marked in red in the screenshot), such as .zip, are picked by the bot from the config parameter EXTENSIONS. The base64-encoded 'request' string (marked in blue) is the encrypted config parameter TOKEN ('h8sn3vq6kl'). It is encrypted in the same fashion as the data: a random 4-byte XOR key encodes the token, and that key is passed along encoded with the fixed XOR key 0x0E150722. The only difference is that there is no CRC16 field in the encoded chunk. The other 'path' parts of the URL are random.

The binary data within the POST request, once base64-decoded, looks like this in hexadecimal form:

E7C82476 DAD4 581CF8FF0148F5E95C19A6F27C19A6EF

As explained above, the first 4 bytes are the encoded key, read as a little-endian dword: E7C82476 -> 0x7624C8E7. Once the fixed XOR key 0x0E150722 is applied to it, the original randomly generated XOR key is obtained: 0x7624C8E7 ^ 0x0E150722 = 0x7831CFC5.

Next, the original XOR key (0x7831CFC5) is applied to the rest of the data to decrypt it. The key is applied as the repeating byte sequence C5 CF 31 78 (its little-endian memory layout), starting at the CRC16 field; this is the byte order that reproduces the decrypted output below:

E7C82476 1F1B 69643D30303030266D61633D4D616320

That is, the CRC16 field 1F1B followed by the ASCII string "id=0000&mac=Mac ", the start of a message built from the ID and MAC config parameters described above.
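The following is an added triage helper for the URL-handler abuse described at the start of this post; it is example code written for this page, not code from the original post, from MacKeeper or from the malware. It pulls `com-zeobit-command:` links out of mail or web content, base64-decodes whatever follows the `performActionWithHelperTask:` handler path, and flags payloads that name a shell launcher or the fake malware-removal prompt. The scheme, handler path, `/bin/sh` launcher and prompt text are the values quoted in the post; the assumption that the argument is plain base64 (standard or URL-safe alphabet) and the `launchPath=`/`prompt=` layout of the constructed sample payload are this example's own, since the post shows the real argument only as a screenshot.

```python
import base64
import re

# Values quoted in the post: the custom scheme and the handler path the attackers abused.
SCHEME = "com-zeobit-command:"
HANDLER = "/i/ZBAppController/performActionWithHelperTask:"
URL_RE = re.compile(re.escape(SCHEME) + r"""[^\s"'<>]+""")

# Strings a gateway rule would key on; the prompt text is quoted from the post.
PROMPT_TEXT = "Your computer has malware that needs to be removed"
SHELL_PATHS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def decode_helper_task(url: str):
    """Base64-decode whatever follows the handler path, or return None.

    Assumption (not stated in the post): the argument is base64 in the standard
    or URL-safe alphabet, possibly with its '=' padding stripped.
    """
    if HANDLER not in url:
        return None
    arg = url.split(HANDLER, 1)[1]
    if arg.startswith("/"):
        arg = arg[1:]
    arg = arg.replace("-", "+").replace("_", "/")
    arg += "=" * (-len(arg) % 4)           # restore stripped padding
    try:
        return base64.b64decode(arg).decode("utf-8", "replace")
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None


def triage(text: str) -> list:
    """Find com-zeobit-command links in mail/web content and say why each is suspicious."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        decoded = decode_helper_task(url)
        reasons = ["custom MacKeeper URL scheme present"]
        if decoded is not None:
            if any(p in decoded for p in SHELL_PATHS):
                reasons.append("decoded task launches a shell")
            if PROMPT_TEXT in decoded:
                reasons.append("decoded task carries the fake malware-removal prompt")
        hits.append({"url": url, "decoded": decoded, "reasons": reasons})
    return hits


# Constructed sample: the post shows the real argument only as a screenshot, so this
# payload is a stand-in carrying the two facts the post does give (launcher and prompt).
_FAKE_TASK = base64.b64encode(
    ("launchPath=/bin/sh\nprompt=" + PROMPT_TEXT).encode()
).decode()
SAMPLE_EMAIL = (
    "<p>Security notice</p>\n"
    '<a href="' + SCHEME + "//" + HANDLER + "/" + _FAKE_TASK + '">Scan now</a>\n'
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_EMAIL):
        print(hit["url"][:64] + "...", hit["reasons"])
```

Flagging on the scheme alone is enough for a mail gateway: nothing legitimate in an email body should invoke MacKeeper's URL handler, and the decoded content only adds context for the analyst.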
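Next, an added example for hunting the persistence the dropper sets up (a LaunchAgents plist with RunAtLoad for a binary dropped under /Users/Shared). This is example code written for this page, not the dropper's plist or any tool from the post. It parses a LaunchAgent plist with `plistlib` and reports the traits that distinguish the dropper's job from a normal one; the trusted and drop-location prefixes, the constructed sample labels and program paths are this example's own assumptions.

```python
import plistlib
from pathlib import Path

# Where a LaunchAgent's program normally lives, and the world-writable places this
# dropper used (the post names /Users/Shared); both lists are this example's choice.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")
DROP_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/")


def agent_program(agent: dict):
    """Return the executable a launchd job runs (Program wins over ProgramArguments[0])."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else None


def launch_agent_findings(plist_bytes: bytes) -> list:
    """Reasons a LaunchAgent plist looks like the dropper's persistence; [] means clean."""
    agent = plistlib.loads(plist_bytes)
    prog = agent_program(agent)
    if prog is None:
        return ["no Program or ProgramArguments"]
    findings = []
    if agent.get("RunAtLoad") and prog.startswith(DROP_PREFIXES):
        findings.append("RunAtLoad job pointing into a drop location: " + prog)
    if any(part.startswith(".") for part in Path(prog).parts[1:]):
        findings.append("hidden path component in " + prog)
    if not prog.startswith(TRUSTED_PREFIXES):
        findings.append("program outside the usual install locations: " + prog)
    return findings


def scan_launch_agents(directory) -> dict:
    """Walk a LaunchAgents directory (e.g. ~/Library/LaunchAgents); map file -> findings."""
    results = {}
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            findings = launch_agent_findings(p.read_bytes())
        except Exception as exc:            # an unparseable plist is itself worth a look
            findings = ["unparseable plist: %s" % exc]
        if findings:
            results[str(p)] = findings
    return results


# Constructed samples (labels and paths are placeholders, not the real dropper's values):
# one mimicking a RunAtLoad agent for a binary under /Users/Shared, one benign.
def _plist(label, program):
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": True})


SUSPECT_PLIST = _plist("com.example.helper", "/Users/Shared/.cache/update")
BENIGN_PLIST = _plist("com.example.app", "/Applications/Example.app/Contents/MacOS/helper")

if __name__ == "__main__":
    print("suspect:", launch_agent_findings(SUSPECT_PLIST))
    print("benign: ", launch_agent_findings(BENIGN_PLIST))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Run it against `~/Library/LaunchAgents` on a suspect machine; a RunAtLoad job whose program sits under /Users/Shared is the pattern this dropper leaves behind.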
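Finally, an added decoder and encoder for the C&C blob format the post describes (4-byte key under the fixed XOR key 0x0E150722, 2-byte CRC16, XOR-encoded payload, with the URL 'request' token variant carrying no CRC16). This is example code written for this page, not the bot's own routine. It reproduces the post's worked decryption of the hex dump E7C82476 DAD4 581CF8FF... byte for byte, which also pins down the key byte order (C5 CF 31 78 for 0x7831CFC5). Two assumptions are this example's own: the post does not identify the bot's CRC16 variant, so the encoder uses CRC-16/ARC as a stand-in and stores it big-endian, and the post's sample payload is an excerpt, so its CRC is not verified here.

```python
import base64
import random
import struct

FIXED_KEY = 0x0E150722   # fixed key named in the post; it protects (only) the per-message key


def keystream_xor(data: bytes, key: int) -> bytes:
    """XOR data with the 32-bit key applied as its repeating little-endian bytes.

    For 0x7831CFC5 that is C5 CF 31 78 C5 CF ..., the order that turns the post's
    DAD4 581CF8FF... into 1F1B 69643D30... ("id=0000&mac=Mac ").
    """
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i & 3] for i, b in enumerate(data))


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005 reflected, init 0). Assumption: the post does not say
    which CRC16 variant the bot uses, so this is a stand-in for the encoder."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def decode_blob(blob: bytes, with_crc: bool = True) -> dict:
    """Recover the per-message key, the raw CRC16 field (hex) and the plaintext payload."""
    if len(blob) < 4 + (2 if with_crc else 0):
        raise ValueError("blob too short")
    enc_key = struct.unpack("<I", blob[:4])[0]    # E7 C8 24 76 -> 0x7624C8E7
    key = enc_key ^ FIXED_KEY                      # 0x7624C8E7 ^ 0x0E150722 -> 0x7831CFC5
    rest = keystream_xor(blob[4:], key)            # keystream starts at the CRC16 field
    if with_crc:
        return {"key": key, "crc16": rest[:2].hex(), "payload": rest[2:]}
    return {"key": key, "crc16": None, "payload": rest}


def encode_blob(payload: bytes, key=None, with_crc: bool = True) -> bytes:
    """Build a blob the way the post describes: MT-generated key, CRC16, XOR, key under FIXED_KEY."""
    if key is None:
        key = random.getrandbits(32)   # CPython's random is MT19937, the generator the post names
    body = (struct.pack(">H", crc16_arc(payload)) if with_crc else b"") + payload
    return struct.pack("<I", key ^ FIXED_KEY) + keystream_xor(body, key)


def decode_post_body(b64: str, with_crc: bool = True) -> dict:
    """Decode a base64 POST body, or the URL 'request' token with with_crc=False."""
    return decode_blob(base64.b64decode(b64), with_crc)


def encode_post_body(payload: bytes, key=None, with_crc: bool = True) -> str:
    """Base64 form of encode_blob(), as it would appear in the POST body or URL."""
    return base64.b64encode(encode_blob(payload, key, with_crc)).decode()


if __name__ == "__main__":
    # The hex dump quoted in the post (payload is an excerpt, so its CRC is not checked).
    sample = bytes.fromhex("E7C82476" "DAD4" "581CF8FF0148F5E95C19A6F27C19A6EF")
    r = decode_blob(sample)
    print(hex(r["key"]), r["crc16"], r["payload"])   # 0x7831cfc5 1f1b b'id=0000&mac=Mac '
    # The TOKEN from the post, encoded the way the URL 'request' field is (no CRC16).
    tok = encode_post_body(b"h8sn3vq6kl", with_crc=False)
    print(tok, decode_post_body(tok, with_crc=False)["payload"])
```

Because `decode_blob` needs nothing but the fixed key, the same function turns a packet capture of this bot's traffic into plaintext; the per-message Mersenne Twister key adds no secrecy, only variation across requests.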