In this blog post, we focus on new Mac malware specimens or significant new variants that appeared in 2021. Adware and/or malware from previous years are not covered. However, at the end of this blog, I've included a section dedicated to these other threats, with a brief overview of each and links to detailed write-ups.

For each malicious specimen covered in this post, we'll identify the malware's:

Persistence: How it installed itself, to ensure it would be automatically restarted on reboot/user login.
Capabilities: What was the purpose of the malware? A backdoor? A cryptocurrency miner? Or something more insidious…

Also, for each malware specimen, I've added a direct download link to the sample, in case you want to follow along with my analysis or dig into the malware more!

Malware Analysis Tools & Tactics

Throughout this blog, I reference various tools used in analyzing the malware specimens. While there are a myriad of malware analysis tools, these are some of my favorites, and include:

ProcessMonitor: My open-source utility that monitors process creations and terminations, providing detailed information about such events.
FileMonitor: My open-source utility that monitors file events (such as creations, modifications, and deletions), providing detailed information about such events.
WhatsYourSign: My open-source utility that displays code-signing information, via the UI.
Netiquette: My open-source lightweight network monitor.
lldb: The de-facto command-line debugger for macOS. Installed (to /usr/bin/lldb) as part of Xcode.
Hopper Disassembler: A "reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications" …or malware specimens!

OSX.ElectroRAT

ElectroRAT is a cross-platform remote "administration" tool (RAT), designed to steal information from cryptocurrency users.

Download: OSX.ElectroRAT (password: infect3d)

ElectroRAT was uncovered by Intezer, who note:

"…we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have initiated in January 2020. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch." … "steal personal information from cryptocurrency users" -Intezer

"Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets" (Intezer's report)

Infection Vector: Trojanized/Fake Crypto-Currency Applications

In terms of its infection vector, Intezer noted the use of trojanized/fake cryptocurrency applications:

"These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications' web pages, where they could download the application without knowing they were actually installing malware." -Intezer

[Image: eTrader app, containing ElectroRAT]

If the user is tricked into downloading and running the application, they will inadvertently infect themselves with ElectroRAT.

[Image: eTrader app, containing ElectroRAT]

The malware is found within the trojanized application bundle, as a binary named mdworker. Via a ProcessMonitor, we see that the trojanized application (whose pid is 1350) will execute this mdworker binary (via bash):

Persistence: Launch Agent

% cat ~/Library/LaunchAgents/ist

As the RunAtLoad key is set to true, the OS will automatically (re)launch the malware each time the user (re)logs in.

Capabilities: Persistent Backdoor (+ embedded binaries)

In a Twitter thread, Avigayil (the security researcher at Intezer) notes that the malware first "queries a raw pastebin page to retrieve the C&C IP address":

"Upon execution, ElectroRAT queries a raw pastebin page to retrieve the C&C IP address. The malware then calls the registerUser function, which creates and sends a user registration Post request to the C&C." -Avigayil Mechtinger, January 5, 2021

Via Wireshark, we can confirm the macOS variant of ElectroRAT performs these same actions.

…and then, once the address of the command and control server (213.226.100.140) is retrieved, it connects out (with some basic information about the infected machine):

Once the malware has checked in with the command and control server, it acts upon any (remote) tasking:

"Commands received from the C&C are parsed by the RAT using corresponding functions before sending a message back with the response. The commands are sent as a json structure with the following keys: type, uid and data for additional parameters needed for the command." -Avigayil Mechtinger, January 5, 2021

"The attacker uses go-bindata to embed additional binaries within the malware"

In my write-up on the macOS variant of ElectroRAT, I describe how to extract these embedded binaries.

DarwinCam (SHA1: 7e0a289572c2b3ef5482dded6019f51f35f85456):
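The LaunchAgent persistence described above (RunAtLoad set to true, an executable borrowing the name of Apple's mdworker but living inside an app bundle) is the kind of thing a host triage check can flag. The Python below is an added example, not code from this post or from Intezer; the sample plist, its label com.example.mdworker, the /Applications/eTrader.app path and the names in APPLE_DAEMON_NAMES other than mdworker are constructed assumptions.

```python
import plistlib
from pathlib import Path
from typing import Optional

# Genuine Apple helper names that malware borrows; only mdworker comes from the
# post, the others are added here as assumptions.
APPLE_DAEMON_NAMES = {"mdworker", "mdworker_shared", "launchd", "kernel_task"}
APPLE_SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
SHELLS = {"bash", "sh", "zsh"}

# Constructed sample agent: label and path are assumptions, not values from the post.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.mdworker</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/Applications/eTrader.app/Contents/Resources/mdworker</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def agent_executable(agent: dict) -> Optional[str]:
    """Return the binary the agent really runs, looking through a 'bash -c' wrapper."""
    args = list(agent.get("ProgramArguments") or [])
    if "Program" in agent:
        args.insert(0, agent["Program"])
    if not args:
        return None
    if Path(args[0]).name in SHELLS:
        # "bash -c '/path/to/mdworker ...'": take the first absolute path in the command
        for token in " ".join(args[1:]).split():
            if token.startswith("/"):
                return token
    return args[0]


def triage_agent(plist_bytes: bytes) -> dict:
    """Classify one LaunchAgent: auto-runs at login? executable masquerading as Apple's?"""
    agent = plistlib.loads(plist_bytes)
    exe = agent_executable(agent)
    run_at_load = bool(agent.get("RunAtLoad", False))
    name = Path(exe).name if exe else ""
    in_system_path = bool(exe) and exe.startswith(APPLE_SYSTEM_PREFIXES)
    masquerade = name in APPLE_DAEMON_NAMES and not in_system_path
    return {"label": agent.get("Label"), "executable": exe,
            "run_at_load": run_at_load, "masquerade": masquerade,
            "suspicious": run_at_load and masquerade}
```

Run triage_agent over the bytes of each file in ~/Library/LaunchAgents to list every auto-run agent and highlight the ones whose binary name does not match where it lives.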