SAN FRANCISCO – Malware developers always try to outdo each other with creations that are more stealthy and more advanced than those of their competitors. “At this week's RSA security conference, a former National Security Agency hacker showed an approach that is often more effective: stealing a rival's code and then reusing it.
Patrick Wardle, now a security researcher with the enterprise management firm Jamf for MacOS and iOS, has shown how reusing old Mac malware can be a smarter and less resource-intensive approach to deploying ransomware, remote spy tools, and other types of malware. Where the approach really pays off is the reuse of advanced code written by government-sponsored hackers.
"There are incredibly well-funded, well-equipped, highly motivated hacking groups in three-letter agencies that create amazing malware that is fully functional and fully tested," said Wardle during a lecture entitled "Repurposed Malware: One dark side of recycling ". "
"The idea is: why don't you let these groups create malware in these agencies and if you're a hacker, just use them for your own mission?" he said.
Kidnapping the kidnappers
To prove this, Wardle described how he modified four pieces of the Mac malware that has been used in wild attacks in recent years.
The change in use caused the malware to report to Wardle's command servers rather than the developers' designated servers. From there, Wardle had full control over the recycled malware. The feat allowed him to use well-developed and fully functional applications to install his own malicious payload, get screenshots and other sensitive data from compromised Macs, and perform other nefarious actions written in the malware.
In addition to saving time and resources, malware reuse has two main advantages:
- It can allow attackers, especially those from government-sponsored groups, to infect high-risk environments, such as: For example, those that are already infected and are under the eye of other malicious software players. In this position, many nationwide hacking groups will forego providing their crown jewel malware to keep proprietary tactics, techniques, and processes private. In these scenarios, reusing someone else's malware may be a viable alternative.
- In the event that the malware infection is detected and forensically analyzed, there is a good chance that researchers may mistake the attack for the original hackers, not the party who re-used the malware
There is no lack of evidence that reuse of competitors' malware is already common among nationwide hackers. WannaCry and NotPetya – the worms that caused computer stoppages worldwide in 2017 and are widely attributed to North Korea and the Russian Federation – quickly spread from computer to computer national with the help of EternalBlue, the Windows exploit developed and later stolen safety authority. Researchers at security firm Symantec found that a hacking group, largely affiliated with the Chinese government, reused NSA malware installed by EternalBlue in March 2016, 14 months before the release of powerful NSA hacking tools.
This 2017 article by freelance reporter Kim Zetter reports that files released by Wikileaks showed CIA hackers recycling techniques and code fragments used in previous attacks for use in new projects. A few years ago, the Russian-speaking hacker group Turla kidnapped the servers of OilRig, a rival associated with the Iranian government, according to Symantec. Turla then used the infrastructure to attack a government in the Middle East.
One of the uses of Wardle was AppleJeus.c, a recently discovered malicious code embedded in a fake cryptocurrency trading app for macOS. The example was the first, or at least one of the first, known malware examples for macOS that used an in-memory or fileless method to run malicious second-level payload on target Macs.
By running malicious code exclusively in memory – rather than using the more common method of storing and then storing the code on disk – AppleJeus.c significantly reduced the likelihood that antivirus programs and other forms of endpoint security could detect or detect the infection, greatly reducing the payload the second stage. Researchers have tied the malware to Lazarus, a hacker group that works for the North Korean government.
Instead of developing its own installer for fileless payload for macOS, Wardle made only a minor change to AppleJeus.c: Instead of retrieving the fileless payload from the server originally coded in AppleJeus.c, the modified malware now received the payload from one of server controlled by him.
"This means that the (first phase of) malware, when executed, communicates with our server instead of the hacker's original infrastructure and creates the custom command and control server that packs the payload," said Wardle.
The first step was to thoroughly analyze the inside of AppleJeus.c. Among other things, he observed the capabilities of the malware and the protocol with which it communicated with the command and control server of the original developers. Using a disassembler, he observed the malware using a cryptographic hashing function and a decryption function, for example, in order to load the user data of the second stage and then execute it.
Using a debugger to stop the malware shortly before executing the hashing function, he found the string VMI5EOhq8gDz, which turned out to be the decryption key when passed to the hash function. He then used the disassembler and debugger to get the decryption and parameters in a similar way.
Enlarge /. The disassembled code AppleJeus.c, which is used to decrypt, load and execute (in memory) the received user data of the second stage.
Next, Wardle used a hex editor to change the hard-coded control server domain from the original version to the address of the server it controlled. He designed this new control server to use the same communication protocol and to interact step by step with every function of the malware.
In order for the modified version of AppleJeus.c to accept the user data of the second stage, the Wardle control server had to encrypt it using the same key and encryption that he observed during his analysis. With his converted AppleJeus.c, Wardle was able to load and execute any Mac mach-O executable of his choice.
Enlarge /. Use a hex editor to identify (and later modify) the control server hard-coded into the malware.
"With a single change to the binary file (and building a lightweight C&C server), we now have access to an advanced nation-state loader that meets our bids … without having to write (client-side) code!" Wardle wrote in a message after his lecture, "This is a lot easier than rewriting it from scratch 🙂 Even if this reused variant is ever discovered, it is likely wrongly attributed to the North Koreans."
Interestingly, much of the code used to carry out AppleJeus.c's in-memory infection itself was extracted from a technical analysis published by Cylance researcher Stephanie Archibald.
Three times more with feeling
Wardle used similar techniques to reuse three other pieces of Mac malware that were spread in the wild. The malware included Fruitfly, a remote access tool that stole millions of user images, including many nudes, over 13 years before the final shutdown, a 2016 ransomware app and Windtail primarily targeted at government agencies and businesses in the Middle East judged.
Wardle was able to make further changes to its reused pieces of code to circumvent the malware protection measures built into macOS. Because the Xprotect malware scanner is based on file signatures, for example, it is sufficient to change a single byte of reused code to completely avoid detection. If signature certificates issued by Apple have been revoked, it is trivial to deregister the software and sign it with a new certificate. To remove warnings that appear when users try to run code or install apps downloaded from the Internet, you can simply remove the programming flags that display these warnings.
This week's RSA presentation could give the impression that malware reuse is only possible with Mac offerings. The above examples of recycled malicious code should make it clear that this type of recycling works against any operating system or platform. Given the plethora of working malware and easy reuse, it's easy to understand why this practice is so common, Wardle said. "The idea is to let those with more time, money and resources do all the hard work."