This malware was first identified in November 2021, so we’ll start with a refresher. AT&T Alien Labs discovered Golang (Go) malware it calls ‘BotenaGo’, which targets routers and IoT devices.
The news is that Alien Labs recently discovered the source code (2,891 lines of code) had been uploaded to GitHub, meaning anyone can customize it for whatever objectives they have. Alien Labs predicts an uptick in campaigns using BotenaGo against routers and IoT devices.
What’s worrisome about BotenaGo is that it has a low Antivirus (AV) detection rate.
Additionally, the availability of the source code means new variants will use new infrastructure.
Its capabilities include the following:
Victim device fingerprinting
Screen capture
File download/upload
Execute terminal commands
Audio recording
Keylogging
To minimize risk, ensure IoT devices have minimal exposure to the internet and, if the malware is detected, patch as quickly as possible.
What’s interesting about Mac malware is that there hasn’t been a lot of it so far. There’s a Wikipedia page dedicated to Mac malware and it requires no scrolling; that’s how uncommon malware on Macs has been thus far.
Historically, Macs have had a reputation for their OS being more secure than Windows, and that might still hold some truth, but we’re seeing (and will continue to see) more threats against Macs, given their market share.
This latest instance of malware targeting Macs was discovered by the firm ESET, which calls this malware DazzleSpy. It’s one of the more sophisticated malware packages seen to date: it exploits several vulnerabilities, it’s effective, it’s hard to detect, and it’s hard to remove.
DazzleSpy is delivered via watering-hole attacks featuring malicious or hacked websites that drop the initial loader, which exploits a code execution vulnerability in WebKit, Safari’s browser engine. So we at DomainTools certainly see the importance of detecting malicious domains as early in the process as possible.
The script on the malicious (or hacked) domain first checks the installed macOS version and redirects the victim to the next stage if their browser is running on macOS 10.15.2 or newer. This next stage runs a series of JavaScript files, which gain the ability to read and write Mac memory by first leaking the memory address of an object and then creating a fake JavaScript object from a specific memory object. The result is two arrays that overlap in memory, which allows the script to set a pointer to a memory location where a malicious executable named Mach-O can be run.
Mach-O first downloads a file from the URL supplied as an argument, then decrypts the file, writes the result to $TMPDIR/airportpaird, and makes it executable. Mach-O then uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file so the user is not asked to confirm the launch of the unsigned executable. Finally, it uses the same privilege escalation to launch the next stage with root privileges. At that point DazzleSpy is installed and the Mac is fully backdoored.
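The step above worth a defender's attention is the one that strips the com.apple.quarantine attribute from an executable dropped in $TMPDIR: an executable in a temporary directory that carries no quarantine flag is exactly the artifact this chain leaves behind. The following audit script is an added example written for this recap; it is not ESET's or DomainTools' code. It reads the extended-attribute names of each regular file in a directory (os.listxattr on Linux, the xattr(1) command on macOS) and flags executables that lack the quarantine attribute. The sample records and the /tmp/example paths are constructed for illustration, not taken from a real infection.

```python
"""Audit a directory for executable files that lack the macOS quarantine
attribute (com.apple.quarantine). Added example for the DazzleSpy recap;
sample records below are constructed, not captured from a real system."""
import os
import stat
import subprocess
from typing import Iterable, List, NamedTuple

QUARANTINE_XATTR = "com.apple.quarantine"  # real Gatekeeper attribute name


class FileRecord(NamedTuple):
    path: str
    mode: int               # st_mode bits as returned by os.stat
    xattrs: frozenset       # names of extended attributes on the file


def list_xattrs(path: str) -> frozenset:
    """Return extended-attribute names for a file.
    os.listxattr exists only on Linux; on macOS fall back to the xattr(1)
    command, which prints one attribute name per line."""
    if hasattr(os, "listxattr"):
        try:
            return frozenset(os.listxattr(path, follow_symlinks=False))
        except OSError:
            return frozenset()
    try:
        out = subprocess.run(["xattr", path], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return frozenset()
    return frozenset(line.strip() for line in out.splitlines() if line.strip())


def collect_records(directory: str) -> List[FileRecord]:
    """Build a FileRecord for every regular file directly inside directory."""
    records = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                records.append(FileRecord(entry.path, st.st_mode,
                                          list_xattrs(entry.path)))
    return records


def is_executable(mode: int) -> bool:
    """True for a regular file with any execute bit set."""
    return stat.S_ISREG(mode) and bool(
        mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def flag_unquarantined_executables(records: Iterable[FileRecord]) -> List[str]:
    """Return the paths of executables that carry no quarantine attribute.
    A downloaded file normally keeps this attribute until the user confirms
    the launch, so its absence on a fresh executable in $TMPDIR is suspicious."""
    return sorted(r.path for r in records
                  if is_executable(r.mode) and QUARANTINE_XATTR not in r.xattrs)


# Constructed sample records with hypothetical paths.
# 0o100755 = regular file, rwxr-xr-x; 0o100644 = regular file, rw-r--r--.
SAMPLE_RECORDS = [
    FileRecord("/tmp/example/airportpaird", 0o100755, frozenset()),
    FileRecord("/tmp/example/installer.pkg", 0o100644, frozenset()),
    FileRecord("/tmp/example/downloaded-tool", 0o100755,
               frozenset({QUARANTINE_XATTR})),
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    recs = collect_records(target) if target else SAMPLE_RECORDS
    for p in flag_unquarantined_executables(recs):
        print("executable without quarantine attribute:", p)
```

Run it as `python3 audit_quarantine.py "$TMPDIR"` on a Mac to check the real temp directory, or with no argument to see the constructed sample. The check is deliberately narrow: an executable without the attribute is a lead to investigate (locally built tools also lack it), not proof of compromise, and the script only reads attributes, never changes them.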
At this point in time, it’s unknown who is behind DazzleSpy, but a working theory is that it's likely state-sponsored. The victimology may tell us more about who is behind this.
Currently, the targets for these attacks are narrow (pro-democracy activists for Hong Kong). It would not be surprising if this continued to spread, but right now, the individual odds of being affected are low.
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
Return of the Mac (Malware) [Taylor]: 4/10 Hoodies [Tim]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!