OSX Malware Linked to Operation Emmental Hijacks User Network Traffic

The OSX_DOK malware (Detected by Trend Micro as OSX_DOK. C)  showcases sophisticated features such as certificate abuse and security software evasion that affects machines using Apple’s OSX operating system. This malware, which specifically targets Swiss banking users, uses a phishing campaign to drop its payload, which eventually results in the hijacking of a user’s network traffic using a Man-in-the- Middle (MitM) attack. OSX_DOK.C seems to be another version of WERDLOD (Detected by Trend Micro as TROJ_WERDLOD), which is a malware that was used during the Operation Emmental campaigns—an interesting development that we will tackle further in this blog post.

Arrival Method and Infection Flow

Figure 1

Figure 1: OSX_DOK.C infection routine for Mac systems

OSX_DOK.C first arrives via a phishing email that contains certain files labeled as either .zip or .docx files. The sample we analyzed was a purported message from a police inspector in Zurich allegedly claiming to unsuccessfully contact the recipient. The email also comes with two files attached claiming to contain questions for the user: one is a .zip file, which is a fake OSX app, while the other is a .docx file used to target Windows operating systems using WERDLOD. Both of these samples work as Banking Trojans and provide similar functionalities.

Some examples of the files used in the email attachment include the following:

  • Zahlungsinformationen 01.06.2017.zip
  • Zahlungsinformationen digitec.zip
  • zip
  • Dokument 09.06.2017.zip
  • Dokument 09.06.2017.docx
  • docx
  • docx
  • 06.2017.docx

Once the docx file included in the phishing email is clicked, a warning window will pop up:

Figure 1

Figure 2: Warning window on OSX

After this, the App Store on the system will be removed, followed by a full screen fake OSX update screen.

Figure 1

Figure 3: Fake OSX update screen

It will ask for a password to run command as root.

Figure 1

Figure 4: Fake OSX update screen

The malware will begin to download other utilities. It relies on Homebrew, an open source software package manager to install Golang and Tor.

The malware will then install fake certificates in the system to perform a MitM attack without notifying the user.

The structure of the fake App Store matches the application bundle structure and provides both English and German interfaces. The main executable is Dokument.app/Contents/MacOS/AppStore.

The archive in Mac OSX looks like this:

Figure 1

Figure 5: Fake document file

Mac OSX will run the application if it passes certificates. In this case, the malware is signed off by a “developer”, which may actually be a dummy account or that of a compromised user. In addition, the time stamp on the CA is new, which might mean that it was obtained specifically for this attack.

The fake certificate imitates the COMODO root certificate. Take note that the fake certificate does not contain a COMODO Certificate Authority seal that certifies its validity, as seen in the comparison below:

Figure 1

Figure 6: Comparison of a Fake COMODO (left) root certificate vs a genuine COMODO certificate (right)

We noticed that this malware will not work for Mozilla Firefox or Google Chrome since these two browsers have their own root certificates. Of all the major browsers, only Safari uses the system’s certificates.

We observed the attacker targeting both Windows and Mac OSX in the same spam mail on June 9, 2017. There is a file shortcut embedded in the malicious .docx file—one that will download an executable file from Dropbox—that executes once clicked by the user. The functionalities are similar to the malicious app provided, which includes installing tor and proxy.

We have already notified Dropbox about the use of its service for this malware. Dropbox has already taken down the links.

The malware will install two proxies running on local host port 5555 and 5588. All of the traffic will be hijacked into the first proxy (port 5555) with the victim’s external IP address as parameter.

Figure 1

Figure 7: Installing proxies on local host port 5555

The first (port 5555) proxy first finds the IP parameter. If it is not in Switzerland, the traffic will proceed as normal. If it detects an IP located in Switzerland, the malware will run an obfuscated JavaScript code and find its visiting domain. If the domain is in the target, the malware will perform a MitM attack and redirect the traffic to the second proxy (port 5588), which routes the traffic to the Tor network. The purpose of these steps is to target users in Switzerland and hijack their traffic

After deobfuscating the malware, we found the target domains:

Figure 1

Figure 8: Hardcoded list of target banking websites in Switzerland

The target domain’s visitors will be redirected into an e-banking login page that looks and acts normally, but is located on dark web sites.

However, once the victim enters an account and password. A window will pop out.

Figure 1

Figure 9: Hijacking connection to EKR bank

The pop-out window is just smoke and mirrors, where nothing actually happens once the countdown timer reaches zero.

We analyzed the webpage and found attackers injecting a script into the webpage. Once the user enters an account and password, it will initiate POST using AJAX. The POST message is sent to the same site as the fake login page—which an attacker can control inside the Tor network.

Figure 1

Figure 10: Post message carrying argument

We decoded the data section and found not only the account and password, but that it also fingerprinted the user’s browser and system information.

While Operation Emmental was able to bypass two-way authentication by tricking its victims into installing a fake app, we have not observed OSX_DOK.C doing this. However, since they can inject code into the webpage, it means they have the ability to do this as well.

Performing static analysis on OSX_DOK.C

We performed static analysis on the sample and found it packed by Ultimate Packer for Executables (UPX), an open source executable packer that can often be abused by malware. We successfully unpacked the initial sample we found dropped by the UPX unpacker.

The malware is not obfuscated so we easily found interesting strings here. We can see that the malware relies on bash shell for most of its setup.

Figure 1

Figure 11: OSX_DOK.C strings

We were not able to unpack the sample discovered after June 9, 2017. The UPX gave a warning message about memory buffer overflow. The malware author seemingly made unpacking the malware more difficult to slow down or even evade the antivirus engine’s scanning process. The packer is the same but the malware tries to exploit the undiscovered bug in the UPX library that causes unpack failure. We have reported the issues to the UPX team, and they have already fixed it.

The impacted versions of the UPX library are 3.94, 3.93, and 3.92. This technique enables the malware to efficiently run while evading unpacking techniques from the AntiVirus-integrated UPX library.

Connecting OSX_DOK.C with WERDLOD

As mentioned earlier, we believe that OSX_DOK.C might be the MAC OSX version of WERDLOD, an online banking malware that used the same techniques as Operation Emmental. Other research have also connected the OSX malware and Retefe (the external term used for WERDLOD) via similarities in their behavior.

While OSX_DOK.C is designed for MAC OSX, which is a Unix-like system, WERDLOD is designed for Windows. But in terms of features and behaviors, these two malware are very similar. Here is a list of their similarities.

Both malware kill all current browsers before installing fake certificates:

Both WERDLOD and OSX_DOK.C are designed to kill the browser process before installing fake certificates. While WERDLOD kills processes for Internet Explorer, Firefox, and Chrome, OSX_DOK.C does the same on Safari, Firefox, and Chrome.

Both malware share the same proxy settings and script:

While WERDLOD and OSX_DOK.C use different codes (since they target different operating systems), they have similar proxy settings and script formats. In particular, WERDLOD uses scripts running on hxxp://127.0.0.1:555/#{random_string}.js?ip=#{my_ip} as proxy:

Figure 1

Figure 1

Figure 12 : Local Area Network (LAN) settings

Comparing it to OSX_DOK.C, we can see that it uses the same script format:

Figure 1

Figure 13: OSX_DOK.C network settings

Both malware have similar targets:

Both WERDLOD and OSX_DOK.C targeted financial institutions, with a particular focus on banks in Switzerland. Further analysis of both malware revealed that their main targets are very similar, as seen in the screenshot below. While it’s possible that this is a coincidence, the rest of the evidence makes it unlikely for these two malware to target the same organizations by chance.

Figure 1

Figure 14: OSX_DOK.C target banks

Given the connection between WERDLOD and OSX_DOK.C, it is reasonable to assume that the latter is also a part of the Operational Emmental campaign. To further illustrate, here is a timeline of Operation Emmental and its potential relationship to OSX_DOK.C:

Figure 1

Figure 15: Connecting Operation Emmental with OSX_DOK.C

Mitigation and Trend Micro Solutions

Despite phishing incidents for Mac devices being rarer than their Windows counterparts, users should still be aware that attackers can target them at any moment. By implementing best practices for phishing-type attacks—such as refraining from downloading files unless they are absolutely certain that they come from trustworthy sources—users can avoid being victimized by malware such as OSX_DOK.C that prey on users who lack awareness of phishing strategies.

In addition, end users can also benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against viruses, ransomware, malicious websites, and identity thieves. It also provides secure storage of passwords and other sensitive information. Trend Micro™ Mobile Security for Apple devices (available on the App Store) can monitor and block phishing attacks and other malicious URLs.

For enterprises, Trend Micro’s Smart Protection Suites with XGen™ security, which support Mac systems, infuse high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

With additional analysis from Yi-Jhen Hsieh (DSNS lab, National Chiao Tung University)

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

OSX Malware Linked to Operation Emmental Hijacks User Network Traffic

Read more: OSX Malware Linked to Operation Emmental Hijacks User Network Traffic

Story added 10. July 2017, content source with full text you can find at link above.