Sunday, April 15, 2018

Writing Query Packs to Detect APT32's macOS Malware Variants: Part One

Recently, I decided to learn how to write my own query packs for osquery.  I’ve been spending a lot of time lately learning about macOS malware and osquery has proven to be a useful tool.  When I saw a report from Trend Micro of a new malware variant targeting macOS, it seemed like a good opportunity for some practice.

In this first part of a two three part post, I will go over some query pack basics and some info about macOS malware variants.  In part two I'll go over details on writing queries. In part three, I’ll go more in-depth about how I used osquery to find the indicators, and how to use the same technique for threat hunting on macOS.  

Query Packs

Osquery can be used in two modes, interactive and as a daemon.  When running as a daemon, lists of rules, supplied as external json files called query packs, can be applied. These query packs are applied by simply adding a file path to the “packs” section of the configuration file, /var/osquery/osquery.conf.

Before I started writing my own pack, I first checked the osx-attacks pack in osquery’s github master branch.  I didn’t find a signature for the new variant, but I figured this query pack would give me a good template to start from.

The Malware

The next step was to decide what signatures to include in my query pack and to find samples of the malware.  The variant reported in early April was attributed by Trend Micro to the activity FireEye dubs  Advanced Persistent Threat (APT) 32 / Ocean Lotus.  

I am usually pretty skeptical about both the value and accuracy of attribution in open-source “threat intelligence”.  Since the goal of this endeavor was simply to learn to build signatures for osquery, I decided to accept the community consensus and focus on putting together an “Ocean Lotus” query pack.

According to a FireEye report:

Since at least 2014, FireEye has observed APT32 associated ttps and malware targeting foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors...In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013...

OK, so now that we know a little bit about APT32 activity, what malware is associated with it?  I was able to locate four variants of malware, specifically targeting macOS, publicly attributed to APT32 Ocean Lotus. 

The first variant is a trojan Mach-O binary disguised as a Flash update (SHA-256 12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888).  This file in turn writes another binary, named "corevideosd" to disk (SHA-256 3d974c08c6e376f40118c3c2fa0af87fdb9a6147c877ef0e16adad12ad0ee43a).  For more information on activity related to these samples, refer to the Alien Vault post.

The second variant is a .zip archive containing a trojan Mach-O binary disguised as a Word document. (SHA-256 b33370167853330704945684c50ce0af6eb27838e1e3f88ea457d2c88a223d8b). This variant writes to disk a persistent Mach-O binary, "servicessl" (SHA-256 07154b7a45937f2f5a2cda5b701504b179d0304fc653edb2d0672f54796c35f7).  For more info, see the Unit 42  post.

The third variant was a trojan Mach-O binary, this time disguised as a PDF (SHA-256

Lastly, we have the most recent variant, a malicious Word document (SHA-2562bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a) which drops the malicious Mach-O "spellagentd" (SHA-256 673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f). A detailed analysis was posted by Trend Micro.

Luckily, Patrick Wardle has posted samples of most of these variants on his Objective-See blog. For the remaining sample, a hat-tip goes to @acalarch for helping me out.

The query pack can be found on Github, I hope you'll stick around for Part Two.

Part Two, Writing the Rules

No comments:

Post a Comment