macOS Malware Analysis Lets Defend Challenge
🔗app.letsdefend.io/challenge/macos-malware
Mac StealthWare has recently emerged as a new and formidable threat in the world of MacOS security. Unlike typical malware, Mac StealthWare is highly sophisticated and uses advanced evasion techniques to avoid detection by traditional security measures.
The malware is typically distributed through malicious email attachments, fake software updates, or compromised websites. Unsuspecting users inadvertently download and run the malware, believing it to be legitimate software.
We should open our file and commence our investigation.
QUESTION 1:
How many web browsers does this malware target for data extraction?
Hint: Search in the “main” function about browsers.
How to use Ghidra, a free, open-source reverse engineering tool, to answer this question:
❖Launch Ghidra: Open the Ghidra application on your computer. If Ghidra isn’t installed yet, download it from the official website.
❖Create a new project: Name and locate your project, then click “OK” to create it.
❖Import the binary file: Navigate to “File” > “Import File…” and choose your binary file. Click “Next” without changing settings.
❖Wait for analysis: Ghidra will analyze the file; a progress bar will show the analysis status.
We have identified that the web browsers targeted by the malware for data extraction are listed as strings within the “_main” function of the binary. Based on the image provided above, we can identify the following web browsers: Google Chrome, Mozilla Firefox, Brave Browser, Microsoft Edge, Vivaldi, Opera, and Opera GX.
ANSWER: 7
QUESTION 2
How many different cryptocurrency wallets are targeted by malware?
Hint: Check the wallets targeted by malware in the “main” function.
Upon investigation, we’ve discovered the web browsers that the malware aims to compromise. Continuing to scroll down within the “_main” function reveals additional targets, including several cryptocurrency wallets.
We have identified that the cryptocurrency wallets targeted by the malware for data extraction are also listed within the “_main” function of the binary. Based on the image provided above, we can identify the following cryptocurrency wallets: Electrum, Coinomi, Exodus, Atomic and Binance.
ANSWER: 5
QUESTION 3
What is the specific part of the file path that follows the user’s home directory that is related to Coinomi and is used by the malware?
Hint: Check the wallet paths on the “main” function.
Given that our analysis shows Coinomi is one of the cryptocurrency wallets targeted by the malware, it should be relatively straightforward to identify the portion of the file path that follows the user’s home directory.
Let’s delve deeper into the main function of the binary to investigate this.
The code snippet shows how the malware constructs file paths by copying and concatenating strings. Initially, it duplicates the content of local_418, which likely holds the user’s home directory path, into local_1278. Subsequently, it appends "/Coinomi/wallets/" to local_1278, producing the full path to the Coinomi wallet directory.
ANSWER: Coinomi/wallets/
QUESTION 4
What is the Telegram identifier that is used by malware?
Hint: Look for the telegram path in the “main” function.
The phrase “Telegram identifier” refers to the string that identifies Telegram’s data directory on macOS. The malware uses this identifier to build the path to Telegram’s local files so that it can locate and collect them. So, when someone asks about the “Telegram identifier used by malware,” they are asking about the specific directory name the malware appends to reach Telegram’s data.
In order to answer the question, let’s follow the hint given to us.
The code excerpt shows the malware appending a directory path to the string held in the variable local_1cc8. In particular, it extends the string in local_1cc8 by appending the directory path "/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/appstore/".
ANSWER: 6N38VWS5BX.ru.keepcoder.Telegram
QUESTION 5
What IP address is used by malware to send data over HTTP?
Hint: Search for the function used by malware to send the stolen data.
How to use IDA Freeware, a disassembler and debugger used for reverse engineering binary executables:
❖Open the Malware Binary in IDA Freeware: If IDA Freeware isn’t installed yet, download it from the official website. Launch IDA Freeware and open the malware binary file by navigating to File > Open.
❖Analyze the Binary: Let IDA analyze the binary. This process might take some time depending on the size and complexity of the malware.
The initial step is to identify the function responsible for sending data; it is listed in the “Function name” column of IDA’s Functions window.
Once you’ve selected the “_send_data_via_http” function, a panel will appear on the right side. Navigate to that panel, right-click, and switch to the text view option.
This segment of the code loads the IP address “91.103.252.213” into memory and converts it to network byte order through the _inet_addr function. This indicates that the malware uses the IP address “91.103.252.213” to transmit data over HTTP.
ANSWER: 91.103.252.213
QUESTION 6
What is the offset of the function used to grab chromium?
Hint: Find the function that has grabbed chromium using the function name in IDA and then click to view the address.
Navigate to the “_SearchAndGrabChromium” entry and select the function button next to it to reveal the right panel. Scroll through the panel to locate the function’s address.
IDA displays the “_SearchAndGrabChromium” function at 100022DF0. This is the function’s address as determined by the memory layout of the executable binary: it is the entry point of the Chromium-grabbing routine, reflecting its starting position in the disassembled code. The answer is written with a 0x prefix because the address is a hexadecimal value.
ANSWER: 0x100022DF0
QUESTION 7
What is the offset of the “send_data_via_http” function used by the malware?
Hint: Search for Send API and click on xref to see the Send function.
Let’s repeat the process we used to locate the Chromium-grabbing function.
Navigate to the “_send_data_via_http” entry and select the function button next to it to reveal the right panel. Scroll through the panel to locate the function’s address.
The offset of the “_send_data_via_http” function is 100021DF0.
ANSWER: 0x100021DF0
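The addresses IDA shows for “_SearchAndGrabChromium” and “_send_data_via_http” are virtual addresses inside the binary’s __TEXT segment. The following Python is an added example, not part of the original post or the challenge, that parses the LC_SEGMENT_64 load commands of a 64-bit Mach-O and maps such an address to its raw file offset; the sample header it builds is constructed, not the real challenge binary, and assumes the usual __TEXT base of 0x100000000.

```python
import struct
from typing import Optional

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19       # segment_command_64 load command
MACH_HEADER_64_SIZE = 32   # 8 x uint32

def segments_64(data: bytes) -> list:
    """Return the LC_SEGMENT_64 entries (name, vmaddr, vmsize, fileoff, filesize)."""
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, segs = MACH_HEADER_64_SIZE, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16s4Q", data, off + 8)
            segs.append({"name": name.rstrip(b"\0").decode(), "vmaddr": vmaddr,
                         "vmsize": vmsize, "fileoff": fileoff, "filesize": filesize})
        off += cmdsize
    return segs

def va_to_file_offset(data: bytes, va: int) -> Optional[int]:
    """Map a virtual address (as shown by IDA) to the byte offset in the file."""
    for s in segments_64(data):
        if s["vmaddr"] <= va < s["vmaddr"] + s["vmsize"]:
            delta = va - s["vmaddr"]
            # __PAGEZERO and bss-like tails have no backing bytes in the file.
            return s["fileoff"] + delta if delta < s["filesize"] else None
    return None

def build_sample_macho() -> bytes:
    """Constructed minimal header plus two segment commands (no real code bytes)."""
    def seg(name, vmaddr, vmsize, fileoff, filesize):
        return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name,
                           vmaddr, vmsize, fileoff, filesize, 0, 0, 0, 0)
    cmds = seg(b"__PAGEZERO", 0, 0x100000000, 0, 0)
    cmds += seg(b"__TEXT", 0x100000000, 0x30000, 0, 0x30000)
    # filetype 2 = MH_EXECUTE; cputype 0x0100000C = arm64 (assumed for the sample)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    sample = build_sample_macho()
    for va in (0x100022DF0, 0x100021DF0):
        print(f"{va:#x} -> file offset {va_to_file_offset(sample, va):#x}")
```

Run against the real sample, the returned offset is where to seek in the file to hash or carve the function bytes for a detection signature.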
QUESTION 8
What command is used by the malware to obtain information about hardware components on the MacOS system?
Hint: Look for the function called “userinfo”.
Malware targets macOS hardware information to customize its actions, exploit weaknesses, or avoid detection. This data shapes payloads, instructions, and evasion tactics, while also aiding in identity theft or evasion through unique identifiers.
Navigate to the “_userinfo” entry and select the function button next to it to reveal the right panel. Scroll through the panel to read the function’s disassembly.
This code gathers hardware information from the Mac. Initially, it prepares a command that requests details about the computer’s hardware, such as its processor type and memory. Then, it executes that command and, once the output is returned, stores the result in memory. Finally, it releases the resources it used so that little trace of the query remains.
ANSWER: system_profiler SPHardwareDataType
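All of the answers above (browser and wallet names, the Coinomi path fragment, the Telegram group-container directory, the exfiltration IP and the system_profiler command) are plain strings embedded in the binary, so a defender can recover them with a string triage script before opening a disassembler. The Python below is an added example, not code from the post or the challenge; the SAMPLE_BINARY bytes are a constructed stand-in for the real file’s data section, not the malware itself.

```python
import re

# Constructed stand-in for the stealer's data section: printable strings separated
# by non-printable bytes, mirroring what the walkthrough saw in _main.
SAMPLE_BINARY = (
    b"\x00\x00Google Chrome\x00Mozilla Firefox\x00Brave Browser\x00Microsoft Edge\x00"
    b"Vivaldi\x00Opera\x00Opera GX\x00\x01\x02/Electrum/\x00/Coinomi/wallets/\x00"
    b"/Exodus/\x00/Atomic/\x00/Binance/\x00"
    b"/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/appstore/\x00"
    b"\xff\xfe91.103.252.213\x00system_profiler SPHardwareDataType\x00"
)

BROWSERS = ["Google Chrome", "Mozilla Firefox", "Brave Browser",
            "Microsoft Edge", "Vivaldi", "Opera", "Opera GX"]
WALLETS = ["Electrum", "Coinomi", "Exodus", "Atomic", "Binance"]
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Match extracted strings against the indicator classes discussed in the walkthrough."""
    strings = extract_strings(data)
    exact = set(strings)
    return {
        # exact matches, so "Opera" does not double-count "Opera GX"
        "browsers": [b for b in BROWSERS if b in exact],
        # wallets appear as path components, e.g. "/Coinomi/wallets/"
        "wallets": [w for w in WALLETS if any(f"/{w}/" in s for s in strings)],
        # directory name directly under ~/Library/Group Containers/
        "group_containers": [s.split("Group Containers/")[1].split("/")[0]
                             for s in strings if "Group Containers/" in s],
        "ipv4": sorted({s for s in strings if IPV4.match(s)}),
        "recon_cmds": [s for s in strings if s.startswith("system_profiler ")],
    }

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_BINARY).items():
        print(f"{key}: {len(hits)} -> {hits}")
```

On a real sample, run the same function over the whole file; the hit lists give you the browser and wallet counts, the exfiltration address to block, and the reconnaissance command to hunt for in process telemetry.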
_________________________________________________________________
In conclusion, malware targeting macOS systems has become increasingly sophisticated, often aiming to steal sensitive information, exploit vulnerabilities, or perpetrate various forms of cybercrime. These malicious programs leverage tactics like social engineering, exploiting software vulnerabilities, or tricking users into installing them unknowingly. As macOS continues to gain popularity, it becomes a more attractive target for attackers, necessitating robust security measures and user vigilance to mitigate the risks posed by malware.
Thank you for taking the time to read my post. If you found it informative, please consider sharing it with your social networks and friends. Spreading knowledge about cybersecurity helps empower others to stay safe online. Together, we can create a more secure digital environment for everyone.
INSTAGRAM: @itsdanielpius
X (Twitter): @itsdanielpius