
At @ConfiantIntel we had some “luck” finding a new malware targeting the new Apple flagship M1 computers. I put “luck” in quotes because, as we know, when you do cyber you don’t rely on luck to find stuff; you look at the places where stuff like this is most likely to be found.

This has to do with Confiant’s detection engine and our unique position in the kill chain: scanning malicious ads as they load on major publisher websites in the United States.

Not only do we see bad ads loading and scan them, but we block them as well. In…


UPDATE — 24 April 2021: The second stage payload was shared with me by Peter Kruse (@PeterKruse); thanks to him. Please find the second stage payload analysis at the end of this document.

One hour ago, I became aware of this supply chain attack from a tweet by Kim Zetter. If you don’t follow her, please do, and subscribe to her blog for amazing cyber espionage related content:

Why this quick analysis? Well, it’s Friday, and this news will worry a lot of people, and many will want to know what this is about, and fast.


I got many requests after my last tweet on the discovery of a backdoored Electrum wallet that was notarized by Apple!

The requests were about how I was able to extract the Python source code from a Py2App-packaged Mach-O file and discover the backdoor code.

Here’s the hash to use for this morning’s quick tutorial: 313efd27555f2d024e56d88a31ffda045e0e0d13db868867e416f0330e3ba773 electrum-4.0.9.dmg

Below are the steps I followed.

Step 1

  • Mount the .dmg file, and locate the packed Mach-O file we want to extract the source code from:
hdiutil mount electrum-4.0.9.dmg

Shellcode Analysis

Extracting shellcode of Magnitude Exploit KIT

After successful exploitation of CVE-2019-1367, the malicious Magnitude Exploit Kit shellcode instructions are executed. The first stubs are a simple shellcode loader that ultimately does the following:

  • Allocates memory via kernel32!VirtualAlloc() with PAGE_EXECUTE_WRITECOPY permissions
  • Copies the shellcode to the allocated memory using kernel32!RtlMoveMemory()
  • Launches the shellcode via CreateThread()

We have different breakpoint options here to dump the loaded shellcode unmodified. We can set a breakpoint on CreateThread() and dump the memory pointed to by its third argument, which is the memory area containing the shellcode; in our testing environment it was at 0x1a60000:

breakpoint on kernel32!CreateThread()

In Part 1 we explained the root cause of the CVE-2019-1367 vulnerability. In this part we will discuss how this bug was exploited in the wild to achieve code execution.

We will focus on the exploits we found in the wild, used by both Magnitude Exploit Kit and the DarkHotel APT.

If needed, readers can go directly to Part 3 for the Magnitude Exploit Kit shellcode analysis.

CVE-2019-1367 exploitation

The following presents the type confusions and the exploit primitives that were built to achieve code execution in the CVE-2019-1367 exploits found in the wild.

Type confusion

For this bug class, an overlay of fake VARs was allocated on top…

Extracting the Exploit from the PCAP

In this section we will go through the process of extracting the exploit from the pcaps generously provided by malware-traffic-analysis.

Luckily for us the pcaps contain the traffic of a successful exploitation of a target!

This will help us see what further network requests were made after successful exploitation and shellcode execution, and ultimately get to the dropped payload (which is in the pcap as well!).

Looking at the first HTTP request, we can see Accept-Language: ko-KR, a good indication that it is targeting Korean users. This is in line with Magnitude Exploit Kit’s targeting:


CVE-2019-1367 background and in-the-wild exploitations

There are some important aspects to know about CVE-2019-1367 before diving into the technical analysis, including the intel around it and the series of events following the in-the-wild exploitations and Microsoft patches.

First of all, here is the bug class of this vulnerability, based on the Google Project Zero (P0) report:

JScript variable (represented as VAR structure) isn’t properly tracked by garbage collector

It is important to understand the bug class. For example, Google P0 will perform what they call a variant analysis to discover additional vulnerabilities from the same bug class. …


Looking at a recent malvertising campaign detected by Confiant’s real-time malvertising detection engine, we stumbled upon a slightly different piece of the macOS Bundlore loader, so we thought it might be interesting for our readers to get some enlightening feedback on what our favorite malvertising threat actors are up to these days. We are also going to share some techniques and tools that we built specifically for this exercise, and tools that can be used to analyze other macOS malware as well... so without further ado, let’s get started!


macOS malware is becoming a serious threat to Mac users. Cyber criminals, APT groups and nation state actors are extensively targeting Apple iOS/macOS devices for various reasons. Continuous innovation and development of Apple platforms ultimately leads to new attack surfaces (and more 0-days sold in the underground). Built-in anti-malware features are weak: macOS ships with Gatekeeper and XProtect, but both of these protections can be bypassed by new malware. Finally, Apple devices are trendy, sometimes considered a wealth indicator, or simply becoming more useful in millions of people’s everyday lives. …

taha karim

Dir. Threat Intelligence @ConfiantIntel. My Twitter is @lordx64.