UPDATE — 24 April 2021: The second stage payload was shared with me by Peter Kruse (@PeterKruse), thanks to him. Please find the second stage payload analysis at the end of this document.
One hour ago, I became aware of this supply chain attack from a tweet by Kim Zetter. If you don’t follow her, please do, and subscribe to her blog for amazing cyber espionage related content: firstname.lastname@example.org
Why this quick analysis? Well, it’s Friday, this news will worry a lot of people, and many will want to know what it is about, and fast.
I got many requests after my last tweet on the discovery of a backdoored Electrum wallet that was notarized by Apple!
The requests were about how I was able to extract the Python source code from a Py2App packaged Mach-O file and discover the backdoor code.
Here’s the hash to use for this morning’s quick tutorial: 313efd27555f2d024e56d88a31ffda045e0e0d13db868867e416f0330e3ba773 electrum-4.0.9.dmg
Below are the steps I followed:
hdiutil mount electrum-4.0.9.dmg
After successful exploitation of CVE-2019-1367, the malicious Magnitude Exploit Kit shellcode instructions are executed. The first stubs are a simple shellcode loader that ultimately does the following:
We have different breakpoint options here to dump the loaded shellcode unmodified. One option is to set a breakpoint on CreateThread() and dump the memory pointed to by its third argument, which is the memory area containing the shellcode; in our testing environment it was at 0x1a60000:
In Part 1 we explained the root cause of the CVE-2019-1367 vulnerability. In this part we will discuss how this bug was exploited in the wild to achieve code execution.
We will focus on the exploits we found in the wild used by both Magnitude Exploit Kit and DarkHotel APT.
If needed, readers can go directly to Part 3 for the Magnitude Exploit Kit shellcode analysis.
The following will present the type confusions and the exploit primitives that were built to achieve code execution in the CVE-2019-1367 exploits found in the wild.
For this bug class, an overlay of fake VARs was allocated on top…
In this section we will go through the process of extracting the exploit from the pcaps generously provided by malware-traffic-analysis.
Luckily for us the pcaps contain the traffic of a successful exploitation of a target!
This will help us see what further network requests were made after successful exploitation and shellcode execution, and ultimately get to the dropped payload (which is in the pcap as well!).
Looking at the first HTTP request, we can see Accept-Language: ko-KR, a good indication that it is targeting Korean users. This is in line with Magnitude Exploit Kit targeting:
There are some important aspects to know about CVE-2019-1367 before diving into the technical analysis, including the intel around it and the series of events following the in-the-wild exploitation and the Microsoft patches.
First of all, here is the bug class of this bug, based on the Google Project Zero report:
JScript variable (represented as a VAR structure) isn’t properly tracked by the garbage collector
Looking at a recent malvertising campaign detected by Confiant’s real-time malvertising detection engine, we stumbled upon a slightly different piece of the macOS Bundlore Loader, so we thought it might be interesting for our readers to get some enlightening feedback on what our favorite malvertising threat actors are up to these days. We are also going to share some techniques and tools that we specifically built for this exercise, tools that can be used to analyze other macOS malware as well... so without further ado, let’s get started!
macOS malware is becoming a serious threat to Mac users. Cyber criminals, APT groups and nation state actors are extensively targeting Apple iOS/macOS devices for various reasons. Continuous innovation and development of Apple platforms ultimately leads to new attack surfaces (and more 0-days sold in the underground). Built-in anti-malware features are weak: macOS ships with Gatekeeper and XProtect, but both of these protections can be bypassed by new malware. Finally, Apple devices are trendy, sometimes considered a wealth indicator, or simply becoming more useful in millions of people’s everyday lives. …
Threat Intelligence @ConfiantIntel. Follow me on twitter @lordx64