
APT32 multi-stage macOS Trojan innovates on crimeware scripting technique

In the same week that Microsoft disclosed that the APT32 (a.k.a. “OceanLotus,” “Bismuth,” “SeaLotus”) team had deployed cryptominer software like a common criminal operator, Trend Micro researchers released details of an update to the APT32 macOS backdoor, which also appears to have learned from commodity malware authors. The backdoor uses a novel delivery method that echoes the techniques of other threat actors and adds some interesting new behaviour. In this post, we review some of the details from earlier reports and add new IoCs and observations that have not been mentioned elsewhere.

A disguised application bundle for delivery
The first stage is an application bundle masquerading as an MS Office Word document.


Previous research has noted that the bundle uses a novel technique to stop MS Office from trying to open the disguised application as a document: a Unicode character is embedded in the file name. This causes Launch Services to call “open” on the file instead of handing it to the default .doc handler.

When launched, the application replaces the malicious application bundle with a genuine MS Office document: the same file name is used, but the hidden Unicode character is now removed. After this bait-and-switch, the document is opened and presented to the user.

The entire technique is invisible to the user, who only sees a document with the same name as the one they double-clicked. In the meantime, the second-stage payload has been dropped in the /tmp folder and is running to install a hidden persistence agent and the third-stage malicious executable.
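
Defenders can hunt for the masquerade described above by looking for file names that contain invisible or format Unicode code points, and for application bundles whose visible name ends in a document extension. The following is an added example, not code from the original article or from the malware; the sample names (including the trailing U+200B zero-width space), the temporary on-disk fixture and all function names are this example's own constructions.

```python
"""Added example, not code from the original article: flag file names that
carry invisible or format Unicode characters, the masquerade the article
describes for the lure bundle. The sample names, the temp fixture and the
function names are this example's own constructions.
"""
import os
import tempfile
import unicodedata

DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")
# General categories that have no place in a human-readable file name:
# Cf (format, e.g. zero-width space), Cc (control), Co (private use), Cn (unassigned).
SUSPECT_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}


def suspicious_codepoints(name: str) -> list:
    """(index, 'U+XXXX', category) for each invisible/format code point in name."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for i, ch in enumerate(name)
            if unicodedata.category(ch) in SUSPECT_CATEGORIES]


def visible_name(name: str) -> str:
    """The name as a user perceives it: suspect code points removed."""
    return "".join(ch for ch in name
                   if unicodedata.category(ch) not in SUSPECT_CATEGORIES)


def is_app_bundle(path: str) -> bool:
    """A directory with Contents/MacOS and Contents/Info.plist is an app bundle,
    whatever its extension says (or hides)."""
    contents = os.path.join(path, "Contents")
    return (os.path.isdir(os.path.join(contents, "MacOS"))
            and os.path.isfile(os.path.join(contents, "Info.plist")))


def classify_entry(name: str, bundle: bool) -> list:
    """Reasons this directory entry looks like a document masquerade, [] if none."""
    reasons = []
    hits = suspicious_codepoints(name)
    if hits:
        reasons.append("invisible Unicode code point(s): "
                       + ", ".join(cp for _, cp, _ in hits))
    shown = visible_name(name).lower()
    if bundle and shown.endswith(DOC_EXTENSIONS):
        reasons.append("application bundle whose visible name ends in a document extension")
    return reasons


def scan_directory(root: str) -> dict:
    """Return {path: reasons} for every entry under root that earns a reason."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            bundle = is_app_bundle(path)
            reasons = classify_entry(name, bundle)
            if reasons:
                hits[path] = reasons
            if bundle:
                dirnames.remove(name)   # do not descend into bundle internals
        for name in filenames:
            reasons = classify_entry(name, False)
            if reasons:
                hits[os.path.join(dirpath, name)] = reasons
    return hits


def build_fixture_and_scan() -> dict:
    """Constructed on-disk fixture: a fake app bundle named like a Word document
    with a trailing zero-width space (U+200B), beside a benign document and a
    benign accented name. Returns the scan hits keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        lure = os.path.join(root, "Invoice.doc\u200b")
        os.makedirs(os.path.join(lure, "Contents", "MacOS"))
        open(os.path.join(lure, "Contents", "Info.plist"), "wb").close()
        open(os.path.join(root, "report.docx"), "wb").close()
        open(os.path.join(root, "R\u00e9sum\u00e9.pdf"), "wb").close()
        return {os.path.basename(p): r for p, r in scan_directory(root).items()}


if __name__ == "__main__":
    for name, why in build_fixture_and_scan().items():
        print(repr(name), "->", "; ".join(why))
```

Point scan_directory at ~/Downloads or ~/Desktop to check real user folders. The bundle check deliberately ignores the extension and looks at the Contents/ layout instead, because the whole point of the lure is that the extension a user sees is not the one Launch Services acts on.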

Shell executable contains a Base64-encoded Mach-O
This technique is paired with another borrowed from commodity adware and PUP authors: using a shell script as the main executable inside the application bundle and as the vehicle for dropping an embedded base64-encoded payload.

Note that line 4 defines a variable holding roughly 850KB of base64-encoded data. On line 40, that data is piped through the base64 utility, written to a subdirectory of /tmp, given executable permission with chmod, and launched as the second-stage payload.

Importantly, by line 40 the script has taken steps to deal with two macOS security features: App Translocation and File Quarantine. The former was introduced by Apple to prevent executables from accessing external resources via relative paths and thereby bypassing Gatekeeper checks. But, like Gatekeeper itself, App Translocation relies on the executable being tagged with the com.apple.quarantine bit.

In this case, the script actively attempts to remove any quarantine bits and, if that fails and the malware finds itself running from a read-only (translocated) path, it locates itself via its MD5 hash and attempts to execute from the untranslocated path on disk.

The hidden persistence mechanism of the second stage payload
Once decoded from base64, the second-stage payload is a universal (FAT) binary containing Mach-O slices for the i386 and x86_64 architectures. It is written in C.

As previous research has pointed out, this stage is responsible for dropping a persistence agent with the label “com.apple.marcoagent.voiceinstallerd” and program arguments pointing to an executable named “mount_devfs”.

However, we also note that this stage contains code that tests the UID to determine whether the executable is running as root. If so, it writes the persistence mechanism to /Library/LaunchDaemons instead of the user’s ~/Library/LaunchAgents folder.

In both cases the program arguments are the same, pointing to a custom subfolder of the Library folder called “User Photos” and an executable named mount_devfs, which is likewise a FAT binary containing Mach-O slices written in C.

Another point not mentioned in earlier research is that the launch agent or launch daemon plist is written with the “hidden” file flag set, so users won’t see it in Finder by default.
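
The persistence pattern described in this section (an Apple-looking label, an executable under a custom Library subfolder, and a plist carrying the hidden flag) can be triaged directly from the plist files. The following is an added example and not code from the original article or the malware. The label, executable name and folder name are the indicators the article reports; the two sample plists, the “Apple-style label outside system paths” heuristic and all function names are this example's own constructions.

```python
"""Added example, not code from the original article or from the malware:
triage launchd property lists for the persistence pattern described above.
Function names and the two sample plists are this example's own constructions;
the label, executable name and folder name are the indicators the article reports.
"""
import os
import plistlib
import stat

# Indicators reported in the article.
KNOWN_LABELS = {"com.apple.marcoagent.voiceinstallerd"}
KNOWN_EXEC_NAMES = {"mount_devfs"}
KNOWN_DIR_FRAGMENTS = ("/Library/User Photos/",)

# Heuristic (this example's own): Apple's own launchd jobs run binaries from
# system paths; a "com.apple.*" label pointing elsewhere deserves a look.
APPLE_LABEL_PREFIX = "com.apple."
SYSTEM_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def parse_launch_item(data: bytes) -> dict:
    """Parse a launchd plist (XML or binary) into the fields we score on."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else "")
    return {
        "label": str(plist.get("Label", "")),
        "program": str(program),
        "args": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }


def is_hidden_on_disk(path: str) -> bool:
    """True when the file carries the BSD UF_HIDDEN flag (what `chflags hidden`
    sets, the flag the article describes). st_flags exists only on macOS/BSD;
    on other platforms this reports False instead of raising."""
    return bool(getattr(os.lstat(path), "st_flags", 0) & stat.UF_HIDDEN)


def score_launch_item(item: dict, hidden: bool = False) -> list:
    """Return the reasons an item matches the reported persistence, [] if none."""
    reasons = []
    label, program = item["label"], item["program"]
    if label in KNOWN_LABELS:
        reasons.append(f"known malicious label {label}")
    if os.path.basename(program) in KNOWN_EXEC_NAMES:
        reasons.append(f"known malicious executable name {os.path.basename(program)}")
    if any(frag in program for frag in KNOWN_DIR_FRAGMENTS):
        reasons.append("program lives in the reported 'User Photos' folder")
    if label.startswith(APPLE_LABEL_PREFIX) and not program.startswith(SYSTEM_ROOTS):
        reasons.append("Apple-style label but program outside system paths")
    if hidden:
        reasons.append("plist carries the UF_HIDDEN flag")
    return reasons


def triage_plist_bytes(data: bytes, hidden: bool = False) -> list:
    return score_launch_item(parse_launch_item(data), hidden)


def triage_directory(directory: str) -> dict:
    """Walk a LaunchAgents/LaunchDaemons folder; return {path: reasons} for hits."""
    hits = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".plist") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            reasons = triage_plist_bytes(fh.read(), is_hidden_on_disk(path))
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample shaped like the plist the article describes (not the real file).
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.marcoagent.voiceinstallerd",
    "ProgramArguments": ["/Users/victim/Library/User Photos/mount_devfs"],
    "RunAtLoad": True,
})
# Constructed benign sample: an ordinary third-party updater agent.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("sample :", triage_plist_bytes(SAMPLE_PLIST, hidden=True))
    print("benign :", triage_plist_bytes(BENIGN_PLIST))
    for folder in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchDaemons"):
        if os.path.isdir(folder):
            for path, why in triage_directory(folder).items():
                print(path, "->", "; ".join(why))
```

The indicator matches are exact and will only catch this sample; the label-versus-path heuristic is the part worth keeping, since it does not depend on the attacker reusing the same strings. Run it as root to cover /Library/LaunchDaemons as well as each user's LaunchAgents folder.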

Third-stage payload and hard-coded calling cards
According to earlier research, the malicious “mount_devfs” executable provides the actors with backdoor functionality, including the ability to exfiltrate information and download files to the target machine.

For downloads, the actors use the same built-in dylib, libcurl.4.dylib, as the Lazarus APT.

The third-stage payload has the ability to collect data about the device and its environment, including the computer host name.

Curiously, the sample contains two hard-coded strings that may be “calling cards” or have some internal meaning for the malware developers:

“Jasyndurthe King’s Hand”
“ CagliostrothePrecise”

Detection and mitigation
Although static signature engines were unaware of the samples until this week’s research was published, the malware can already be detected behaviourally.

The first stage attempts to remove the quarantine bit from the user’s home directory and from every file within it. From a detection standpoint this is extremely “noisy”, since no legitimate process is likely to exhibit this behaviour.
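
One way to turn that observation into a detection is to watch process-execution telemetry for xattr invocations that strip com.apple.quarantine recursively from the home directory, or for a burst of single-file removals from one parent process. The following is an added example, not code from the original article: the log line format, the constructed sample events, the thresholds and the function names are all this example's own assumptions, so adapt the parser to whatever event schema your EDR or Endpoint Security client emits.

```python
"""Added example, not code from the original article: flag the 'noisy'
quarantine-stripping behaviour described above in process-exec telemetry.
The log format, the sample lines, the thresholds and the function names are
constructed for this example.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event format: one exec event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) "
    r"exe=(?P<exe>\S+) argv=(?P<argv>.*)$"
)
QUARANTINE_ATTR = "com.apple.quarantine"
BURST_THRESHOLD = 20                   # single-file removals from one parent ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window trip an alert


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["argv"] = shlex.split(ev["argv"])
    return ev


def classify_xattr(argv: list, home: str):
    """'recursive_clear', 'quarantine_delete' or None for one xattr argv.
    Only invocations that touch the user's home directory count."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    flags = set()
    for a in argv[1:]:
        if a.startswith("-") and len(a) > 1 and not a.startswith("--"):
            flags.update(a[1:])          # -rc == -r -c
    targets = [a for a in argv[1:] if not a.startswith("-") and a != QUARANTINE_ATTR]
    touches_home = any(t == home or t.startswith(home + "/") for t in targets)
    if "r" in flags and ("c" in flags or QUARANTINE_ATTR in argv) and touches_home:
        return "recursive_clear"
    if "d" in flags and QUARANTINE_ATTR in argv and touches_home:
        return "quarantine_delete"
    return None


def detect(lines: list, home: str) -> list:
    """Return alert dicts, in the order they fire, for the given event lines."""
    alerts = []
    recent = defaultdict(list)   # ppid -> timestamps of single-file removals
    for line in lines:
        ev = parse_line(line)
        kind = classify_xattr(ev["argv"], home)
        if kind == "recursive_clear":
            alerts.append({"rule": "recursive_quarantine_strip", "pid": ev["pid"],
                           "ppid": ev["ppid"], "ts": ev["ts"].isoformat()})
        elif kind == "quarantine_delete":
            window = recent[ev["ppid"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.pop(0)
            if len(window) == BURST_THRESHOLD:   # fire once per burst
                alerts.append({"rule": "quarantine_strip_burst", "ppid": ev["ppid"],
                               "count": len(window), "ts": ev["ts"].isoformat()})
    return alerts


# Constructed sample telemetry: one recursive strip of the home folder, a burst
# of 25 single-file removals from the same parent, and one benign manual removal.
SAMPLE_LOG = [
    "2020-12-01T10:00:00Z pid=600 ppid=480 user=victim exe=/usr/bin/xattr "
    "argv=xattr -rc /Users/victim",
] + [
    f"2020-12-01T10:00:{i:02d}Z pid={601 + i} ppid=480 user=victim exe=/usr/bin/xattr "
    f"argv=xattr -d com.apple.quarantine /Users/victim/Documents/file{i}.docx"
    for i in range(1, 26)
] + [
    "2020-12-01T10:05:00Z pid=700 ppid=333 user=victim exe=/usr/bin/xattr "
    "argv=xattr -d com.apple.quarantine /Users/victim/Downloads/tool.dmg",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "/Users/victim"):
        print(alert)
```

The single benign removal at the end does not alert, which is the behaviour you want: users do occasionally clear the attribute on one download by hand, and the signal here is volume and scope, not the command itself. The parent PID is the pivot for triage, since in the described sample that would be the shell script running as the bundle's main executable.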

When the second-stage payload attempts to achieve persistence, it can trigger detections for MITRE ATT&CK techniques T1150 and T1160.

Apple has now revoked the sample’s code signature, although the malware could still be executed by stripping the signature or re-signing it with another developer ID or an ad hoc signature.

Defenders can look for the Team Identifier “UD9UN593Z4” used to sign the malware, as well as the bundle identifier “com.apple.files” of the initial malicious application, the persistence mechanism’s label “com.apple.marcoagent.voiceinstallerd”, and the executable path “mount_devfs”.

In the sample we tested, the malware’s C2 is the following URL on the domain mihannevis[.]com:

http[:]//mihannevis[.]com/joes/NAZALgEyGj7b3jNYzbypYX8a/manifest[.]js

The static reputation engine is not currently aware of the third-stage payload, so defenders should rely on behavioural indicators to ensure detection.

Although much macOS malware is written in a simple or unskilled manner, the actors behind this multi-stage backdoor Trojan have deployed some novel techniques and improved on techniques used by commodity malware such as Shlayer and adware such as Bundlore. This shows that they have both the skills and the resources to imitate and innovate in pursuit of their goals.

Persistence path
[~]/Library/User Photos/mount_devfs

C2 Servers
mihannevis[.]com