
The APT32 multi-stage macOS Trojan innovates on crimeware scripting technique

In the same week that Microsoft disclosed that the APT32 team (a.k.a. “OceanLotus,” “Bismuth,” “SeaLotus”) had deployed cryptominer software like a common criminal operator, Trend Micro researchers released details of an update to the APT32 macOS backdoor, which also appears to have learned from commodity malware authors. The backdoor uses a novel delivery method that echoes techniques of other threat actors and adds some interesting new behavior. In this article, we review some of the details from earlier reports and add new IoCs and observations that have not been mentioned so far.

A disguised application bundle for delivery
The first stage is an application bundle masquerading as an MS Office Word document.


Previous research has noted that the dropper uses a novel technique to stop MS Office from trying to open the disguised application as a document: a Unicode character is embedded in the file name. As a result, Launch Services calls “open” on the bundle instead of handing the file to the default handler for .doc.

On launch, the dropper replaces the malicious application bundle with a genuine MS Office document: the same file name is used, but the hidden Unicode character is now removed. After this bait and switch, the document is opened and presented to the user.

The whole technique is invisible to the user, who sees only a document with the same name as the one they double-clicked. Meanwhile, the second-stage payload is written to the /tmp folder and begins running to install a hidden persistence agent and the third-stage malicious executable.

The shell executable contains a base64-encoded Mach-O
This technique is paired with one borrowed from commodity adware and PUP publishers: a shell script serves as the primary executable inside the application bundle and as the tool that drops an embedded base64-encoded payload.

Line 4 of the script defines a variable holding roughly 850 KB of base64-encoded data. On line 40, that data is piped through the base64 utility, written to a subdirectory of /tmp, given executable permission with chmod, and launched as the second-stage payload.

Importantly, before reaching line 40 the script has taken steps to deal with two macOS security features: App Translocation and File Quarantine. The former is a mechanism Apple introduced to prevent executables from reaching external resources through relative paths and thereby bypassing Gatekeeper checks. But, like Gatekeeper itself, App Translocation only applies to executables that carry the com.apple.quarantine extended attribute.

In this case, the script aggressively attempts to remove all quarantine bits; if that fails and the malware finds itself running from a read-only (translocated) path, it locates its own copy by MD5 hash and attempts to execute it from the original, untranslocated path on disk.
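Both first-stage tricks above, the document-lookalike bundle name and the base64-carrying shell script, can be hunted for on disk. The following Python is an added example, not code from the original post or from any vendor: the hidden-character categories, the 100 KB blob threshold and the sample script are assumptions, and because the exact Unicode character APT32 used is not stated here, a zero-width space stands in for it.

```python
import re
import unicodedata

# Characters that render as nothing in Finder: format (Cf), control (Cc)
# and private-use (Co) code points. The exact character APT32 used is not
# given in the write-up; the tests use a zero-width space as a stand-in.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Co"}
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")

def hidden_code_points(name):
    """List the hidden characters in a file name as (index, 'U+XXXX') pairs."""
    return [(i, "U+%04X" % ord(c)) for i, c in enumerate(name)
            if unicodedata.category(c) in HIDDEN_CATEGORIES]

def document_lookalike_bundle(name, is_directory):
    """Flag a directory (app bundle) whose name reads as a document once the
    hidden characters are removed. Returns a reason string or None."""
    hidden = hidden_code_points(name)
    if not (is_directory and hidden):
        return None
    visible = "".join(c for c in name if unicodedata.category(c) not in HIDDEN_CATEGORIES)
    if visible.lower().endswith(DOCUMENT_EXTENSIONS):
        return "bundle named %r with hidden %s" % (visible, hidden)
    return None

# Stage-1 dropper heuristics: a very large base64 literal in the script,
# decoding through the base64 utility, and chmod of a file under /tmp.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DECODE_PIPE = re.compile(r"base64\s+(-d|--decode|-D)\b")
CHMOD_TMP = re.compile(r"chmod\s+\+?[ux0-7]+\s+\S*/tmp/")

def shell_dropper_score(script, min_blob=100_000):
    """Return the indicators found in a bundle's main shell script (threshold is an assumption)."""
    hits = []
    longest = max((len(m.group()) for m in BASE64_RUN.finditer(script)), default=0)
    if longest >= min_blob:
        hits.append("embedded base64 blob of %d characters" % longest)
    if DECODE_PIPE.search(script):
        hits.append("base64 decode")
    if CHMOD_TMP.search(script):
        hits.append("chmod under /tmp")
    return hits

# Constructed sample with the structure the write-up describes (not the real script).
SAMPLE_SCRIPT = ('#!/bin/sh\nPAYLOAD="' + "QUJD" * 30_000 + '"\n'
                 'echo "$PAYLOAD" | base64 -D > /tmp/stage2\n'
                 'chmod +x /tmp/stage2\n')
```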

The hidden persistence mechanism of the second-stage payload
Once decoded from base64, the second-stage payload is a universal FAT binary containing Mach-O slices for the i386 and x86_64 architectures. It is written in C.

As previous research has pointed out, this stage is responsible for dropping a persistence agent with the label “com.apple.marcoagent.voiceinstallerd” and the program argument “mount_devfs”.

However, we also note that this stage contains code that tests the UID to determine whether the executable is running as root. If so, it writes the persistence mechanism to /Library/LaunchDaemons instead of the user’s ~/Library/LaunchAgents folder.

In both cases, the program arguments are the same, pointing to a custom subfolder of the Library folder called “User Photos” and an executable named mount_devfs, which is likewise a FAT binary containing Mach-O slices written in C.

Another point not mentioned in earlier research is that the LaunchAgent or LaunchDaemon plist is written with the “hidden” flag set, so users will not see it in Finder by default.

Third-stage payload and hard-coded calling cards
According to earlier research, the malicious “mount_devfs” file provides the actors with backdoor functionality, including the ability to exfiltrate information and download files to the target machine.

For downloads, the actors use the same built-in dylib, libcurl.4.dylib, as Lazarus APT.

The third-stage payload can collect data about the device and its environment, including the host name.

Curiously, the sample contains two hard-coded strings that may be “calling cards” or have some internal meaning for the malware developers:

“Jasyndurthe King’s Hand”
“CagliostrothePrecise”

Detection and mitigation
Although static signature engines were unaware of the samples until this week’s research was published, the malware can already be detected by its behavior.

The first stage attempts to remove the quarantine bits from / and from every file in the user’s home directory. From a detection standpoint this is incredibly “noisy”, because no legitimate process is likely to exhibit this behavior.

When the second-stage payload attempts to achieve persistence, it can trigger detection of MITRE ATT&CK TTPs T1150 and T1160.

Apple has now revoked the sample’s code signature, although the malware can still be executed by stripping the signature or re-signing it with another developer ID or an ad hoc signature.

Defenders can look for the Team Identifier “UD9UN593Z4” used to sign the malware, the bundle identifier “com.apple.files” of the initial malicious application, the persistence mechanism’s label “com.apple.marcoagent.voiceinstallerd” and the executable path “mount_devfs”.
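For the persistence mechanism described earlier and summarised here, a defender can check both launchd folders for the label, the “User Photos”/mount_devfs program path and the hidden flag. This Python is an added example, not part of the original research; the sample plists are constructed, and the UF_HIDDEN check only has effect on macOS, where st_flags exists.

```python
import plistlib
import stat
from pathlib import Path

# Indicators quoted in the write-up: the launchd label, the executable name
# and the custom "User Photos" subfolder used by the second-stage payload.
SUSPECT_LABEL = "com.apple.marcoagent.voiceinstallerd"
SUSPECT_EXECUTABLE = "mount_devfs"
SUSPECT_SUBFOLDER = "User Photos"
# LaunchDaemons when the payload runs as root, else the user's LaunchAgents.
PERSISTENCE_DIRS = [Path("/Library/LaunchDaemons"),
                    Path.home() / "Library" / "LaunchAgents"]

def check_plist_bytes(data):
    """Return the indicators matched by one launchd property list."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return ["unparseable plist"]
    hits = []
    if plist.get("Label") == SUSPECT_LABEL:
        hits.append("label " + SUSPECT_LABEL)
    programs = [plist.get("Program"), *(plist.get("ProgramArguments") or [])]
    for p in programs:
        if isinstance(p, str) and (p.endswith("/" + SUSPECT_EXECUTABLE)
                                   or "/" + SUSPECT_SUBFOLDER + "/" in p):
            hits.append("program path " + p)
            break
    return hits

def hunt(dirs=PERSISTENCE_DIRS):
    """Scan the persistence folders; map each suspicious plist to its hits.
    UF_HIDDEN covers the "hidden" flag the payload sets (macOS/BSD only)."""
    findings = {}
    for d in dirs:
        for path in (d.glob("*.plist") if d.is_dir() else []):
            hits = check_plist_bytes(path.read_bytes())
            if getattr(path.stat(), "st_flags", 0) & stat.UF_HIDDEN:
                hits.append("UF_HIDDEN flag set")
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples (not real artefacts): one shaped like the dropped plist, one benign.
SAMPLE_PLIST = plistlib.dumps({
    "Label": SUSPECT_LABEL, "RunAtLoad": True,
    "ProgramArguments": ["/Users/victim/Library/User Photos/mount_devfs"]})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]})
```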

In the sample we tested, the malware’s C2 is the following URL on the mihannevis[.]com domain:

http[:]//mihannevis[.]com/joes/NAZALgEyGj7b3jNYzbypYX8a/manifest[.]js

The static reputation engine is not currently aware of the third-stage payload, so defenders should rely on behavioral indicators to ensure detection.

Conclusion
Although much macOS malware is written simply or with little skill, the actors behind this multi-stage backdoor Trojan have deployed some novel techniques and improved on techniques seen in commodity malware such as Shlayer and adware such as Bundlore. This shows that they have both the skills and the resources to imitate and innovate in order to achieve their goals.

IOCs

File paths
[~]/Library/User Photos/mount_devfs
/Library/LaunchDaemons/com.apple.marcoagent.voiceinstallerd.plist
~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist

C2 Servers
mihannevis[.]com
mykessef[.]com
idtpl[.]org