![]() Python ObfuscatorsĪpple removed support for Python 2.7 on macOS devices running Monterey 12.3 and later in 2022, and as a result the language has become a less attractive option for attackers than it once was. However, only behavioral solutions will be able to distinguish between benign code and those with malicious intent. SHC compiled binaries can be detected statically and marked as suspicious, as the compiler produces a distinctive string signature. The only way to discover what an SHC-compiled binary does is to detonate it in a sandbox and observe its behavior. Its great advantage from an attacker’s point of view is it makes it extremely simple to write malicious scripts which cannot be read via static analysis and which, thanks to the -e option, can have endlessly different hash values. SHC was heavily used by XCSSET malware and has been seen more recently obfuscating Linux payloads. One useful side-effect of this is that the same script will produce binaries with different hashes if compiled with different values for -e. The -e option allows the author to set an expiry date after which the program won’t run. The -U option attempts to make the binary untraceable with ptrace. SHC comes with some compilation options that are useful to malware authors. Although these binaries aren’t entirely independent – they still require the execution environment to have available the shell specified in the shebang – if the script uses a shell that is found by default on the target OS (e.g., /bin/sh/ on macOS), execution should not be an issue. The source code is then compiled and linked to produce a stripped binary executable. ![]() Shell Script Compiler is a Github repo known as SHC for short, which takes a script and produces obfuscated C source code. SentinelOne detects such script-based malware, with this particular payload identified as Bundlore.E, a well-known commodity adware and PUP delivery platform. This information is next posted to a C2 and a further payload is returned, mounted and launched. Like '%s3.%' order by LSQuarantineTimeStamp desc limit 5' ![]() 'select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString It also reads the local LSQuarantine file to check the source of the downloaded disk image, searching for URLs containing %s3.%, suggesting that this version of Bundlore is using AWS to deliver the first stage disk images. The malware queries a number of system and environment variables to ascertain if it is running in a virtual machine. bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k \'$archive\' After creating a directory inside /tmp with a random 12-character name, it ultimately decrypts, runs and deletes an executable extracted from the data file located in the same directory. On mounting the disk image, the user is presented with a two-step graphical instruction on how to open the malware and bypass the built-in macOS Gatekeeper restriction.Įxamining the disk image in the Finder with hidden files displayed, it’s clear that the Install PKG icon the user is urged to right-click on is an alias to a shell script file located in a hidden directory called, appropriately enough. The sample 2070b149b7d99cd4b396a8b78de5a28c1f2b505a provides a representative example. Others drop the script directly into a disk image file and encourage the user to execute it through an alias. Some malware families use the script as an executable in an app bundle, such as this one. We take a look at scripts, the SHC shell script compiler, obfuscated Python, Go implants as well as some rare sightings of obfuscated Cobalt Strike beacons seen in some recent macOS-targeted campaigns.Ī method first popularized by Shlayer malware, commodity adware and PUP platforms continue to leverage shell scripts delivered in disk images, often through content lures. In this post, we continue our exploration of modern macOS malware by looking at different kinds of payloads that are either common or are emerging, with an emphasis on those that attempt obfuscation and evasion. In our recent post, 7 Ways Threat Actors Deliver macOS Malware in the Enterprise, we discussed some of the popular mechanisms currently in use by threat actors to achieve initial compromise on a macOS system.
0 Comments
Leave a Reply. |