Cyber Threat

OSX/Hydromac


June 8, 2021

Usually OSX/Tarmac has been dropping a legitimate copy of Adobe Flash Player, as we reported before. This time, an unknown malware with the following SHA-256:

919d049d5490adaaed70169ddd0537bfa2018a572e93b19801cf245f7fd28408

was downloaded and persisted in the location below, and installed as a launch daemon; the file executed at RunAtLoad is called MapperState.system.

String Decryption:

This sample contains about 943 functions, with debug symbols stripped, no identifiable strings and no known encryption algorithm in use. The only give-away of its functionality is the imported functions: if popen or CFHTTPMessageSetBody is imported, the malware will create a process or connect to a C2 server over HTTP, respectively. But the arguments passed to these functions are encrypted and hidden deep in the malware's logic, which only executes in a specific runtime state.

Debugging this malware won't cover all of its functionality; analysts are left with string decryption to get a real understanding of what it does.
The malware authors know this, and this is where they invested all their effort to obfuscate the functionality.

MapperState authors used a very confusing method to encrypt their strings to slow down our analysis.

For example, there is a block of code copied and pasted 198 times (once per string to decrypt).
This is a classic slow-debugging technique: if there were only one function decrypting all the strings, a single breakpoint in that function would suffice, but now there are 198 blocks where analysts would have to set breakpoints, which is no longer an option. The exact same slow-debugging technique is used in the new version of OSX/Tarmac as well.

The block of code responsible for string decryption makes heavy use of SSE instructions.

The encrypted string is stored in the variable unk_100051700; the decoded string “00000000–0000–0000–0000–00000000000” is a string written by our IDAPython decoder script.
After investigation, it appears the encrypted strings are always referenced through unk_ variables (as IDA Pro isn't sure what type they are), and there is always an integer value copied into the edx register that represents the encrypted string length.

In other words, this block always takes two varying parameters, and we will use IDA Pro's unk_ type to locate all these strings.

Rewriting the decryption routine in Python would take a lot of time, so we decided to emulate this block and decrypt all the strings while extracting them on the fly (taking into account the always-changing length variable).

It is important to note that we faced two difficulties with emulation. The encryption block calls some macOS APIs, and those are not emulated by Unicorn Engine, so we had to emulate them as well.
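As an added example (not the original analysis and not the authors' IDAPython or Unicorn script), the harvesting step that precedes emulation: walk an IDA listing, and for each copy of the repeated decryption block record the unk_ reference and the length loaded into edx, plus the imported APIs that copy calls so you know which ones the emulator will have to stub. The listing, addresses, lengths and import names below are constructed; it works for any number of copies, not only the two shown.

```python
import re
from dataclasses import dataclass, field

# Constructed IDA-style listing with two copies of the repeated block.
# Addresses, lengths and symbol names are made up for this example.
LISTING = """\
__text:0000000100001000  lea   rsi, unk_100051700
__text:0000000100001007  mov   edx, 24h
__text:000000010000100C  call  cs:__imp__malloc
__text:0000000100001011  pxor  xmm0, xmm1
__text:0000000100001015  call  cs:__imp__memcpy
__text:000000010000101A  ret
__text:0000000100001100  lea   rsi, unk_1000517A0
__text:0000000100001107  mov   edx, 0Fh
__text:000000010000110C  call  cs:__imp__malloc
__text:0000000100001111  pxor  xmm0, xmm1
__text:0000000100001115  call  cs:__imp__popen
__text:000000010000111A  ret
"""

LINE = re.compile(r"^\w+:([0-9A-Fa-f]{16})\s+(\w+)\s*(.*)$")
UNK = re.compile(r"\bunk_([0-9A-Fa-f]+)\b")
EDX = re.compile(r"\bedx,\s*(\w+)")
IMP = re.compile(r"__imp_(\w+)")

@dataclass
class Block:
    start: int                 # first instruction of this copy
    unk: int = 0               # encrypted string (the unk_ variable)
    length: int = 0            # byte length loaded into edx
    apis: list = field(default_factory=list)  # imports this copy calls

def ida_imm(text):
    # IDA prints hex immediates with an 'h' suffix, decimal ones bare.
    return int(text[:-1], 16) if text.endswith("h") else int(text)

def parse_blocks(listing):
    blocks, cur = [], None
    for raw in listing.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3)
        if cur is None:
            cur = Block(start=addr)
        if mnem == "lea" and (u := UNK.search(ops)):
            cur.unk = int(u.group(1), 16)
        elif mnem == "mov" and (e := EDX.search(ops)):
            cur.length = ida_imm(e.group(1))
        elif mnem == "call" and (c := IMP.search(ops)):
            cur.apis.append(c.group(1))
        elif mnem == "ret":        # end of one copy of the block
            blocks.append(cur)
            cur = None
    return blocks

def api_stubs_needed(blocks):
    # Every distinct import needs a hook, since Unicorn does not emulate them.
    return sorted({a for b in blocks for a in b.apis})
```

Each Block gives the emulator its start address, the bytes to map at the unk_ address and the value to preload into edx; api_stubs_needed lists the hooks to write before the first run.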

