[ Sharing ] Analysing macOS samples with “Added Features”

It’s being a while since i’ve last written anything at all.
Today i’ll go through quickly an interesting mac OSX signed sample that collected user’s privacy information and uploaded to a third-party server.
Surprisingly no AV flagged this.

The collected information are shown below:
QQ, Weixin, Mobile, Email, AppList, CPU, RAM, Mac Address, Public IP, Private IP, etc

[ Sample used in the analysis ]
MD5: faed65cdfac39d61ebd1079c50e80471
SHA256: 292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2

[ Part 1 : Getting Started ]
For those who want to follow along.
Please do take note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2

As this is a Mac App, let’s take a look at the Mach-O inside it.
One thing to take note is that Mach-O binary has a series of headers that are used to perform certain operations when a binary is loaded.
On particular thing which i’m usually interested in is “LC_LOAD_DYLIB”
“LC_LOAD_DYLIB” header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time.

2 interesting things can be found in this Mach-O as shown below.

The image shows that the Mach-O loads two dynamic library files libcJFishPoolHook.dylib and libXMindHook.dylib
Let’s load libcJFishPoolHook.dylib to IDA Pro or Hopper.
Immediately after the Mach-O is loaded in IDA Pro , we can see this.

This confirm that this particular application is trying to get the following information from the unspecting user.
QQ, Weixin, phone number, email, OS, CPU type, RAM, MAC address, Public/Private IP address, user name, application list, device ID, Information, etc

If we were to look deeper, we can see that the application will upload all these information to “http://dataapi.makeding.com:27169/index.php/DataApi/data”

For those who have done forensics on QQ before, We can also see that in “getContact”, this application is trying to steal users’ contacts in QQ by accessing the data at
“/Library/Containers/com.tencent.qq/Data/Library/Application Support/QQ/”

Another thing we can find while auditing the binary, we can see that all the data which are being exfiltrated are AES encrypted and the password is “iMdpgSr642Ck:7!@” without the double quotes as shown below.

From how i see this from a static analysis point of view, the person behind this probably took legit apps and added “Extra Features” to it.
But why is it sending data back to “makeding[.]com”

So who signed this and who is this developer?

Based on the name of the developer’s name, i’ve found more apps that this developer have “pushed” out other apps with “Extra Features”
The following are the hashes by this Developer.

16d80a3931542a624953e99da788ebbe1916ba86a2ca8352b5827e733a8ae4e5
301f5b398ada9d3045cf47b0eb4be27968a9e142b5ac9034c3574e3fc9607db3
292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2
3daa7654ed6709fe1e79c88f1653ca303840c3d0b2fa4c451801ea1ef8075d0a
2234d3b6df4ab1dff69ab266f22922de3df12b6da9566f897d9bbd76e23dc3fa

It’s almost 3am here. I’ll just end this abruptly and let you all have phun analysing this.

Have Phun
Jacob Soo

Article Link: http://www.vxsecurity.sg/2017/12/08/sharing-analysing-macos-samples-with-added-features/