From the Front Lines | New macOS ‘covid’ Malware Masquerades as Apple, Wears Face of APT

Earlier this year, we reported on ESET’s discovery of OSX.DazzleSpy, an information stealer and backdoor likely targeted at Hong Kong’s pro-democracy activists. As part of our own threat hunting activities into DazzleSpy and related malware campaigns such as Zuru, Macma, Gimmick and pymafka, we recently came across a new malware sample that at first sight appeared to be a DazzleSpy variant. Further analysis, however, made that attribution tough to call, but the sample’s novel characteristics and use of multiple open-source projects should make it of interest to threat hunting and detection teams.

Dropper and Persistence

On 20th April, 2022, a DMG named ‘vpn’ was uploaded to VirusTotal.

malicious disk image on VirusTotal

Apparently unremarkable, further analysis showed that the disk image contained an application bundle called ‘vpn.app’, an application built with Platypus, an open-source toolkit that allows developers to turn scripts into Mac applications.

Platypus Mac Application

Platypus applications use a launcher executable in the app bundle to run the script in the bundle’s Resources folder. Since the script is simply a plain text file, it’s easy enough to examine to see what the “application” is really intended to do.

In this case, the script file (shown below) revealed that the supposed ‘vpn.app’ was really something quite different.

vpn malware script

The script begins by creating a hidden folder, ~/.androids, in the User’s home directory. It then checks to see if the host architecture is x86_64 or not via the uname utility.

Depending on the architecture, the script downloads one of two possible second stage Mach-Os from IP http[:]//46[.]137.201.254. Although we were only able to retrieve the x86_64 payload, we can assume that since the Platypus-built application only runs on macOS that the alternative payload would be an arm64 executable built for Apple’s M1 architecture.

The payload is installed in the invisible directory as ~/.androids/softwareupdated. This executable is the target for the persistence LaunchAgent that the script writes to ~/Library/LaunchAgents/com.apple.softwareupdate.plist.

After installing the persistence agent, the script downloads and executes a further payload, dropped with the name covid. This is written to the user’s home directory and neither attempts stealth nor persistence.

Softwareupdated

The choice of the name ‘softwareupdated’ is a masquerade of an Apple system binary of the same name that lives at /System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated.

Our initial assumption that this may have been a DazzleSpy variant stemmed from the fact that the persistence agent uses the same filename as DazzleSpy, i.e.,  ~/Library/LaunchAgents/com.apple.softwareupdate.plist, and an almost identical target executable name (DazzleSpy uses ‘softwareupdate’, rather than ‘softwareupdated’.). On top of that, both use a hidden folder in the user’s home directory to house the target executable (.local in the case of DazzleSpy, .androids here). However, those indicators might easily have been chosen to deliberately confuse attribution, and it is not beyond the realms of possibility that the indicators are merely coincidental.

Things become more interesting when we look at the payload. Static analysis of the malicious softwareupdated shows it to be a Sliver implant.

Sliver

Sliver is an open source red team framework written in Go that supports C2 communications over a variety of protocols, including TLS, HTTP, and DNS.

Sliver on github

While DazzleSpy used a mixture of open-source repos for various tasks, including  the tonymillion Reachability framework, YYModel, and GCDAsyncSocket, this is the first time we’ve seen Sliver used in malware masquerading as Apple binaries and using com.apple labels for persistence.

Sliver implants offer the operator multiple functions useful to adversaries, including opening a shell on the target machine. The softwareupdated binary periodically checks in with the C2 to retrieve scheduled tasks, execute them, and return the results. Sliver implants also have the ability to allow the operator to open an interactive real time session for direct tasking and exploitation.

Covid Binary

The covid binary is also a Go executable, this time packed with UPX. After unpacking, the binary turns out to be an NSApplication built using MacDriver, another open-source project available on Github that provides a toolkit for working with Apple frameworks and APIs in Go.

MacDriver

As with the Sliver implant, the covid executable reaches out to http[:]//46[.]137.201.254,  this time on port 8001, and checks for the number of logical cores via sysctl as a means to detect whether it is running in a virtual machine. Executing the covid binary pops a WebKit view in a standard macOS application window.

webkit in disassembly

More importantly, however, the covid binary uses a “fileless” technique to execute a further payload in-memory, evidenced by the tell-tale signs of NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been seen in a few campaigns in recent years, including by North Korean-linked APT Lazarus.

NSCreateObjectFileImageFromMemory

While presenting a distracting interface to the user, perhaps around the supposed ‘vpn’ capabilities, the covid binary retrieves and executes a third stage payload.

NSLinkModule

As the final payload was not available to us at the time of the analysis due to the C2 being offline, we are unable to say what the ultimate purpose of the covid binary was intended to be.

SentinelOne Detects and Protects Against New ‘covid’ Malware

SentinelOne customers are fully protected against all the known components of this malware through both static and behavioral detection. The SentinelOne agent also protects against DazzleSpy and other macOS malware families.

Conclusion

The indicators around this particular malware align neatly with what we might expect to see in a red team exercise – a red-teaming framework, singular (now offline) C2 hosted on Amazon, and the use of free and readily available open source tools like UPX, Sliver, MacDriver and Platypus, and, of course, binaries built from Go source code (an increasingly popular choice for malware authors of all stripes). We also note the lack of coherence and stealth used by the actors: an unsigned ‘vpn app’ dropping a payload called ‘covid’ in the User’s home directory doesn’t, at least without more context, make much sense of itself.

However, threat actors of all kinds can now easily imitate one another, and the use of indicators recently associated directly with the DazzleSpy campaign appears to be one of an unhappy accident, deliberate misdirection, or a genuine variant in a known campaign.

We also note that thanks to the use of free, publicly available software, this entire campaign targeting macOS devices was built without using any proprietary Apple tools or software, such as the Xcode IDE. For threat hunters and detection teams, we hope that awareness of the kind of TTPs reported here will aid detection of similar infection attempts, regardless of the nature of the threat actor.

Indicators of Compromise

Name SHA1
vpn.dmg 563d75660e839565e4bb1d91bc1236f5ec3c3da7
script fa2556765290b0a91df3b34e3b09b31670762628
softwareupdated 0cfde0edb076154162e2b21e4ab4deb279aa9c7b
covid (packed) d0eb9c2c90b6f402c20c92e2f6db0900f9fff4f7
covid (unpacked) b4ab73b52a42f995fbabacb94a71f963fc4cda01

File paths
~/covid
~/.androids/softwareupdated
~/Library/LaunchAgents/com.apple.softwareupdate.plist

Network
46[.]137.201.254

Open-Source or Publicly-available Software Used
Go
MacDriver
Platypus
Sliver
UPX