Mar 10, 12:49 pm (UTC-7)

    Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult.

However, the capabilities of the Mac malware used in Careto were not as sophisticated as those of its Windows counterpart. (We detect this as OSX_CARETO.A.) It connects to a hardcoded command-and-control (C&C) server and runs /bin/sh to open a shell, which can then run commands sent from the C&C server. This particular backdoor is only approximately 88 kilobytes in size, which is not particularly large (especially since it contains both 32- and 64-bit code). However, analysis of this malware is still not easy, due to the encoding and encryption mentioned above. In this blog post, we look into the details of this encoding and encryption.

    Figure 1. File structure of OSX_CARETO.A

    Configuration Encoding

When this malware is run, it first decodes its configuration data. The encoding algorithm is pretty simple: the bytes are XORed alternately with 0x7F and 0x10, so each key applies to every other byte. Among the encoded information are its C&C server, a shared secret for network communication, and the program path for the command shell. The C&C server used here is itunes212.appleupdt.com, which has now been sinkholed.
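The decoding step described above, as an added example (this is not code from the original post or from the malware). The post says the bytes are XORed alternately with 0x7F and 0x10 but does not say which key applies to the first byte, so the decoder tries both phases and keeps the one that yields the most text-like output; the NUL-separated layout of the sample configuration is an assumption, and the sample blob is constructed from the domain and shell path named in the post.

```python
"""Decoder for an alternating-XOR (0x7F / 0x10) configuration encoding.

Added example, not code from the original post. The starting key is not
documented, so both phases are tried and scored for printable content.
"""
from typing import List, Tuple

KEYS = (0x7F, 0x10)


def xor_alternating(data: bytes, phase: int = 0) -> bytes:
    """XOR each byte with 0x7F and 0x10 alternately.

    XOR is its own inverse, so the same function encodes and decodes.
    phase=0 applies 0x7F at offset 0; phase=1 applies 0x10 at offset 0.
    """
    return bytes(b ^ KEYS[(i + phase) % 2] for i, b in enumerate(data))


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL (string separators)."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 0x20 <= b <= 0x7E or b == 0x00)
    return good / len(data)


def decode_config(blob: bytes) -> Tuple[int, bytes]:
    """Return (phase, decoded) for whichever phase gives more text-like bytes."""
    scored = [(text_ratio(xor_alternating(blob, p)), p) for p in (0, 1)]
    _, best_phase = max(scored)
    return best_phase, xor_alternating(blob, best_phase)


def split_strings(decoded: bytes) -> List[str]:
    """Split a decoded blob into NUL-terminated strings (assumed layout)."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# Constructed sample: a configuration laid out as NUL-terminated strings
# holding values the post names. The real binary's layout is not given.
SAMPLE_CONFIG = b"itunes212.appleupdt.com\x00/bin/sh\x00"
SAMPLE_ENCODED = xor_alternating(SAMPLE_CONFIG, phase=0)

if __name__ == "__main__":
    phase, decoded = decode_config(SAMPLE_ENCODED)
    print("phase", phase, split_strings(decoded))
```

Because the wrong phase is equivalent to XORing every byte with 0x7F ^ 0x10 = 0x6F, it turns most letters into control characters, which is why the printable-ratio score separates the two candidates cleanly on real string data.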

    Figure 2. Configuration decoding

    Figure 3. C&C Server

    Network Traffic Encryption

    The malware then connects to its C&C server (which was found in the decoded configuration) and sends two 20-byte SHA1 checksums. These are used as part of the AES encryption keys later. The first SHA1 checksum is created using the time and the process ID (PID). The second SHA1 checksum is created in a similar way – by using a new timestamp and PID+1.

    The encryption keys for sending and receiving are different. They are created by calculating the SHA1 checksum of a shared secret and the two SHA1 checksums mentioned earlier. All succeeding network traffic is encrypted with AES using these two keys.
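The key-setup exchange described in the two paragraphs above, as an added example (not the malware's code). The post gives the inputs (a timestamp and PID for the first checksum, a later timestamp and PID+1 for the second, then a shared secret hashed together with both checksums) but not the byte layout or the concatenation order; the `struct` packing and the ordering used below are assumptions, and the shared secret is a constructed placeholder.

```python
"""Simulation of the implant's SHA1-based key setup.

Added example, not the malware's code. Byte layout, concatenation order and
the secret value are assumptions, labelled in the comments.
"""
import hashlib
import struct
from typing import Tuple

# Constructed placeholder; the real secret is stored in the encoded config.
SHARED_SECRET = b"PLACEHOLDER-SHARED-SECRET"


def checksum(timestamp: int, pid: int) -> bytes:
    """SHA1 over a little-endian (timestamp, pid) pair. Layout assumed."""
    packed = struct.pack("<II", timestamp & 0xFFFFFFFF, pid & 0xFFFFFFFF)
    return hashlib.sha1(packed).digest()


def implant_hello(t1: int, t2: int, pid: int) -> Tuple[bytes, bytes]:
    """The two 20-byte values sent first: (t1, pid) then (t2, pid + 1)."""
    return checksum(t1, pid), checksum(t2, pid + 1)


def derive_keys(secret: bytes, c1: bytes, c2: bytes,
                initiator: bool) -> Tuple[bytes, bytes]:
    """Return (send_key, recv_key) for one side of the connection.

    Each key is SHA1(secret || checksum_a || checksum_b); swapping the
    checksum order yields the key for the other direction. Order assumed.
    """
    k_implant_to_c2 = hashlib.sha1(secret + c1 + c2).digest()
    k_c2_to_implant = hashlib.sha1(secret + c2 + c1).digest()
    if initiator:
        return k_implant_to_c2, k_c2_to_implant
    return k_c2_to_implant, k_implant_to_c2


def simulate_exchange(t1: int, t2: int, pid: int):
    """Run both sides: implant sends 40 bytes in the clear, each side derives."""
    c1, c2 = implant_hello(t1, t2, pid)
    wire = c1 + c2                      # what a network sensor would observe
    assert len(wire) == 40
    server_c1, server_c2 = wire[:20], wire[20:]
    implant_keys = derive_keys(SHARED_SECRET, c1, c2, initiator=True)
    server_keys = derive_keys(SHARED_SECRET, server_c1, server_c2,
                              initiator=False)
    return implant_keys, server_keys


if __name__ == "__main__":
    imp, srv = simulate_exchange(1394480940, 1394480941, 1234)
    print("implant send == server recv:", imp[0] == srv[1])
```

Two points worth noting from a defender's side: the first 40 bytes of every session are sent unencrypted and are unrelated to the secret, so a sensor can recognise the fixed-length high-entropy prologue even though it cannot derive the keys without the secret; and because SHA1 yields 20 bytes, the implant must truncate or extend the digest to an AES key length, a detail the post does not specify.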

    Figure 4. Generate checksum

    Figure 5. AES encryption key

    Figure 6. Shared secret for network traffic

    Command Shell

The malware then sends a 16-byte message to the C&C server as a challenge. If it gets a correct response from the C&C server, it creates a shell by opening /bin/sh. Attackers can then control the machine by sending commands, which are executed in the opened shell.

    Figure 7. Command shell

    Figure 8. /bin/sh

    Conclusion

Compared to its corresponding Windows version, this Mac version is not as sophisticated. It is fairly common nowadays for malware to encode its configuration data. This is an attempt to create multiple variants and circumvent security products (particularly those still reliant on signatures).

    However, unlike most modern Windows malware, only the configuration information is encoded, and the main program code is left intact and unobfuscated. It is likely that future Mac malware will see similar attempts at obfuscation, making analysis more difficult.

In addition to the Mac version of Careto, we also detect the Windows malware related to this attack (BKDR_CARETO.A, BKDR_CARETO.B, and BKDR_CARETO.D). The URLs used in this attack are also blocked by the appropriate Trend Micro products. In addition, network administrators may use DNS blacklisting in order to detect and protect their users.

The SHA1 hashes of these files are as follows.

    BKDR_CARETO.A:

• 087B7121546E4DE28EC9F118D5F60FE7FE926118
    • 0AEED3B0A049FB859A46AC9B8C64EF924AF4A924
    • 224696022C6E7440ADA4F2549D4432CC9F9EAE04
    • 29B643993C0A912A7268114ABF65915A5754B224
    • 5E7833FA8EDC069443BB1239DE3291AA1E3FC9C8
    • B5ADDFF79E625183C30370A0CCE124FD1255BA7D
    • CCE60EB5D6997A2DE2EBD164A4C1C63D8DBB0738

    BKDR_CARETO.B:

• 0081E20B4EFB5E75F9CE51E03B2D2D2396E140D4
• 10086CA8864C87EB5EB179593D3B2C7C1BC6D042
    • 3C4055CC39511D22EEDA71014FFE487BAD4CB264
    • 7B9ED3549748BF5EBA72E6C10FF3C8D1E7294A8B
• 7C30DC5D96023A1AA018921B4F01E98960992CB9
    • 77FF442653D662D17272F5BFD42F166D73E15DD2
    • 83F5E4A6238F4EC83F982A0DC18DB969B6DC93E5

    BKDR_CARETO.D:

    • 11A56B3B8780A08889434B2D914DEBF7E2C8C999
• 43931A35886E3D820AAEC70A58CCDFE815F31E84
• EDF95EE4CD6CB092F91A3781120F40F77E356F00

    OSX_CARETO.A:

    • 45AC81EFC6A8BC384AE8351656986A00FDB8C768
    • A2C4D5B2089E9783E3EB2AD154F71CECD594E841
    • EBE2B153A99A6E44BF7004EDBD5BF99EC79BA430
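The DNS blacklisting and hash matching suggested above, as an added example (not Trend Micro's code). It takes the sinkholed C&C domain and the three OSX_CARETO.A SHA1 hashes from this post; the other families' hashes would be added to the same table. The DNS log line format and the sample lines are constructed, and matching is done case-insensitively because the published hashes appear in mixed case.

```python
"""Indicator matching for the Careto indicators published in the post.

Added example, not Trend Micro's code. The DNS log format and the sample
log lines are constructed for the demonstration.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# From the post: the sinkholed C&C domain.
C2_DOMAIN = "itunes212.appleupdt.com"

# From the post: OSX_CARETO.A SHA1 hashes, stored lower-case for matching.
IOC_SHA1: Dict[str, str] = {
    h.lower(): "OSX_CARETO.A"
    for h in (
        "45AC81EFC6A8BC384AE8351656986A00FDB8C768",
        "A2C4D5B2089E9783E3EB2AD154F71CECD594E841",
        "EBE2B153A99A6E44BF7004EDBD5BF99EC79BA430",
    )
}

# Constructed log format: "<ts> client=<ip> query=<name> type=<rrtype>".
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=\S+$"
)


def is_c2_query(name: str) -> bool:
    """True for the C&C domain itself or any subdomain of it."""
    q = name.rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line that queried the C&C domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and is_c2_query(m.group("query")):
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "query": m.group("query").rstrip(".").lower()})
    return hits


def classify_sha1(digest_hex: str) -> Optional[str]:
    """Map a SHA1 hex digest (any case) to a detection name, or None."""
    return IOC_SHA1.get(digest_hex.strip().lower())


def classify_bytes(data: bytes) -> Optional[str]:
    """Hash file contents and look them up in the indicator table."""
    return classify_sha1(hashlib.sha1(data).hexdigest())


# Constructed sample log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2014-03-10T12:49:00Z client=10.0.0.5 query=itunes212.appleupdt.com. type=A",
    "2014-03-10T12:49:01Z client=10.0.0.5 query=www.example.com. type=A",
    "2014-03-10T12:50:12Z client=10.0.0.9 query=ITUNES212.APPLEUPDT.COM type=AAAA",
    "2014-03-10T12:50:13Z client=10.0.0.9 query=appleupdt.com. type=A",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Note that `appleupdt.com` on its own is not flagged: only the host name the post names (and anything beneath it) is treated as an indicator, which keeps the rule from generating alerts for a whole domain that the post does not claim is attacker-controlled.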




    • MalwareMustDie, NPO

      Thank you for sharing the hashes!!

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice