{ "Event": { "analysis": "2", "date": "2017-01-18", "extends_uuid": "", "info": "OSINT - New Mac backdoor using antiquated code", "publish_timestamp": "1484768100", "published": true, "threat_level_id": "3", "timestamp": "1484768039", "uuid": "587fc1b5-fd10-42e7-8184-637702de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#6a0084", "name": "ms-caro-malware:malware-platform=\"MacOS_X\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484767794", "to_ids": false, "type": "text", "uuid": "587fc232-0348-4488-a667-45b502de0b81", "value": "The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I\u2019ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers."
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484767808", "to_ids": false, "type": "link", "uuid": "587fc240-a794-46ce-ac59-4b0a02de0b81", "value": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" },
{ "category": "Payload delivery", "comment": "~/.client", "deleted": false, "disable_correlation": false, "timestamp": "1484767836", "to_ids": true, "type": "sha256", "uuid": "587fc25c-5fe0-40f7-84df-638002de0b81", "value": "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044" },
{ "category": "Payload delivery", "comment": "~/Library/LaunchAgents/com.client.client.plist", "deleted": false, "disable_correlation": false, "timestamp": "1484767837", "to_ids": true, "type": "sha256", "uuid": "587fc25d-0a48-44dc-a196-638002de0b81", "value": "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3" },
{ "category": "Network activity", "comment": "The perl script, among other things, communicates with the following command and control (C&C) servers:", "deleted": false, "disable_correlation": false, "timestamp": "1484767858", "to_ids": true, "type": "ip-dst", "uuid": "587fc272-e8ac-4372-83b6-4b2402de0b81", "value": "99.153.29.240" },
{ "category": "Network activity", "comment": "The perl script, among other things, communicates with the following command and control (C&C) servers:", "deleted": false, "disable_correlation": false, "timestamp": "1484767859", "to_ids": true, "type": "hostname", "uuid": "587fc273-ecb8-47bc-ba0d-4aa102de0b81", "value": "eidk.hopto.org" },
{ "category": "Payload delivery", "comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network", "deleted": false, "disable_correlation": false, "timestamp": "1484767908", "to_ids": true, "type": "sha256", "uuid": "587fc2a4-29fc-4bd5-bf7a-637a02de0b81",
"value": "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55" },
{ "category": "Payload delivery", "comment": "We also observed the malware downloading a perl script, named \u201cmacsvc\u201d", "deleted": false, "disable_correlation": false, "timestamp": "1484767936", "to_ids": true, "type": "sha256", "uuid": "587fc2c0-2688-4d0a-8264-637f02de0b81", "value": "b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names.", "deleted": false, "disable_correlation": false, "timestamp": "1484767968", "to_ids": true, "type": "sha256", "uuid": "587fc2e0-9bec-4f9e-ade8-b06d02de0b81", "value": "94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names.", "deleted": false, "disable_correlation": false, "timestamp": "1484767969", "to_ids": true, "type": "sha256", "uuid": "587fc2e1-bcbc-4de8-a6d6-b06d02de0b81", "value": "694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26" },
{ "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484767997", "to_ids": false, "type": "text", "uuid": "587fc2fd-7a88-4b6d-afb0-b06b02de0b81", "value": "OSX.Backdoor.Quimitchin" },
{ "category": "Payload delivery", "comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044", "deleted": false, "disable_correlation": false, "timestamp": "1484768039", "to_ids": true, "type": "sha1", "uuid": "587fc327-b678-4803-b15f-b06d02de0b81", "value": "18957d7549b4e296fcaeb122ff241d9799804fa3" },
{ "category": "Payload delivery", "comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044", "deleted": false, "disable_correlation": false, "timestamp": "1484768039", "to_ids": true, "type": "md5", "uuid": "587fc327-ffb8-420f-9174-b06d02de0b81", "value": "e4744b9f927dc8048a19dca15590660c" },
{ "category": "External analysis", "comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044", "deleted": false, "disable_correlation": false, "timestamp": "1484768040", "to_ids": false, "type": "link", "uuid": "587fc328-feec-43dc-800c-b06d02de0b81", "value": "https://www.virustotal.com/file/ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044/analysis/1484569121/" },
{ "category": "Payload delivery", "comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3", "deleted": false, "disable_correlation": false,
"timestamp": "1484768041", "to_ids": true, "type": "sha1", "uuid": "587fc329-9298-4b1c-ac87-b06d02de0b81", "value": "cd42b88569faa946a4b9d6f7408b958dcbcf7554" },
{ "category": "Payload delivery", "comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3", "deleted": false, "disable_correlation": false, "timestamp": "1484768042", "to_ids": true, "type": "md5", "uuid": "587fc32a-4528-458c-91a0-b06d02de0b81", "value": "9d9cca200dd0e5f9d59225131d5269b0" },
{ "category": "External analysis", "comment": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3", "deleted": false, "disable_correlation": false, "timestamp": "1484768042", "to_ids": false, "type": "link", "uuid": "587fc32a-60a0-48d1-89d1-b06d02de0b81", "value": "https://www.virustotal.com/file/83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3/analysis/1484177653/" },
{ "category": "Payload delivery", "comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55", "deleted": false, "disable_correlation": false, "timestamp": "1484768043", "to_ids": true, "type": "sha1", "uuid": "587fc32b-fcdc-4cec-b22d-b06d02de0b81", "value": "66e520e18accd92abb4722a6cd6a285981ac5bd1" },
{ "category": "Payload delivery", "comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55", "deleted": false, "disable_correlation": false, "timestamp": "1484768044", "to_ids": true, "type": "md5", "uuid": "587fc32c-27ec-4800-bc47-b06d02de0b81", "value":
"7bb4f5d962a5b3bb18db9ce08c0b6cbf" },
{ "category": "External analysis", "comment": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55", "deleted": false, "disable_correlation": false, "timestamp": "1484768045", "to_ids": false, "type": "link", "uuid": "587fc32d-132c-4c51-9085-b06d02de0b81", "value": "https://www.virustotal.com/file/bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55/analysis/1484082473/" },
{ "category": "Payload delivery", "comment": "We also observed the malware downloading a perl script, named \u201cmacsvc\u201d - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0", "deleted": false, "disable_correlation": false, "timestamp": "1484768045", "to_ids": true, "type": "sha1", "uuid": "587fc32d-c1e0-4edb-8e5d-b06d02de0b81", "value": "3c4904832392e70e415b0520d45ff7a1c93c2c4e" },
{ "category": "Payload delivery", "comment": "We also observed the malware downloading a perl script, named \u201cmacsvc\u201d - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0", "deleted": false, "disable_correlation": false, "timestamp": "1484768046", "to_ids": true, "type": "md5", "uuid": "587fc32e-7b7c-4acc-a7d4-b06d02de0b81", "value": "f8e3c8e43593ecbd9b62f6e18c8d6474" },
{ "category": "External analysis", "comment": "We also observed the malware downloading a perl script, named \u201cmacsvc\u201d - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0", "deleted": false, "disable_correlation": false, "timestamp": "1484768047", "to_ids": false, "type": "link", "uuid": "587fc32f-b3c8-442a-9cda-b06d02de0b81", "value":
"https://www.virustotal.com/file/b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0/analysis/1484326500/" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647", "deleted": false, "disable_correlation": false, "timestamp": "1484768048", "to_ids": true, "type": "sha1", "uuid": "587fc330-7248-49ef-ae67-b06d02de0b81", "value": "03ab5fdb40db260dbc35aadba202e920e57eb348" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647", "deleted": false, "disable_correlation": false, "timestamp": "1484768048", "to_ids": true, "type": "md5", "uuid": "587fc330-2b6c-4b22-bc05-b06d02de0b81", "value": "3adf6025eb710f2bf1918ee2f116153d" },
{ "category": "External analysis", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647", "deleted": false, "disable_correlation": false, "timestamp": "1484768049", "to_ids": false, "type": "link", "uuid": "587fc331-05c4-482c-ad41-b06d02de0b81", "value": "https://www.virustotal.com/file/94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647/analysis/1484177008/" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26", "deleted": false, "disable_correlation": false, "timestamp": "1484768050", "to_ids": true, "type": "sha1", "uuid": "587fc332-6d4c-4786-a7d2-b06d02de0b81", "value": "1e493ebde7fa77d5ae503aa7758fac87d11da116" },
{ "category": "Payload delivery", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26", "deleted": false, "disable_correlation": false, "timestamp": "1484768050", "to_ids": true, "type": "md5", "uuid": "587fc332-1ae4-4394-8893-b06d02de0b81", "value": "d4a14a1516d5ec9452a29de24ba85d0e" },
{ "category": "External analysis", "comment": "We were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and is only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26", "deleted": false, "disable_correlation": false, "timestamp": "1484768051", "to_ids": false, "type": "link", "uuid": "587fc333-f574-41dc-9c50-b06d02de0b81", "value": "https://www.virustotal.com/file/694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26/analysis/1484177158/" } ] } }
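Consuming the event above as a detection feed, as an added example (this is not code from CIRCL, the MISP project or the Malwarebytes write-up). It applies the two MISP conventions the event relies on: only attributes with `to_ids` set are indicators (the analyst narrative, the `OSX.Backdoor.Quimitchin` detection name and the VirusTotal links are context with `to_ids: false`), and the persistence paths `~/.client` and `~/Library/LaunchAgents/com.client.client.plist` live only in the free-text `comment` field, so a consumer that keys on attribute type alone never sees them. `EVENT_JSON` is a hand-trimmed excerpt of the event (real indicator values, fewer attributes); the host inventory and network log lines are constructed sample input.

```python
"""Pull detection-ready indicators out of the MISP event above and match them
against host and network inventory lines.  Added example; not code from CIRCL,
MISP or the Malwarebytes write-up.  EVENT_JSON is a hand-trimmed excerpt of the
event on this page (real indicator values, fewer attributes); HOST_INVENTORY
and NETWORK_LOG are constructed sample input."""
import json
import re

EVENT_JSON = r'''{ "Event": { "info": "OSINT - New Mac backdoor using antiquated code", "Attribute": [
 { "category": "Payload delivery", "type": "sha256", "to_ids": true, "deleted": false, "comment": "~/.client",
   "value": "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044" },
 { "category": "Payload delivery", "type": "sha256", "to_ids": true, "deleted": false,
   "comment": "~/Library/LaunchAgents/com.client.client.plist",
   "value": "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3" },
 { "category": "Network activity", "type": "ip-dst", "to_ids": true, "deleted": false, "comment": "C&C", "value": "99.153.29.240" },
 { "category": "Network activity", "type": "hostname", "to_ids": true, "deleted": false, "comment": "C&C", "value": "eidk.hopto.org" },
 { "category": "Antivirus detection", "type": "text", "to_ids": false, "deleted": false, "comment": "", "value": "OSX.Backdoor.Quimitchin" },
 { "category": "Payload delivery", "type": "md5", "to_ids": true, "deleted": false,
   "comment": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
   "value": "e4744b9f927dc8048a19dca15590660c" }
] } }'''
EVENT = json.loads(EVENT_JSON)

# Constructed: shasum -a 256 / md5 -r style "<hex>  <path>" lines from user homes.
HOST_INVENTORY = """
ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044  /Users/alice/.client
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /Users/alice/Library/LaunchAgents/com.example.agent.plist
E4744B9F927DC8048A19DCA15590660C /Users/bob/.client
"""

# Constructed DNS/flow records: line 3 is a near-miss IP, line 4 the bare DDNS provider domain.
NETWORK_LOG = """
2017-01-18T09:58:02Z dns client=10.0.0.23 query=eidk.hopto.org answer=99.153.29.240
2017-01-18T09:58:03Z conn src=10.0.0.23:52144 dst=99.153.29.240:80 proto=tcp
2017-01-18T10:01:17Z conn src=10.0.0.41:49222 dst=199.153.29.240:443 proto=tcp
2017-01-18T10:05:00Z dns client=10.0.0.9 query=hopto.org answer=203.0.113.7
"""
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
CASEFOLD_TYPES = {"md5", "sha1", "sha256", "hostname", "domain"}


def detection_indicators(event):
    """{type: set(values)} for attributes an IDS may act on: to_ids=false rows
    (analyst text, AV names, VT links) are context, deleted rows are tombstones."""
    out = {}
    for attr in event["Event"].get("Attribute", []):
        if attr.get("deleted") or not attr.get("to_ids"):
            continue
        value = attr["value"].strip()
        if attr["type"] in CASEFOLD_TYPES:  # MISP keeps values as the analyst typed them
            value = value.lower()
        out.setdefault(attr["type"], set()).add(value)
    return out


def path_hints(event):
    """Persistence paths the analyst put only in the free-text comment
    ("~/.client - Xchecked via VT: ..."), which type-keyed consumers never see."""
    hints = set()
    for attr in event["Event"].get("Attribute", []):
        comment = attr.get("comment", "")
        if comment.startswith("~/"):
            hints.add(comment.split(" - Xchecked", 1)[0].strip())
    return hints


def match_hash_inventory(indicators, lines):
    """Digest length picks the algorithm, so one inventory may mix md5/sha1/sha256."""
    hits = []
    for line in lines:
        digest, _, path = line.strip().partition(" ")
        digest = digest.lower()
        algo = HASH_LEN.get(len(digest))
        if algo and re.fullmatch(r"[0-9a-f]+", digest) and digest in indicators.get(algo, ()):
            hits.append((algo, digest, path.strip()))
    return hits


def match_network_log(indicators, lines):
    """IPs match whole tokens only; hostnames match exactly or as a parent of
    the token (a subdomain of the C2 name hits, the bare hopto.org does not)."""
    ips = indicators.get("ip-dst", set()) | indicators.get("ip-src", set())
    hosts = indicators.get("hostname", set()) | indicators.get("domain", set())
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in re.findall(r"[A-Za-z0-9.-]+", line):
            low = tok.lower()
            if low in ips:
                hits.append((n, "ip", tok))
            elif any(low == h or low.endswith("." + h) for h in hosts):
                hits.append((n, "hostname", tok))
    return hits


if __name__ == "__main__":
    ind = detection_indicators(EVENT)
    print("indicators:", {k: sorted(v) for k, v in ind.items()})
    print("persistence paths:", sorted(path_hints(EVENT)))
    for hit in match_hash_inventory(ind, HOST_INVENTORY.strip().splitlines()):
        print("HOST HIT", *hit)
    for hit in match_network_log(ind, NETWORK_LOG.strip().splitlines()):
        print("NET HIT", *hit)
```

Two caveats worth carrying into any real deployment of these indicators: `eidk.hopto.org` is a No-IP dynamic DNS name, so the resolved address can change at any time, which is why the hostname match above tolerates subdomains while the IP is matched as an exact token only; and the `- Xchecked via VT:` suffix means the sha1 and md5 rows were derived from the sha256 rows via VirusTotal rather than from a sample the analyst held, so a hit on one of them should be confirmed against the corresponding sha256 before it triggers containment.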