Encryption C2 framework EvilOSX traffic analysis

Mondo Finance Updated on 2024-01-31

Introduction to the tool.

EvilOSX is an open-source C2 tool written in Python and designed specifically for macOS. The Trojans it generates implement a range of built-in features, such as keylogging, file capture, browser history crawling and screen capture. EvilOSX communicates mainly over HTTP, and the content of the communication is transmitted as Base64-encoded data in a specific format. To evade detection, every response message from the EvilOSX server is a 404 Not Found page.

Derivative Trojan analysis.

Building a payload generates a file of the chosen script type in the data builds directory; the main part of that file is a base64-encoded payload. The analysis below focuses on the generated Python loader (launcher-238346py).

a. The loader carries a base64-encoded Python script (connectivity mode.txt). After executing the decoded data with python, the loader uses rm -rf to delete all .py scripts in the current directory.

b. connectivity mode.txt defines the form of the User-Agent and Cookie in the request header. The cookie consists of two key pieces of data: a hexadecimal string built from the username and MAC address of the controlled computer, used as the session, followed (joined with "-") by a piece of base64 data that decodes to information about the server and the controlled side. The script also specifies that when the response code is 404, the base64 data in the response body, delimited by base64 =debug-->, is base64-decoded.

c. Capturing the traffic while the controlled end connects to the server and decoding the debug data in it yields another Python script (connect.py). This script registers a launch agent on macOS and writes the payload locally in base64-encoded form; the launch agent then executes the payload whenever the system starts. By default the payload is placed in the current user's home directory under the name arlprvu, and the launch agent file is named ".com.apple.teuawwo".

d. The content of arlprvu is an openssl AES-256-CBC encrypted ciphertext, and the key is the hexadecimal string carried in the session described above.

Traffic analysis. EvilOSX's process from implantation to data interaction can be described by the following flowchart

The following is a process flow analysis and interpretation:

When connected

The client sends a GET request to the server; the Cookie in the request header has the same form as defined in the base64-decoded script inside the original Trojan.

The server returns a 404 and carries the base64 data in the HTTP response body.

The data begins and ends with debug markers: base64 =debug-->.

The data carried in the 404 response obtains the current computer's username and unique identifier through the get uid function, concatenates them into hexadecimal data, uses that value with the openssl command to decrypt an encrypted ** in the next section, and executes the result through the exec() function.

When the command is executed

When the original Trojan file is executed on the target, a py script file named arlprvu is left in the same directory; it still has to be executed manually for the host to connect back to the server.

All modules and some common shell commands (ifconfig, ls -l) were tested.

Distinct features can be observed, as exemplified by the execution of the CVE-2020-3950 module.

In the POST request body, username is followed by base64 data.

Once decoded, this is the name of the module used. It appears in the traffic except when a shell command is executed without any module enabled, and the response code is always 404.

This behaviour is also reflected in the Trojan itself.
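As an added detection example, not code from the post or from EvilOSX: the three traffic traits described above (hex session plus base64 in the Cookie, base64 between debug markers in a 404 body, a base64 module name after username in the POST body) written as parsing and scoring logic over a constructed request/response pair. The cookie name `session`, the `<!-- debug: ... -->` comment syntax, the `username=` form field and all sample values are assumptions, since the post gives only the general layout.

```python
import base64
import binascii
import re
# Assumed layouts (the post only describes them loosely): cookie "<hex session>-<base64>",
# 404 body with base64 in "<!-- debug: ... -->", POST field "username=<base64 module>".
HEX_B64_COOKIE = re.compile(r"^([0-9a-f]{8,})-([A-Za-z0-9+/]+={0,2})$")
DEBUG_COMMENT = re.compile(r"<!--\s*debug:?\s*([A-Za-z0-9+/]+={0,2})\s*-->", re.IGNORECASE)
def _b64_decode(blob):
    # strict decode: anything that is not well-formed base64 yields None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def parse_cookie(cookie_header):
    """Return (session_hex, decoded_data) for a cookie value of the EvilOSX shape, else None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        m = HEX_B64_COOKIE.match(value if sep else name)
        data = _b64_decode(m.group(2)) if m else None
        if data is not None:
            return m.group(1), data
    return None

def extract_404_payload(status, body):
    # the base64 hidden between debug markers in a 404 body, decoded; None otherwise
    m = DEBUG_COMMENT.search(body) if status == 404 else None
    return _b64_decode(m.group(1)) if m else None
def module_from_post_body(body):
    # decode the base64 value of the 'username' form field to recover the module name
    fields = dict(f.partition("=")[::2] for f in body.split("&"))
    data = _b64_decode(fields.get("username", ""))
    return data.decode("utf-8", "replace") if data else None
def score_transaction(tx):
    """Names of the EvilOSX indicators that fire on one request/response pair (a dict)."""
    hits = []
    if parse_cookie(tx.get("cookie", "")):
        hits.append("cookie:hex-session-plus-base64")
    if extract_404_payload(tx["status"], tx["response_body"]) is not None:
        hits.append("response:404-with-debug-payload")
    if tx.get("method") == "POST" and module_from_post_body(tx.get("request_body", "")):
        hits.append("post:base64-module-name")
    return hits

# Constructed sample, not captured traffic: hex of username "john" plus a made-up MAC as the session.
SAMPLE = {"method": "POST", "status": 404,
    "cookie": "session=6a6f686e001122aabbcc-" + base64.b64encode(b"server-info").decode(),
    "request_body": "username=" + base64.b64encode(b"CVE-2020-3950").decode(),
    "response_body": "<html>Not Found<!-- debug: " + base64.b64encode(b"print('hi')").decode() + " --></html>",
}
```

Feeding real captures through `score_transaction` needs the cookie and marker regexes adjusted to the exact format seen in the traffic, since the layout here is assumed.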

Product inspection. The ENS Encryption Threat Detection System is capable of detecting HTTP traffic generated by the EvilOSX tool.

Summary. When the EvilOSX C2 tool is used, the Trojan file it releases is delivered first, and this file has a special format; during communication, 404 pages are then used to hide the real response. An encrypted threat detection system based on artificial intelligence, epidemic characteristics and TLS limited-domain fingerprinting can nevertheless detect this kind of encrypted communication behaviour. More and more attackers now use C2 tools with specialised encrypted-communication capabilities to enhance the stealth of their attacks. The security research team of Guancheng Technology continuously tracks the latest developments of these C2 tools and is actively researching and updating its encrypted-traffic detection technology.
