SAN FRANCISCO—Malware developers are always trying to outdo each other with creations that are stealthier and more advanced than their competitors. At the RSA Security conference this week, a former hacker for the National Security Agency demonstrated an approach thats often more effective: stealing and then repurposing a rivals code.
Patrick Wardle, who is now a security researcher at the macOS and iOS enterprise management firm Jamf, showed how reusing old Mac malware can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code. Where the approach really pays dividends, he said, is with the repurposing of advanced code written by government-sponsored hackers.
“There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware thats fully featured and also fully tested,” Wardle said during a talk titled "Repurposed Malware: A Dark Side of Recycling."
“The idea is: why not let these groups in these agencies create malware and if youre a hacker just repurpose it for your own mission?” he said.
Hijacking the hijackers
To prove the point, Wardle described how he altered four pieces of Mac malware that have been used in in-the-wild attacks over the past several years.
The repurposing caused the malware to report to command servers belonging to Wardle rather than the servers designated by the developers. From there, Wardle had full control over the recycled malware. The feat allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.
Besides saving time and resources, malware repurposing provides two key benefits:
- It may allow attackers, particularly those from state-sponsored groups, to infect high-risk environments, such as those that are already infected and under the eye of other malicious software actors. In that position, many nation state hacking groups will forgo deploying their crown-jewel malware to keep proprietary tactics, techniques, and procedures private. Repurposing someone else's malware might be a suitable alternative in these scenarios.
- In the event that the malware infection is detected and forensically analyzed, there's a good chance that researchers will misattribute the attack to the original hackers and not the party that repurposed the malware
Theres no shortage of evidence that the repurposing of rivals malware is already a common practice among nation-state hackers. WannaCry and NotPetya—the worms that wreaked worldwide computer shutdowns in 2017 and are widely attributed to North Korea and the Russian Federation respectively—spread rapidly from computer to computer with crucial help from EternalBlue, the Windows exploit developed by, and later stolen from, the National Security Agency. Researchers at security firm Symantec found a hacking group widely tied to the Chinese government reused NSA malware that gets installed by EternalBlue, in March 2016, 14 months prior before the powerful NSA hacking tools were published. This 2017 article by freelance reporter Kim Zetter reports that files published by Wikileaks showed CIA hackers recycling techniques and snippets of code used in previous attacks for use in new projects. A few years ago, according to evidence unearthed by Symantec, the Russian-speaking hacker group known as Turla hijacked the servers of OilRig, a rival outfit connected to Irans government. Turla then used the infrastructure to attack a Middle Eastern government.
One of Wardles repurposings involved AppleJeus.c, a piece of recently discovered malicious code embedded in a fake cryptocurrency trading app for macOS. The sample was notable for being the first, or at least among the first, known malware specimens for macOS to use an in-memory, or fileless, method to execute second-stage malicious payloads onto targeted Macs.
By executing malicious code solely in memory—rather than using the more common route of saving the code to disk and then executing it—AppleJeus.c significantly lowered the chances antivirus programs and other forms of endpoint security would detect the infection or be able to capture the second-stage payloads. Researchers have tied the malware to Lazarus, a hacker group working for the North Korean government.
Rather than develop his own fileless payload installer for macOS, Wardle made just one minor modification to AppleJeus.c: instead of obtaining the fileless payload from the server originally hardcoded into AppleJeus.c, the modified malware now got the payload from a server he controlled.
“This means that when the [first stage of the] malware is executed, it will now talk to our server instead of the hackers original infrastructure, and it will create the custom command and control server that packages off the payload,” Wardle said.
The first step was to thoroughly analyze the inner workings of AppleJeus.c. Among the things he observed were the malwares capabilities and the protocol it used to communicate with the original developers command and control server. Using a disassembler, for instance, he observed the malware using a cryptographic hashing function and a decryption function to load and then execute the second-stage payload.
By using a debugger to stop the malware just before it ran the hashing function, he found the string
VMI5EOhq8gDz, which when passed to the hash function turned out to be the decrpytion key. He then used the disassembler and debugger to discover the decryption cipher and parameters in a similar way.
Next, Wardle used a hex editor to change the original versions hard-coded control server domain to the address of the server under his control. He designed this new control server to use the same communication protocol and to interact step by step with each function of the malware.
To get the modified version of AppleJeus.c to accept the second-stage payload, Wardles control server had to, among other things, encrypt it with the same key and cipher he observed during hRead More – Source