Offensive malware analysis: dissecting OSX/FruitFly via a custom C&C server

Wednesday 4 October 16:00 - 16:30, Green room

Patrick Wardle (Synack)



Creating a custom command-and-control (C&C) server for someone else’s malware has a myriad of benefits. If you can take over a domain, you may then be able to fully hijack other hackers’ infected hosts. A more prosaic benefit is expediting analysis. While hackers and governments may be more interested in the former, as responsible malware analysts, we’ll focus on the latter.

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk we’ll begin by analysing the malware’s dropper, an obfuscated Perl script. As this language is rather archaic and uncommon in malware droppers, we’ll discuss some debugging techniques and fully deconstruct the script. We’ll then dive into analysing the ‘B’ variant of FruitFly which, even now, is only detected by a handful of security products. However, instead of fully reversing the sample, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal its full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server, we can simply send it various commands and observe the effects. Of course, this approach hinges on the ability to closely observe the malware’s actions. As such, we’ll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a ‘mouse sniffer’ that observes locally and decodes commands sent from the malware to the OS, in order to control the mouse). While some of this talk is FruitFly and/or macOS-specific, conceptually it should broadly apply to analysing other malware, even on other operating systems.


Patrick Wardle

Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, as well as having presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of macOS and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.

@patrickwardle

