Writing Rules for Non-Objective C Malware
Today we're going to inspect another DPRK malware family ported to macOS: Dacls, AKA MATA. Unlike RokRAT/CloudMensis, which we previously inspected, this one is not written in Objective-C, so it'll change our workflow a bit. Mostly that means fewer intermediate tools and more time in a disassembler. This comes in a DMG package that we can assess at another time; we'll focus on the embedded payload. A number of entities have discussed this particular sample:
MalwareBytes
Patrick Wardle
Phil Stokes
Kaspersky GREaT
SentinelLabs
Kaspersky GREaT
Let's jump right into it! Off the bat, checking the section names we can tell this is not written in Objective-C. Let's go right into the strings, including some function names! As we discussed yesterday, we can also check out what's in the __LINKEDIT segment to get function names, referenced symbols in the code, and more! MATA's __LINKEDIT segment contains a ton of function names, both from the …
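As an added example (not code from the original post or from any of the reports cited above), here is a small Python parser for the two checks just described: it walks the load commands of a thin 64-bit Mach-O, lists its segment,section names (flagging any __objc_* section, which an Objective-C binary carries and a plain C/C++ one lacks), and pulls the symbol names that LC_SYMTAB points to inside __LINKEDIT. The file it is run on here is a constructed minimal Mach-O, not a real sample; fat binaries and 32-bit files are not handled.

```python
import struct

MH_MAGIC_64, LC_SEGMENT_64, LC_SYMTAB = 0xFEEDFACF, 0x19, 0x02

def cstr(raw: bytes) -> str:
    """Decode a NUL-padded Mach-O name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def macho_summary(data: bytes) -> dict:
    """Walk the load commands of a 64-bit little-endian Mach-O and collect
    segment,section names plus the symbol names that LC_SYMTAB points into
    __LINKEDIT. is_objc is True when any __objc_* section is present."""
    hdr = struct.unpack_from("<8I", data, 0)
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    sections, symbols, off = [], [], 32  # load commands start after the header
    for _ in range(hdr[4]):  # hdr[4] == ncmds
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):
                s = off + 72 + i * 80  # section_64 headers follow the command
                sections.append(f"{cstr(data[s+16:s+32])},{cstr(data[s:s+16])}")
        elif cmd == LC_SYMTAB:
            _, _, symoff, nsyms, stroff, strsize = struct.unpack_from("<6I", data, off)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):  # each nlist_64 is 16 bytes; n_strx comes first
                n_strx = struct.unpack_from("<I", data, symoff + i * 16)[0]
                symbols.append(cstr(strtab[n_strx:]))
        off += cmdsize
    is_objc = any(s.split(",")[1].startswith("__objc_") for s in sections)
    return {"sections": sections, "symbols": symbols, "is_objc": is_objc}

def build_sample(objc: bool) -> bytes:
    """Constructed minimal Mach-O for testing (not loadable, not real malware):
    one segment, a __text section, optionally __objc_classlist, two symbols."""
    names = [(b"__TEXT", b"__text")] + ([(b"__DATA", b"__objc_classlist")] if objc else [])
    strtab = b"\0_main\0_dlopen\0"  # constructed string table; index 1 and 7
    seg_size = 72 + 80 * len(names)
    symoff = 32 + seg_size + 24  # header + segment command + symtab command
    stroff = symoff + 16 * 2     # two nlist_64 entries precede the string table
    out = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, seg_size + 24, 0, 0)
    out += struct.pack("<2I16s4Q4I", LC_SEGMENT_64, seg_size, b"__TEXT", 0, 0, 0, 0, 7, 5, len(names), 0)
    for seg, sect in names:
        out += struct.pack("<16s16s2Q8I", sect, seg, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    out += struct.pack("<6I", LC_SYMTAB, 24, symoff, 2, stroff, len(strtab))
    out += struct.pack("<IBBHQ", 1, 0x0F, 1, 0, 0) + struct.pack("<IBBHQ", 7, 0x01, 0, 0, 0)
    return out + strtab
```

On a real file, `macho_summary(open(path, "rb").read())` gives the same dict; a binary whose `sections` contain no __objc_* entries but whose `symbols` are full of libc/libstdc++ names is the non-Objective-C profile the post describes.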