While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped. The backdoor has been attributed to the cybercriminal group Lazarus, which has been active since at least 2014. There are multiple variants of NukeSped, which is designed to run on 32-bit systems and uses encrypted strings to evade detection. Recently, a more sophisticated form of this trojan called ThreatNeedle surfaced as part of a cyberespionage campaign by Lazarus.

Bundlore has also been known to target macOS devices and was linked to an attack on macOS Catalina users last year. The encrypted Mach-O file discovered in these samples has upgraded Bundlore - a malware family that installs adware in a target's device under the guise of downloading legitimate applications - to a stealthier and memory-resident threat.

Our analysis of the file Ants2WhaleHelper used by Lazarus led us to detect it as NukeSped. Another file with NukeSped detection, unioncryptoupdater, was also found in VirusTotal. Both contained a routine that looks to be based on a GitHub submission. Curiously, however, neither of these files seems to make use of this routine.

Using Interactive Disassembler Pro (IDA Pro) on the Ants2WhaleHelper file revealed its main payload as _mapBuffer (Figure 1), which appears to be a modified version of the _memory_exec function (Figure 2).

Figure 2. The _memory_exec function copied from the GitHub post

This function looks like it was based on code from the GitHub post; however, there were no references that point to the _memory_exec function. Moreover, the payload has a _resolve_symbol function that does not seem to be used. NukeSped typically retrieves and launches its payload from a web server, so it does not need the superfluous _resolve_symbol function, which locates data internally. It also does not appear to be necessary, as evidenced in Figure 3.

Figure 3. The _resolve_symbol functions of NukeSped (left) vs. Bundlore (right)

As Figure 4 shows, searching for the operation codes of this function on VirusTotal led to its detection in 201 files. The results yielded only two NukeSped samples, while the rest were Bundlore samples. Similarly, a search using VirusTotal's Retrohunt yielded 273 results; most of these were Bundlore files, and only three were NukeSped files. However, one of these NukeSped samples was verified as the parent of a NukeSped file from the previous search. Among the Bundlore samples discovered, the oldest one dates back to May of last year.

Further investigation of these Bundlore samples from the VirusTotal query revealed that these were indeed using fileless routines, enabling Bundlore to execute a payload directly from memory. Our study of the Bundlore samples showed that these utilize the same functions that were found unused in the NukeSped samples. As seen in Figure 5, these were obfuscated, as they were under random names when disassembled in IDA Pro. While the functions have some differences, the routine for in-memory file execution remains the same (Figures 6 and 8).

Figure 6. The disassembly of NukeSped (left column) vs. Bundlore (right column) samples

The routine first decrypts the _DATA._data section to reveal the embedded Mach-O file, as shown in Figure 7. The decryption uses an XOR key that is incremented per cycle: for example, starting at 0xDD and incrementing by 0x2A gives 0xDD, 0x00, 0x2A, 0x54, 0x7E, 0xA8, 0xD2, 0xFC, 0x00, and so on.

Figure 7. The decryption routine of the _DATA._data section

It then invokes a function called NSCreateObjectFileImageFromMemory to create an adware image from the Mach-O file in memory. Afterward, NSLinkModule is called to link the malicious image to the main executable's image library.
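The decryption step above, as an added analyst-side illustration that is not code from the article or from the malware: the rolling XOR key starts at 0xDD and grows by 0x2A per byte, and a brute force over every (start, step) pair recovers the schedule from an encrypted section by checking for a plausible Mach-O header. The reset to 0x00 on byte overflow is inferred from the byte sequence the article lists and is an assumption, as is the constructed sample section.

```python
import struct

# Mach-O header constants (from <mach-o/loader.h> and <mach/machine.h>).
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_ARCH_ABI64 = 0x01000000      # set in cputype for 64-bit slices
MH_FILETYPES = range(1, 12)      # MH_OBJECT (1) .. MH_KEXT_BUNDLE (11)

def key_stream(initial, step, length):
    """One key byte per cycle: start at `initial`, add `step` each cycle.
    A sum that overflows a byte restarts the key at 0x00 (assumption, inferred
    from the article's 0xDD, 0x00, 0x2A, ..., 0xFC, 0x00 sequence)."""
    key = initial & 0xFF
    for _ in range(length):
        yield key
        key += step
        if key > 0xFF:
            key = 0

def xor_crypt(data, initial, step):
    """XOR is symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, key_stream(initial, step, len(data))))

def looks_like_macho(header):
    """Plausibility check on a candidate little-endian mach_header(_64).
    The ABI64 test disambiguates MH_MAGIC from MH_MAGIC_64, which differ in one
    byte and therefore decrypt correctly under neighbouring initial keys."""
    if len(header) < 20:
        return False
    magic, cputype, _subtype, filetype, ncmds = struct.unpack_from("<5I", header)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return False
    if bool(cputype & CPU_ARCH_ABI64) != (magic == MH_MAGIC_64):
        return False
    return filetype in MH_FILETYPES and 0 < ncmds < 0x1000

def find_embedded_macho(section):
    """Try every (initial, step) pair on the section's first 20 bytes and return
    the pairs that decrypt to a plausible Mach-O header."""
    head = section[:20]
    return [(init, step) for init in range(256) for step in range(1, 256)
            if looks_like_macho(xor_crypt(head, init, step))]

# Constructed sample (not from the article): a minimal x86_64 MH_EXECUTE header plus
# filler, encrypted with the article's schedule, standing in for the data section.
SAMPLE_MACHO = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 5,
                           0x200, 0x00200085, 0) + b"\x00" * 32
SAMPLE_SECTION = xor_crypt(SAMPLE_MACHO, 0xDD, 0x2A)

if __name__ == "__main__":
    for init, step in find_embedded_macho(SAMPLE_SECTION):
        print(f"candidate key 0x{init:02X} step 0x{step:02X}")  # 0xDD / 0x2A
        print(xor_crypt(SAMPLE_SECTION, init, step)[:4].hex())  # cffaedfe
```

Once a pair is found, decrypting the whole section with it yields the embedded file, which can then be carved and scanned like any other Mach-O.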