April 11, 2019

MaMi - Mac Malware

As someone interested in computer security and who uses macOS on a daily basis, I am a huge fan of Patrick Wardle @ https://objective-see.com/malware.html

In a recent stream, he goes through the malware of 2018. One piece of malware in particular is MaMi, which he was able to name. I downloaded MaMi to take a look at it.

I have been playing around with jtool lately; I like the output. With it I can dump the headers.

# jtool -h MaMi
Magic:      64-bit Mach-O
Type:       executable
CPU:        x86_64
Cmds:       27
size:       4176 bytes
Flags:      0x218085

Unfortunately, jtool cannot do Intel disassembly.

# jtool -d MaMi
Intel Disassembly not supported yet. Patience, little grasshopper (you can, however, dump __TEXT.__cstring, and CFStrings)

So let's dump those strings...

# jtool -d __TEXT.__cstring MaMi
Dumping C-Strings from address 0x100038180 (Segment: __TEXT.__cstring)..
0x100038180: START
0x100038186: |START|+
0x10003818f: AppVersion: %@\rAppBuild: %@
0x1000381ab: 1.1.0
0x1000381b1: 0
0x1000381b3: uZmgulcipekSbayTO9ByamTUu_zVtsflazc2Nsuqgq0dXkoOzKMJMNTULoLpd-....73g2dsNG-qDuVi8i
0x100038aac: dnsChanger
0x100038ab7: initConfigurationFinished
0x100038ad1: |CONFIG|+
0x100038adb: time_report
0x100038ae7: |time_report|+
0x100038af6: |setupDNS|+
....

There is a lot more to the output, but already you can see a string that might make you go "huh?": 0x100038aac: dnsChanger

We can also use jtool to dump the names of the Objective-C classes in the binary.

# jtool -d objc MaMi
AppDelegate
SBMaMiSettings
SBConfigManager
SBSharedStorage
ASIDataCompressor
ASIFormDataRequest
ASIDataDecompressor
SBParamUnit
SBNetwork
SBPayload
SBDataAppender
SBUtilities
ASIHTTPRequest
SBReportManager
SBSystemInfo
SBErrorCenter
SBFileSystem
ASIInputStream
SBMaMiManager
SBCryptoSystem
ASIDownloadCache
ASINetworkQueue

jtool is really nice to use. However, even just running strings on this binary, it's pretty clear it is up to no good. I have clipped the output for brevity.

# strings MaMi
...
setRequestDidReceiveResponseHeadersSelector:
setRequestDidFailSelector:
setRequestDidFinishSelector:
setQueueDidFinishSelector:
setBytesUploadedSoFar:
setTotalBytesToUpload:
setBytesDownloadedSoFar:
setTotalBytesToDownload:
resetProgressDelegate:
...
loadMaMiAtPath: %@ %d
/bin/launchctl load -w %@
load -w %@
unloadMaMiAtPath: %@ %d
unload -w %@
...

The launchctl load string is important because that is how the malware persists: launchctl load -w loads a LaunchAgent or LaunchDaemon property list and marks the job as enabled, so it is started again at the next login or boot without any further action from the user.
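As an added example (not code from this post, from jtool, or from the MaMi sample), the Python script below reproduces the two triage steps shown above on a constructed buffer: it decodes the mach_header_64 fields that jtool -h prints (command count, command size, flags, with the flag bits named) and then scans the file for the strings the post flags as suspicious. The sample bytes, the SUSPICIOUS pattern list and the function names are assumptions; the header counts and the strings in the sample are the ones shown on this page.

```python
import re
import struct

# Mach-O constants from <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64 = 0x01000007
FILETYPES = {2: "executable", 6: "dylib", 8: "bundle"}
HEADER_FLAGS = {0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
                0x8000: "MH_WEAK_DEFINES", 0x10000: "MH_BINDS_TO_WEAK", 0x200000: "MH_PIE"}
# Assumed first-pass patterns: persistence and DNS-changing hints from the post's output.
SUSPICIOUS = [r"launchctl", r"load -w", r"dnsChanger", r"setupDNS"]

def parse_mach_header(data):
    """Decode the 32-byte little-endian mach_header_64 at the start of the file."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O header: magic=0x%x" % magic)
    return {
        "cpu": "x86_64" if cputype == CPU_TYPE_X86_64 else hex(cputype),
        "type": FILETYPES.get(filetype, hex(filetype)),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": flags,
        "flag_names": [name for bit, name in HEADER_FLAGS.items() if flags & bit],
    }

def c_strings(data, min_len=4):
    """Return (offset, text) for runs of printable ASCII, like the strings(1) tool."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Header summary plus every string that matches one of the SUSPICIOUS patterns."""
    header = parse_mach_header(data)
    hits = [(off, s) for off, s in c_strings(data) if any(re.search(p, s) for p in SUSPICIOUS)]
    return header, hits

# Constructed sample (not the real binary): a fake mach_header_64 carrying the counts
# from the post's `jtool -h` output, then a few of the strings the post shows.
SAMPLE = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 0x80000003, 2, 27, 4176, 0x218085, 0)
SAMPLE += b"\x00" * 16
SAMPLE += b"\x00".join([b"AppVersion: %@", b"dnsChanger", b"|setupDNS|+",
                        b"/bin/launchctl load -w %@", b"unload -w %@"]) + b"\x00"

if __name__ == "__main__":
    hdr, hits = triage(SAMPLE)
    print("Type: %s  CPU: %s  Cmds: %d  size: %d bytes  Flags: 0x%x (%s)" % (
        hdr["type"], hdr["cpu"], hdr["ncmds"], hdr["sizeofcmds"], hdr["flags"], " ".join(hdr["flag_names"])))
    for off, s in hits:
        print("0x%x: %s" % (off, s))
```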

I would like to spend more time on this, but it's just a hobby. I haven't really proved what it actually does here, just showed some ways to look at what a binary is up to.

For more information, check out Patrick Wardle's video on OS X malware in 2018 here; it is really interesting.

And you can find jtool here:

http://www.newosxbook.com/tools/jtool.html