Welcome back to another entry in our Triage Thursday update blog series! This week we have another batch of family detection updates for you, covering a selection of Windows and macOS families:
- Updated IcedID configuration extractor
- Tweaks to Redline configuration extractor
- Fix for Gozi configuration extractor
- New family detection for Klingon RAT
- Added detection for Netfilter rootkit
- New detections for several macOS families
If you missed it over the last few weeks, we are also currently hiring a Go developer to join the Hatching team and help build the future of Triage. If you think this might be of interest to you or someone you know, the full job listing can be found here - feel free to reach out with any questions.
As usual, you can also contact us with any feedback or suggestions about Triage or its analysis results. It’s a big world of malware out there and there can always be things we miss! If you notice anything not behaving as expected please do reach out and report it to us. You can contact us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Updated IcedID Configuration Extractor
IcedID is a banking trojan which targets financial information on infected machines. It’s a family in very active development, with new versions regularly popping up in the wild. As such it has been a regular feature in past blogposts, and reappears this week with another small tweak to account for a variant we’ve recently observed in public Triage submissions.
This change should mean that our extractor works as expected on even more examples of the family, and as usual we’ll be continuing to monitor for any new versions which aren’t parsed correctly.
Updated Redline Configuration Extractor
Redline is a stealer family which has seen a lot of activity since it came to prominence in early 2020. Featuring an extensive feature set for data theft and specialised C2 communications, the family has become a popular choice among cybercriminals. It has been observed to be deployed in a number of different ways including sideloading with legitimate applications, masquerading as applications like Telegram, or regular phishing attacks.
We recently observed some samples of the family where the configuration was not being properly extracted by Triage. We have reviewed a large number of Redline analyses and made some tweaks to ensure they correctly trigger the extractor. You can find a selection of examples linked below.
Fix for Gozi Configuration Extractor
Researcher @fumik0_ recently reached out to us reporting that in some recent cases our configuration extractor was returning incorrect values for the RSA key section. On review internally, we discovered that the embedded RSA public key is encrypted, and that a couple of specific build versions - 250206 and 250204 - had introduced a custom 16-byte value used to decrypt the RSA pubkey.
Additionally, the encryption algorithms in use are not always consistent, with one of the variants mentioned using AES while the other implements the Serpent algorithm.
We have now made changes to our extractor logic and these variants are handled correctly. Thanks again to Fumik0 for bringing this to our attention.
Family Detection for Klingon RAT
Klingon is a new RAT which has appeared in the wild recently, with Intezer publishing the first analysis of it just last week, although they suggest that it may have been active since 2019. The family is written in Golang and is generally well-built with robust persistence and privilege escalation methods included. It has an extensive feature set, allowing most interactions up to and including total control of an infected machine.
In addition to the base payload, the family deploys a handful of 3rd party tools post-infection to handle additional tasks, while slipping under the radar due to being commonly used as legitimate administration tools. These are
Foxmail. More information is available in the Intezer writeup linked above.
We have reviewed samples available and implemented initial signatures for the family. You can find examples below.
Family Detection for Netfilter Rootkit
Last week, researcher Karsten Hahn reported a new rootkit which reached out to C2 infrastructure in China. The samples uncovered by Karsten and others are signed by Microsoft, with the earliest examples going back to March 2021.
☢️Network filter rootkit that connects to this IP in China:
It does not look like Moriya (signature will be corrected asap)
File is signed by Microsoft. #rootkit #netfilter https://t.co/lhvmmgHn6w
— Karsten Hahn (@struppigel) June 17, 2021
Florian Roth has created a spreadsheet with a list of all currently known samples - this can be found on Google Docs here.
Early analysis suggests that the family is mostly interested in web injection-style attacks, with the main functionality revolving around intercepting and spying on SSL/TLS connections. We have examined the samples which have been reported so far, and implemented initial detection for the family. Example Triage analyses are available below.
- 210618-3wnsf3rf26 (Dropper)
- 210618-8ztgznhm72 (Dropper)
- 210618-8snkh9kp1s (Payload)
- 210618-mmn1rw4zbj (Payload)
- 210618-scf2g1k15a (Payload)
New Detections for macOS Families
At the start of the month we released the first iteration of macOS analysis support on Triage. Since then we have been looking to expand on the handful of detections we included at launch, with this week seeing 5 more additions to the roster. Below we’ll give a quick introduction to each family, and provide links to examples for your reference.
EvilQuest has been around for approximately a year, having been first reported on Twitter in June 2020.
#macOS #ransomware impersonating as Google Software Update program with zero detection.
522962021E383C44AFBD0BC788CF6DA3 6D1A07F57DA74F474B050228C6422790 98638D7CD7FE750B6EAB5B46FF102ABD
@philofishal @patrickwardle @thomasareed pic.twitter.com/r5tkmfzmFT
— Dinesh_Devadoss (@dineshdina04) June 29, 2020
As stated in the tweet, the family is a ransomware which targets only macOS systems. The initial samples impersonated Google Update software, and were found to be distributed via pirated versions of popular software for macOS available through torrent sites. This has proved to be an effective distribution vector for a few macOS families, as users will generally be less cautious of warnings around unsigned software when they are installing pirated programs.
A detailed writeup of the family can be found here.
GMera is a trojan stealer reported in late 2019. The family was observed being distributed as a fake stock trading application imitating the well-known macOS app
The family comes in 2 main variants, using different infection methods but with the same end goal. Both reported versions spoof the Stockfolio app, with a legitimate version of it bundled alongside the malware to run when the sample is launched and give the user the impression that the program is working as expected. However the malware itself also runs in the background.
A detailed writeup of the family can be found from TrendMicro here.
GravityRAT is a cross-platform malware reported on by Cisco Talos back in 2018. It exclusively targeted systems operated by the Indian armed forces, and this along with some indicators within available samples has led many to attribute it to Pakistani threat actors.
SecureList reports that the family initially only supported Windows systems and potentially goes back as far as 2015. In 2018 it added support for Android systems, and in 2020 this was extended further to include macOS. A writeup of the macOS variant specifically is available on objective-see.com here.
A much more recent family than those covered so far, HydroMac is a multi-stage malware which functions as a full-featured RAT and backdoor. First reported by Confiant earlier this month, it targets Apple’s M1 computers.
Thanks to information leaked from a flashcards application, Confiant was also able to discover details of the family’s C2 infrastructure and the commands used to carry out actions. More details on that can be found at the link above.
Like EvilQuest above, Shlayer is commonly distributed via cracked/pirated software available through popular torrent sites. The samples masquerade as Flash player installers/updates, acting as a downloader for additional payloads via shell scripts. Most of the scripts observed were code-signed, making it easier to get them through mac-based protection mechanisms.
The family includes no functionality of its own besides its dropper role, but naturally this means that it can pose a significant threat to a system.