Tuesday, July 2, 2019

Analyzing WaningCrescent aka OSX/CrescentCore

  /     /   No comments   


This post deals with analysis of 02cf933fbc8e12b93e8ccc8d7883adc4, a sample of malware OSX/CrescentCore. Lets get started.
Lets check VT first. Here are some interesting facts
Type
      Macintosh Disk Image
Detection ratio
      1 / 57
First submission
      2019-06-24 20:51:46 UTC ( 1 week ago )
Signature size            9056
Authority                   Developer ID Application: Sanela Lovic (5UA7HW48Y7)
Authority                   Developer ID Certification Authority
Authority                   Apple Root CA
Timestamp                 Jun 17, 2019 at 3:14:07 PM
Info.plist entries        26
TeamIdentifier          5UA7HW48Y7
Signature verification Valid Signature
Signing Certificates
[+] Apple Inc.
[+] Apple Inc.
[+] Sanela Lovic

So, what do we learn:
·      DMG File
·      Signed, Sanela Lovic (5UA7HW48Y7)
·      Low detection (ESET only) even thought it’s been there for more than a week.

Now let’s download the file and see what’s inside.
As soon as we mount DMG, the label is Player. So, it can be imitating Flash player. Now when you open the DMG, there is one Player.app inside. The app has disable sign on it, which indicates that it won’t run on the Mac OS X version I’m using (using my old 10.8 image and I’ve a new one too). This can be easily determined by looking at the plist inside the app. The following key and value pair:
LSMinimumSystemVersion
10.11
The key is self-explanatory. If we change the string to 10.8, the disable sign is no more, but the application crashes as it is not meant to be run on 10.8. Before going to 10.11+, we’ll look some more artifacts if we can find.
The copyright is for company called Lights:
NSHumanReadableCopyright
            Copyright © 2019 Lights. All rights reserved.
Bundle Identifier is wiered (no offense):
CFBundleIdentifier
            com.l.r.l.m
There is one more interesting file inside Resources directory, antiviruses.json. It contains json array with entries of AV and one shouldSearch field, in this format:
[
  {
    "name": "Bitdefender",
    "shouldSearch": true
  },
  {
    "name": "Intego",
    "shouldSearch": true
  },
  …………….
  {
    "name": "Webroot",
    "shouldSearch": true
  }
]
Total of 18 entries are there.

Along with antiviruses.json, there is another file virtualmachines.json, with following entries:
[

    {

        "name": "VirtualBox",

        "shouldSearch": true,

        "shouldStop": true

    },

    {

        "name": "VMware Workstation",

        "shouldSearch": true,

        "shouldStop": true

    },

    {

        "name": "VMware Fusion",

        "shouldSearch": true,

        "shouldStop": true

    },

    {

        "name": "Hyper-V",

        "shouldSearch": true,

        "shouldStop": true

    },

    {

        "name": "Parallels",

        "shouldSearch": true,

        "shouldStop": true

    },

    ……………

    {

        "name": "ceBox",

        "shouldSearch": true,

        "shouldStop": true

    }

 ]

Also, there is one Update.zip file in Resources, which contains Updatee.app, which might be update module for the malware. The copyright for the updater is: Copyright © 2019 com.lights.oblivion. All rights reserved.

Couldn’t find anything more interesting in app directory.

Bad news, I was not able to run the sample, as this is crashing. Tried few tricks and on multiple machines, but it’s not running. I got more hashes from Intego’s blog:
638004ee6a45903dcbf03d03e31d2e83c6270377973a64188f0b89d4062f321e
b111891b698dfdafb6952b0cf89aaebde51c5c1758df316e6b843624ed2db205
8938e48a0b0f8765a017d2e25ed5a68bd7954d220e460c5aa4b1c59763ec5a8d
But these are either corrupted or not available publicly. I’ve asked them if they have some samples. Meanwhile, we’ll do some static work, like strings on the Binary File. Let’s see if we find something.
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Utils/TextUtils.swift
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Networking/Service/PixelRequest.swift
/Users/mehdira/Desktop/WaningCrescent/WaningCrescent/Models/VirtualMachines.swift
https://px-storage.com/index.php
https://refererhider.com/?http://www.vuimvox.pw/gkiw/ypwy?ci=15537909241698037507125201614113712&p2=298097
http://cdn.macclean-pro.com/mcp/builds/mcp_mcpcnsppi.dmg

Here is the link https://file.io/geAJQK for string file, if anyone wants to have a look, I'm pretty sure, I've missed something.
So there are some interesting things, mehidra is trying to Create WaningCrescent project in Swift. Also, there are some URLs which I’ll analyze and post later(don’t have access to dirty net right now), if I found anything.
It’s a shame that this app is crashing on VM, I do wanted to reverse and analyze that. But I’ll definitely see if I can find any alternate app.


Meanwhile, following conclusions can be drawn from the static analysis of the app:
·      It belongs to a legit dev or the cert is stolen (most likely), so it can bypass gatekeeper.
·      It may try to evade any antivirus present in the system as it is highly probable that it will scan for them, as we saw the json files
·      It might also try to see if, either its being run in VM (exciting) or there is VM installed on the system.
·      The username is most likely mehdira, and project name is WaningCrescent
·      There are references to some URLs, macclean-pro being highly suspicious. Vuimvox.pw also seems suspicious, but don’t have any info on it as of now.
Till next time. :)
-->

0 comments:

Post a Comment