
Deconstructing APT28's XAgent for OSX

BSidesSF 2018 · 19:11 · Published 2018-04
About this talk
Security researchers analyze APT28's XAgent backdoor discovered on macOS, detailing its three-stage attack flow from spear-phishing emails through downloader to the final payload. The talk dissects XAgent's command-and-control communication protocol, command execution capabilities, and sophisticated spying modules including keystroke logging, password theft, screenshot capture, and iOS backup exfiltration—making the macOS variant the most capable version of XAgent across all platforms.
Original YouTube description
Tiberius Axinte - Deconstructing APT28's XAgent for OSX. Until now APT28 was only available for Windows, Linux and iOS operating systems. Now we've discovered a macOS version which brings more spying capabilities such as key-logging, screen grabbing and file exfiltration, and stealing iOS backups from Mac computers, which contain messages, contacts, voicemail, call history, notes, calendar and Safari data. The macOS version is the most advanced version of APT28 in terms of cyber espionage capabilities.
Transcript [en]

[Music]

Okay, so hi everyone, I'm Tiberius Axinte from Bitdefender, and today I'm going to talk about APT28 on Mac. APT28 is a known threat in the industry, but it's relatively new for the Mac ecosystem, and we will focus this presentation on the backdoor component of APT28 on Mac, which is XAgent. As an agenda for the presentation, first we will take a look at APT28 on all platforms, and then we will try to follow the APT28 attack flow on macOS. After that we will dissect and analyze the XAgent component of this attack, starting with the communication between the agent and the C&C servers; then we will see the list of commands that the malware can execute on the infected machine; and, the most important part, we will analyze every spying module that this backdoor has. In the end we will conclude with a comparison between the Mac version of XAgent and XAgent from all the other operating systems.

So APT28 was studied by many vendors from the industry, and generally speaking most of them seem to agree that behind those attacks there's a Russian-based threat actor responsible for multiple campaigns against a vast number of countries and organizations, countries from all around the globe, covering most of the continents like North and South America, Africa, Europe and Asia, targeting institutions and organizations from the aerospace, government, energy, defense and even media sectors. According to some early publications about APT28, it seems like it has been operating since as early as 2004. 2014 is the year that the first Linux sample was discovered, followed up by the iOS sample in 2015. 2016 was the year that the first Android and the first Mac component of APT28 was discovered; the Mac component actually is the downloader for the XAgent component that we've discovered last year.

So the APT28 attack flow on Mac has three stages. First, it starts with an email attachment which is a PDF document that, when opened by the victim, will be displayed on the screen with the title "Russian Federal Space Programs Projects", and here are a few pages from that document that include aerospace research information, satellite placement and so on. But actually the execution will continue in the background with the second stage of the attack, which is the downloader. This sample has download, execute and persistence on the system for the third and final stage of the attack, which is XAgent, and all these three stages sum up as a spear-phishing attack.

Okay, so XAgent is the final payload of a successful APT28 attack on Mac and it is used for data exfiltration. So we will separate our analysis in three major parts: first we will analyze the communication between the malware and the C&C servers; second we will see the command list that the malware can receive from the server; and third, and most important, the spying modules that the attacker will have after a successful attack with APT28 on a Mac machine. So first let's take a quick look at the communication between the agent and the C&C servers. The C&C server list was hard-coded in the sample and it consists of four domain names that try to impersonate Apple domain names and one IP address. When we analyzed the sample the domain names were not registered and were used only as a backup, but the IP address was up and running from a host in the United States, and actually another IP address from the same network was used by the APT28 group for an external payload in an attack against the Democratic National Committee.

The communication process between XAgent and the C&C server consists of three main threads: a GET thread used to get commands from the server and insert them in the command queue; a POST thread used to get the data from the data exfiltration queue and send it to the C&C server; and the third and main thread, which will execute those commands and then insert the results in the data exfiltration queue.

So in order to communicate with the C&C server, XAgent uses a protocol based on HTTP POST and GET messages. The URL is generated for every message and includes an identifier for the victim. The body of the HTTP message is used to send and receive data from the server, and this data is encrypted with RC4 and, on top of that, encoded with base64. So let's take a look at how data is sent to the server and exfiltrated. Here is a POST request message, which actually is the hello message that the malware sends to the server just after it was executed. If we take a quick look at how the URL is generated: first a domain name and a var are chosen from two hard-coded lists, then a marker and a token are appended to this URL for victim identification, and in the end a random number of parameters with randomly generated base64 values are appended to the URL. The marker and the data token are base64 strings, and if we decode those strings we obtain 15 bytes, which start with four bytes used to encrypt the next 11 bytes; if we decrypt those, we obtain a data token used for message integrity and the first four bytes of the unique machine identifier of the Mac machine.

Okay, so now that we've seen how the URL is generated, let's take a quick look at the data. It's also a base64 string, and if we decode that string we obtain a buffer that starts with a four-byte key used to encrypt a data token and an agent ID, also for message integrity and victim identification, and then we have an RC4-encrypted buffer prepended by a checksum for that buffer. So if we take a look at the data buffer, the data buffer is encrypted with the RC4 algorithm with a 54-byte-length key, where the first 50 bytes of the key are hard-coded in the sample and the last four bytes are generated every time a new message is sent to the server. So if we decrypt that message packet, we obtain a module ID, which is a two-byte sequence: the first byte represents an identifier for XAgent and the second byte is XAgent's version, which in our case on Mac is version number three; a command ID, which is two for the hello message; and then a sequence of bytes that represent every spying module that XAgent has registered on the infected machine; also a data size and a priority for that message.

Okay, so this is how data is sent to the server. Let's see how it can request commands from the C&C server. So here is a GET message that the malware does in order to receive a command from the C&C server, and it will also receive a command packet whose structure is formed by a command, a parameter and the size for that parameter. This data is also encrypted with RC4 and then, on top of that, encoded with base64. So this is how XAgent communicates with the C&C server. Now let's take a look at the commands that it can receive from the server. So here is the table with all the possible commands that the malware can receive from the C&C server. Each command is a one-byte-size command, and for every command that it receives XAgent will call a function from a spying module, and these commands also complement each other. Like, for example, the C&C server can send a command to XAgent to take screenshots on that infected machine and then can send another command to upload those screenshots to an FTP server.

So now that we've seen how XAgent communicates, how it exfiltrates data and how it can receive commands from the server, let's take a look at the spying modules that it has and their capabilities. So BootXLoader is the main module of XAgent, which is the entry point. First it will check if a debugger is present and if so it will break the execution; then it will check for internet connectivity against the Google DNS, and after that it will start those two main threads that we've talked about, and a main thread used for the logic of the backdoor that will also load all the other spying modules. Using the Launcher module the malware can re-launch itself: first it will move the sample to a different location on the disk, which is generated in the current user directory, and it will choose a random directory name from a list that also impersonates Apple directory names, and it will start with a dot so it will be hidden from Finder, the file explorer on Mac; then it will choose a new file name, and in the end it will start a new process from the newly created path on the disk.

Using the InfoOS module XAgent will gather information about the infected machine such as the operating system version, the unique machine identifier, the current username and also the current process list, and all this information is HTML-formatted before it's sent to the server, so the attacker must have an HTML-based interface where he can see all the infected machines. Using the HTTPChannel module XAgent communicates with the C&C server: those two GET and POST threads, and a class called HTTPChannel that stores some fields like this, the active channel for communication, arrays for commands and arrays for data to be exfiltrated. This channel, before sending any message, will encrypt and encode it using the Encoder and Encrypter modules. The encoding is done using a URL-friendly base64, where minus is replaced with plus and the underscore is replaced with slash, and the encryption module uses an RC4 algorithm with a 54-byte-length key, where the first 50 bytes are hard-coded in the sample and the last four bytes are generated every time a new message is sent to the server.

Using the FileSystem module XAgent can list, create and delete files and directories on the disk, but it can also execute the newly downloaded files from the C&C server. Also, using the FTPManager module XAgent can connect to an FTP server using credentials received from the C&C server, and with this module it can exfiltrate data, but it can also update the already registered spying modules on the infected machine. XAgent can also record all your keystrokes using a Core Graphics event tap, and then it will also format this log file as HTML and send it to the C&C server. Using the Password module XAgent can read all your Firefox passwords from the logins.json file and, by using the Network Security Services libraries, can decrypt those passwords and then it will also send them to the C&C server. It can also take screenshots using Core Graphics APIs; it will collect those screenshots at every 10-second interval, then it will resize them to an 800 by 500 resolution, and then by using the FTP module it will upload them to the C&C server. The 10-second interval can be modified as requested by the server.

XAgent can also inject code into the running applications. First it will list the application names, and if one application matches any application from a hard-coded list, then it will force AppleScript to load in that application, and by using AppleScript events it will inject code in the bundled applications. As a side note, in 2015, as part of a massive hack, Hacking Team, a private intelligence contractor who develops and sells hacking tools to governments around the world, was hacked, and then their Remote Control System, including the Mac implant source code, was leaked on GitHub. One interesting feature in the leaked code was application injection using AppleScript events, and if we compare their code with the one from the XAgent component that we found, we can see that it's basically identical; even the class names and the method names are the same. So this can be another example of malware writers reusing Hacking Team's leaked code from GitHub.

Another module called RemoteShell can be used by the attacker to remotely execute shell commands on the affected machine, but this module has an interesting function called "check backup iOS device folder", and by using that XAgent will list all the iOS backup folders that you have on your Mac. It will send that list to the C&C server, then the server will choose an iOS backup and request XAgent to upload it to an FTP server. So in an iOS backup there's a lot of sensitive information, like all your messages, all your contacts, all your calendar events, Safari data and browsing history, and also call history. So as we know, APT28 attacks target high-profile individuals, and if such an attack succeeds it can see where a person is from the calendar events, who he is talking to from the call history, or what business he conducts from the messages, and all this information from an iOS backup is very, very sensitive.

There was another module called CameraShot, but it wasn't implemented in this version, maybe in future ones. So those were the spying modules that XAgent has. Now to finish with a comparison between the Mac version and the Linux and iOS versions of XAgent: communication-wise they are basically identical, URL generation and tokens used to identify the victim are basically the same, and if we even compare the code between iOS and XAgent there are the same class names and method names. But if we compare the spying modules between Mac and Linux we can see that there are a few that are common, like the HTTPChannel, the encryption module and the encoding module, but the Mac version has way more spying modules than all the other platforms. So as a summary for the presentation: we've discovered the sample last year, in 2017; XAgent completes the APT28 attack as a puzzle piece that was missing, since we only had the dropper and the downloader from 2016; and as we've seen, the Mac version has the most spying capabilities. So we cannot say anymore that Macs can't get malware, right? Thank you.

[Music] [Applause]

Okay, thank you so much for your talk, in the name of Adobe and BSides, and let me give you the gift from us. Thank you, thank you for having me, have a nice day. [Applause]

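The message layer the talk walks through (URL-friendly base64 with '-' and '_' standing for '+' and '/', RC4 under a 54-byte key made of 50 hard-coded bytes plus 4 per-message bytes, and a hello packet carrying the agent identifier, version, command ID, registered module IDs, data size and priority), written up as an added decoder example that is not part of the talk or of Bitdefender's tooling. The 50-byte key, the placement of the per-message bytes at the head of the decoded buffer, the byte widths of the packet fields and the sample message are all constructed assumptions; the checksum and data-token fields the talk mentions are left out.

```python
import base64

# Constructed placeholder: the real 50 hard-coded key bytes are not given in the talk.
HARDCODED_KEY50 = bytes(range(1, 51))


def xagent_b64decode(s: str) -> bytes:
    """XAgent's URL-friendly base64: '-' stands for '+' and '_' for '/'; padding may be absent."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def xagent_b64encode(b: bytes) -> str:
    return base64.b64encode(b).decode().replace("+", "-").replace("/", "_")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_hello(body: str) -> dict:
    """Decode a captured POST body into the hello-packet fields the talk lists."""
    raw = xagent_b64decode(body)
    per_msg = raw[:4]  # assumption: the 4 per-message key bytes lead the buffer
    pkt = rc4(HARDCODED_KEY50 + per_msg, raw[4:])  # 50 fixed + 4 per-message = 54-byte key
    n = pkt[3]  # assumed layout: agent id, version, command id, module count, module ids, size, priority
    return {
        "agent_id": pkt[0], "version": pkt[1], "command_id": pkt[2],
        "modules": list(pkt[4:4 + n]),
        "data_size": int.from_bytes(pkt[4 + n:6 + n], "big"),
        "priority": pkt[6 + n],
    }


def build_sample_hello(per_msg: bytes = b"\x11\x22\x33\x44") -> str:
    """Constructed test input (not a captured message): version 3, command 2 (hello), 4 modules."""
    pkt = bytes([0x01, 0x03, 0x02, 4, 0x10, 0x20, 0x30, 0x40]) + (0).to_bytes(2, "big") + b"\x01"
    return xagent_b64encode(per_msg + rc4(HARDCODED_KEY50 + per_msg, pkt))
```

Swapping in the recovered 50-byte key and the real field widths from a sample turns this into a checker for captured traffic; with the placeholders it only round-trips its own constructed message.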