LABScon Replay | InkySquid: The Missing Arsenal

InkySquid (aka Group123, APT37) is an infamous threat actor linked to North Korea that has been active for at least 10 years. This actor is known to use social engineering in order to breach targets and exploit n-day vulnerabilities in Hangul Word Processor (HWP), as well as browser-based technologies.

One of the most documented intrusion sets used by this actor is RoKRAT, a Windows RAT using cloud providers as C2 servers. In this presentation, Paul Rascagneres discusses a macOS port of RoKRAT. Paul describes the internal mechanisms and different espionage features of the malware, as well as built-in attempts to bypass macOS security features and embedded exploit code based on n-day exploits.

InkySquid: The Missing Arsenal: Audio automatically transcribed by Sonix

Yeah. First of all, I'm really impressed to be here in front of you, and the venue is amazing. So thank you to the program committee who accepted my talk and to the organizers for organizing the event. The content has been very good so far. Yeah, so I'm French, as you can hear, and I work at Volexity on the threat intelligence team. Previously I worked for Kaspersky GReAT and Cisco Talos, and I mainly work on CTI and malware analysis, and this talk will be about that topic, malware analysis, and more specifically about macOS malware. And if you want to contact me after the presentation, if you have questions or if you want some file or stuff like that, you can contact me on Twitter. My DMs are open, or on Keybase, and I would be happy to share what you need. It's not a problem.

So let's speak about the agenda. I will speak about a macOS malware I worked on in April this year, and I was really excited to work on this case because I don't often work on macOS malware because, you know, malware does not exist on macOS. So I was really excited about that. And the presentation will be about the workflow. So the first stage, the downloader; the second stage, the malware itself and its different capabilities; and the last part will be more about the attribution and why we linked it to InkySquid and why we think in fact it's a macOS version of RokRAT.

And before starting, I need to mention this thing: so I worked on it in April. We published a private report at the beginning of May. In the middle of May, I replied to the call for papers, and at the beginning of July I received the mail that I'm accepted. And in the middle of July, Marc-Etienne published a blog post about the malware I was working on. So I was a little bit sad. I discussed with Juan to know if I needed to cancel my talk, if I needed to find something else, and discussed with my colleagues. And Rene's friend told me something very funny. He told me, you know, being scooped by ESET is probably the proof your research is solid. So I decided to do it, and I decided to speak a little bit more about the attribution and why we think it's the macOS version of RokRAT, because it's not mentioned in the ESET publication.

So ESET named the malware CloudMensis; we named it BaDRAT. In the presentation I will use our name because that's the name we used in our report before the publication, but it's the same malware. So. Yeah.

First, let's discuss a little bit about InkySquid. So it's also named APT37 by Mandiant, ScarCruft by Kaspersky, Group123 by Cisco Talos. And it's a North Korean threat actor. And mainly, from my knowledge, they target defectors or people linked to this domain, like lawyers and stuff like that. A big issue for us when you want to follow this specific threat actor is that most of the time they target personal computers, so they don't target companies. They target the users directly.

They are known to use spear phishing and watering holes, and they often use a couple of N-day exploits. So I think they used a zero day once a few years ago, but most of the time it's not zero days, it's N-days, and we will see if they do exactly the same thing in this case. And we already published two things about this specific threat actor.

Yeah, just for information, as ESET already published something, we won't do it. We won't publish anything after their publication. So if you want something, feel free to ping me, I will give you what you need. But I don't think we will publish something. It won't be super interesting after the ESET publication.

So why did we name it BaDRAT? It's simply that in the compilation path in the sample you have 'BaD' in the name. You also have a name which is LeonWork, and you have a version. So here it's version 29. We think it's 2.9 in fact, but it means it has been around for a while. We only discovered it in April this year, but it has been there for a long time. So it's macOS malware and it supports the x86 architecture and the ARM architecture. You have both binaries compiled. Yeah.

The first stage is a downloader. So as you can imagine, it downloads something, and as a downloader it uses pCloud. So you have an API key in the binary. It downloads the next stage from pCloud, and in fact it downloads one step, the final malware, BaDRAT, and it also drops a persistence file. So.

Here is the persistence file. So it's simply a classical macOS daemon. It's nothing really complicated. But yeah, the purpose is to execute something named WindowsServer, which is funny for macOS malware.

Something interesting in the downloader: so it doesn't do anything except downloading something and dropping it to a file. But the developer forgot old code, so it's not executed, but it's still here, and it's an old exploit from 2017. So I think they removed it because it doesn't work anymore. It's too old, but they removed it without removing the code itself, and it's a privilege escalation. So it's something public, and it was probably used after the publication on GitHub because you really have a copy-paste of a GitHub project. So it's probably an N-day used by this actor.

So if we look at the malware itself, you really have all the capabilities of something for espionage. So the malware is able to execute arbitrary commands, to provide a remote shell to the attackers, to perform screenshots, to perform keylogging (I put a screenshot of the keylogging), to do some exfiltration based on file extension. So it has a dictionary of file extensions and it will exfiltrate all the files with these extensions.

Something interesting is if you plug a USB device, it will use this extension list to exfiltrate all the documents from this USB device.

And there is also an email parsing mechanism. So it parses the user's Library email repository and exfiltrates all the attachments received by the user, always based on these extensions.

And it is also able to execute AppleScript directly from the malware. So something interesting is: there is absolutely no obfuscation. So everything is in plain text. You can almost read it. The only obfuscation is the configuration file, which is kind of more important because you have the API key, etc. And here I reimplemented the algorithm as they implemented it. Finally, it's a simple XOR, but they do a lot of weird stuff to do XOR. So it's basically an XOR implementation.

And in the configuration file, you have the version, 29 in our sample, which means a couple of different versions can live together because each version will have its own configuration file. So yeah.

So the configuration file contains a lot of details on the infected machine, so the malware will collect the IP, country, username, hardware, hostname, so a full image of the infected system. This information will be sent to the attackers at the first connection, and the API key for the cloud provider, and the malware supports three cloud providers: Dropbox, pCloud and Yandex in our sample.

Something interesting is: the cloud provider is identified by an integer and it starts at two. So we assume in the past they had one, because nobody starts counting at two. So they probably supported another provider in the past, but it was removed in this sample.

And from a code point of view, the code for the three cloud providers is here. It's simply the configuration file which says, I will use this code or that one; you have the implementation embedded in the file for the three providers. It will also contain a path where the malware puts its temporary stuff; the extensions, we will see the extensions a little bit after, so that's the extensions I mentioned previously; and a generated ID to identify the victim. We will see it's used on the C2 server. And a zip password. So everything is exfiltrated by using zip and a password, and the password is derived from the randomly generated ID.

So that's the protocol. It's really simple. So everything is based on the repository and files on the cloud provider. So the algorithm is exactly the same for all the cloud providers. And yeah, so basically all the information is sent to January, and after, everything is done in February, so the malware reads the repository and checks for files for itself. So you have the bot ID, so it knows where it needs to go. And if there is a file with a command, it executes the command; if it needs to exfiltrate something, it will exfiltrate everything to the right repository. For the shell, the interaction is also done by file, so the attackers put the command in a file, the malware reads the command, executes it and pushes the output to a file. So everything is files in the repository.

So there is a feature which is interesting on macOS. You have Transparency, Consent and Control. So basically when an application wants to be able to do, for example, a screenshot, you have a popup saying this application wants to do a screenshot, do you allow this capability, this feature? And the attackers found some trick to bypass it. So everything is done in a database which is named TCC.db, and it's a SQLite database. And so, one approach is to directly perform a SQL request on the file and say, I authorize my malware to do screenshots, to do keylogging, etc., etc. But this file is protected by SIP, which is System Integrity Protection. So normally you cannot edit this file. You cannot perform a SQLite query on this file directly, so the malware has two branches. The first one is: okay, SIP is disabled, so I can edit the file, I don't have any issue. So in this case it directly performs a SQLite query. And if it's enabled, the malware will exploit a vulnerability to edit the file. And if nothing works, it doesn't do anything and the user will receive the popup, and yeah, they need to enable some feature manually.

But in this case the CVE is a little bit more recent than the one that was in the downloader. This one is from 2020. So yeah. Now, if we look at similarities with RokRAT, it's also named DOGCALL by Mandiant I think, which is a Windows malware, and I think it's the main malware used by this group on Windows systems.

And if you look at the small table I put about the two malware, for Windows and macOS, the two malware use the same cloud providers. So it's the same three cloud providers. And the way the developer implemented it is exactly the same. You have the code of the three cloud providers and you have a flag somewhere; on macOS it's the configuration file, on Windows it's a little bit different, but it's a flag saying I will use this cloud provider with this API key. So it's exactly the same thing.

If we look at the extensions targeted by the attacker: so the first thing, they have a list of extensions in both malware, and it's not exactly the same. If you look, the main difference between the Windows version from last year and the macOS version of this year is first, the new version supports the extended documents like docx, xlsx, etc. But you can see the hwp extension, which is a Google word processor. It's the word processor used in South Korea. So it's kind of specific. And you also have very uncommon file types; I think about which one in the list here, amr, so .amr. It's a compressed audio file used by, you know, speech coding, when you speak and it directly writes your text. So it's very specific, and yeah, so it's not exactly the same extensions but it's very close.

The design of the malware is really, really similar. Obviously it's macOS and Windows, so if you compare the code it's different, but the logic is very similar. And the protocol used on the cloud provider is not exactly the same on Windows, it doesn't use months, etc., but it's based on files and repositories. So we have something very, very similar. So that's why we estimate that BaDRAT is the RokRAT version for macOS.

So for the conclusion, we have a threat actor which is more than probably based in North Korea. It has been active for more than ten years and it's still active. Before, it was mainly known for using the RokRAT implant on Windows. Today we know that they also have a macOS version of the malware. They are known to use social engineering and exploit N-day vulnerabilities.

So in this case, we don't have the infection vector, so we don't know how the malware is deployed. But if we had to bet, to guess, we would not be surprised if they used watering holes and an exploit to deploy the malware, at least the downloader, and after that everything is installed. But we don't know.

So yeah. Thank you for your time. If you have questions, feel free to write me. If you need a sample or whatever, feel free to ping me. And if you have questions, we have 2 minutes.

Silas has.

So interesting thing. I think it also is there are wildly overlaps from the goal back board games that do overlap between the two. But the question I have is. Any work or anything that's going.

Can you repeat the question?

Yeah. So, yeah, the short version of the question: did we see an Android version? So no, we didn't. But for us at least, it's kind of complicated because on Android, generally, they speak on WhatsApp directly with the target, like a date or something like that, and install the application. So if it's not on front of us, it's kind of difficult to have the answer. Maybe you should ask the people at Google. They will probably have the answer. They're also using Google and Microsoft. Yeah.

All right. I heard that fireball is good for jet lag. So cheers.
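The talk describes how the implant grants itself screen-capture and keylogging permissions by writing rows into the TCC.db SQLite database (directly when SIP is off, via an exploit otherwise). The defender-side check is the reverse: read TCC.db and flag grants for sensitive services that go to clients you do not expect, or that carry no code-signing requirement. The script below is an added example, not code from the talk, from Volexity or from the malware; the `access` table it builds in memory is a constructed, simplified subset of the real TCC schema (column names `service`, `client`, `client_type`, `auth_value`, `csreq` are real; older macOS releases use `allowed` instead of `auth_value`), and the `/path/to/WindowsServer` client, the allowlist and the sample rows are constructed for the demo. Reading the real databases requires Full Disk Access for the auditing process.

```python
import sqlite3
from dataclasses import dataclass

# Real locations of the two TCC databases (system-wide and per-user).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"

# Services a spyware implant like the one in the talk needs.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",        # screenshots
    "kTCCServiceListenEvent",          # input monitoring (keylogging)
    "kTCCServiceAccessibility",        # synthetic input / UI scraping
    "kTCCServiceSystemPolicyAllFiles", # Full Disk Access (mail, documents)
}


@dataclass(frozen=True)
class Finding:
    service: str
    client: str
    reason: str


def open_readonly(path):
    """Open a TCC.db read-only so the audit can never modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_grants(conn):
    """Return (service, client, csreq) for every allowed row in `access`.

    macOS 11+ stores the decision in auth_value (2 = allowed); older
    releases used a boolean `allowed` column, so pick whichever exists.
    """
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    allowed = "auth_value = 2" if "auth_value" in cols else "allowed = 1"
    return conn.execute(
        f"SELECT service, client, csreq FROM access WHERE {allowed}"
    ).fetchall()


def audit_tcc(conn, expected_clients):
    """Flag sensitive grants to unexpected clients or without a csreq.

    expected_clients maps service -> set of bundle ids / paths that are
    legitimately allowed to hold that permission on this host.
    """
    findings = []
    for service, client, csreq in load_grants(conn):
        if service not in SENSITIVE_SERVICES:
            continue
        if client not in expected_clients.get(service, set()):
            findings.append(Finding(service, client, "client not in allowlist"))
        elif csreq is None:
            # A row inserted by hand tends to lack the code-signing
            # requirement that tccd records for user-approved grants.
            findings.append(Finding(service, client, "grant without csreq"))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER, csreq BLOB)"
    )
    rows = [
        # user-approved grant to a known app, with a csreq blob (constructed)
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, b"\xfa\xde\x0c\x00"),
        # camera grant: not in the sensitive set, ignored by the audit
        ("kTCCServiceCamera", "com.apple.FaceTime", 0, 2, 2, b"\xfa\xde\x0c\x00"),
        # denied request: auth_value 0, ignored by the audit
        ("kTCCServiceListenEvent", "com.example.benign", 0, 0, 3, None),
        # rows an implant would write for itself: path client, no csreq
        ("kTCCServiceScreenCapture", "/path/to/WindowsServer", 1, 2, 1, None),
        ("kTCCServiceListenEvent", "/path/to/WindowsServer", 1, 2, 1, None),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    return conn


def demo():
    """Run the audit against the constructed database."""
    expected = {
        "kTCCServiceScreenCapture": {"us.zoom.xos"},
        "kTCCServiceListenEvent": set(),
    }
    return audit_tcc(build_sample_db(), expected)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.service}: {f.client} ({f.reason})")
```

On a real host, call `audit_tcc(open_readonly(path), allowlist)` for both `SYSTEM_TCC_DB` and the expanded `USER_TCC_DB`; the allowlist is the part you maintain per fleet, and a hit on a path-type client with no `csreq` is the pattern worth escalating, since that is what a direct SQLite insert leaves behind.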

About the Presenter

Paul Rascagneres is a principal threat researcher at Volexity. He performs investigations to identify new threats, and he has presented his findings in several publications and at international security conferences.

About LABScon

This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.