Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult.

However, the capabilities of the Mac malware used in Careto were not as sophisticated as those of its Windows counterpart. (We detect this as OSX_CARETO.A.) It connects to a hardcoded command-and-control (C&C) server and runs /bin/sh to open a shell, which then executes commands sent from the C&C server. This particular backdoor is only approximately 88 kilobytes in size, which is not particularly large (especially since it contains both 32- and 64-bit code). However, analysis of this malware is still not easy, due to the encoding and encryption mentioned above. In this blog post, we look into the details of this encoding and encryption.

Figure 1. File structure of OSX_CARETO.A

Configuration Encoding

When this malware is run, it first decodes its configuration data. The encoding algorithm is pretty simple: the bytes are XORed alternately with 0x7F and 0x10, so every other byte uses the same key byte. Among the encoded information are its C&C server, a shared secret for network communication, and the program path for the command shell. The C&C server used here is itunes212.appleupdt.com, which has now been sinkholed.
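To make the decoding step concrete, here is an added example (not code from the original post or from the malware itself) that implements the alternating XOR scheme described above and pulls printable strings out of the result. The interpretation that even offsets use 0x7F and odd offsets use 0x10, the NUL-separated layout of the configuration block, and the sample values other than the C&C host name are assumptions made for this example; the shared secret shown is a placeholder.

```python
# Added example: decoder for the two-byte alternating XOR configuration
# encoding. Assumption: bytes at even offsets are XORed with 0x7F and bytes
# at odd offsets with 0x10. XOR is its own inverse, so the same routine
# also encodes, which lets the sample below be built offline.

KEY_BYTES = (0x7F, 0x10)


def decode_config(blob: bytes) -> bytes:
    """XOR each byte with 0x7F or 0x10 depending on the parity of its offset."""
    return bytes(b ^ KEY_BYTES[i % 2] for i, b in enumerate(blob))


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Split decoded data on NUL bytes and keep printable ASCII runs.

    The NUL-separated layout is an assumption of this example, not a
    documented property of the real configuration block.
    """
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample configuration in the style the post describes: C&C host,
# a shared-secret placeholder, and the shell path. It is encoded with the same
# routine so the decoder can be exercised without a real sample.
SAMPLE_PLAINTEXT = (
    b"itunes212.appleupdt.com\x00"
    b"SHARED_SECRET_PLACEHOLDER\x00"
    b"/bin/sh\x00"
)
SAMPLE_ENCODED = decode_config(SAMPLE_PLAINTEXT)  # symmetric, so this encodes


def decode_sample() -> list:
    """Decode the constructed sample and return the strings found in it."""
    return extract_strings(decode_config(SAMPLE_ENCODED))


if __name__ == "__main__":
    print("encoded blob:", SAMPLE_ENCODED.hex())
    for s in decode_sample():
        print("decoded string:", s)
```

To use this against a real sample, replace SAMPLE_ENCODED with the bytes of the configuration region carved from the binary; if the decoded output is not readable, the offset parity (which key byte comes first) is the first assumption to flip.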

Figure 2. Configuration decoding

Figure 3. C&C Server

Network Traffic Encryption

The malware then connects to its C&C server (found in the decoded configuration) and sends two 20-byte SHA1 checksums. These are used later as part of the AES encryption keys. The first SHA1 checksum is created from the current time and the process ID (PID). The second SHA1 checksum is created in a similar way, from a new timestamp and PID+1.

The encryption keys for sending and receiving are different. They are created by calculating the SHA1 checksum of a shared secret and the two SHA1 checksums mentioned earlier. All succeeding network traffic is encrypted with AES using these two keys.

Figure 4. Generate checksum

Figure 5. AES encryption key

Figure 6. Shared secret for network traffic

Command Shell

The malware then sends a 16-byte message to the C&C server as a challenge. If it gets the correct response from the C&C server, it creates a shell by opening /bin/sh. Attackers can then control the machine by sending commands, which are executed in the opened shell.

Figure 7. Command shell

Figure 8. /bin/sh

Conclusion

Compared to its corresponding Windows version, this Mac version is not as sophisticated. It is fairly common nowadays for malware to encode its configuration data. This is an attempt to create multiple variants and circumvent security products (particularly those still reliant on signatures).

However, unlike most modern Windows malware, only the configuration information is encoded, and the main program code is left intact and unobfuscated. It is likely that future Mac malware will see similar attempts at obfuscation, making analysis more difficult.

In addition to the Mac version of Careto, we also detect the Windows malware related to this attack (BKDR_CARETO.A, BKDR_CARETO.B, and BKDR_CARETO.D). The URLs used in this attack are also blocked by the appropriate Trend Micro products. In addition, network administrators may use DNS blacklisting in order to detect and protect their users. For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.
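As an added example of the DNS-based detection mentioned above (not code from the original post or from any Trend Micro product), the following scans resolver query logs for lookups of the sinkholed C&C domain named earlier. The log line layout and the log lines themselves are constructed for this example; adapt the regular expression to the format your resolver actually writes.

```python
# Added example: flag DNS queries for the Careto C&C host in resolver logs.
# The only indicator used is the domain named in the post; everything else
# (log format, timestamps, client addresses) is constructed for this example.
import re

CC_DOMAINS = {"itunes212.appleupdt.com"}

# Assumed log layout: "<timestamp> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_cc_lookup(qname: str) -> bool:
    """True if the query is for a C&C domain or any label beneath it."""
    n = normalize(qname)
    return any(n == d or n.endswith("." + d) for d in CC_DOMAINS)


def find_cc_lookups(lines):
    """Return (timestamp, client, domain) for every matching, well-formed line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        if is_cc_lookup(m.group("qname")):
            hits.append((m.group("ts"), m.group("client"), normalize(m.group("qname"))))
    return hits


# Constructed sample log: two benign lookups, two C&C lookups (one with
# mixed case and a trailing dot), and one malformed line.
SAMPLE_LOG = """\
2014-03-10T09:12:01Z 10.0.0.15 query www.example.com A
2014-03-10T09:12:07Z 10.0.0.23 query ITUNES212.appleupdt.com. A
2014-03-10T09:13:44Z 10.0.0.15 query updates.example.net A
2014-03-10T09:15:02Z 10.0.0.42 query itunes212.appleupdt.com AAAA
malformed line that should be skipped
""".splitlines()


def scan_sample():
    """Run the detector over the constructed log."""
    return find_cc_lookups(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, client, domain in scan_sample():
        print(f"{ts} {client} looked up {domain}")
```

Matching on the normalized name rather than the raw query string matters in practice: resolver logs often record a trailing dot or preserve the client's letter case, and an exact string comparison would miss those.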

The hashes of these files are as follows.

BKDR_CARETO.A:
087b7121546e4de28ec9f118d5f60fe7fe926118
0AEED3B0A049FB859A46AC9B8C64EF924AF4A924
224696022C6E7440ADA4F2549D4432CC9F9EAE04
29B643993C0A912A7268114ABF65915A5754B224
5E7833FA8EDC069443BB1239DE3291AA1E3FC9C8
B5ADDFF79E625183C30370A0CCE124FD1255BA7D
CCE60EB5D6997A2DE2EBD164A4C1C63D8DBB0738

BKDR_CARETO.B:
0081e20b4efb5e75f9ce51e03b2d2d2396e140d4
10086ca8864c87eb5eb179593d3b2c7c1bc6d042
3C4055CC39511D22EEDA71014FFE487BAD4CB264
7B9ED3549748BF5EBA72E6C10FF3C8D1E7294A8B
7C30DC5D96023A1AA018921b4f01e98960992cb9
77FF442653D662D17272F5BFD42F166D73E15DD2
83F5E4A6238F4EC83F982A0DC18DB969B6DC93E5

BKDR_CARETO.D:
11A56B3B8780A08889434B2D914DEBF7E2C8C999
43931A35886E3d820AAEC70a58CCDFE815f31E84
EDF95EE4CD6CB092F91A3781120F40F77E356f00

OSX_CARETO.A: