Security researcher and former NSA hacker Patrick Wardle has demonstrated a way to modify state-created Mac malware to run his own code instead of the payloads from the government servers.
The sophistication of the malware makes re-purposing it attractive to other attackers, including other governments …
ArsTechnica reports that Wardle made the argument during a conference presentation.
“There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that’s fully featured and also fully tested,” Wardle said during a talk titled “Repurposed Malware: A Dark Side of Recycling.”
“The idea is: why not let these groups in these agencies create malware and if you’re a hacker just repurpose it for your own mission?” he said.
The sophisticated malware is able to defeat the protections built into macOS.
Wardle was able to make other tweaks to his repurposed pieces of code so they would bypass malware mitigations built in to macOS. For instance, because the Xprotect malware scanner is based on file signatures, changing a single byte of reused code is sufficient for it to completely escape detection. And when Apple-issued signing certificates have been revoked, it’s trivial to unsign the software and sign it with a new certificate. And to remove warnings displayed when users try to execute code or install apps downloaded from the Internet, it’s easy to remove the programming flags that make those warnings appear.
The way this type of malware works is to upload captured data to servers owned by the government which created them, and to download additional malware from these servers. Wardle was able to crack the encryption used and to point the malware to his own server instead.
The repurposing caused the malware to report to command servers belonging to Wardle rather than the servers designated by the developers. From there, Wardle had full control over the recycled malware. The feat allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.
He said that in addition to the risk of other hackers doing this, there are two reasons other governments might sometimes hijack another government’s malware instead of using their own.
It may allow attackers, particularly those from state-sponsored groups, to infect high-risk environments, such as those that are already infected and under the eye of other malicious software actors. In that position, many nation-state hacking groups will forgo deploying their crown-jewel malware to keep proprietary tactics, techniques, and procedures private.
Repurposing someone else’s malware might be a suitable alternative in these scenarios.
In the event that the malware infection is detected and forensically analyzed, there’s a good chance that researchers will misattribute the attack to the original hackers and not the party that repurposed the malware.
This is, he says, already happening. For example, there is evidence that malware developed by the NSA has been used by China, North Korea, and the Russian Federation. Something to bear in mind when the US government is asking Apple to create a compromised version of iOS for use by US law enforcement.
You can watch Wardle’s presentation below, see the slides here and get a good description of how Wardle pulled off the hijack in the full ArsTechnica report.
It should be noted that Wardle is describing state-created Mac malware made possible through effectively unlimited resources; most Mac malware out there is more nuisance than threat.
FTC: We use income earning auto affiliate links. More.
Comments