
During our continued research on Sofacy’s Komplex Trojan, we have found a sample of a backdoor Trojan that we believe the Sofacy group uses when targeting individuals running macOS systems. The backdoor Trojan's authors have called it XAgentOSX, which shares the name XAgent with one of Sofacy’s Windows-based Trojans and references Apple’s previous name for macOS, OS X.

It appears the same actor developed both the Komplex and XAgentOSX tools, based on similarities within the following project paths found within the tools:

XAgent OSX: /Users/kazak/Desktop/Project/XAgentOSX
Komplex: /Users/kazak/Desktop/Project/komplex

We believe it is possible that Sofacy uses Komplex to download and install the XAgentOSX tool to use its expanded command set on the compromised system.

The macOS variant of XAgent has the ability to receive commands from threat actors via its command and control channel, but is also capable of logging keystrokes via its keylogger functionality. XAgent uses HTTP requests to communicate with its C2 servers, which allows the threat actor to interact with the compromised system.

The Trojan uses HTTP POST requests, as seen in Figure 1, to send data to the C2 server, and GET requests to receive commands from the server, as seen in Figure 2. We are still analyzing this Trojan to determine the specific structure of the data sent between the Trojan and the C2 server; however, it does appear that the Trojan is using the RC4 algorithm to encrypt data sent to the C2 server within HTTP POST requests. The C2 URLs generated by XAgentOSX are very similar to those created by its Windows-based counterpart.

When generating the URL for the HTTP requests issued to the C2 server, the Trojan chooses a random folder from the following to include within the URL path:

XAgent also will choose several parameter names from the following list when finishing the construction of the C2 URL:

The XAgent OSX Trojan generates a system-specific value that it refers to as an "agent_id", which is a unique identifier for each compromised host. The value is derived using the IOService to access the IOPlatformUUID property, which is equivalent to the "Hardware UUID" listed in the system information application, as seen in the Figure 3 screenshot of our analysis system. The Trojan uses the first four bytes of this hardware ID as a unique identifier for the system, which in our case was "0000".

Figure 3 Hardware ID used by XAgent to uniquely identify compromised hosts

When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value. This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system. The data structure used to transmit the agent_id to the C2 is as follows:

The first DWORD in the data is a random value that the Trojan will use as an XOR key to encrypt the constant value and the agent_id. The constant value in the data structure is a 7 byte string that is hardcoded to "\x56\x0E\x9F\xF0\圎B\x98\x43", followed by the agent_id value ("0000" in our case). For instance, the following 15 bytes were used to generate an HTTP parameter during our analysis:

The resulting ciphertext is then encoded using XAgent's base64 encoding routine that starts by building the following encoding alphabet:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_

As you can see, this is not the standard base64 alphabet; rather, it is the "URL and Filename safe" Base 64 Alphabet from RFC 4648, as the "+" in the standard alphabet is replaced with "-" and the "/" is replaced with "_".
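To make the agent_id parameter layout concrete for analysts working through captured URLs, the following added Python (not code from the report or from the malware) decodes such a parameter back to the agent_id and accepts it only when the decrypted constant matches; a small builder produces test values. It assumes the 4-byte key is applied cyclically and travels in the clear ahead of the XORed bytes, and it uses a constructed placeholder constant because the report's hard-coded value is partly garbled in this copy.

```python
import base64
import binascii
import os
from typing import Optional

# Constructed 7-byte placeholder; the report's hard-coded constant is not
# reproduced here. Same length as the real one so the layout stays 4 + 7 + 4.
CONSTANT = b"CONST07"
URLSAFE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with the 4-byte key (assumption: the key repeats cyclically)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_agent_id_param(agent_id: bytes, key: Optional[bytes] = None) -> str:
    """Build a test parameter: random DWORD key, XORed constant + agent_id,
    then URL-safe base64. 15 bytes encode to exactly 20 characters, no padding."""
    if len(agent_id) != 4:
        raise ValueError("agent_id is the first four bytes of the hardware UUID")
    key = key if key is not None else os.urandom(4)
    blob = key + xor_with_key(CONSTANT + agent_id, key)
    return base64.urlsafe_b64encode(blob).decode("ascii")


def parse_agent_id_param(param: str) -> Optional[bytes]:
    """Recover the agent_id from a captured parameter, or None when the value
    does not fit the 4 + 7 + 4 layout or the decrypted constant does not match."""
    if not param or any(c not in URLSAFE_ALPHABET for c in param):
        return None  # '+', '/' or '=' cannot occur in a 20-char URL-safe value
    try:
        blob = base64.urlsafe_b64decode(param)
    except (binascii.Error, ValueError):
        return None
    if len(blob) != 15:
        return None
    key, body = blob[:4], blob[4:]
    plain = xor_with_key(body, key)
    if plain[:7] != CONSTANT:
        return None  # wrong layout, wrong constant, or simply not this format
    return plain[7:]


if __name__ == "__main__":
    sample = build_agent_id_param(b"0000")  # constructed sample with a random key
    print(sample, parse_agent_id_param(sample))
```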
