A macOS infostealer disguised as a dylib file named libsystd.dylib was discovered, designed to steal sensitive user data such as keychain passwords and SSH configs and upload them to the attacker’s server. The malware uses Objective-C, AES encryption for C2 URLs, Grand Central Dispatch for scheduling, and executes scripts fetched from a command and control server named appleprocesshub[.]com. #libsystd #appleprocesshub #MoonlockLab
Keypoints
- A suspicious macOS Mach-O file named libsystd.dylib was identified as an infostealer targeting private user data including bash and zsh histories, SSH info, GitHub configs, and keychain data.
- The initial dropper is an Objective-C binary using indirect method calls and Grand Central Dispatch to schedule tasks and handle network communications.
- The malware decrypts AES-encrypted base64 strings to reveal the C2 domain appleprocesshub[.]com used for downloading and uploading stolen data.
- Data exfiltration is achieved by executing a second-stage bash script named fSidEOWW.sh, which collects targeted files, compresses them, and uploads them to the attacker’s server.
- The malware uses NSUserDefaults to store a unique device identifier based on the system serial number for tracking purposes.
- The network communication employs an NSMutableURLRequest with completion handlers that reattempt connections if the server is unreachable or returns insufficient data.
- The analysis highlights the use of AES-128-ECB for simple string decryption and the indirect invocation of key functions, which hinders static analysis.
MITRE Techniques
- [T1056] Input Capture – Steals information like bash/zsh history, SSH keys, and keychain data from macOS user environments.
- [T1071] Application Layer Protocol – Uses HTTPS communication to the C2 server appleprocesshub[.]com to download and upload stolen data (‘https://www.appleprocesshub[.]com/v1/resource’).
- [T1105] Ingress Tool Transfer – Downloads a second-stage bash script from the C2 server to execute on the infected host.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Executes bash scripts using NSTask with arguments “/bin/sh -c”.
- [T1560.001] Archive Collected Data: Archive via Compression – Collects target files into a zip archive before exfiltration.
- [T1037] Boot or Logon Initialization Scripts – Tries to persist or repeatedly execute tasks using Grand Central Dispatch for scheduling ([Task request] method calls queued with dispatch_after()).
- [T1140] Deobfuscate/Decode Files or Information – Uses AES-128-ECB decryption to decode base64 encoded strings for C2 URLs and payloads (‘[Task aesd:] method decrypts strings’).
Indicators of Compromise
- [File Hash] Mach-O Initial Dropper – 3f86c4cc956a6df5ddfad5d03334ece07e78351dec3ca62390f203f82675e00f
- [File Hash] Second-stage Bash Script – 639e824e329c429a53d0e64f3a4f254131443a669da93a59a755fb7171d49745
- [Domain] Command and Control Server – appleprocesshub[.]com used for downloading scripts and exfiltrating stolen data
- [File Name] Suspicious dylib named libsystd.dylib masquerading as a legitimate dynamic library
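As an added defender-side example (not from the original report or from Kandji's analysis), the following Python script matches the indicators and the NSTask "/bin/sh -c" launch pattern listed above against constructed endpoint telemetry; the event field names (type, argv, path, sha256, host) are an assumption rather than any vendor's schema.

```python
# Indicators quoted from the report above (the domain is defanged there as appleprocesshub[.]com).
IOC_SHA256 = {
    "3f86c4cc956a6df5ddfad5d03334ece07e78351dec3ca62390f203f82675e00f": "Mach-O dropper libsystd.dylib",
    "639e824e329c429a53d0e64f3a4f254131443a669da93a59a755fb7171d49745": "second-stage script fSidEOWW.sh",
}
IOC_DOMAIN = "appleprocesshub[.]com"
IOC_FILENAMES = ("libsystd.dylib", "fSidEOWW.sh")

def refang(value: str) -> str:
    """Turn a defanged indicator (appleprocesshub[.]com) back into a matchable hostname."""
    return value.replace("[.]", ".").lower()

def classify(event: dict) -> list:
    """Return the indicator/technique hits for one telemetry event (field names are assumed)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        argv = event.get("argv", [])
        cmdline = " ".join(argv)
        # T1059.004: the dropper runs the downloaded script through NSTask as "/bin/sh -c ...".
        if argv[:2] == ["/bin/sh", "-c"] and any(name in cmdline for name in IOC_FILENAMES):
            hits.append("T1059.004 shell launch of known script: " + cmdline)
    elif kind == "file":
        digest = event.get("sha256", "").lower()  # normalise case before the hash lookup
        if digest in IOC_SHA256:
            hits.append("hash match: " + IOC_SHA256[digest])
        if event.get("path", "").rsplit("/", 1)[-1] in IOC_FILENAMES:
            hits.append("filename match: " + event["path"])
    elif kind == "network":
        host = event.get("host", "").lower().rstrip(".")
        c2 = refang(IOC_DOMAIN)
        # T1071/T1105: download and upload both go to the C2 host or a subdomain; the suffix
        # check is what keeps a lookalike such as notappleprocesshub.com from matching.
        if host == c2 or host.endswith("." + c2):
            hits.append("T1071 C2 contact: " + host)
    return hits

def scan(events: list) -> list:
    """Scan an event stream; returns (event index, finding) pairs in order."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

# Constructed sample telemetry (not real logs), built to exercise each branch above.
SAMPLE_EVENTS = [
    {"type": "file", "path": "/Users/me/Downloads/libsystd.dylib",
     "sha256": "3F86C4CC956A6DF5DDFAD5D03334ECE07E78351DEC3CA62390F203F82675E00F"},
    {"type": "network", "host": "www.appleprocesshub.com", "url": "/v1/resource"},
    {"type": "process", "argv": ["/bin/sh", "-c", "/tmp/fSidEOWW.sh"]},
    {"type": "process", "argv": ["/bin/sh", "-c", "ls -la"]},  # benign, must not match
    {"type": "network", "host": "notappleprocesshub.com"},     # benign lookalike
]
```

Running scan(SAMPLE_EVENTS) yields four findings: two for the dylib file event, one for the C2 contact and one for the shell launch, while the benign shell command and the lookalike domain produce none.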
Read more: https://blog.kandji.io/macos-appleprocesshub-stealer