## OSX Malware Linked to Operation Emmental Hijacks User Network Traffic

**[Posted on: July 10, 2017](http://blog.trendmicro.com/trendlabs-security-intelligence/2017/07/)** at 7:00 am | **[Posted in: Malware](http://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)** | **[Author: Rubio Wu (Threats Analyst)](http://blog.trendmicro.com/trendlabs-security-intelligence/author/rubiow/)**

The OSX_DOK malware (detected by Trend Micro as OSX_DOK.C) showcases sophisticated features such as certificate abuse and security software evasion that affect machines running Apple's OSX operating system. This malware, which specifically targets Swiss banking users, uses a phishing campaign to drop its payload, which eventually results in the hijacking of a user's network traffic using a Man-in-the-Middle (MitM) attack. OSX_DOK.C seems to be another version of WERDLOD (detected by Trend Micro as [TROJ_WERDLOD](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_werdlod.d)), a malware that was used during the [Operation Emmental](http://blog.trendmicro.com/trendlabs-security-intelligence/finding-holes-operation-emmental/) campaigns—an interesting development that we will tackle further in this blog post.

**_Arrival Method and Infection Flow_**

_Figure 1: OSX_DOK.C infection routine for Mac systems_

OSX_DOK.C first arrives via a phishing email that contains files labeled as either .zip or .docx files. The sample we analyzed was a purported message from a police inspector in Zurich claiming to have been unable to contact the recipient. The email also comes with two files attached that claim to contain questions for the user: one is a .zip file, which is a fake OSX app, while the other is a .docx file used to target Windows operating systems using WERDLOD. Both of these samples work as banking Trojans and provide similar functionalities.

Some examples of the files used in the email attachment include the following:

- Zahlungsinformationen 01.06.2017.zip
- Zahlungsinformationen digitec.zip
- Dokument 09.06.2017.zip
- Dokument 09.06.2017.docx
- 06.2017.docx

Once the docx file included in the phishing email is clicked, a warning window will pop up:

_Figure 2: Warning window on OSX_

After this, the App Store on the system will be removed, followed by a full screen fake OSX update screen.

_Figure 3: Fake OSX update screen_

It will ask for a password to run commands as root.

_Figure 4: Fake OSX update screen_

The malware will begin to download other utilities. It relies on [Homebrew](https://brew.sh/), an open source software package manager, to install Golang and Tor. The malware will then install fake certificates in the system to perform a MitM attack without notifying the user.

The structure of the fake App Store matches the [application bundle structure](https://developer.apple.com/library/content/documentation/CoreFoundation/Conceptual/CFBundles/BundleTypes/BundleTypes.html#//apple_ref/doc/uid/10000123i-CH101-SW1) and provides both English and German interfaces. The main executable is Dokument.app/Contents/MacOS/AppStore. The archive in Mac OSX looks like this:

_Figure 5: Fake document file_

Mac OSX will run the application if its certificate passes validation. In this case, the malware is signed off by a "developer", which may actually be a dummy account or that of a compromised user. In addition, the time stamp on the CA is new, which might mean that it was obtained specifically for this attack.

The fake certificate imitates the COMODO root certificate. Take note that the fake certificate does not contain a COMODO Certificate Authority seal that certifies its validity, as seen in the comparison below:

_Figure 6: Comparison of a fake COMODO root certificate (left) vs. a genuine COMODO certificate (right)_

We noticed that this malware will not work for Mozilla Firefox or Google Chrome since these two browsers have their own root certificates. Of all the major browsers, only Safari uses the system's certificates.

We observed the attacker targeting both Windows and Mac OSX in the same spam mail on June 9, 2017. There is a file shortcut embedded in the malicious .docx file—one that will download an executable file from Dropbox—that executes once clicked by the user. The functionalities are similar to those of the malicious app, which include installing Tor and a proxy.

We have already notified Dropbox about the use of its service for this malware. Dropbox has already taken down the links.

The malware will install two proxies running on localhost ports 5555 and 5588. All of the traffic will be hijacked into the first proxy (port 5555) with the victim's external IP address as a parameter.

_Figure 7: Installing proxies on localhost port 5555_

The first proxy (port 5555) first reads the IP parameter. If the IP is not in Switzerland, the traffic will proceed as normal. If it detects an IP located in Switzerland, the malware will run obfuscated JavaScript code to find the domain being visited. If the domain is in the target list, the malware will perform a MitM attack and redirect the traffic to the second proxy (port 5588), which routes the traffic to the Tor network. The purpose of these steps is to target users in Switzerland and hijack their traffic.

After deobfuscating the malware, we found the target domains:

_Figure 8: Hardcoded list of target banking websites in Switzerland_

The target domains' visitors will be redirected to an e-banking login page that looks and acts normally, but is located on dark web sites.

However, once the victim enters an account and password, a window will pop up.

_Figure 9: Hijacking connection to EKR bank_

The pop-up window is just smoke and mirrors; nothing actually happens once the countdown timer reaches zero.

We analyzed the webpage and found that the attackers inject a script into it. Once the user enters an account and password, the script initiates a POST request using AJAX. The POST message is sent to the same site as the fake login page—which an attacker can control inside the Tor network.

_Figure 10: POST message carrying arguments_

We decoded the data section and found not only the account and password, but also a fingerprint of the user's browser and system information.

While Operation Emmental was able to bypass two-way authentication by tricking its victims into installing a fake app, we have not observed OSX_DOK.C doing this. However, since the attackers can inject code into the webpage, they have the ability to do this as well.

**_Performing static analysis on OSX_DOK.C_**

We performed static analysis on the sample and found it packed by Ultimate Packer for Executables ([UPX](https://upx.github.io/)), an open source executable packer that is often abused by malware. We successfully unpacked the initial sample we found with the UPX unpacker.

The malware is not obfuscated, so we easily found interesting strings. We can see that the malware relies on the bash shell for most of its setup.

_Figure 11: OSX_DOK.C strings_

We were not able to unpack the sample discovered after June 9, 2017. UPX gave a warning message about a memory buffer overflow. The malware author seemingly made unpacking the malware more difficult to slow down or even evade the antivirus engine's scanning process. The packer is the same, but the malware exploits a previously undiscovered bug in the UPX library that causes the unpacking to fail. We have reported the issue to the UPX team, and they have already fixed it. [The impacted versions of the UPX library are 3.94, 3.93, and 3.92.](https://upx.github.io/upx-news.txt) This technique enables the malware to run normally while evading unpacking by the UPX library integrated into antivirus engines.

**_Connecting OSX_DOK.C with WERDLOD_**

As mentioned earlier, we believe that OSX_DOK.C might be the MAC OSX version of WERDLOD, an online banking malware that used the same techniques as Operation Emmental. [Other research](http://brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same) has also connected the OSX malware and Retefe (the external name for WERDLOD) via similarities in their behavior.

While OSX_DOK.C is designed for MAC OSX, which is a Unix-like system, WERDLOD is designed for Windows. But in terms of features and behaviors, these two malware are very similar. Here is a list of their similarities.

_Both malware kill all running browsers before installing fake certificates:_

Both WERDLOD and OSX_DOK.C are designed to kill the browser process before installing fake certificates. While WERDLOD kills processes for Internet Explorer, Firefox, and Chrome, OSX_DOK.C does the same for Safari, Firefox, and Chrome.

_Both malware share the same proxy settings and script:_

While WERDLOD and OSX_DOK.C use different code (since they target different operating systems), they have similar proxy settings and script formats. In particular, WERDLOD uses a script served from hxxp://127.0.0.1:555/#{random_string}.js?ip=#{my_ip} as its proxy configuration:

_Figure 12: Local Area Network (LAN) settings_

Comparing it to OSX_DOK.C, we can see that it uses the same script format:

_Figure 13: OSX_DOK.C network settings_

_Both malware have similar targets:_

Both WERDLOD and OSX_DOK.C targeted financial institutions, with a particular focus on banks in Switzerland. Further analysis of both malware revealed that their main targets are very similar, as seen in the screenshot below. While it's possible that this is a coincidence, the rest of the evidence makes it unlikely for these two malware to target the same organizations by chance.

_Figure 14: OSX_DOK.C target banks_

Given the connection between WERDLOD and OSX_DOK.C, it is reasonable to assume that the latter is also a part of the Operation Emmental campaign. To further illustrate, here is a timeline of Operation Emmental and its potential relationship to OSX_DOK.C:

_Figure 15: Connecting Operation Emmental with OSX_DOK.C_

**_Mitigation and Trend Micro Solutions_**

Despite phishing incidents for Mac devices being rarer than their Windows counterparts, users should still be aware that attackers can target them at any moment. By implementing best practices against phishing-type attacks—such as refraining from downloading files unless they are absolutely certain that they come from trustworthy sources—users can avoid being victimized by malware such as OSX_DOK.C that preys on users who lack awareness of phishing strategies.

In addition, end users can also benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against viruses, ransomware, malicious websites, and identity thieves. It also provides secure storage of passwords and other sensitive information. [Trend Micro™ Mobile Security for Apple devices](https://www.trendmicro.com/us/home/products/mobile-solutions/iphone-ipad-security/) (available on the App Store) can monitor and block phishing attacks and other malicious URLs.

For enterprises, [Trend Micro's Smart Protection Suites with XGen™ security](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html), which support Mac systems, infuse high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

_With additional analysis from Yi-Jhen Hsieh (DSNS lab, National Chiao Tung University)_
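The hijack chain the post describes (a loopback auto-proxy URL carrying the victim's IP address, two local proxies on ports 5555 and 5588, and a PAC script that routes selected domains to the second proxy) translates into three host-side checks a responder can run on a suspect Mac. The script below is an added example written for this page, not Trend Micro's code: it assumes the output formats of `networksetup -getautoproxyurl <service>` (`URL:` / `Enabled:` lines) and `lsof -nP -iTCP -sTCP:LISTEN` shown in its constructed samples, the PAC script is a constructed stand-in for the obfuscated JavaScript, and the bank domains in it are placeholders, not the real target list.

```python
"""Triage helpers for the local-proxy traffic hijack: loopback auto-proxy URL
with an ip= parameter, loopback listeners on 5555/5588, and static triage of
the served PAC script. Added example, not Trend Micro's code; input formats
are assumed and all samples are constructed."""
import re
from urllib.parse import parse_qs, urlparse


def is_loopback(host):
    """True for hosts that point at the local machine (127/8, ::1, localhost)."""
    if not host:
        return False
    host = host.strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def check_autoproxy(output):
    """Return a finding if the enabled auto-proxy URL has the Emmental shape
    (loopback host, .js path, ip= query parameter), otherwise None.
    Assumed input: text of `networksetup -getautoproxyurl <service>`."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    url = fields.get("url", "")
    enabled = fields.get("enabled", "").lower() == "yes"
    if not enabled or not url.startswith("http"):
        return None
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    if is_loopback(parsed.hostname) and parsed.path.endswith(".js") and "ip" in query:
        return {"url": url, "port": parsed.port, "ip_param": query["ip"][0]}
    return None


# Assumed `lsof -nP -iTCP -sTCP:LISTEN` line: COMMAND PID ... TCP host:port (LISTEN)
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+.*?TCP\s+(\S+):(\d+)\s+\(LISTEN\)")


def loopback_listeners(lsof_output, ports=(5555, 5588)):
    """Return (command, pid, port) for loopback listeners on the given ports;
    the post names 5555 (hijack proxy) and 5588 (relay into Tor)."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        cmd, pid, host, port = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if is_loopback(host) and port in ports:
            found.append((cmd, pid, port))
    return found


PROXY_RE = re.compile(r"\b(PROXY|SOCKS5?|HTTPS?)\s+([\w.\-\[\]:]+):(\d+)")
STRING_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'")
HOST_RE = re.compile(r"^(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def analyze_pac(pac_text):
    """Static triage of a PAC script without executing it: the proxy endpoints
    it returns and the host literals it tests against."""
    proxies = set()
    for scheme, host, port in PROXY_RE.findall(pac_text):
        proxies.add((scheme, host, int(port)))
    hosts = set()
    for dq, sq in STRING_RE.findall(pac_text):
        literal = dq or sq
        if HOST_RE.match(literal):
            hosts.add(literal.lower())
    return {
        "proxies": sorted(proxies),
        "loopback_proxies": sorted(p for p in proxies if is_loopback(p[1])),
        "routed_hosts": sorted(hosts),
    }


def triage(autoproxy_output, lsof_output, pac_text=None):
    """Combine the three checks into a list of findings (empty on a clean host)."""
    findings = []
    proxy = check_autoproxy(autoproxy_output)
    if proxy:
        findings.append("auto-proxy URL on loopback with ip= parameter: %s" % proxy["url"])
    for cmd, pid, port in loopback_listeners(lsof_output):
        findings.append("loopback listener on port %d: %s (pid %d)" % (port, cmd, pid))
    if pac_text:
        pac = analyze_pac(pac_text)
        for scheme, host, port in pac["loopback_proxies"]:
            findings.append("PAC routes %d host pattern(s) to %s %s:%d"
                            % (len(pac["routed_hosts"]), scheme, host, port))
    return findings


# Constructed samples (placeholder IPs, PIDs and domains).
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:5555/a1b2c3.js?ip=203.0.113.7\nEnabled: Yes\n"
SAMPLE_LSOF = """COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
AppStore  812 alice    5u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 127.0.0.1:5555 (LISTEN)
AppStore  812 alice    6u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:5588 (LISTEN)
tor       903 alice    7u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 127.0.0.1:9050 (LISTEN)
sshd       77 root     4u  IPv6 0x1a2b3c4d5e6f7084      0t0  TCP *:22 (LISTEN)
"""
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  var targets = ["ebanking.example-bank.ch", "login.example-kantonalbank.ch"];
  for (var i = 0; i < targets.length; i++) {
    if (dnsDomainIs(host, targets[i]) || shExpMatch(host, "*.example-bank.ch")) {
      return "PROXY 127.0.0.1:5588";
    }
  }
  return "DIRECT";
}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTOPROXY, SAMPLE_LSOF, SAMPLE_PAC):
        print(finding)
```

On a live host, feed `check_autoproxy` the output for each service listed by `networksetup -listallnetworkservices`; the URL check is deliberately not tied to port 5555, so the WERDLOD variant served from 127.0.0.1:555 with the same `.js?ip=` shape is flagged as well. `analyze_pac` only pattern-matches string literals, so it will miss domains an obfuscated script assembles at runtime; treat an empty `routed_hosts` with a loopback proxy endpoint as a reason to deobfuscate, not as a clean result.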