# From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win **[sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/](https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/)** May 9, 2022 **By Dinesh Devadoss and Phil Stokes** Researchers looking into a new APT group targeting gambling sites with a variety of cross[platform malware recently identified a version of oRAT malware targeting macOS users and](https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html) written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments. ----- ## oRAT Distribution The oRAT malware is distributed via a Disk Image masquerading as a collection of Bitget [Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution](https://mothersruin.com/software/SuspiciousPackage/) identifier `com.adobe.pkg.Bitget .` ----- The disk image and installer package are notable for two reasons: neither has a valid developer signature, and the latter doesn’t actually install any files and only contains a preinstall script, a succinct bash shell script whose purpose is to deliver a payload to the ``` /tmp directory, give the payload executable permissions, and then launch it. ``` Precisely what kind of lure the threat actors use to convince targets to download and launch the dropper is unknown at this time, but given that the target would need to override default [security warnings from Gatekeeper, it is likely either that the users are sourcing the malware](https://www.sentinelone.com/blog/the-complete-guide-to-understanding-apple-mac-security-for-enterprise-read-the-free-ebook/) from an environment where this is typical (e.g., a 3rd-party software distribution site that regularly delivers unsigned software) or users have been pre-groomed to bypass Gatekeeper during a social engineering engagement of some kind. In either case, the fact that there’s no deliverable from the user’s perspective is a risky gamble on the part of the threat actors. After running the installer and finding that it did not provide whatever they were expecting, users are likely to become suspicious. This might suggest the campaign was broadly targeted and that the threat actors were playing a numbers game, happy to sweep up opportunistic infections as they occurred. ## The oRAT Payload ----- Things get more interesting when we examine the `darwinx64 payload dropped in the` ``` /tmp folder. The binary doesn’t define any Symbols, and outputting the list of Sections tells ``` us that the file has been packed with UPX. Packed files like this are opaque to static analysis, but fortunately standard UPX is very easy [to unpack thanks to the UPX utility itself.](https://upx.github.io/) [Dumping the strings tells us that it was packed with](https://www.sentinelone.com/blog/how-to-reverse-macos-malware-part-two/) UPX 3.96, the most recently released version available. The packed binary is around 3MB in size, but after unpacking we are presented with a massive ~10MB file. Such large file sizes are typical of cross-platform malware, particularly when binaries are compiled in Go, since they contain the entire run-time for the language along with a number of supporting libraries. Fortunately, from a reverse engineering perspective, we can easily ignore most of the standard code that is common to all Go bins and focus on what is unique to the sample at hand. For IDA Pro users, [see here; for](https://www.sentinelone.com/labs/alphagolang-a-step-by-step-go-malware-reversing-methodology-for-ida-pro/) [r2 users, we can start by printing out a list of the](https://www.sentinelone.com/labs/6-pro-tricks-for-rapid-macos-malware-triage-with-radare2/) functions flagged with `sym._main .` ----- In Go binaries, the program code entrypoint is at main.main, and we can work our way through there to see what other functions, packages and modules are called. Below, we see that the main.main function calls out to another custom package, `orat_utils .` The `orat_utils package contains several interesting functions and gives us an entry into` understanding how the RAT works. Of particular interest is the `LoadConfig function. This is used to parse a blob of data` appended to the binary which turns out to be an encrypted malware configuration. The encrypted data at the end of the unpacked binary occupies 166 bytes and consists of the data an AES key and two bytes representing the entire blob size ----- Once decrypted, the blob turns out to contain configuration data for the malware C2. After the malware decodes the config, it calls into `sym._orat_cmd_agent.app and begins` a number of loops through `sys._orat_protocal.Dial . Depending on the config, it will call` one of `orat_protocol.DialTCP,` `orat_protocol.DialSTCP or` ``` orat_protocol.DialSUDP to establish a connection. The TCP protocols leverage smux ``` [while the SUDP protocol leverages QUIC. The malware loops with a sleep cycle of 5](https://github.com/lucas-clemente/quic-go) seconds as it waits for a response. The `sym._orat_cmd_agent.app contains the primary RAT functionality of the malware and` defines the following functions. ----- ``` orat/cmd/agent/app.( App).DownloadFile orat/cmd/agent/app.(*App).Info orat/cmd/agent/app.(*App).Join orat/cmd/agent/app.(*App).KillSelf orat/cmd/agent/app.(*App).NewNetConn orat/cmd/agent/app.(*App).NewProxyConn orat/cmd/agent/app.(*App).NewShellConn orat/cmd/agent/app.(*App).Ping orat/cmd/agent/app.(*App).PortScan orat/cmd/agent/app.(*App).registerRouters orat/cmd/agent/app.(*App).run orat/cmd/agent/app.(*App).Screenshot orat/cmd/agent/app.(*App).Serve orat/cmd/agent/app.(*App).Unzip orat/cmd/agent/app.(*App).UploadFile orat/cmd/agent/app.(*App).Zip ## Detecting oRAT in the Enterprise ``` The SentinelOne agent detects the oRAT payload as malicious when it is written to disk, protecting SentinelOne customers from this threat. The SentinelOne agent also detects the malware on execution. ----- For those not protected by the SentinelOne platform, security teams are advised to hunt for artifacts as listed in the Indicators of Compromise section at the end of this post. ## Conclusion The oRAT malware targets macOS users using a combination of custom-written code and public Golang repos. The developers are clearly familiar with using sophisticated features of Go for networking and communications, but due to the simplistic way the malware dropper was packaged, unsigned and with no observable install to distract the victim, it would seem they are less experienced with the challenges of infecting Mac users. Unfortunately, other threat actors have provided plenty of examples from which this new player can learn, and security teams should expect to see any future campaigns from this actor using more sophisticated droppers. ## Indicators of Compromise **Filename** **SHA1** bitget-0.0.7 (1).dmg 3f08dfafbf04a062e6231344f18a60d95e8bd010 Bitget Apps.pkg 9779aac8867c4c5ff5ce7b40180d939572a4ff55 preinstall 911895ed27ee290bea47bca3e208f1b302e98648 `darwinx64 (packed)` 26ccf50a6c120cd7ad6b0d810aca509948c8cd78 `darwinx64 (unpacked)` 9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 ----- **Paths** /tmp/ darwinx64 -----