A
You're listening to the Cyberwire Network, powered by N2K.
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
C
So we have some different live hunt rules set up, and this one we actually stumbled upon because of the way in which it was performing shell-outs to collect process information. And we sort of said, hey, like, there's a lot more going on with this executable than just collecting processes, right? It's doing some really interesting stuff.
B
That's Jaron Bradley, director of Jamf Threat Labs. The research we're discussing today is titled ChillyHell: A Deep Dive into a Modular macOS Backdoor.
C
So that's kind of what initially caught our attention, and then the more we looked at it and kind of observed it, we saw it aligned with a report that had been previously done by Mandiant. It was a private report that they shared at one point, and they gave us permission to share a little bit of additional detail on it when we released the blog post.
B
Well, I mean, let's dig into the details here together. What is ChillyHell? What is it setting out to do here?
C
Yeah, so ChillyHell is really, even if you look at the strings of it, a pretty obvious backdoor. As soon as you start glancing at it, if you're familiar with, you know, reverse engineering or anything like that, it jumps out immediately as, kind of, I don't know, it looks a bit cybercrimey right off the get-go. There's strings inside of the executable that just say "welcome to chilly hell," like, in caps and exclamations, you know, it's just kind of interesting right off the bat. But it is a backdoor that's definitely set up to give attackers access in the background on a Mac computer. And I believe there were different variants of it as well. At Jamf we're heavily focused on the Apple side, so that's the sample that we went and took a look at. But I believe it comes in multi-platform, written in C.
But that's ultimately what it's doing is it's connecting back to an attacker kind of in a stealthful manner.
B
And how would someone find themselves contending with this? How does it find its way onto somebody's Mac?
C
We think it's relatively targeted in terms of the attacker and the creator, given, like I said, we found this in VirusTotal. We don't know exactly who's been hit by it or been affected by it. We know that it came out in 2021, which is when it was notarized, which I can speak to in a second. But that's to say it's been around for a long time, and it's very difficult to tell how many people have maybe been hit by it, because it's being used by, again, an actor that seems like they're perhaps cybercrime-focused but maybe also still a bit targeted in terms of who they'd actually go after.
B
Well, you noted that this is Apple-notarized. It was also developer-signed; you all pointed that out in the research here. What's the significance of that?
C
Yeah, definitely. So if you're not familiar with the process of kind of how Apple carries out their app distribution process, essentially you pay for an Apple developer certificate. You pay for that through the Apple Developer Program generally, and you get this signing certificate where you're able to basically build an app and then you sign it cryptographically, saying, hey, I, developer XYZ, built this app, I'm assigning it to my account. And in order for an app nowadays to open without any hiccups, without any pop-ups, without anything that says Apple was unable to scan this app, are you sure you know what you're opening, you know, stuff like that, in order to not cause any of those pop-ups, you have to be signed and notarized by Apple. Your app does. So a lot of what we've been seeing on the malware side from Apple- or Mac-focused malware has been unsigned malware where attackers often include some type of instructions in terms of how to execute, right? Maybe they pop something up that says, in order to install this you must run it in the terminal. And some users fall for this. But the appropriate way to actually pass all the checks and rouse the least amount of suspicion is to sign it as though you were a real developer. So sometimes attackers get their hands on these certificates, sometimes they apply for them, and then they're able to cryptographically sign that malware. So that's what we saw in this case, which I would say is a bit of an anomaly these days, because we don't often see it getting signed. But even more rare, this one was submitted to Apple and it passed that notarization check. So the second portion that I referred to was notarization, where before distribution, again, for no hiccups to go off, you have to upload your app to the Apple notarization service, where they perform some type of scan.
It's a black box; we don't know what it is. It's just something on their side where they run your app through a number of checks, and they tell you whether or not it's notarized, and if it failed that test you generally get a message why. So this being notarized in 2021 would have been around the time Apple was setting up this process. I can't remember the exact year that Apple added this notarization step, but it would have been pretty early in the process. But it's just a bit surprising to still find this kind of completely unmarked in VirusTotal, completely signed and notarized, even today.
B
I'd say, yeah, it's an interesting observation. I mean, given, as you said earlier, how overt this was in kind of calling itself out as being perhaps up to no good, and yet it still managed to make its way through multiple layers of both being developer-signed and Apple-notarized.
C
Yeah, and that's kind of one of the plus sides of this whole process that Apple has set up: as soon as the executable is found, it can be un-notarized, right? And that'll essentially cause all those pop-ups to occur on your system. Once they've revoked that notarization, or the team ID in general, they can revoke that as well, the signing certificate, and now anything that creator has made will essentially be broken across all Apple devices and it won't work. So the response can be very speedy. But when something does slip through like this, even analysts might be more likely to kind of dismiss it, saying, ah, well, that's signed and notarized, right? That doesn't look like malware. And maybe that's something that occurred in this case. Who knows? But yeah, I'd agree that it was pretty surprising that this just kind of hid for so long.
B
We'll be right back.
B
Well, let's dig into some of the details of how ChillyHell works. My understanding is it profiles the host and tries to blend into a system.
C
Yeah, it uses a lot of file names that would not attract a lot of suspicion, which is something we see pretty regularly in, well, malware in general, but especially on the Apple side. You've got so many files on the operating system that are just called com.apple this or that, or you have so many services running at the same time. And this malware, the creator definitely took a look at, you know, what exists on the operating system and tried to create different files, if it had to create files, to try and blend in, definitely with file names that wouldn't rouse too much suspicion. But yeah, it did a lot of that. It did some profiling of the user that was on the system, you know, pretty typical stuff that malware does as soon as it runs, and sends those details back up to the attacker, where that's then saved and they're able to identify the computer should they need to determine whose computer that is or try to pinpoint a certain computer. But those are the first steps that it does. I'd say some of the really interesting stuff is some time stomping that it does. This is particularly interesting to me as a security analyst on the Apple platforms, because we don't see a whole lot of that kind of anti-forensics approach on the Apple side. It gets done, and we're seeing a little more of it here and there, but that's a technique that this particular malware was doing that I don't feel like we've seen in a lot of malware that we've reversed as of late. And then it would even do that at a programmatic level, where it would try to do it without shelling out to a bunch of commands, which can be kind of a giveaway that you might be a malicious process if you're doing really weird shell commands, right? And we see it doing that in a more stealthful manner. So that was something pretty interesting to see, I think, from this specific sample.
B
For folks who aren't familiar, can you describe to us what time stomping is?
C
Yeah. So in the Mac world, when it comes to malware, this is, I think, for sure most common when you're dropping persistence on the system, at least in the context that I've seen it. Attackers like to try and ensure that those persistence items, because they're such good indicators of usually where malware is pointed and what it's trying to run at startup, a lot of times they will try to adjust the timestamps on those daemons so that it looks like they're tied to, or they were installed at the same time as, another service, and that they match the timestamps of another service. So I've seen that quite a bit from malware. Again, ChillyHell does that in kind of a more stealthful manner than I've seen it done by other malware. But yeah, that's essentially it. You're adjusting the metadata timestamps of files to try and make them jump out less to forensic analysis and incident response.
B
Right. So these files that it installs just look like any of another handful of system files that got installed with the OS, that sort of thing.
C
Yeah. The big technique is usually to take another installed service and take the exact timestamps of that service and apply it to your newly installed malicious service.
B
I see. Well, let's talk about command and control here. How does ChillyHell communicate with its operators?
C
Yeah, so essentially it does this by entering a loop. You know, a lot of malware does this from the daemon perspective, but the loop that we identified in this case is: it's retrieving tasks, it's making sure that there's not an existing instance of that task already running, and then, so long as there's not, it's going to execute, and then it's going to sleep for a random number between 60 and 120 seconds. And that's just, once again, another kind of anti-detection technique, right? A lot of times analysts and threat hunters may be able to identify malware if it's doing an exact sort of check every X number of seconds. That's sometimes a good way to detect beaconing, through frequency analysis. And so it picks a random sleep, a number between 60 and 120, and that way, you know, it's not always going to be consistent and it won't look as obvious from a beaconing perspective.
B
So, yeah. You mentioned in the research that there's a modular design here. Why is that significant? What are some of the modules that you all were able to find?
C
Yeah, so a lot of them are ones that you would expect to find built into malware. But the modular design, and basically making the malware expandable should the developer want to, is certainly something that we take interest in. And it means, you know, there might be new iterations of this malware in the future with more modules, right? So, connecting back to a shell, obviously a very popular feature to have in your malware where you can run direct shell commands. And that includes doing it in a pretty well-designed way from the Unix side. Obviously part of macOS is this sort of, it's very Unix feeling, that BSD side of the operating system, right? So the way that it was developed was pretty knowledgeable in terms of how to create that shell. A lot of attackers will do something very hacky and just do this thing where you pass a single command over the network, the malware sees that command, and then it just sort of spews it out and sends all the output back. This was done by actually creating a pseudo terminal, which generally means you're taking the time to do it correctly, if you do it that way. So that to me is always an interesting feature in malware, because it kind of dictates how familiar the creator was with the operating system they were going after.
B
Well, how does ChillyHell compare to the typical macOS malware that you all study?
C
Yeah, great question. I think from a stealth perspective of the executable itself, the second we looked at it, it was pretty obvious. So maybe not super obfuscated or stealthy in that perspective. But I think in terms of the design of it, and again, this is designed in C, it's not Go or Nim or some of these other languages that we're seeing lately that kind of have this inherent sort of obscurity when you compile the executable. So maybe that was one of the reasons that it felt so simple to reverse compared to other samples we're seeing as of late. But from the setup and from the attacker's knowledge of the Unix side, I'd say it's a little more advanced from the design perspective, on that side. We did also see some noisy stuff like a password cracker being included as one of the modules that you're referring to. And that's kind of a noisy approach to a solution, to actually crack passwords on the system, because you're obviously going to be using a lot of CPU and resource-intensive operations to do that. So again, not the stealthiest of malware that we've encountered as of late, but it's still a fairly well-developed piece of malware.
B
Yeah. Well, what are your recommendations, then? I mean, how should folks best protect themselves here?
C
Yeah, it's funny, because a lot of the recommendations that we used to see coming along from the Windows side, right, as the malware market just kind of exploded on the Windows side a long time ago, as Macs are becoming more popular, a lot of those recommendations are still the same, they're just coming later than they originally came on the Windows side. So in this case, just with this particular malware and what the actors were seen historically doing, it comes down to knowing what you're installing, right? So even in this campaign, in the original campaign, the actor was responsible for basically taking over websites, as more of a watering hole attack type of approach, right? Which makes it very complicated. Like, you're on a website you think you trust, and what you're installing you think you're doing legitimately, right? So it can be very difficult. But ultimately what the attacker was having you install was something very pointless that, if you took the second to ask, like, all right, I'm on this website, I trust the website, it wants me to install this, what is it? You have no idea. Like, maybe you could just second-guess whether you actually need to install it, right? Or take the time to discover what you're installing. So it's a very basic solution, one that's just taking the extra second to know whether or not you're installing something, figuring that out.
Now, from the perspective of what can we as security folks do, right? It comes down more towards the telemetry side, knowing what's being installed, knowing what your employees are installing out there, and making sure you have visibility into those types of questions so that you can identify attacks like this. That becomes more the solution, is making sure you have the right visibility.
B
And I say this as a Mac user, with my tongue in my cheek, that perhaps when it comes to malware, our sense of smug superiority needs to be a thing of the past.
C
Right? Yeah, absolutely. And that's something that I've been speaking to a lot lately. Again, we've just been seeing the market shift a little more, even in terms of, yeah, we went on this journey since the year 2000, where we've gone from the single, maybe the executive team at a company using an Apple device or a couple Apple devices, to all of a sudden the entire engineering team is using Apple devices. Your engineering team holds access to so many important computers and so many different important processes at your company, most likely. So this thing where we're like, well, they're on Macs, so we're probably fine, like, that is, as that market share continues to shift a little more, it's getting... we have to ask ourselves that a little more and more as Macs become more prevalent in our environments.
B
Our thanks to Jaron Bradley, director of Jamf Threat Labs, for joining us. The research is titled ChillyHell: A Deep Dive into a Modular macOS Backdoor. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Episode: When macOS gets frostbite.
Published: December 6, 2025
Host: Dave Bittner (N2K Networks)
Guest: Jaron Bradley (Director, Jamf Threat Labs)
This week’s Research Saturday episode dissects a signed and notarized modular macOS backdoor dubbed ChillyHell. Host Dave Bittner is joined by Jamf Threat Labs director Jaron Bradley, whose team uncovered and analyzed the malware. The conversation covers how ChillyHell operates, its Developer ID code signing and Apple notarization, its stealth and anti-forensics measures, its modular architecture, and the wider implications for macOS security. The episode closes with advice for security teams and users as threats shift toward Apple devices.
ChillyHell was first noticed by Jamf during live threat hunting through its unusual process collection and shell-out activity.
“We sort of said, hey, like there's a lot more going on with this executable than just collecting processes, right? It's doing some really interesting stuff.” (Jaron Bradley, [01:59])
The sample was linked to a prior private Mandiant report, and Jamf obtained permission to share further details publicly ([02:37]).
ChillyHell is a multi-platform, C-based backdoor designed for covert remote access:
“There's strings inside of the executable that just say ‘welcome to chilly hell’ in caps and exclamations, you know... it's just kind of interesting right off the bat.” (Jaron Bradley, [03:16])
The malware connects stealthily to attackers and has been developed with a clear and deliberate approach to hiding its presence.
ChillyHell appears targeted rather than widespread; the sample was found on VirusTotal, and victims are not known.
Notably, the malware dates back to at least 2021, raising questions about how it evaded detection for so long.
ChillyHell was both developer-signed and Apple-notarized, a rare combination for Mac malware. Because it carried a Developer ID signature and had passed Apple's notarization scan, it ran on Macs without any Gatekeeper warnings or blocks, and it was still signed and notarized when Jamf found it.
Significance:
“When something does slip through like this, even analysts might be more likely to kind of dismiss it, saying, ah, well, that's signed and notarized, right? That doesn't look like malware.” (Jaron Bradley, [09:43])
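The check a responder wants at this point is whether a suspect binary is merely signed or actually notarized, and which team ID signed it, since revocation works at the team ID or certificate level. The following is an added example, not code from Jamf or from the research: it parses the `key=value` output of `codesign -dvv` and the verdict of `spctl --assess --type execute --verbose=4` (both tools write to stderr), and it runs the real tools only on macOS. The sample outputs below are constructed in those tools' formats; the bundle name, identifier and team ID `ABCDE12345` are placeholders.

```python
import platform
import subprocess

# Constructed sample in the format `codesign -dvv <path>` writes to stderr.
# Identifier, company and team ID are placeholders, not values from the research.
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2021 at 12:00:00 PM
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=172
"""

# Constructed Gatekeeper verdicts in the format of
# `spctl --assess --type execute --verbose=4 <path>`.
SAMPLE_SPCTL_NOTARIZED = """\
/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SAMPLE_SPCTL_UNNOTARIZED = """\
/Applications/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SAMPLE_SPCTL_UNSIGNED = """\
/Applications/Example.app: rejected
source=no usable signature
"""


def parse_codesign(text):
    """Pull the fields an analyst triages out of codesign's key=value lines."""
    info = {"authorities": [], "flags": ""}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        elif key.startswith("CodeDirectory"):
            # The value looks like "20500 size=1234 flags=0x10000(runtime) ..."
            for token in value.split():
                if token.startswith("flags="):
                    info["flags"] = token[len("flags="):]
        elif key in ("Identifier", "TeamIdentifier", "Timestamp"):
            info[key] = value
    info["developer_id"] = any(a.startswith("Developer ID Application:")
                               for a in info["authorities"])
    info["apple_rooted"] = "Apple Root CA" in info["authorities"]
    info["hardened_runtime"] = "runtime" in info["flags"]
    return info


def parse_spctl(text):
    """Parse a Gatekeeper verdict; 'source' separates notarized from merely signed."""
    lines = text.strip().splitlines()
    verdict = lines[0].rsplit(": ", 1)[-1] if lines else ""
    fields = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
    source = fields.get("source", "")
    return {"accepted": verdict == "accepted",
            "source": source,
            "notarized": source.startswith("Notarized")}


def triage(codesign_text, spctl_text):
    """Combine both views into a one-line verdict for a hunting queue."""
    cs, gk = parse_codesign(codesign_text), parse_spctl(spctl_text)
    team = cs.get("TeamIdentifier", "none")
    if gk["notarized"] and cs["developer_id"]:
        return f"notarized Developer ID binary, team {team}: trusted by Gatekeeper, still worth a look"
    if cs["developer_id"] and not gk["notarized"]:
        return f"Developer ID signed but not notarized, team {team}: Gatekeeper will prompt or reject"
    if not gk["accepted"]:
        return f"rejected by Gatekeeper ({gk['source'] or 'unknown reason'})"
    return f"accepted via {gk['source']}, team {team}"


def assess_on_disk(path):
    """Run the real tools (macOS only) and feed their stderr to the parsers above."""
    if platform.system() != "Darwin":
        raise RuntimeError("codesign and spctl are only available on macOS")
    cs = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose=4", path],
                        capture_output=True, text=True)
    return triage(cs.stderr, gk.stderr)


if __name__ == "__main__":
    print(triage(SAMPLE_CODESIGN, SAMPLE_SPCTL_NOTARIZED))
    print(triage(SAMPLE_CODESIGN, SAMPLE_SPCTL_UNNOTARIZED))
    print(triage("", SAMPLE_SPCTL_UNSIGNED))
```

The point of the `notarized` branch is the one Bradley makes: a clean Gatekeeper verdict is a reason to look at the team ID and what else it has signed, not a reason to close the ticket.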
Host Profiling & File Name Masquerading: on first run the backdoor profiles the logged-in user and sends those details to the operator, and any files it drops use names modeled on existing macOS files and services (the com.apple.* pattern) so they blend in with the operating system.
Time Stomping, an Anti-Forensic Tactic: the backdoor copies the timestamps of an existing installed service onto its own persistence items so they look as though they were installed at the same time, and it does so programmatically rather than by shelling out to commands that would stand out in process telemetry.
“You're adjusting the metadata timestamps of files to try and make them... jump out less to forensic analysis and incident response.” (Jaron Bradley, [13:56])
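Both tactics above leave a checkable trace. A `utimes(2)` time stomp rewrites a file's atime and mtime, but the kernel bumps the inode change time (ctime) to "now" on that call, so a stomped persistence item shows an mtime far older than its ctime, whereas a file genuinely written long ago has the two within seconds of each other. And a launchd plist whose Label starts with com.apple. but which lives outside /System is out of place. The following is an added example, not code from Jamf or from the research: it performs the programmatic stomp (no `touch -r`) on a constructed impostor plist and then audits the directory for both signals. The temporary directories, plist labels and program paths are constructed for the demo; the one-hour slack is an assumed threshold.

```python
import os
import plistlib
import tempfile
import time

# Allowed gap between mtime and ctime before a file is flagged (assumed threshold).
STOMP_SLACK_SECONDS = 3600


def stomp_timestamps(target, reference):
    """Copy atime/mtime from reference onto target via utimes(2), with no shell-out.

    This mirrors the programmatic approach described in the episode and gives the
    detector below something realistic to catch. ctime of target becomes 'now'.
    """
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def label_masquerades_as_apple(plist_path):
    """True when a launchd plist outside /System carries a com.apple.* Label."""
    with open(plist_path, "rb") as fh:
        label = plistlib.load(fh).get("Label", "")
    in_system_dir = os.path.realpath(plist_path).startswith("/System/")
    return label.startswith("com.apple.") and not in_system_dir


def timestamps_look_stomped(path, slack=STOMP_SLACK_SECONDS):
    """True when mtime is much older than ctime, the signature utimes(2) leaves."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def audit_persistence_dir(directory):
    """Return {plist name: [findings]} for every .plist in a launchd directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        hits = []
        if label_masquerades_as_apple(path):
            hits.append("apple-label-outside-system")
        if timestamps_look_stomped(path):
            hits.append("mtime-older-than-ctime")
        findings[name] = hits
    return findings


def _write_plist(path, label, program):
    with open(path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": [program],
                       "RunAtLoad": True}, fh)


def run_demo():
    """Constructed scenario: one honest third-party daemon, one stomped impostor."""
    root = tempfile.mkdtemp()
    system_dir = os.path.join(root, "system")          # stands in for /System/Library/LaunchDaemons
    daemons_dir = os.path.join(root, "LaunchDaemons")  # stands in for /Library/LaunchDaemons
    os.makedirs(system_dir)
    os.makedirs(daemons_dir)

    # A long-lived system plist the impostor will copy its timestamps from
    # (backdated here only because the demo has to manufacture an old file).
    reference = os.path.join(system_dir, "com.apple.reference.plist")
    _write_plist(reference, "com.apple.reference", "/usr/libexec/reference")
    long_ago = time.time() - 400 * 86400
    os.utime(reference, (long_ago, long_ago))

    # Genuine third-party daemon, freshly installed, honest label.
    _write_plist(os.path.join(daemons_dir, "com.example.agent.plist"),
                 "com.example.agent", "/usr/local/bin/agent")

    # Impostor: Apple-looking label in the third-party directory, then time-stomped.
    impostor = os.path.join(daemons_dir, "com.apple.updates.plist")
    _write_plist(impostor, "com.apple.updates", "/Library/Application Support/.u/updates")
    stomp_timestamps(impostor, reference)

    return audit_persistence_dir(daemons_dir)


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {', '.join(hits) or 'clean'}")
```

The mtime/ctime comparison is only a first filter: an attacker with root can also reset birth time on APFS, so on a real host pair it with a file-system snapshot or install-log baseline. Pointing `audit_persistence_dir` at /Library/LaunchDaemons and /Library/LaunchAgents is the intended use.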
Sophisticated Process Execution: the remote shell module is implemented by allocating a pseudo terminal rather than by naively executing one command per message and returning its output, which Bradley reads as a sign of real Unix familiarity on the author's part.
C2 Mechanics: the daemon loops, retrieving tasks from the operator, checking that the same task is not already running, executing it, and then sleeping for a random 60 to 120 seconds so that check-ins have no fixed period for frequency-based beacon detection to key on.
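The random 60 to 120 second sleep defeats a detector that looks for one exact period, but uniform jitter has its own signature: every inter-arrival interval lands in a narrow band, so the intervals have a low coefficient of variation and a small max/min spread, unlike user-driven traffic, whose gaps are heavy-tailed. The following is an added example, not code from Jamf or from the research: it simulates the check-in timing a ChillyHell-style loop would produce, simulates user-driven connections with the same mean gap for contrast, and scores both. The execution-cost range, the exponential model for human traffic and the thresholds are assumptions for the demo.

```python
import random
import statistics

# Detection thresholds (assumed for this example, not values from the research).
MIN_SAMPLES = 10      # intervals needed before scoring
MAX_CV = 0.5          # coefficient of variation of inter-arrival intervals
MAX_SPREAD = 3.0      # longest interval divided by shortest


def intervals(timestamps):
    """Inter-arrival gaps, in seconds, between consecutive connections."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Return (coefficient_of_variation, spread) of the gaps, or None if too few."""
    gaps = intervals(timestamps)
    if len(gaps) < MIN_SAMPLES:
        return None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean
    shortest = min(gaps)
    spread = float("inf") if shortest <= 0 else max(gaps) / shortest
    return cv, spread


def looks_like_jittered_beacon(timestamps):
    """Flag a host whose connections to one destination fall in a tight interval band."""
    score = beacon_score(timestamps)
    if score is None:
        return False
    cv, spread = score
    return cv < MAX_CV and spread < MAX_SPREAD


def simulate_chillyhell_checkins(n, start=0.0, seed=7):
    """Constructed timestamps from a loop that runs a task, then sleeps 60..120 s.

    The 0.5..3 s per-iteration task cost is an assumption, not from the research.
    """
    rng = random.Random(seed)
    t, out = start, []
    for _ in range(n):
        out.append(t)
        t += rng.uniform(0.5, 3.0) + rng.uniform(60, 120)
    return out


def simulate_human_connections(n, start=0.0, seed=7, mean_gap=90.0):
    """Constructed user-driven traffic: exponential gaps with the beacon's mean."""
    rng = random.Random(seed)
    t, out = start, []
    for _ in range(n):
        out.append(t)
        t += rng.expovariate(1.0 / mean_gap)
    return out


if __name__ == "__main__":
    for name, ts in (("chillyhell-style loop", simulate_chillyhell_checkins(60)),
                     ("user browsing", simulate_human_connections(60))):
        cv, spread = beacon_score(ts)
        print(f"{name}: cv={cv:.2f} spread={spread:.1f} "
              f"beacon={looks_like_jittered_beacon(ts)}")
```

In practice the input is the list of connection times from one host to one external destination pulled from proxy or flow logs; the same mean gap in both simulations is what makes the shape of the distribution, not its rate, the discriminator.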
Modular Architecture:
“The modular design and basically kind of making the malware expandable should the developer want to, is certainly something that we take interest in.” (Jaron Bradley, [16:46])
Code is written in C (not Go or Nim), making reverse engineering easier than with some newer malware.
For Users:
“If you took the second to ask, like, all right, I'm on this website. I trust the website. It wants me to install this. What is it? You have no idea... just taking the extra second to know whether or not you're installing something, figuring that out...” (Jaron Bradley, [20:09])
For Security Teams:
Establish granular telemetry and visibility into installed apps and user behaviors to quickly spot anomalies.
Don’t assume that code-signing and notarization are perfect protections.
“From the perspective of what can we as security folks do?... It comes down more towards the telemetry side, knowing what's being installed, knowing what your employees are installing... making sure you have visibility...” (Jaron Bradley, [21:43])
The myth of Apple/macOS invulnerability is fading:
“Perhaps when it comes to malware, our sense of smug superiority needs to be a thing of the past.” (Dave Bittner, [22:11]) “We've just been seeing the market shift a little more... from the single, maybe the executive team at a company using an Apple device... to all of a sudden, the entire engineering team is using Apple devices... your engineering team holds access to so many important computers and so many different important processes...” (Jaron Bradley, [22:42])
As Macs become more prevalent in corporate environments, attackers are clearly taking notice and shifting their resources accordingly.
On Malware’s Brazen Branding:
“There’s strings inside of the executable that just say ‘welcome to chilly hell’ in caps and exclamations...” (Jaron Bradley, [03:16])
On Signed and Notarized Malware:
“This one was submitted to Apple and it passed that notarization check. So the second portion that I referred to was notarization, where before distribution, again, for no hiccups to go off, you have to upload your app to the Apple notarization service, where they perform some type of scan.” (Jaron Bradley, [07:47])
On macOS Security Posture:
“The entire engineering team is using Apple devices... so this thing where we’re like, well, they’re on Macs, so we’re probably fine... it’s getting... we have to ask ourselves that a little more and more as Macs become more prevalent in our environments.” (Jaron Bradley, [22:54])
Research cited: ChillyHell: A Deep Dive into a Modular macOS Backdoor (Jamf Threat Labs)