SCYTHE Library: #ThreatThursday - SpeakUp

Written by Jorge Orchilles | Sep 3, 2020 4:00:00 AM

This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post will look at emulating a macOS threat known as SpeakUp.

Cyber Threat Intelligence

SpeakUp is documented and mapped to MITRE ATT&CK in its own software page. SpeakUp has a Linux and a macOS variant and we will focus on emulating the macOS variant. The main reference to this threat actor comes from research at CheckPoint.

SpeakUp uses POST and GET requests over HTTP to talk to its command and control server, and does some interesting things with the User Agent as well as with POST requests. The initial POST packet will send a victim ID so that it can register the victim on the C2 server. Once registered, the implant will look to pull more information on the victim through the use of common discovery commands such as “uname -a” and “ifconfig -a”. The implant also has a fixed “knock” interval that it uses to communicate with the C2 server for new commands.

As for the User Agent, SpeakUp uses three specific User-Agent strings for communication with its C2 server. Two of the User Agents are Mac OS X strings, while the third is a hashed string of the word liteHTTP:

  • Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD
  • Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
  • E9BC3BD76216AFA560BFB5ACAF5731A3

One of SpeakUp’s main features is its ability to serve another payload post-infection. We have seen SpeakUp serve XMRig miners to its infected servers to mine Monero coins. It should be able to just as easily serve another type of miner or something even more destructive.

Figure 1: SpeakUp ATT&CK Navigator Layer

Adversary Emulation Plan

To emulate SpeakUp, we’ll first use SCYTHE’s default heartbeat, since SpeakUp has a fixed knock interval when communicating with the C2 server. We’ll also use one of the two Mac OS X User-Agents for this macOS campaign.

Here is an adversary emulation profile for SpeakUp. The emulation plan can be downloaded from the SCYTHE Community Threats Github and imported to your SCYTHE instance.


Tactic - Description

Summary: SpeakUp is a macOS malware variant used to establish command and control and drop cryptominers.

Credential Access
  • T1110 - Brute Force
  • T1110.001 - Password Guessing

Command and Control
  • T1071 - Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1132 - Data Encoding
  • T1132.001 - Standard Encoding
  • T1105 - Ingress Tool Transfer

Execution
  • T1059 - Command and Scripting Interpreter
  • T1059.006 - Python
  • T1203 - Exploitation for Client Execution
  • T1053 - Scheduled Task/Job
  • T1053.003 - Cron

Defense Evasion
  • T1070 - Indicator Removal on Host
  • T1070.004 - File Deletion
  • T1027 - Obfuscated Files or Information

Discovery
  • T1046 - Network Service Scanning
  • T1082 - System Information Discovery
  • T1016 - System Network Configuration Discovery
  • T1049 - System Network Connections Discovery
  • T1033 - System Owner/User Discovery


To set the User Agent, it is as simple as adding parameters for the Communication Modules:


As mentioned in the Cyber Threat Intelligence portion, SpeakUp looks to register the victim information onto the C2 server through the use of a number of discovery commands. 


Since SpeakUp is also able to serve an additional payload, we will be using the downloader module to grab a benign file, save it as a shell script, and then cat it as a proof of concept. This allows the emulation to stay non-destructive.

Defend against SpeakUp

The primary tool for defending against SpeakUp comes from a common source: the network traffic. As of this reporting, SpeakUp reliably uses specific User-Agents and a fixed heartbeat interval for its C2. For example, in SpeakUp’s HTTP traffic a network monitor would reliably see the strings “Mobile/BADDAD”, “Mobile/7B405” and “E9BC3BD76216AFA560BFB5ACAF5731A3”; together these make very clear IOCs to look for at the network layer.
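The following is an added example, not SCYTHE’s code or anything from the SpeakUp research, of how a defender might put the two network-layer observations above to work: the three User-Agent markers are the ones quoted in this post, while the log line format, the hostnames and addresses, and the sample log itself are constructed for illustration. The script flags requests carrying a SpeakUp User-Agent, and separately flags client/host pairs whose request timing is near-constant, which is what a fixed knock interval looks like in a proxy log even if the User-Agent were changed.

```python
"""Detect SpeakUp-style C2 indicators in web proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# User-Agent markers reported for SpeakUp (taken from the post above).
SPEAKUP_UA_MARKERS = (
    "Mobile/BADDAD",
    "Mobile/7B405",
    "E9BC3BD76216AFA560BFB5ACAF5731A3",
)

# Constructed log format (an assumption of this example, not any vendor's):
#   <ISO-8601 time> <client ip> <method> <url> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one host registering via POST and then polling every
# 60 s with a SpeakUp User-Agent, plus one ordinary user browsing normally.
_SPEAKUP_UA = ("Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
               "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD")
_NORMAL_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"
SAMPLE_LOG = "\n".join([
    f'2020-09-03T10:00:00 10.0.0.5 POST http://c2.example.test/register "{_SPEAKUP_UA}"',
    f'2020-09-03T10:01:00 10.0.0.5 GET http://c2.example.test/task "{_SPEAKUP_UA}"',
    f'2020-09-03T10:02:00 10.0.0.5 GET http://c2.example.test/task "{_SPEAKUP_UA}"',
    f'2020-09-03T10:03:00 10.0.0.5 GET http://c2.example.test/task "{_SPEAKUP_UA}"',
    f'2020-09-03T10:04:00 10.0.0.5 GET http://c2.example.test/task "{_SPEAKUP_UA}"',
    f'2020-09-03T10:00:07 10.0.0.7 GET https://docs.example.test/page1 "{_NORMAL_UA}"',
    f'2020-09-03T10:00:20 10.0.0.7 GET https://docs.example.test/page2 "{_NORMAL_UA}"',
    f'2020-09-03T10:01:42 10.0.0.7 GET https://docs.example.test/page3 "{_NORMAL_UA}"',
    f'2020-09-03T10:01:49 10.0.0.7 GET https://docs.example.test/page4 "{_NORMAL_UA}"',
])


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["host"] = urlsplit(r["url"]).hostname
        records.append(r)
    return records


def user_agent_hits(records):
    """Return (src, host, method, marker) for each request with a SpeakUp User-Agent."""
    hits = []
    for r in records:
        marker = next((m for m in SPEAKUP_UA_MARKERS if m in r["ua"]), None)
        if marker:
            hits.append((r["src"], r["host"], r["method"], marker))
    return hits


def beacon_candidates(records, min_requests=4, max_jitter=0.1):
    """Return (src, host, mean_interval_s) for pairs whose request spacing is near-constant.

    A fixed knock interval gives gaps with almost no spread, so the coefficient
    of variation (stdev / mean) of the gaps stays below max_jitter.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["host"])].append(r["ts"])
    out = []
    for (src, host), ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((src, host, avg))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in user_agent_hits(recs):
        print("UA indicator:", hit)
    for cand in beacon_candidates(recs):
        print("Beacon candidate:", cand)
```

The User-Agent match is the cheap, high-confidence check; the interval check is there because a User-Agent is trivial for an operator to change, while a timing pattern survives that change. Tune `min_requests` and `max_jitter` to your own traffic before alerting on the interval check alone, since software updaters and health checks also poll on fixed schedules.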

As for the behaviors and propagation, defense can be found in monitoring and logging accounts for strange or unexpected behavior. The ability to detect when users (and especially root) are running commands without your intent is critical to catching threats such as SpeakUp early. Finally, regular auditing of cron is critical, as this is SpeakUp’s primary mechanism for persistence.

Conclusion

In this #ThreatThursday, we looked at our first macOS community threat. We started by consuming Cyber Threat Intelligence about SpeakUp and learning about the macOS malware variant. We created an adversary emulation plan using the same User-Agent and C2 profile as SpeakUp, shared it in our Community Threats Github, and showed how to emulate it yourself. Lastly, we covered how to defend against macOS threats. We hope you enjoyed it!

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io