Elastic Detection Rule Development: OSX/Dok to Rule

Austin Songer
Jun 9, 2021


OSX/Dok Malware Example

Let's take an example. I was working, got a notification through the Cyware social threat feeds, and read the following malware research:

  • OSX/Dok [https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/]

After reading this research about the threat, I can automatically develop a couple of (in "development") rules for this specific threat. [In the real world, I would sandbox the malware to trigger the rules for real.] What I'm showing is just the first pass at developing a rule based on malware research.

The bundle is named Truesteer.AppStore. When it is run, it copies itself to /Users/Shared/ and executes again from that location:

chmod +x /Users/Shared/AppStore.app
sleep 5
rm -fr "/Users/%USER%/Downloads/Dokument.App"
"/Users/Shared/AppStore.app/Contents/MacOS/AppStore" Dokument

But to make the rule more general, you need to think about the possibility of threat actors reusing this format while changing certain things. Threat actors love to reuse old malware and modify it a little bit.

Rule query — chmod +x /Users/Shared/AppStore.app

process where event.type in ("start", "process_started") and process.name : "chmod" and process.args : "/Users/Shared/*.app"

So the * in /Users/Shared/*.app is now a wildcard, in case a threat actor wants to reuse this setup but change AppStore.app to something different.

Rule query — rm -fr "/Users/%USER%/Downloads/Dokument.App"

process where event.type in ("start", "process_started") and process.name : "rm" and process.args : "/Users/*/Downloads/*.App" and process.args : "-fr"

So the * in /Users/*/Downloads/*.App is now a wildcard, in case a threat actor wants to reuse this setup but change Dokument.App to something different.

Now I will take the queries above and build a sequence. I need to remember that one of the commands was sleep 5, so I know the sequence has to be allowed to last more than 5 seconds. I make this one 30 seconds to be on the safe side.
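The sequence described above, written out and exercised as an added example (not the author's rule or Elastic's own code): the EQL in the comment joins the two queries with a 30-second maxspan, and the Python emulates that logic over constructed process events. Joining on host.id, the event dictionary layout, the /Users/Shared path and the sample events are assumptions.

```python
from fnmatch import fnmatchcase

# Emulates this EQL sequence (added example; joining on host.id is an assumption):
#   sequence by host.id with maxspan=30s
#     [process where event.type in ("start", "process_started") and process.name : "chmod"
#        and process.args : "/Users/Shared/*.app"]
#     [process where event.type in ("start", "process_started") and process.name : "rm"
#        and process.args : "/Users/*/Downloads/*.App" and process.args : "-fr"]
MAXSPAN = 30  # seconds; leaves room for the sample's "sleep 5"

def like(value, pattern):  # approximates EQL ':' (case-insensitive, '*' wildcard)
    return fnmatchcase(value.lower(), pattern.lower())

def has_arg(event, pattern):
    return any(like(arg, pattern) for arg in event["args"])

def started(event, name):
    return event["type"] in ("start", "process_started") and like(event["name"], name)

def stage1(event):  # chmod on an .app bundle under /Users/Shared
    return started(event, "chmod") and has_arg(event, "/Users/Shared/*.app")
def stage2(event):  # rm -fr on an .App bundle in any user's Downloads folder
    return started(event, "rm") and has_arg(event, "/Users/*/Downloads/*.App") and has_arg(event, "-fr")

def find_sequences(events):
    """Return (host, chmod_ts, rm_ts) for each stage1 -> stage2 pair within MAXSPAN on one host."""
    pending, hits = {}, []
    for event in sorted(events, key=lambda e: e["ts"]):
        host, ts = event["host"], event["ts"]
        if stage1(event):
            pending[host] = ts
        elif stage2(event) and host in pending:
            first = pending.pop(host)
            if ts - first <= MAXSPAN:
                hits.append((host, first, ts))
    return hits

def proc(ts, host, name, *args):  # build one constructed process-start event
    return {"ts": ts, "host": host, "type": "start", "name": name, "args": [name, *args]}

SAMPLE = [  # constructed events, not real telemetry
    proc(0, "mac-1", "chmod", "+x", "/Users/Shared/AppStore.app"),
    proc(5, "mac-1", "rm", "-fr", "/Users/alice/Downloads/Dokument.App"),
    proc(100, "mac-2", "chmod", "+x", "/Users/Shared/Updater.app"),        # renamed bundle
    proc(106, "mac-2", "rm", "-fr", "/Users/bob/Downloads/Invoice.app"),
    proc(200, "mac-3", "chmod", "+x", "/Users/Shared/AppStore.app"),
    proc(245, "mac-3", "rm", "-fr", "/Users/eve/Downloads/Dokument.App"),  # 45 s later: outside maxspan
    proc(300, "mac-4", "rm", "-fr", "/Users/dan/Downloads/Old.app"),       # rm with no chmod before it
]
print(find_sequences(SAMPLE))
```

The renamed bundle on mac-2 still matches because of the wildcards, while mac-3 is dropped for exceeding the 30-second span and mac-4 because the rm is not preceded by the chmod.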

Yara File

I will use the following Yara to help build the rules.

rule osx_retefe_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OSX/Dok"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe"
        malpedia_version = "20170602"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $c1 = "/usr/local/bin/brew"
        $c2 = "/usr/local/bin/tor"
        $c3 = "/usr/local/bin/socat"
        $c4 = "killall Safari"
        $c5 = "killall \"Google Chrome\""
        $c6 = "killall firefox"
        $c7 = "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain %@"

    condition:
        all of them
}

Rule Building

NOTE: I have not tested these rules out in a sandbox environment. Sandboxing them would allow me to improve how well these rules detect the malware.

Rule 1: OSX/Dok Pre-LaunchAgents

not process.args — Anything following this command will help quiet down false positives.

Rule 2: OSX/Dok — LaunchAgents

event.type != "deletion" — The event type is anything other than deletion.

  • You can see the other event types on a website I created that explains them: Event.Type | ELK [https://elk.wiki/en/ecs/event-type]

Rule 3: OSX/Dok — Post-LaunchAgents

Conclusion: In the ideal scenario, these rules would trigger one after the other, which would verify that the malware is present, but this set of rules would require extra testing.
