# What is the SafeFinder/OperatorMac campaign?

A new adware variant was discovered just yesterday. It's going viral on Twitter and other media, since the authors use a valid Apple developer certificate to sign all packed samples. I'm quite overbusy these days, but it caught my interest when I saw the name stated in that certificate: "Quoc Thinh", a quite distinctive Vietnamese name. So why not take a break from my desperate thesis, toss the adware into my lame automated macOS analysis framework and see what our 'countryman' is doing?

The sample was first noticed by Gavriel State on Aug 7, then Thomas A. Reed, the Mac malware boss hunter from Malwarebytes, confirmed on the next day that it relates to OperatorMac. I think you all know the famous author of free Mac security tools, Patrick Wardle, who wrote an amazing report on objective-see.com on Aug 9. So I'm not going too deep into reverse engineering and static analysis; I'll just throw the sample into my Grey-cuckoo framework and grab the results. In case somebody doesn't know, it's my thesis project and is soon to be released right after my judgment day, the defense (hopefully).

From Patrick's report we understand it's an adware that installs lots of crabs. By default, the Cuckoo sandbox timeout is 120 seconds. Let's extend it a bit: 300 seconds (5 min) should be enough.

The first result we got: the Apple developer ID "Quoc Thinh", whose certificate, by the way, was revoked by Apple today 😄.

```
spctl -avv "Mughthesec-Player(dmg).dmg"
Mughthesec-Player(dmg).dmg: CSSMERR_TP_CERT_REVOKED
```

From the captured screenshots we can see what this adware actually does: it installs Adobe Flash and offers you a bunch of PUAs (potentially unwanted applications): Booking, Advanced Mac Cleaner, the SafeFinder Safari extension, and AdBlock (in some related samples, discussed later).

Behavioral analysis shows the packed DMG sample invoked a 'mac' binary, then 'Mughthesec' together with a persistent 'I' binary. The screenshots below also include other analyzed variants of this campaign.

Moving on to the network DNS feature, we see a lot of queries, and some domains look "suspicious". Their DNS records mostly point to Akamai, so I suggest using domains rather than IP addresses as IOCs, since the IPs may differ depending on the viewer's location. Filtering the system call logs with some rules of mine, no evasion technique was found. That is quite surprising, because VirusTotal's behavioral analysis shows a shorter execution trace than mine, which usually means the environment was detected at some point and the malware stopped running. In Patrick's report he said there might be a MAC address check to detect VMs (VM MAC addresses usually start with '00:xx'). Fortunately, my VM framework's MAC address was modified long ago, after my colleague Yorick Koster at Securify used the same trick to abuse my lame framework (thanks Yorick). I should add a new rule, "MAC address check", later.

Additionally, instead of execve(), the macOS sandbox policy usually launches processes through XPCProxy or launchd services. So we got several processes created with posix_spawn(): deleting the Safari, iBooks and Mail caches (likely Advanced Mac Cleaner doing its job), installing the PUAs mentioned above, and we got some new IOCs.

Other great features of the Cuckoo sandbox are network analysis and dropped files. However, the previous report detailed these well enough, so only some screenshots from these features are shown:

Some dropped binaries, like AMCleaner (93dd0c34a4ec25a508cd6d5fb86d8ccc0c318238d9fee0c93342a20759bf9b7e), are already flagged as malicious on VirusTotal (VT) with 7/56 detections, which could be an indication for vigilant users.

Also some fancy nonsense statistics screenshots, intended to scare the analyst (:p)

At this point we have all the indicators needed to build a behavioral detection rule and go hunting for other similar adware samples. The reason I call this blog post "a campaign": numerous similar packed DMG/Mac apps matched 'my behavioral rule': a fake Adobe Flash installer, lots of PUAs fetched from subdomains named [cdn, dl, api], and a Vietnamese developer certificate ID.
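As an added illustration (not the author's Grey-cuckoo code), here is a minimal version of such a behavioral rule in Python, run over a constructed, simplified Cuckoo-style report; it also covers the posix_spawn() process-creation note above. The report shape, field names, known-signer list (taken from the IOC section) and the match threshold are assumptions.

```python
# Added example: a minimal behavioral rule for the campaign described in the post.
# The report format below is a constructed, simplified Cuckoo-like shape, not real output.
import re

SAMPLE_REPORT = {
    "signer": "Quoc Thinh",
    "processes": [
        {"name": "mac", "api": "posix_spawn", "parent": "Installer"},
        {"name": "Mughthesec", "api": "posix_spawn", "parent": "mac"},
    ],
    "dns": ["cdn.dynacubeapps.com", "api.vertizoom.com", "ocsp.apple.com"],
    "dropped": [
        "/Users/a/Library/LaunchAgents/com.Mughthesec.plist",
        "/Users/a/Library/Application Support/com.Mughthesec/I",
    ],
}

# Developer certificate names listed in the post's IOC section (assumed complete).
KNOWN_SIGNERS = {"phan anh", "quoc thinh", "pham huong", "nhien nguyen",
                 "minh duc", "tran phong", "mai linh", "thanh thuy"}
PUA_SUBDOMAIN = re.compile(r"^(cdn|dl|api)\.", re.I)      # PUA download hosts
LAUNCH_AGENT = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")
LOADER_NAMES = {"mac"}  # the simple loader every campaign package calls


def match_operatormac(report):
    """Return the list of campaign indicators found in one sandbox report."""
    hits = []
    if report.get("signer", "").lower() in KNOWN_SIGNERS:
        hits.append("known campaign signer: " + report["signer"])
    if any(p["name"] in LOADER_NAMES and p["api"] == "posix_spawn"
           for p in report.get("processes", [])):
        hits.append("loader 'mac' created via posix_spawn")
    pua_hosts = [d for d in report.get("dns", []) if PUA_SUBDOMAIN.match(d)]
    if pua_hosts:
        hits.append("PUA download subdomain: " + ", ".join(sorted(pua_hosts)))
    agents = [f for f in report.get("dropped", []) if LAUNCH_AGENT.search(f)]
    if agents:
        hits.append("LaunchAgent persistence: " + ", ".join(agents))
    return hits


def verdict(report, threshold=3):
    """Label a report 'campaign match' when enough independent indicators co-occur."""
    hits = match_operatormac(report)
    return ("campaign match" if len(hits) >= threshold else "no match"), hits
```

The threshold keeps a single weak signal (one cdn. lookup, one LaunchAgent) from firing on its own; each indicator is a separate line so an analyst can see which ones matched.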

Please note that the VT score is only an indicator; people often misjudge hardworking AVs by looking at the VT score alone. We can never know whether an AV would detect these adware samples while they are actually running. Also, instead of Mughthesec, other adware variants use different loader names such as SearchWebSvc, TrustedSafeFinder, etc. I don't think OSX/Mughthesec is an appropriate name for this adware. I suggest OperatorMac instead, because all campaign packages call a simple loader, the "mac" binary.

## Conclusion

Be vigilant: no one needs Flash nowadays, it's dead. Apple Macs are not virus-free even with all those fancy Apple protections (XProtect, Gatekeeper, the Mac sandbox, code signing, etc.), as many security researchers have already warned.

It's likely an affiliate advertising campaign, in which the adware authors spent quite some money (~\$800) on these 8 Apple developer certificates, and only 2 of them have been revoked. Some of the dropped Mach-O executables are not signed, and we don't know whether those could be really dangerous (the unsigned Mach-O executable from the APT32 / OceanLotus campaign that targeted Vietnamese organizations lately is a really sophisticated one). Based on the timeline and periods of certificate registration, and the money they have spent, I doubt these adware creators are making lots of money. Last, let me remind you of some incidents that happened recently and could be related to this campaign:

Phamus

P/S: I confronted one famous hacker in the cyber pirate community, "Quoc Thinh" aka G4mm4, and he seriously admitted he's behind the "crime". Not sure whether that's true or he was just kidding :)

## IOCs

DNS history of appfastplay.com:

| Date | Event | Old IP | New IP |
|---|---|---|---|
| 2017-04-08 | Created (New) | -none- | 198.54.117.212 |
| 2017-04-23 | Change | 198.54.117.212 | 198.54.117.215 |
| 2017-07-07 | Change | 198.54.117.215 | 198.54.117.210 |

Namecheap domain hosting @ USA.

Domains:

- mughthesec.com (198.54.117.210)
- SimplyEApps.com (198.54.117.210)
- (api./dl./cdn.)dynacubeapps.com (198.54.117.210)
- (api./dl./cdn.)cloudmacfront.com
- (api./dl./cdn.)osxessentials.com
- (api./dl./cdn.)api.vertizoom.com
- (api./dl./cdn.)macgabspan.com
- install.searchwebsvc.com
- install.trustedsafefinder.com
- searc.trustedsafefinder.com/h?_pg=XXXX-1234-67890
- searc.trustedsafefinder.com/[email protected]@@&_pg=XXXX-1234-67890

Persistence and file system artifacts:

- ~/Library/LaunchAgents/com.Mughthesec.plist
- ~/Library/Application Support/com.Mughthesec
- ~/Library/LaunchAgents/SearchWebSvc.plist
- ~/Library/Application Support/SearchWebSvc
- ~/Library/LaunchAgents/TrustedSafeFinder
- ~/Library/Application Support/com.TrustedSafeFinder.plist

Sample hashes (SHA-256), grouped by developer certificate name: phan anh, quoc thinh, pham huong, nhien nguyen, minh duc, tran phong, mai linh, thanh thuy.