Elastic Detection Rule Development: OSX/Dok Malware

OSX/Dok Malware Example

Let's take an example. Say I was working, got a notification through Cyware social threat feeds, and read the following malware research:

After reading this research about the threat, I can immediately draft a couple of (in-development) rules for this specific threat. [In the real world, I would sandbox the malware to trigger the rules for real.] What I'm showing here is just the first pass of developing a rule from malware research.

So when the bundle named Truesteer.AppStore is run, it copies itself to /User/Shared/ and executes again from that location:

chmod +x /User/Shared/AppStore.app
sleep 5
rm -fr "/Users/%USER%/Downloads/Dokument.App"
"/User/Shared/AppStore.app/Contents/MacOS/AppStore" Dokument

But to make the rule more general, you need to think about the possibility of a threat actor using this same format but changing certain details. Threat actors love to reuse old malware and modify it a little.

Rule query - chmod +x /User/Shared/AppStore.app

process where event.type in ("start", "process_started") and 
process.name : "chmod" and process.args : "/User/Shared/*.app"

So the * in /User/Shared/*.app is now a wildcard, in case a threat actor wants to reuse this setup but changes AppStore.app to something different.

Rule query - rm -fr "/Users/%USER%/Downloads/Dokument.App"

process where event.type in ("start", "process_started") and
process.name : "rm" and process.args : "-fr" and process.args : "/Users/*/Downloads/*.App"

So the * in /Users/*/Downloads/*.App is now a wildcard, in case a threat actor wants to reuse this setup but changes Dokument.App to something different.

Now I will take the queries above and build a sequence. I need to remember that one of the commands was sleep 5, so the sequence window has to last more than 5 seconds. I'll make it 30 seconds to be on the safe side.

Yara File

I will use the following Yara rule to help build the rules.

rule osx_retefe_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OSX/Dok"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe"
        malpedia_version = "20170602"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $c1 = "/usr/local/bin/brew"
        $c2 = "/usr/local/bin/tor"
        $c3 = "/usr/local/bin/socat"
        $c4 = "killall Safari"
        $c5 = "killall \"Google Chrome\""
        $c6 = "killall firefox"
        $c7 = "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain %@"

    condition:
        all of them
}

Rule Building

NOTE: I have not tested these rules in a sandbox environment. Sandboxing the malware would allow these rules to be improved with regard to actually detecting it.

Rule 1: OSX/Dok Pre-LaunchAgents

not process.args - excluding the arguments that follow this clause helps quiet down false positives.

Rule 2: OSX/Dok - LaunchAgents

event.type != "deletion" - the event type is anything other than deletion.

  • You can see the other event types explained on a page I created: Event.Type | ELK

Rule 3 - OSX/Dok - Post-LaunchAgents

In the ideal scenario, these rules would trigger one after the other, which would confirm the malware is present, but this set of rules would require extra testing.
