hoakley March 5, 2023 Macs, Technology

Last Week on My Mac: KeySteal, Honkbox and BadGacha

Over the last ten days we’ve had two significant updates to macOS malware protection. As Apple has at last decided to revert to using plain rather than obfuscated names for the new malware these protect against, I thought it might be worthwhile to review how those updates affect us.

The first of the two updates brought XProtect to version 2166 on 22 February. This added four new detections, covering KeySteal A and three variants of Honkbox. These should now be detected and blocked immediately if you were to try running any of those on your Mac.

The second update brought XProtect Remediator to version 91 on 2 March. This added two new scanner modules for KeySteal and something named BadGacha, whose identity and nature remains unknown outside Apple, for the moment at least. These should enable periodic scans to detect and remove KeySteal and whatever BadGacha might be.

KeySteal

Although this first appeared at least a couple of years ago, it seems to have reappeared last autumn/fall, and has been described in full detail by Luis Magisa and Qi Sun of Trend Micro. It has been found as a malicious version of the ResignTool app, used to change code signatures. As its name implies, it mines for keychains and exfiltrates their contents, so could make off with very sensitive information. It may well be correctly signed, and in one case was presented in an Installer package that had the correct type of Developer Distribution signature for that.

Like all successful malware, it achieves persistence, in this case using two distinctive property lists at /Library/LaunchDaemons/com.apple.googlechrome.plist and ~/Library/LaunchAgents/com.apple.googleserver.plist. Ventura should report those in notifications should it attempt to install them.

Clearly Apple considers this is now a significant threat to macOS users, and its detection by both XProtect and XProtect Remediator is notable.

Although the signature used by KeySteal’s installer has been revoked, and that stops it from being run, it’s likely that its developers are already using a different signature.

XProtect Remediator 91 now detects and remediates KeySteal effectively if it does manage to get past Gatekeeper.

Honkbox

This too goes back to 2019, when it was first reported, but seems to have reappeared more recently. It has been described in research by Matt Benyo, Ferdous Saljooki and Jaron Bradley of Jamf Threat Labs, and more recently in an update by Phil Stokes of SentinelOne.

Honkbox has been delivered in pirated software, including copies of Final Cut Pro, through PirateBay; whoever is responsible for providing these may also use other similar commercial products to install Honkbox. This is classed as a cryptominer or cryptojacker, and displays evasive behaviour when Activity Monitor is open.

Because the malicious software is embedded within an app that’s already signed, that signature fails when macOS checks it properly. Prior to Ventura, unless the quarantine flag is set on the app, a full signature check by Gatekeeper may well not take place, allowing the malware to install itself. Ventura changes that, as full Gatekeeper signature checks are now run even when there’s no quarantine flag set, so macOS 13 should block this successfully. Added support for detection by XProtect should ensure that it’s reliably blocked on earlier macOS as well.

Honkbox is compelling evidence for the avoidance of hacked apps from sources such as PirateBay: it’s not unusual for them to contain malware, and they’re often obtained using apps and tools that avoid setting the quarantine flag, so reducing the chances of their being detected by macOS, at least prior to Ventura.

Honkbox has received limited attention, and little seems known about it. Clearly Apple’s assessment is that it’s now a significant threat.

BadGacha

All I can tell you about this is that its name is derived from gacha, referring to a family of games based on toy vending machines. I have no idea whether we’ll ever discover what this is in terms of Mac malware, but will let you know if and when a researcher does.

As ever, I’m very grateful to the Objective-See Foundation and Patrick Wardle for providing the sample of KeySteal.

10Comments

Add yours

1

Matt Benyo on March 10, 2023 at 2:45 am

Funny enough, with Honkbox, it doesn’t seem that it ever really went away, but rather found ways to go undetected for a couple of years.

As you mentioned here, a lot of these tampered/cracked applications are downloaded via torrent clients that avoid adding quarantine (which suddenly matters much less in Ventura). Last night, I was reading one of your write ups on quarantine and read the part about overrides in the exceptions plist and you mentioned that Transmission is basically forced to add quarantine xattr. This was puzzling to me, because when I was researching Honkbox, I downloaded some of the samples via Transmission and noted that the DMGs we not getting the quarantine xattr and even said as much in our write-up. However, in taking a closer look at it, I realized that the Honkbox torrents were being delivered/downloaded as directories that contained the DMG and often a readme.txt. Turns out the *directory* gets the quarantine xattr, but it isn’t being applied recursively. As far as I can tell uTorrent is skipping quarantine altogether.

LikeLiked by 1 person
- 2
  
  hoakley on March 10, 2023 at 8:59 am
  
  Thank you – that’s a valuable observation. I too thought that this problem should have been sorted out. It’s no surprise that it’s not as robust as it sounds, and so easy to bypass.
  Yet another excellent reason never to go near a torrent.
  Howard.
  
  LikeLike
3

John Gilbert on May 5, 2023 at 11:17 pm

For the past 2 days, XProCheck is reporting:
2023-05-06 04:18:32.400 BadGacha ⚠️ FailedToRemediate time 0.0003070 {“caused_by”:[],”status_message”:”FailedToRemediate”,”status_code”:24,”execution_duration”:0.00030696392059326172}

Not obvious that anything is wrong. The BadGacha references in the logs refer to files in the folder: /System/Library/AssetsV2/com_apple_MobileAsset_LinguisticData

Are you seeing this?

LikeLiked by 1 person
- 4
  
  hoakley on May 6, 2023 at 12:19 am
  
  Thank you.
  Another user has reported almost identical reports in the last few days. He has worked with Apple Support and these appear to be false positives. His seem to have gone away now. Those data files do turn over so the files causing the reports have probably been replaced now.
  If you have time, it would be worth contacting Apple Support so this can be checked back with Apple’s engineers.
  Please let me know how you get on.
  Howard
  
  LikeLike
5

macfeind on May 16, 2023 at 6:05 pm

Greetings,

I’m consistently getting this:

023-05-16 12:42:02.056 BadGacha 👉 no status_message report time 0.0000000 {“process”:{“pid”:22116,”name”:”ZoomAutoUpdater”},”status”:null,”action”:”report”}

The process ID doesn’t appear in activity monitor.

Located and removed the ZoomAutoUpdater file. No change.

I uninstalled Zoom using the Zoom apps uninstall feature. Reboot. No change.

Downloaded and ran MalwareBytes (why not at this point)… nothing reported.

I have little snitch installed and haven’t seen any unusual network traffic. Mac seems as normal as it ever gets.

Hopefully this is an Apple issue and nothing insidious that’s doing a pretty good job of evasion. Looking forward to seeing a final resolution.

thanks!

LikeLiked by 1 person
- 6
  
  hoakley on May 16, 2023 at 6:48 pm
  
  Thank you.
  That isn’t a detection or remediation report, merely of potentially suspicious activity.
  I suggest you install the latest version of Zoom, and keep a watch on those reports over the coming days.
  Recently XPR has started making more of these reports, but they’re for information, and not detections. If you’re uncertain, then I suggest you contact Apple Support and check with them.
  Howard.
  
  LikeLike
7

Don on July 24, 2023 at 11:37 am

Jumping into an older thread — I get 1 or 2 a day of these, the almost looks like a “I am running” message but nothing is found:
2023-07-23 21:07:45.315 BadGacha 👉 no status_message report time 0.0000000 {“process”:

..especially since it says non status_message, the time is 0, and no process name is filled in.

LikeLiked by 1 person
- 8
  
  hoakley on July 25, 2023 at 7:40 am
  
  I’m sorry to hear that. However, they look completely benign. If they continue, I suggest that you contact Apple Support, and try to get this elevated to a security engineer who may be able to help.
  Hopefully they’ll settle down now.
  Howard.
  
  LikeLike
  - 9
    
    Don on July 25, 2023 at 10:46 am
    
    Thanks Howard. I just ran it again plus checked the last couple of days – the reason being I updated to Ventura 13.5 that just came out; I was wondering if they fixed it since it seemed like a non-message. XProCheck shows nothing from it now! I’ll keep an eye on it, maybe it’s gone. Thanks again for the article!
    
    LikeLiked by 1 person
    - 10
      
      hoakley on July 25, 2023 at 8:36 pm
      
      Thank you.
      Howard.
      
      LikeLike

·Comments are closed.

KeySteal

Honkbox

BadGacha

Share this:

Related