
The OSX.Dok dropper spotted installing the new Bella backdoor

Bad news for Mac users: researchers at Malwarebytes have discovered a new variant of the OSX.Dok dropper, and this one installs a new payload dubbed the Bella backdoor.

Once the DOK malware infects a macOS system, it gains administrative privileges and installs a new root certificate. With that root certificate trusted, the malicious code can intercept all of the victim's communications, including SSL/TLS-encrypted traffic.

Today the Malwarebytes malware researcher Adam Thomas found a variant of the OSX.Dok dropper that works differently from the first one and installs a different payload, dubbed Bella.

“Adam Thomas, a Malwarebytes researcher, found a variant of the OSX.Dok dropper that behaves altogether differently and installs a completely different payload.” states the analysis published by Malwarebytes.

The new Bella malware is delivered using the same technique as the DOK malware: a zipped app named Dokument.app that masquerades as a document.

The malicious code is signed with the same digital certificate as the OSX.Dok dropper and it was first uploaded to VirusTotal around the same time.

Apple has since revoked the certificate in order to neutralize the threat.

Like DOK, Bella copies itself to /Users/Shared/AppStore.app, then creates a window on top of all other windows claiming that a security problem has been detected in the operating system and that an update is available, and asks the victim to enter their password.

Bella displays the fake "OS X Updates Available" window covering the entire screen; after about a minute the window simply closes and the dropper deletes itself.

Bella is an open-source backdoor that was developed by a coder that goes online with the GitHub handle “Noah.”

“Noah first joined GitHub back in 2015 but was not active there until August of 2016, when he began creating Python scripts to attack various macOS data, such as stealing iCloud authorization tokens, or password and credit card information from Chrome.” continues the analysis.

“In February of this year, he published the code for Bella, a Python script with some frightening capabilities, including:

  • Exfiltration of iMessage and SMS chat transcripts
  • Location of devices via Find My iPhone and Find My Friends
  • Phishing of passwords
  • Exfiltration of the keychain
  • Capture of data from the microphone and webcam
  • Creation and exfiltration of screenshots
  • Remote shell and screen sharing”

The Bella payload can escalate to root privileges in two ways: by exploiting flaws in the OS, a method that only works on macOS 10.12.1 and earlier, or by phishing the user for an admin credential.

Bella is customized through a script named BUILDER. The sample analyzed by Malwarebytes was built to report to a C&C server with the following settings:

  • host = '185.68.93.74' #Command and Control IP (listener will run on)
  • port = 4545 #What port Bella will operate over

The address above belongs to a hosting company located in Moscow, Russia.

The malware has also been set to install the script, database, and launch agent files in the following locations:

~/Library/Containers/.bella/Bella
~/Library/Containers/.bella/bella.db
~/Library/LaunchAgents/com.apple.iTunes.plist

If the malware gains root access, these files are placed in the corresponding locations under the system-wide /Library folder rather than the user's ~/Library folder.
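The C&C settings and file locations above are concrete indicators a responder can check for. The following script is an added example, not code from Malwarebytes, the Bella author or Security Affairs: it looks for the three artifact paths under each user's ~/Library and under /Library (the location Bella uses once it has root), matches netstat- or lsof-style connection lines against the 185.68.93.74:4545 C&C endpoint, and generalizes the launch-agent indicator by flagging any com.apple.* plist in a user's ~/Library/LaunchAgents, since Apple ships its own agents under /System/Library/LaunchAgents. The infected-looking directory tree and the netstat lines are constructed for the demonstration.

```python
"""Host- and network-indicator check for the Bella payload described above.

Added example, not code from Malwarebytes, the Bella author or Security
Affairs.  The artifact paths, the C&C host 185.68.93.74 and port 4545 come
from the article; the sample tree and netstat-style lines are constructed.
"""
import re
import tempfile
from pathlib import Path

# File artifacts reported for Bella, relative to a Library folder.  Bella
# writes them under ~/Library by default and under /Library once it has root.
BELLA_ARTIFACTS = (
    "Containers/.bella/Bella",
    "Containers/.bella/bella.db",
    "LaunchAgents/com.apple.iTunes.plist",
)

# C&C endpoint from the BUILDER configuration quoted in the article.
C2_HOST = "185.68.93.74"
C2_PORT = 4545

# macOS netstat prints the peer as 185.68.93.74.4545, lsof as 185.68.93.74:4545.
C2_RE = re.compile(rf"\b{re.escape(C2_HOST)}[.:]{C2_PORT}\b")


def library_dirs(user_homes, root="/"):
    """Every Library folder worth inspecting: each user's ~/Library plus /Library."""
    for home in user_homes:
        yield Path(home) / "Library"
    yield Path(root) / "Library"


def find_bella_artifacts(user_homes, root="/"):
    """Return the paths of any Bella file artifacts present on disk."""
    hits = []
    for lib in library_dirs(user_homes, root):
        for rel in BELLA_ARTIFACTS:
            candidate = lib / rel
            if candidate.exists():
                hits.append(str(candidate))
    return hits


def find_masquerading_agents(user_homes):
    """Generalization of the com.apple.iTunes.plist indicator: Apple ships its
    own launch agents in /System/Library/LaunchAgents, so any com.apple.*
    plist inside a user's ~/Library/LaunchAgents is suspicious by itself."""
    suspicious = []
    for home in user_homes:
        agents = Path(home) / "Library" / "LaunchAgents"
        if agents.is_dir():
            suspicious.extend(str(p) for p in agents.glob("com.apple.*.plist"))
    return sorted(suspicious)


def find_c2_connections(netstat_lines):
    """Return netstat/lsof lines showing a connection to the Bella C&C."""
    return [ln for ln in netstat_lines if C2_RE.search(ln)]


def build_sample_tree():
    """Create a constructed, infected-looking layout in a temp dir and return
    (user_home, fake_root).  Only the user-level artifacts are planted, which
    mirrors an infection that did not obtain root."""
    base = Path(tempfile.mkdtemp(prefix="bella-demo-"))
    home, root = base / "Users" / "victim", base / "root"
    for rel in BELLA_ARTIFACTS:
        target = home / "Library" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed placeholder\n")
    (root / "Library" / "LaunchAgents").mkdir(parents=True)  # clean /Library
    return str(home), str(root)


# Constructed `netstat -an` style output; only the second line is the C&C.
SAMPLE_NETSTAT = [
    "tcp4  0  0  192.168.1.20.52114  17.253.144.10.443   ESTABLISHED",
    "tcp4  0  0  192.168.1.20.52120  185.68.93.74.4545   ESTABLISHED",
    "tcp4  0  0  192.168.1.20.52131  185.68.93.7.4545    ESTABLISHED",
]


if __name__ == "__main__":
    home, root = build_sample_tree()
    for path in find_bella_artifacts([home], root=root):
        print("Bella artifact:", path)
    for path in find_masquerading_agents([home]):
        print("com.apple.* agent outside /System:", path)
    for line in find_c2_connections(SAMPLE_NETSTAT):
        print("C&C connection:", line)
```

On a real host, pass the entries of /Users as `user_homes`, leave `root` at its default, and feed `find_c2_connections` the output of `netstat -an` or `lsof -i`; the regex accepts both the dotted port separator netstat uses and the colon lsof uses, and the word boundaries keep 185.68.93.7 or a longer address from matching by prefix.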

Experts expect other threat actors to adopt the Bella backdoor in the future because of its modular structure.

“Of course, since the code signing certificate on the Dokument.app dropper for this malware has been revoked, no one can be newly-infected by this particular variant of this malware at this point. However, since Bella is open-source and surprisingly powerful for a Python script, it’s quite likely it will be dropped by other malicious installers in the future.” concluded Malwarebytes.


Pierluigi Paganini

(Security Affairs – DOK malware, Bella backdoor)
