    UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

By admin, March 26, 2026


    DEEPBREATH

    A new piece of macOS malware identified during the intrusion was DEEPBREATH, a sophisticated data miner designed to bypass a key component of macOS privacy: the Transparency, Consent, and Control (TCC) database. 

DEEPBREATH is written in Swift, and its primary purpose is to gain access to files and sensitive personal information.

    TCC Bypass

    Instead of prompting the user for elevated permissions, DEEPBREATH directly manipulates the user’s TCC database (TCC.db). It executes a series of steps to circumvent protections that prevent direct modification of the live database:

1. Staging: It uses the Finder application to rename the user’s TCC folder and copy the TCC.db file to a temporary staging location, where the database can be modified unchallenged.

    2. Permission Injection: Once staged, the malware programmatically inserts permissions, effectively granting itself broad access to critical user folders like Desktop, Documents, and Downloads.

    3. Restoration: Finally, it restores the modified database back to its original location, giving DEEPBREATH the broad file system access it needs to operate.

This technique works because the Finder application holds Full Disk Access (FDA), the permission required to modify the user-specific TCC database on macOS.
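A defensive counterpart to the staging-and-restore sequence above is to audit the user TCC database for folder grants that no baseline accounts for. The following is an added example, not code from the original article or from Mandiant; it runs an allowlist check over a constructed in-memory stand-in for TCC.db, where the trimmed `access` schema and the flagging heuristics are assumptions for this example while the three service names are the real TCC identifiers.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Real TCC service names for the three folders the article says DEEPBREATH
# grants itself access to.
FOLDER_SERVICES = {
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads",
}
ALLOWED = 2  # auth_value for an "allowed" decision in TCC.db

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db using a trimmed 'access' schema
    (the real table has more columns). Two grants are expected, two are not."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER,
        auth_value INTEGER, csreq BLOB, last_modified INTEGER)""")
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyDesktopFolder", "com.apple.Terminal", 0, ALLOWED, b"\xfa\xde", 1700000000),
        ("kTCCServiceMicrophone", "com.example.meet", 0, ALLOWED, b"\xfa\xde", 1700000000),
        ("kTCCServiceSystemPolicyDocumentsFolder", "/tmp/.x/updater", 1, ALLOWED, None, 1774540000),
        ("kTCCServiceSystemPolicyDownloadsFolder", "/tmp/.x/updater", 1, ALLOWED, None, 1774540000),
    ])
    return con

def audit_folder_grants(con: sqlite3.Connection,
                        baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (client, folder, reasons) for every allowed Desktop/Documents/Downloads
    grant that the baseline (client -> expected folders) does not account for."""
    findings = []
    query = ("SELECT service, client, client_type, csreq FROM access "
             "WHERE auth_value = ? ORDER BY rowid")
    for service, client, client_type, csreq in con.execute(query, (ALLOWED,)):
        folder = FOLDER_SERVICES.get(service)
        if folder is None or folder in baseline.get(client, set()):
            continue
        reasons = ["not in baseline"]
        if client_type == 1:   # grantee identified by path, not by bundle identifier
            reasons.append("path-based client")
        if csreq is None:      # no code-signing requirement stored for the grantee
            reasons.append("no csreq")
        findings.append((client, folder, ", ".join(reasons)))
    return findings
```

Reading the live database at ~/Library/Application Support/com.apple.TCC/TCC.db itself requires Full Disk Access, so in practice the query runs from an FDA-enabled management or EDR tool.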

    To ensure its operation remains uninterrupted, the malware uses an AppleScript to re-launch itself in the background using the -autodata argument, detaching from the initial process to continue data collection silently throughout the user’s session.

    With elevated access, DEEPBREATH systematically targets high-value data:

    • Credentials: Steals login credentials from the user keychain (login.keychain-db)

    • Browser Data: Copies cookies, login data, and local extension settings from major browsers including Google Chrome, Brave, and Microsoft Edge across all user profiles

    • Messaging and Notes: Exfiltrates user data from two different versions of Telegram and also targets and copies database files from Apple Notes

DEEPBREATH is a prime example of malware that bypasses core operating system security features to conduct widespread data theft.

    SUGARLOADER

    SUGARLOADER is a downloader written in C++ historically associated with UNC1069 intrusions.

    Based on the observations from this intrusion, SUGARLOADER was solely used to deploy CHROMEPUSH. If SUGARLOADER is run without any command arguments, the binary checks for an existing configuration file located on the victim’s computer at /Library/OSRecovery/com.apple.os.config. 

    The configuration is encrypted using RC4, with a hard-coded 32-byte key found in the binary. 

    Once decrypted, the configuration data contains up to two URLs that point to the next stage. The URLs are queried to download the next stage of the infection; if the first URL responds with a suitable executable payload, then the second URL is not queried. 

    The decrypted SUGARLOADER configuration for the sample analysed by Mandiant included the following C&C servers:

    • breakdream[.]com:443
    • dreamdie[.]com:443
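An analyst triaging a SUGARLOADER sample would normally wrap the RC4 routine and the recovered key in a small config extractor that yields the next-stage URLs in the order the loader tries them. The following is an added example, not code from the original article; the 32-byte key, the newline-separated NUL-padded layout and the hosts are all constructed placeholders, since the page describes the decrypted data only as containing up to two URLs.

```python
from typing import List
from urllib.parse import urlparse

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream XOR); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_urls(blob: bytes, key: bytes, max_urls: int = 2) -> List[str]:
    """Decrypt a config blob and return at most max_urls well-formed http(s) URLs,
    in the order the loader would try them. The newline-separated, NUL-padded
    layout is an assumption made for this example, not the real SUGARLOADER format."""
    if len(key) != 32:
        raise ValueError("SUGARLOADER configs use a 32-byte RC4 key")
    urls: List[str] = []
    for line in rc4(key, blob).rstrip(b"\x00").split(b"\n"):
        try:
            text = line.strip().decode("ascii")
        except UnicodeDecodeError:
            continue  # a wrong key or corrupted blob yields non-ASCII bytes
        parts = urlparse(text)
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(text)
        if len(urls) == max_urls:
            break
    return urls

# Constructed sample: placeholder key and hosts, encrypted with the same routine.
SAMPLE_KEY = bytes(range(32))
SAMPLE_CONFIG = rc4(SAMPLE_KEY,
                    b"https://stage1.example:443/\nnot a url\nhttps://stage2.example:443/\n"
                    b"https://stage3.example:443/\n" + b"\x00" * 5)
```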

    CHROMEPUSH

During this intrusion, a second data miner was recovered and named CHROMEPUSH. This data miner is written in C++ and installs itself as a browser extension targeting Chromium-based browsers, such as Google Chrome and Brave, to collect keystrokes, username and password inputs, and browser cookies, which it uploads to a web server.

    CHROMEPUSH establishes persistence by installing itself as a native messaging host for Chromium-based browsers. For Google Chrome, CHROMEPUSH copies itself to %HOME%/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs and creates a corresponding manifest file, com.google.docs.offline.json, in the same directory.
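Because CHROMEPUSH registers as a native messaging host, the manifests in each browser's NativeMessagingHosts directory are a natural place to hunt for it. The following is an added example, not code from the original article; it scans a constructed home directory for manifests whose host binary sits beside the manifest, as the article describes, or that borrow a Google namespace, and the Brave and Edge paths, the sample app-bundle location and both heuristics are assumptions for this example.

```python
import json
import os
import tempfile
from typing import List, Tuple

# Per-browser NativeMessagingHosts directories relative to the user's home on macOS.
HOST_DIRS = [
    "Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Library/Application Support/Microsoft Edge/NativeMessagingHosts",
]

def audit_native_hosts(home: str) -> List[Tuple[str, str]]:
    """Return (manifest_path, reason) for manifests worth a look. Heuristics: the host
    binary living beside its manifest (the CHROMEPUSH layout) and a Google-namespaced
    name whose binary is not inside an application bundle under /Applications."""
    findings = []
    for rel in HOST_DIRS:
        d = os.path.join(home, rel)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".json"):
                continue
            mpath = os.path.join(d, fn)
            with open(mpath) as f:
                manifest = json.load(f)
            host = os.path.realpath(os.path.join(d, str(manifest.get("path", ""))))
            if os.path.dirname(host) == os.path.realpath(d):
                findings.append((mpath, "host binary lives beside its manifest"))
            if str(manifest.get("name", "")).startswith("com.google.") and "/Applications/" not in host:
                findings.append((mpath, "Google-namespaced host outside /Applications"))
    return findings

def build_sample_home() -> str:
    """Constructed home: a benign host under an app bundle and one laid out as the
    article describes (manifest com.google.docs.offline.json beside 'Google Chrome Docs')."""
    home = tempfile.mkdtemp()
    chrome = os.path.join(home, HOST_DIRS[0])
    os.makedirs(chrome)
    benign_bin = os.path.join(home, "Applications", "PwManager.app", "Contents", "MacOS", "host")
    os.makedirs(os.path.dirname(benign_bin))
    for p in (benign_bin, os.path.join(chrome, "Google Chrome Docs")):
        open(p, "wb").close()
    for fn, name, path in (("com.example.pwmanager.json", "com.example.pwmanager", benign_bin),
                           ("com.google.docs.offline.json", "com.google.docs.offline",
                            os.path.join(chrome, "Google Chrome Docs"))):
        with open(os.path.join(chrome, fn), "w") as f:
            json.dump({"name": name, "path": path, "type": "stdio",
                       "allowed_origins": ["chrome-extension://constructedid/"]}, f)
    return home
```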
