Lazarus For Mac

February 28, 2021
Installing Lazarus on a Mac is unfortunately not as easy as, for example, on Windows, where the Lazarus installer contains all necessary prerequisites. That is not the case on Mac OS X, where several other tools are needed: Xcode, Apple's development environment, which contains some command-line tools, and gdb, the GNU debugger.
An application created using Lazarus on one platform can generally compile and execute on any platform for which a Free Pascal compiler exists. For desktop applications a single source can target Mac, Linux, and Windows, with little or no modification.

Mac Backdoor Linked to Lazarus Targets Korean Users. By: Gabrielle Joyce Mabutas, November 20, 2019.

My route was to install Xcode 4.3 on an old Mac Mini running Snow Leopard, then install Lazarus using the Fink version as described here. This took a while but was done in an evening. Then I just copied my folder across to the Mac, opened the .lpi on the Mac, and compiled it. It failed, so I removed some Windows references, recompiled, and it was working.
Cross compiling for macOS on Linux

Requirements
What you’ll need:
*an Intel Mac running Leopard, Snow Leopard, or Lion
*Xcode installed on your Mac or the original or retail operating system DVD (for the SDK)
*a working Linux setup (tested with Debian Squeeze)
*up-to-date source for FPC (tested with 2.4.x) and Lazarus (tested with 0.9.30)
*the Open Darwin cctools (odcctools)
Warning: These instructions are for i386 Linux; trying this on x64 Linux has failed. Update 2013-12-13: cross compiling from Linux for macOS no longer works at all for 10.8 and above. The compiler works fine but viable linker tools (cctools for Linux) are not available for Linux anymore. Please adjust these instructions if you find a solution. The cctools are available in Arch Linux.

STEP 1: copy the SDK from your Mac
You need to install Xcode from your operating system DVD if you’ve not already done so and copy the SDK to an appropriate location on your Linux box.
I'd recommend the Leopard 10.5 SDK (compatible with Leopard) but it depends on how far back you want to be compatible. The 10.5 SDK is located in /Developer/SDKs on the Mac. I put mine at /opt/Mac/ on my Debian box. Example using ssh from your Linux box to copy over the files:

STEP 2: grab odcctools from SVN
Odcctools apparently provide binutils for OS X/Darwin.

On 64-bit Linux environments, fpc mailing list users have problems with this step. Perhaps this StackOverflow question and answer can help: in the configure step, you'd apparently need to set

CC='gcc -m32' CXX='g++ -m32' ./configure [options]
and build it as
This installs the tools in /opt/odcctools. I've specified gcc 4.4 but it should be okay with other versions.

STEP 3: rebuild FPC
(my sources are in ~/hg/pascal)
Note that the options (OPT) as shown are vital, especially -gw.

STEP 4: configure fpc.cfg

Add a darwin (cross-compile) clause to /etc/fpc.cfg:

STEP 5: build the Carbon LCL
Be sure to specify the Darwin OS target, i386 CPU target and, most importantly, add the -gw option. Perform a Clean+Build of the LCL and the Package Registration.
You should now be able to use Lazarus in Linux to build for macOS.

Gotchas

There are two more gotchas when cross-compiling to macOS:
*Be sure to specify -gw in your projects to avoid the problems reported in (the unfixable) FPC bug #12001.
*Be sure to specify the -XR option pointing to your SDK root (e.g. -XR/opt/Mac/Leopard10.5.sdk), or the Darwin linker will try to link to the wrong startup object (/usr/lib/crt1.o).

Source
FPC mailing list, 6 August 2011, post by Bruce titled 'Re: Cross Compiling from Linux to Leopard 10.5 or Snow Leopard 10.6 target. How? [SOLVED]'. Adapted by BigChimp.

Older instructions
This section was taken from the general Cross compiling page and may still be of interest:
*First you need the binutils for the platform you want to compile to. Download odcctools from this site (use the cvs version) and follow their instructions for installing. http://www.opendarwin.org/projects/odcctools/
*You need to create a fake root dir such as $HOME/darwinroot and copy at least the /System, /Frameworks and /usr directories (you may have to copy more than this) from your Apple or Darwin computer to $HOME/darwinroot.
*Now that you have these files, make a folder in $HOME/darwinroot called cross. Wherever you installed the odcctools, you need to make links for the cross tools to be more fpc-friendly. There are a bunch of files from odcctools called powerpc-apple-darwin-*; you need to make links (or rename them) so that powerpc-apple-darwin-ld becomes powerpc-darwin-ld, and do the same for *-ar and *-as.
*Now you are ready to cross-compile fpc. Basically you need to have the fpc source and have a terminal open there.
type:
type (iirc):
if that succeeded you can install it wherever you want with:
now copy the file ./compiler/ppccross somewhere you will be able to find it as it’s the compiler you’ll need to build powerpc programs
*configure your /etc/fpc.cfg file.
add a section like this:
Whenever you want to cross-compile you have to have ppccross and the symlinks to powerpc-darwin-* in the PATH, and you should be able to just run ppccross someprogie.pas and it will create a Darwin executable.

I may have missed some things (or most everything) as it's been a while since I did this.

Retrieved from 'https://wiki.freepascal.org/index.php?title=Cross_compiling_OSX_on_Linux&oldid=129917'
Malware
We analyzed a new variant of a Mac backdoor attributed to the cybercriminal group Lazarus, observed to be targeting Korean users with a macro-embedded Microsoft Excel spreadsheet and a malicious Adobe Flash component for persistence.
Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.
Similarities to an earlier Lazarus iteration
We analyzed a malicious sample first discovered by Twitter user cyberwar_15, and found that it used an Excel document with an embedded macro, which is similar to a previous attack by the Lazarus group.
Figure 1. The spreadsheet displays a fairly known psychological test (similar to one found here); clicking on the smiley image on the top left shows a different response depending on the user’s answer.
However, unlike the previous attack that contains a different routine based on the OS the spreadsheet is running on, the macro in this file will just run a PowerShell script that connects to three C&C servers set up by the group:
Figure 2. The macro file connects to hxxps[:]//crabbedly[.]club/board[.]php, hxxps[:]//craypot[.]live/board[.]php, and hxxps[:]//indagator[.]club/board[.]php.
Figure 3. Comparison of SentinelOne’s code snippet of the malicious macro used in the abovementioned previous attack (left) and the code snippet of the recently discovered one (right). The latter shows that it no longer performs any specific action if it runs on a Mac platform. The “#If Mac Then” MacOS-specific attack does not start with malicious macros this time.
Mac app bundle contains malicious and legitimate Flash Players
Apart from the analyzed sample, @cyberwar_15, as well as Qianxin Technology, were also able to source an in-the-wild Mac app bundle suspected to be involved in the attack since it shares similar C&C servers with the malicious spreadsheets.
Figure 4. Mac app bundle inside a sample found in the wild
However, the visible app is only a decoy, since the actual Adobe Flash Player is carried as a hidden Mach-O file. The bundle contains two Flash Player files: a legitimate version and a malicious version (Trojan.MacOS.NUKESPED.B). The app will run the smaller-sized Flash Player as its main executable, which is the malicious version that only poses as a "Flash Player" by name. It also runs the legitimate Flash Player to hide its actual malicious routine.
Figure 5. The bundle contains two Flash Player files — one legitimate version and one malicious version.
Figure 6. A closer look at the bundle revealed that this Flash Player app was developed by someone named Oleg Krasilnikov, who has no relation to Adobe Inc.
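The bundle layout above can be checked mechanically: what launches is whatever Contents/Info.plist names in CFBundleExecutable, not the file whose name looks right. The following Python triage function is an added example written for this page, not code from Trend Micro or from the sample; it reads that key, sizes every file in Contents/MacOS, and flags the pattern described here (several executables, the launched one being the smallest). The bundle it builds is constructed test data: the second file name "FlashPlayer", the byte contents, and placing the developer name in NSHumanReadableCopyright are all assumptions.

```python
import os
import plistlib
import tempfile

MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"  # little-endian 64-bit Mach-O header magic


def inspect_bundle(bundle_path):
    """Describe which binary an .app bundle actually launches.

    Finder and `open` start the file named by CFBundleExecutable in
    Contents/Info.plist, so that key, not the visible app name, decides what
    runs. Every regular file in Contents/MacOS is sized, and the layout the
    post describes (several executables, the launched one being the smallest)
    is flagged.
    """
    contents = os.path.join(bundle_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    launched = info.get("CFBundleExecutable")
    macos_dir = os.path.join(contents, "MacOS")
    binaries = {}
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                is_macho = fh.read(4) == MACHO_MAGIC_64
            binaries[name] = {"size": os.path.getsize(path), "macho": is_macho}
    launched_is_smallest = (
        launched in binaries
        and len(binaries) > 1
        and binaries[launched]["size"] == min(b["size"] for b in binaries.values())
    )
    return {
        "launched": launched,
        "binaries": binaries,
        "copyright": info.get("NSHumanReadableCopyright"),
        "launched_is_smallest": launched_is_smallest,
    }


def build_sample_bundle(root):
    """Write a constructed bundle with the described layout (test data only).

    File names, sizes and the copyright string are assumptions that mimic the
    post's description; the bytes are not from the real sample.
    """
    bundle = os.path.join(root, "Album.app")
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos_dir)
    info = {
        "CFBundleExecutable": "Flash Player",            # the small impostor is what launches
        "CFBundleName": "Flash Player",
        "NSHumanReadableCopyright": "Oleg Krasilnikov",  # assumed location of the name from Figure 6
    }
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    with open(os.path.join(macos_dir, "Flash Player"), "wb") as fh:
        fh.write(MACHO_MAGIC_64 + b"\x00" * 4096)       # stand-in for the malicious loader
    with open(os.path.join(macos_dir, "FlashPlayer"), "wb") as fh:
        fh.write(MACHO_MAGIC_64 + b"\x00" * 65536)      # stand-in for the legitimate player (assumed name)
    return bundle


def demo():
    """Build the sample bundle in a scratch directory and inspect it."""
    root = tempfile.mkdtemp(prefix="nukesped-triage-")
    return inspect_bundle(build_sample_bundle(root))


if __name__ == "__main__":
    result = demo()
    print("launched:", result["launched"])
    for name, meta in result["binaries"].items():
        print(f"  {name!r}: {meta['size']} bytes, mach-o={meta['macho']}")
    print("launched binary is the smallest:", result["launched_is_smallest"])
```

On a real machine, point inspect_bundle at a downloaded .app; a launched executable that is a fraction of the size of its sibling is not proof of anything on its own, but together with the copyright or signing identity (Figure 6) it is the quick triage cue this sample gives away.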
When running the Mac app, the malicious Flash Player will run the legitimate one to play a decoy SWF video.
Figure 7. The SWF video, which plays a Korean song in the background, shows a collection of pictures.
Our own analysis of the sample revealed that while the video is playing, the malicious Flash Player creates another hidden file (Backdoor.MacOS.NUKESPED.A) in the following path: ~/.FlashUpdateCheck.
Figure 8. The malicious Flash Player creates a hidden file at ~/.FlashUpdateCheck while the legitimate Flash Player plays a video. Note: The symbol (~) is equivalent to the path of the current user.
Subsequently, a persistence mechanism for this hidden file is installed through dropped PLIST file ~/Library/Launchagents/com.adobe.macromedia.plist.
Figure 9. Code snippet of ~/Library/Launchagents/com.adobe.macromedia.plist being dropped. The hidden file ~/.FlashUpdateCheck is set as its autorun target.
Further inspection shows that the hidden file ~/.FlashUpdateCheck is the Mac equivalent of the PowerShell script dropped by the macro-embedded document. We have identified functions related to its C&C communication with the following servers:
Figure 10. Listed C&C servers located in the _DATA segment of the hidden file
The variant’s backdoor functions
To trigger the backdoor functions of Backdoor.MacOS.NUKESPED.A, it must first try to establish a connection with the abovementioned servers, craypot[.]live being the first in order. Upon successful connection, it would continue to its actual backdoor routine.
Figure 11. In this routine, the file would evaluate the server’s response and perform specific functions based on the received command number.
Figure 12. Disassembled pseudocode for backdoor functions 11, 12, and 14
Figure 13. Disassembled pseudocode for backdoor functions 18, 19, 20, 21, 24, and 25

Switch case backdoor command    Function
2                               Set Sleep
3                               Terminate Process
11                              Get Host Information
12, 14                          Check Current Backdoor Configuration
15                              Update C2 and Backdoor Configuration
18, 19                          Execute Shell command
20                              Upload File
21                              Download File
24, 25                          Execute Response Directly
Table 1. The complete backdoor functions of Backdoor.MacOS.NUKESPED.A
Figure 14. The MacOS hidden file has backdoor functions that are similar to those of the executed hidden PowerShell script in the Excel spreadsheet sample (for example, the command 11 for both is the GetHostInfo function).
Conclusion
Unlike Lazarus’ earlier method, which used macros to download a backdoor Mac file, the samples we analyzed reveal that this attack type uses an app with a decoy while running the malicious routine to separate the entire Mac attack chain.
Cybercriminal groups such as Lazarus are expanding their scope of attack through different platforms. The Lazarus group’s shift from using a single cross-platform method for starting an attack chain to a more OS-specific crafted variant is something to take note of — and something we should expect on future related cases.
Security recommendations
To avoid attacks involving Backdoor.MacOS.NUKESPED.A, users should only download apps from official sources. This simple practice minimizes the chances of downloading a malicious app. Users can also benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats.
Enterprises, for their part, should take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.
Indicators of Compromise (IoCs)

File                 SHA256                                                              Detection Name
Album.app            d91c233b2f1177357387c29d92bd3f29fab7b90760e59a893a0f447ef2cb4715    Trojan.MacOS.NUKESPED.B
Flash Player         735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02    Trojan.MacOS.NUKESPED.B
.FlashUpdateCheck    6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc    Backdoor.MacOS.NUKESPED.A
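The persistence mechanism described at Figures 8 to 10 (a LaunchAgent plist under ~/Library that autoruns a dotfile in the home directory, with the C&C hostnames sitting in the binary's data) and the hash table above give a responder four independent checks. The script below is an added Python example for this page, not Trend Micro's tooling and not derived from the sample: it scans a LaunchAgents directory, resolves each agent's program, and reports structural signals (hidden file directly under $HOME, Adobe-looking Label outside /Applications) separately from the hash and string IoCs, so a rebuilt dropper with a new hash still trips the structural checks. The demo home directory, the Label value "com.adobe.macromedia", the RunAtLoad key, the benign com.example.sync agent, and the bytes written to .FlashUpdateCheck are all constructed assumptions.

```python
import hashlib
import os
import plistlib
import tempfile

# SHA-256 values from the post's IoC table.
NUKESPED_SHA256 = {
    "d91c233b2f1177357387c29d92bd3f29fab7b90760e59a893a0f447ef2cb4715": "Album.app / Trojan.MacOS.NUKESPED.B",
    "735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02": "Flash Player / Trojan.MacOS.NUKESPED.B",
    "6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc": ".FlashUpdateCheck / Backdoor.MacOS.NUKESPED.A",
}
# C&C hostnames from the post, with the defanging brackets removed.
C2_HOSTS = [b"crabbedly.club", b"craypot.live", b"indagator.club"]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def launch_agent_findings(agents_dir, home):
    """Return one finding per suspicious plist in a LaunchAgents directory.

    Each signal stands on its own, so a rebuilt dropper with a fresh hash still
    trips the structural checks:
      - the program is a dotfile sitting directly in the user's home (~/.X)
      - the Label claims an Adobe identity but the program is not under /Applications
      - the program's SHA-256 matches a published IoC
      - the program's bytes contain a known C&C hostname
    """
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # an unreadable agent is itself worth a look
            findings.append({"plist": name, "program": None, "reasons": [f"unparseable plist: {exc}"]})
            continue
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else None)
        if not program:
            continue
        if program.startswith("~/"):  # launchd does not expand ~, but droppers sometimes write it
            program = os.path.join(home, program[2:])
        reasons = []
        if os.path.dirname(program) == home and os.path.basename(program).startswith("."):
            reasons.append("runs a hidden file directly under the home directory")
        if str(plist.get("Label", "")).startswith("com.adobe.") and not program.startswith("/Applications/"):
            reasons.append("Adobe-looking Label but program outside /Applications")
        if os.path.isfile(program):
            digest = sha256_file(program)
            if digest in NUKESPED_SHA256:
                reasons.append("SHA-256 matches IoC: " + NUKESPED_SHA256[digest])
            with open(program, "rb") as fh:
                data = fh.read()
            for host in C2_HOSTS:
                if host in data:
                    reasons.append("contains C&C hostname " + host.decode())
        if reasons:
            findings.append({"plist": name, "program": program, "reasons": reasons})
    return findings


def demo():
    """Construct a scratch home with one dropper-style agent and one benign agent."""
    home = tempfile.mkdtemp(prefix="nukesped-home-")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    backdoor = os.path.join(home, ".FlashUpdateCheck")
    with open(backdoor, "wb") as fh:  # constructed stand-in, deliberately not the IoC hash
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + b"https://craypot.live/board.php\x00")
    with open(os.path.join(agents, "com.adobe.macromedia.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.adobe.macromedia",      # assumed Label value
                       "ProgramArguments": [backdoor],
                       "RunAtLoad": True}, fh)                # assumed autorun key
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--daemon"],
                       "RunAtLoad": True}, fh)
    return launch_agent_findings(agents, home)


if __name__ == "__main__":
    for finding in demo():
        print(finding["plist"], "->", finding["program"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a live Mac, call launch_agent_findings(os.path.expanduser("~/Library/LaunchAgents"), os.path.expanduser("~")) for each user, and /Library/LaunchAgents and /Library/LaunchDaemons as well. In the demo the constructed .FlashUpdateCheck does not match any published hash, which is the point: the hidden-file location, the impersonating Label and the embedded craypot.live string still flag it, while the benign agent produces no finding.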