Full Report
Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed FlutterShell, a new backdoor built with the Flutter framework. The post Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor appeared first on Unit 42.
Analysis Summary
# Tool/Technique: FlutterShell (Operation FlutterBridge)
## Overview
**FlutterShell** is a macOS backdoor that Unit 42 documented while investigating Operation FlutterBridge. What sets it apart is that it is built with the **Flutter framework**, Google's open-source cross-platform UI toolkit. Flutter compiles the Dart application code ahead of time into a snapshot that ships inside the app bundle as `App.framework/App`, so the malicious logic lives in a Dart AOT snapshot rather than in Objective-C or Swift code. The result is a legitimate-looking native app shell whose payload yields little to ordinary Mach-O disassembly, and detection content written for Swift/Objective-C macOS malware may not fire on it.
## Technical Details
- **Type:** Malware family (Backdoor)
- **Platform:** macOS (x86_64 and ARM64 via Universal Binaries)
- **Capabilities:** Command execution, file exfiltration, persistence, and system profiling.
- **First Seen:** Campaign documented in Unit 42 reporting; consult the full report for the observed timeline.
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
  - T1583.008 - Acquire Infrastructure: Malvertising
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (malvertising redirect to the lure download page)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (victim opens the DMG and launches the app)
  - T1059.004 - Command and Scripting Interpreter: Unix Shell (C2 commands run via `zsh`/`bash`)
- **TA0003 - Persistence**
  - T1543.001 - Create or Modify System Process: Launch Agent
- **TA0005 - Defense Evasion**
  - T1036 - Masquerading (lure posing as legitimate software)
  - T1027 - Obfuscated Files or Information (logic shipped as a Dart AOT snapshot inside the Flutter app bundle)
  - T1140 - Deobfuscate/Decode Files or Information
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
  - T1033 - System Owner/User Discovery
- **TA0009 - Collection** / **TA0010 - Exfiltration**
  - T1005 - Data from Local System
  - T1041 - Exfiltration Over C2 Channel
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- **System Enumeration:** Collects hostname, username, hardware serial number, and OS version for victim profiling.
- **Remote Command Execution:** Executes shell commands received from the C2 server through `zsh` or `bash`.
- **File Transfer:** Uploads selected files from the victim's machine to the attacker's server.
- **Persistence:** Drops a Launch Agent (a `.plist` in `~/Library/LaunchAgents`) so the backdoor starts at every login. No `launchctl` call is required for this to take effect: launchd loads any plist in that directory at the next login, so the file drop alone is the persistence event.
### Advanced Features
- **Flutter Framework Obfuscation:** The Dart application code is AOT-compiled into a snapshot shipped as the Mach-O at `Contents/Frameworks/App.framework/App` (the macOS counterpart of Android's `libapp.so`), next to the engine in `FlutterMacOS.framework`. Disassembling that Mach-O exposes the Dart runtime's calling conventions and object layout rather than ordinary Objective-C/Swift code, so analysts need Dart snapshot-aware tooling (for example reFlutter or Blutter) instead of the usual macOS malware workflow.
- **Multi-Stage Delivery:** A malvertisement redirects the victim to a lure page offering a DMG that mimics legitimate productivity software; the victim mounts it and installs the app by hand, so the chain relies on user action rather than an exploit.
## Indicators of Compromise
The values below are placeholders illustrating the IOC format, not indicators taken from the Unit 42 report: the second hash is a sequential byte pattern, and the lure name conflicts with the productivity-software lure described above. Take operational IOCs from the full report itself.
- **File Hashes (SHA256):**
  - `4d4e687878696b99a6136be056a233777717462198083866299103986927361a` (placeholder for the DMG)
  - `7d4834457788990011223344556677889900aabbccddeeff0011223344556677` (placeholder for the FlutterShell binary)
- **File Names:**
  - `Flash Player.dmg` (placeholder lure name)
  - `FlutterShell.app`
  - `com.apple.system.plist` (placeholder persistence file; any `com.apple.*` label in `~/Library/LaunchAgents` is itself suspicious, since Apple's own agents live under `/System/Library/LaunchAgents`)
- **Network Indicators (placeholders):**
  - `hxxps[:]//api.flutterbridge[.]com`
  - `hxxps[:]//cdn.macos-update[.]org`
  - `185.156.174[.]x`
- **Behavioral Indicators:**
  - A new `.plist` appearing in `~/Library/LaunchAgents` whose program path points into `/tmp`, `/Volumes` (a mounted DMG), `~/Downloads`, or another user-writable location.
  - An application bundle launched from a freshly mounted DMG or from `/tmp` that opens TLS (port 443) connections to hosts with no reputation; execution from `/Applications` alone is normal and carries no signal on its own.
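Hunting for the persistence described above (the Launch Agent in `~/Library/LaunchAgents`) comes down to parsing each plist and asking where its program lives and what its label claims to be. The script below is an added example, not code from Unit 42 or from the report; the two plists it checks are constructed for illustration, and the `com.apple.system` label, the `/tmp/.update/...` path and the `SyncTool` vendor agent are assumptions, not indicators.

```python
"""Audit ~/Library/LaunchAgents for backdoor-style persistence.

Added example; not code from Unit 42 or from the FlutterShell sample. The two
plists below are constructed for illustration: the label, program path and
app names are assumptions, not indicators from the report.
"""
from __future__ import annotations

import plistlib
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from xml.parsers.expat import ExpatError

# Apple's own agents live under /System/Library/LaunchAgents; a com.apple.*
# label inside the per-user directory is a masquerade, not a system agent.
APPLE_LABEL_RE = re.compile(r"^com\.apple\.")
# Locations a legitimate user agent has no business executing from: temp dirs,
# mounted DMGs, the Downloads folder, caches, the shared folder.
TRANSIENT_PATH_RE = re.compile(
    r"(?:^|\s)(?:/tmp/|/private/tmp/|/Volumes/|/var/folders/|/private/var/folders/"
    r"|/Users/Shared/|/Users/[^/\s]+/(?:Downloads|Library/Caches)/)"
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}


@dataclass
class Finding:
    path: str
    label: str
    program: str
    reasons: list[str] = field(default_factory=list)


def audit_plist(data: bytes, path: str = "<memory>") -> Finding:
    """Parse one Launch Agent plist (XML or binary) and list why it looks suspicious."""
    pl = plistlib.loads(data)
    label = str(pl.get("Label", ""))
    args = [str(a) for a in (pl.get("ProgramArguments") or [])]
    program = str(pl.get("Program") or (args[0] if args else ""))
    finding = Finding(path, label, program)
    if APPLE_LABEL_RE.match(label):
        finding.reasons.append("apple-label")
    if any(TRANSIENT_PATH_RE.search(a) for a in [program, *args]):
        finding.reasons.append("transient-path")
    if program in SHELLS and "-c" in args[1:]:
        finding.reasons.append("inline-shell")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        finding.reasons.append("keepalive")  # start at login and restart on exit
    return finding


def audit_dir(directory: Path) -> list[Finding]:
    """Return a finding for every plist in the directory that has at least one reason."""
    findings: list[Finding] = []
    for p in sorted(directory.glob("*.plist")):
        try:
            f = audit_plist(p.read_bytes(), str(p))
        except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
            f = Finding(str(p), "", "", [f"unparseable: {exc}"])
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample: a backdoor-style agent masquerading under an Apple label.
MALICIOUS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.system</string>
  <key>ProgramArguments</key><array>
    <string>/bin/zsh</string><string>-c</string>
    <string>/tmp/.update/FlutterShell.app/Contents/MacOS/FlutterShell</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary vendor agent, expected to produce no findings.
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncagent</string>
  <key>Program</key><string>/Applications/SyncTool.app/Contents/MacOS/SyncTool</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library/LaunchAgents"
    for f in audit_dir(target):
        print(f"{f.path}: label={f.label!r} program={f.program!r} -> {', '.join(f.reasons)}")
```

Run it without arguments on a Mac to audit the current user's agents, or point it at a directory of plists copied out of an investigation. Because launchd picks up a dropped plist at the next login without any `launchctl` call, this file-level check catches agents that process monitoring of `launchctl` would never see.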
## Associated Threat Actors
- **Operation FlutterBridge:** Not yet attributed to a named group. The available reporting characterises the operators only as financially motivated or espionage-aligned; linking the campaign to a tracked actor requires further tracking.
## Detection Methods
- **Signature-based detection:** AV or YARA content keyed on the FlutterShell binary's code and strings. The Mach-O header itself is common to every macOS executable and carries no family-specific signal, so it serves only as a file-type filter.
- **Behavioral detection:** File-creation telemetry on `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and `launchctl load`/`launchctl bootstrap` invoked from a parent that is not an installer. Note that launchd loads a dropped plist at the next login on its own, so watching `launchctl` alone misses agents that are dropped and never loaded explicitly.
- **YARA Rule Snippet** (a triage filter rather than a high-fidelity detection: the generic `"flutter"` string matches every Flutter-built app, and the C2 host is the placeholder value from the IOC section):

```yara
rule MacOS_FlutterShell
{
    strings:
        $flutter_marker = "flutter" wide ascii
        $c2_string = "api.flutterbridge"
    condition:
        // thin 64-bit Mach-O (MH_MAGIC_64, little-endian on disk) or a
        // universal binary (FAT_MAGIC, big-endian on disk); a bare
        // uint32(0) == 0xfeedfacf never matches a universal build
        (uint32(0) == 0xfeedfacf or uint32be(0) == 0xcafebabe) and all of them
}
```
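The magic check in the rule above has to accept both the thin and the universal layout, and a bare `"flutter"` string only says "built with Flutter". The Python below is an added example, not Unit 42 code: it parses the fat header, checks each slice for the Dart AOT snapshot symbols that a Flutter `App.framework/App` binary exports, and reports which architectures carry the payload. The universal binary it analyses is constructed in-script from two stub slices; the snapshot symbol names are real Flutter/Dart exports, the stub layout and the bundle check are assumptions.

```python
"""Triage a macOS binary for Flutter/Dart AOT content.

Added example; not Unit 42 code. The universal binary it analyses is
constructed in-script from two stub Mach-O slices, and the app-bundle layout
check assumes the standard Flutter desktop layout. The Dart snapshot symbol
names are the real exports of a Flutter App.framework binary.
"""
from __future__ import annotations

import struct
from pathlib import Path

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O, little-endian on disk (YARA: uint32(0))
MH_MAGIC = 0xFEEDFACE      # thin 32-bit Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal binary, big-endian on disk (YARA: uint32be(0))
MAX_FAT_ARCH = 30          # sanity cap: Java .class files share the CAFEBABE magic
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
DART_AOT_SYMBOLS = (
    b"_kDartVmSnapshotData",
    b"_kDartVmSnapshotInstructions",
    b"_kDartIsolateSnapshotData",
    b"_kDartIsolateSnapshotInstructions",
)


def fat_slices(data: bytes) -> list[tuple[str, int, int]]:
    """Return (arch, offset, size) per slice of a universal binary; [] if not fat."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if not 0 < nfat <= MAX_FAT_ARCH or len(data) < 8 + 20 * nfat:
        return []
    out = []
    for i in range(nfat):
        cputype, _subtype, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        out.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return out


def is_macho(blob: bytes) -> bool:
    return len(blob) >= 4 and struct.unpack("<I", blob[:4])[0] in (MH_MAGIC_64, MH_MAGIC)


def magic_ok(data: bytes) -> bool:
    """Same test as the YARA condition: thin 64-bit Mach-O or universal header."""
    return len(data) >= 4 and (
        struct.unpack("<I", data[:4])[0] == MH_MAGIC_64
        or struct.unpack(">I", data[:4])[0] == FAT_MAGIC
    )


def triage(data: bytes) -> dict:
    """Classify the container and report Dart AOT markers per Mach-O slice."""
    fat = fat_slices(data)
    slices = [(arch, data[off:off + size]) for arch, off, size in fat] or [("thin", data)]
    return {
        "container": "fat" if fat else "thin",
        "slices": [
            {
                "arch": arch,
                "macho": is_macho(blob),
                "dart_aot": sorted(s.decode() for s in DART_AOT_SYMBOLS if s in blob),
            }
            for arch, blob in slices
        ],
    }


def is_flutter_bundle(app: Path) -> bool:
    """Standard Flutter desktop layout: engine framework plus the Dart AOT payload."""
    fw = app / "Contents" / "Frameworks"
    return (fw / "FlutterMacOS.framework").is_dir() and (fw / "App.framework" / "App").is_file()


def _thin_stub(with_symbol: bool) -> bytes:
    """Constructed stand-in for a Mach-O slice: a 64-bit header followed by padding."""
    header = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 28
    symbol = b"_kDartIsolateSnapshotData\x00" if with_symbol else b""
    return header + symbol + b"\x00" * 16


def build_sample_universal() -> bytes:
    """Constructed universal binary with an x86_64 and an arm64 slice."""
    slices = [(0x01000007, _thin_stub(True)), (0x0100000C, _thin_stub(True))]
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">IIIII", cputype, 3, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    import sys
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_universal()
    print(triage(data))
```

Point it at `Contents/Frameworks/App.framework/App` inside a suspect bundle to see which slices carry a Dart snapshot, or at the main executable to confirm it is a thin or universal Mach-O. The `MAX_FAT_ARCH` cap matters in practice: a Java class file also starts with `CAFEBABE`, so `magic_ok` (like the YARA condition) accepts it, while `fat_slices` rejects it because its version field reads as an implausible slice count.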
## Mitigation Strategies
- **Prevention:** Use MDM configuration profiles to enforce Gatekeeper (App Store and notarized Developer ID apps only) and to block users from overriding it, so a downloaded, unnotarized DMG cannot be installed by hand.
- **User Education:** Train users to recognise malvertising and to avoid downloading software updates or tools from advertisements and pop-ups; a productivity app offered by an ad is a red flag, not a shortcut.
- **Hardening:** Keep Gatekeeper and notarization enforced and let XProtect and XProtect Remediator update automatically in the background; ensure users do not bypass the prompts for unverified apps (right-click Open, or removing the `com.apple.quarantine` attribute with `xattr -d`).
## Related Tools/Techniques
- **MacStealer:** Another macOS-based threat utilizing third-party frameworks for rapid development.
- **Malvertising:** Use of Google Ads or hijacked ad networks to redirect users to malicious landing pages.