Looking for Command & Control agents on my Mac

Introduction

Years ago I used to work with Apple’s BSM audit trails. Now, with macOS 10.15 (Catalina) a developer can collect important security information without changing the BSM configuration or using Kernel Extensions (KEXTs). This post shows that it is relatively easy to spot these Command & Control (C&C) agents waking up to call their C&C servers. In these cases, the C&C agents are (mostly) benign.

Why does this matter? Command & Control networks are how malicious adversaries often maintain persistent access to your computers, even through firewalls. Being able to spot, understand, and distinguish between benign and malicious C&C agents in your network is an important capability for keeping your network secure.

To give you an idea of some of the information you can capture using Catalina’s system extension API, this video shows a live GUI front-end for Process X-Ray displaying new processes being created. (the video can be skipped without loss of information)

Analyzing the Process X-Ray audit logs

While I like to keep the Process X-Ray GUI running on a side monitor to see what is happening in real-time, I also log the events to rotating log files. I can insert these JSON log-lines into a database to perform searches on past activity, look for patterns, run the data through various analytics algorithms, etc.

In the examples below, I pushed logs into an SQLite database and performed some simple queries.

Programs repeatedly activating in the background to call home (click to enlarge)

The image above show a query on the database that highlights programs that repeatedly start in the background. The next image zooms into the upper-left corner of the previous image.

Three groups of beaconing programs

In the image above, the funny 10 character string on the right is the Team ID used by the developer to sign the application. Everyone who wants to distribute an applications on the Mac has one of these. Apple knows the full identity associated with each Team ID.

For example, the Team ID EQHXZ8M8AV (red box) signed three Google programs (com.google.Keystone.Agent, crashpad_handler, and ksfetch). The green box shows Dropbox agents, and the blue box shows a LogMeIn agent.

The numbers on the left are the number of times each program was executed. For example, the LogMeIn G2MUpdate agent launched 13 times over about a 3-day period. All of these are launched in the background. They typically run only for a few seconds and then exit. Without some type of logging mechanisms, I would have no idea these programs were waking up and calling home.

Digging into LogMeIn’s G2MUpdate agent

This second query shows when the LogMeIn agent was launched, who launched it (xpcproxy), and where the program lives.

LogMeIn agent apparently trying to update GoToMeeting

This query shows LogMeIn’s agent launching between 2-7 times each day (presumably less when my Mac is asleep).

What I find particularly interesting about this is that I deleted the GoToMeeting application months ago. I followed the instructions from LogMeIn’s web site, which is the same instructions their support sent me on twitter - drag the application to the trash. Yet clearly, deleting GoToMeeting from the Applications folder doesn’t actually delete everything.

In the figure above, the red underline shows that this agent is buried in my personal Library folder. The Library folder is usually hidden from the user.

Using the Terminal application, I went to the GoToMeeting directory buried in the hidden Library folder and used the command “ls -la”. It shows another hidden folder/directory named “.versions” (blue line). So LogMeIn is using two layers of hidden folders/directories.

Contents of GoToMeeting shows a second hidden folder/directory named “.versions”

Listing the contents of the “.versions” hidden directory shows that my computer has 4 different versions of the GoToMeeting application installed (red box in figure below). Furthermore, all of these versions of GoToMeeting were installed long after I had supposedly deleted the application from my computer.

In short, the C&C agent G2MUpdate has installed in a hidden location on my computer at least 4 versions of a large complex application, and all of this was done without my knowledge or consent long after I thought I had deleted GoToMeeting.

Conclusions

In conclusion, a quick check from my Process X-Ray’s logs shows at least 3 Command & Control agents are active on my machine. Presumably they are all benign, but the LogMeIn C&C agent is a little dodgy because, following their instructions, I had deleted the GoToMeeting software from my Mac months ago, yet it is still secretly installing applications on my computer.

Update 2020-04-13: Added more information about the LogMeIn agent and made minor text changes.