Trojan

Posts in category: Trojan

AppleJeus is a cross-platform malware developed by the Lazarus APT group. AppleJeus was a targeted attack distributed by phishing emails carrying what claimed to be a cryptocurrency trading application.



The trading application has a hidden updater module that is installed and runs automatically after system reboot. This component contacts its C&C and may upload/download additional files. The malware first collects basic information from the system such as host name, OS version and OS kernel version, and sends the collected information to its C&C encrypted within a .gif file. To persist across system reboot, it creates the LaunchAgent “/Library/LaunchDaemons/com.celastradepro.plist” that will start the “updater” file:


Links:


Samples:
8069b2a09aee5a387a731fe072428839ba5db11d

posted on 2019 in Trojan

Calisto is a Trojan that steals sensitive data from the infected machine such as user passwords, Keychain data and Chrome data. It can also open a backdoor so the attacker is able to connect to the system remotely, take screenshots and more. It propagates as a fake “Intego Mac Internet Security”, as we can see from the differences shown in the pictures below (taken from the original report):

Source: Kaspersky


When executed, the malware will pop a window asking for the user’s credentials, to gain root access:

Source: CheckPoint


The malware then executes a bash command to achieve the following:

  • Zip the ~/Library/Keychains folder into the file ~/.calisto/KC.zip
  • Save the computer’s IP address into ~/.calisto/network.dat
  • Save the user name and password into ~/.calisto/cred.dat
  • Modify TCC.db to register the malware application bundle under “Assistive Access”, meaning the malware gets accessibility rights without needing a password
  • Enable remote login to the system / activate Apple Remote Desktop
  • Disable system sleep
  • Copy itself to “/System/Library/CoreServices/launchb.app”
  • Create a LaunchAgent to start itself automatically on system reboot

The malware also has unfinished/unused functionality that includes:

  • Loading/unloading kernel extensions that handle USB devices
  • Stealing data from user directories
  • Self-destruction of the infected OS


Source: CheckPoint


Links:


Samples:
d7ac1b8113c94567be4a26d214964119

posted on 2019 in Trojan, Backdoor

CoinTicker appears to be a legitimate program that displays information on cryptocurrency coins such as Bitcoin, Ethereum, Ripple etc…

Source: Malwarebytes


However, in the background the malware downloads and executes additional malware from the internet. CoinTicker downloads two additional backdoors using the curl command: the first is a custom version of the EggShell malware and the other is EvilOSX:


Source: CheckPoint


The additional downloaded malware opens a reverse shell connection to its Command & Control server. To persist across a system reboot, the malware creates the LaunchAgent “~/Library/LaunchAgents/.espl.plist” (note that the LaunchAgent file is hidden by default since its name starts with “.”) and loads it with the command “launchctl load”. This LaunchAgent is actually a payload to download and execute the backdoor:

Source: CheckPoint


The additional malware was downloaded from GitHub; the hosting user account and all of its content no longer exist.


Source: CheckPoint

Links:


Samples:
a93b7d87c66506a2bc7e52b57e8900c5d445d827

posted on 2019 in Trojan, Backdoor

Coldroot was first published as an open source RAT for macOS on Github in 2016, but no real malware was discovered until 2018. The malware is weaponized with a wide range of commands such as:

  • File/Folder control (move, rename, delete)
  • Remote Desktop
  • Download, upload and execute files
  • Process control (list, execute, kill)
  • Taking screenshots
  • Gaining accessibility rights by modifying TCC.db
  • Keylogging

The malicious application arrives with a normal “document” icon, so a user might think he is opening a document rather than a malicious application.

Source: Digita Security


Once executed, the malware tries to get root access by popping up a window asking the user for credentials. It creates a LaunchDaemon in order to persist across system reboot (“/Library/LaunchDaemons/com.apple.audio.driver.plist”). The malware keeps its configuration in a file within its application bundle (“MacOS/conx.wol”). Its content can be seen below:

Source: Digita Security


In addition, it modifies the system security database file TCC.db to add itself as an Accessibility application, meaning it then has the ability to control the computer.

Source: Digita Security


Links:


Samples:
7e60c8ae77e20fbd7699187d0baf9ed0477e72f3

posted on 2019 in Trojan, Remote Access Tool

CookieMiner is a malware that steals a user’s sensitive data, opens a backdoor on infected machines and downloads and executes a cryptominer. It is then able to do the following:

  • Steal cookies from the Chrome and Safari browsers
  • Steal usernames and passwords stored in Chrome
  • Steal credit card details stored in Chrome (such as Visa, Mastercard and more)
  • Steal iPhone SMS messages if they were backed up to iTunes
  • Download and install additional files to have a backdoor on the infected machine
  • Download and execute the cryptominer program

Source: PaloAlto


Below we can see a piece of the malware code that extracts the saved Username and Password from Chrome:

Source: PaloAlto


For remote control, CookieMiner downloads EmPyre, an open source post-exploitation control tool (https://research.checkpoint.com/macos-malware-pedia/#empyre).

Source: CheckPoint


Links:


Samples:
587ca10c466b1793a03cf23203bcb751c3633718

posted on 2019 in Trojan, Backdoor, CryptoCurrencyMiner

CrossRAT is a cross-platform malware written in Java, targeting Windows, Linux and macOS. There are signs implying that the malware was developed by/for the Dark Caracal APT group.

Source: CheckPoint


The infection vector is a malicious document that arrives in a phishing campaign. If macros are enabled, malicious code is executed to download the malware and infect the system. When executed, the malware tries to copy itself to /usr/var/mediagrs.jar if it has permissions, and if that fails it copies itself to %HOME%/Library/mediamgrs.jar. The malware creates the LaunchAgent “$HOME/Library/LaunchAgents/mediamgrs.plist” for persistence on the infected machine. CrossRAT can manipulate the file system, take screenshots, and download and execute additional files. It also uses “jnativehook”, an open source library written in Java that enables keyboard and mouse listeners, i.e. keylogging. In addition, the malware collects information from the system and sends it to the C2.


Links:


Samples:
7e60c8ae77e20fbd7699187d0baf9ed0477e72f3

posted on 2019 in Trojan

DarthMiner is a combination of EmPyre, a post exploitation backdoor, and XMRig cryptominer. The malware is distributed as a fake “Adobe Zii” application.

Source: Malwarebytes


When executed, the malware runs a shell command that downloads and executes additional files. As a result, EmPyre and XMRig are installed on the infected system.

Source: CheckPoint


The malware also creates the LaunchAgent “com.apple.rig.plist” so that XMRig starts automatically on system boot.

Source: CheckPoint


Links:


Samples:
ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

posted on 2019 in Trojan, CryptoCurrencyMiner

This is another macOS malware ported from Windows (“Retefe”). Dok spreads via phishing mail and usually targets European macOS users. The malware installs a proxy on the infected machine that can redirect internet traffic through the attacker’s website. Almost all malware samples were signed with a legitimate Apple Developer ID (already revoked), which implies great effort by the malware authors, as dozens of legitimate certificates were used to sign the malicious files. After all, each Apple Developer ID costs $99/year. When executed, Dok shows a fake message claiming the application is damaged and cannot be executed. This is in order to fool the user into thinking that nothing is happening, while behind the scenes the malware copies itself to a destination and waits a few minutes before showing the message below, saying that an update is available for the OS:

Source: CheckPoint


When the user clicks to update, a credentials window pops up asking for the user’s password. This is used to install additional programs as root. Using those privileges, the malware installs brew, a popular package manager for macOS, and with it additional tools: TOR and SOCAT. TOR is a low-level command line utility that allows connection to the dark web. The malware also changes the behaviour of the system to allow root access without entering a password by adding the sudoers line “%USER_NAME_HERE% ALL=(ALL) NOPASSWD: ALL”. In addition, the malware configures the network settings so that outgoing connections pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting on a malicious server.

Source: CheckPoint


The resulting change can be seen in the Network Settings:

Source: CheckPoint


To avoid a browser warning when browsing to a secure web site (HTTPS), the malware adds its fake certificate to the trusted root certificates on the system:

Source: CheckPoint


The malware persists in the system by adding a LaunchAgent that executes commands to redirect requests from 127.0.0.1 through the attacker’s website on the dark web. Later variants also disabled security updates and access to various Apple services on the web:

Source: CheckPoint


The main payload of the malware is to steal the user’s credentials for chosen sites such as banks. Below we can see the content of a proxy file that redirects the matching websites through the attacker’s website:

Source: CheckPoint


An example can be seen below when accessing the “Credit Suisse” website. The user gets a page that looks similar to the original:

Source: CheckPoint


Links:


Samples:
7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145
4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5

posted on 2019 in Trojan

Eleanor is a bundle of several open source applications and scripts. Eleanor acts as an “EasyDoc Converter” app which purports to convert file formats into Microsoft Word files, but actually this malware opens a back door into Mac OS X systems via the Tor network. Its main purpose is to give an attacker full control over the infected machine, so the attacker can browse user files, execute applications, capture photos, gain access to webcams and execute code remotely. It was discovered in July 2016 by Bitdefender. The malware is distributed as “EasyDoc Converter”, which supposedly migrates documents from Windows to OS X. In fact, this “EasyDoc Converter” contains malicious functionality which tries to gain full control over the victim machine. Eleanor could be found on web sites that offer Mac applications, such as MacUpdate. Using a free Pastebin account, after each infection the victim host name is uploaded to Pastebin. It took three months until Eleanor was discovered, as the first infection was in April 2016.


Infection Vector

A user is infected after downloading and installing “EasyDoc Converter”. Since the application is not signed with a certificate belonging to an Apple developer ID, it is more difficult to open. By default, Mac OS X will not open unsigned apps.

Source: CheckPoint


Once the infection is made, the malware installs several hidden services which give the attacker anonymous access to the infected machine via the TOR network. The attacker then has the ability to access and modify files, execute shell commands, capture images and videos and more. First, the malware checks for the presence of Little Snitch (a 3rd party security product for Mac). If Little Snitch is present, the malware will not infect the machine. The malware creates a hidden folder .dropbox and copies its components to this directory. Later, the malware shows a message that the current system is not supported by the application (so the user will not suspect the malware). Eleanor creates three daemons:

  • Tor Hidden Service – creates a Tor hidden service which gives access to the second backdoor on the infected machine, the Web Service. It generates a Tor address in the format XXXpaceinbeg3yci.onion. The location of the service is /Users/%CURRENT_USER%/Library/.dropbox/sync/conn. When Tor starts, it creates the HiddenServiceDir and a public/private key pair. This hidden service gives access to two local services: a Web Service on 127.0.0.1:9991 and an SSH service on 127.0.0.1:9992.

  • Web Service(PHP) – This daemon provides the attacker control over the infected machine. It can be accessed through the Tor-generated address described above.

The main page of the web service requires a password which should match a hardcoded string:

$GLOBALS['pass'] = "15bd408e435dc1a1509911cfd8c312f46ed54226"; // sha1(md5(pass))

After authentication is done, the main control panel is displayed. The control panel has the following abilities:

  • File manager (view, edit, rename, delete, upload, download, archiver, etc.)
  • Command execution
  • Script execution (php, perl, python, ruby, java, c)
  • Shell via bind/reverse shell connect
  • Simple packet crafter
  • Connect to DBMS (mysql, sqlite, pdo)
  • Process list/Task manager
  • Send mail with attachment (you can attach a local file on the server)
  • String conversion

The other part of the web service is the WebCam Control Panel. It has the ability to capture images and videos from the user’s webcams using a tool it copies to ~/Library/.dropbox/utilities/wacaw.

  • PasteBin Agent – after creating a unique Tor address, this daemon encrypts & uploads the address to Pastebin. The location of this daemon is /Users/%CURRENT_USER%/Library/.dropbox/check_hostname. It encrypts the address with an RSA key contained in the application bundle and encodes the result with base64 before uploading it to Pastebin, so the attacker can learn the victim’s address.

The malware creates a service on the victim computer over the TOR network in order to open a backdoor for the attacker, so all incoming traffic passes through it. Once infected, the machine posts its encrypted TOR address to Pastebin using the PasteBin Agent mentioned above.

Source: CheckPoint


Links:


Samples:
fe2796b17c3553b37ba9e2a72b0a2c507418d588

posted on 2019 in Trojan

FakeFileOpener is a nasty application that sets itself as a “File Opener” application for over 200 file types in macOS, including video, gifs, Java files and many more. This is done by declaring all the file types in its Info.plist file:

Source: CheckPoint


The key “CFBundleTypeExtensions” declares the file extensions the application handles, and the key “LSHandlerRank” is set to “Alternate”. This means that FakeFileOpener will be the default handling application for the specified file types only if there is no other application that was declared as “Owner” or “Default”.
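As an added, defender-side example (not code from the original post), the script below parses an Info.plist’s CFBundleDocumentTypes and flags a bundle that registers itself as an “Alternate” handler for an implausibly broad set of extensions; the sample plist and the 50-extension threshold are constructed assumptions for the demo.

```python
import plistlib
from collections import Counter

# Constructed Info.plist fragment with the structure the post describes:
# CFBundleDocumentTypes entries that claim many extensions at "Alternate" rank.
# (The real FakeFileOpener plist is not reproduced here.)
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.fakeopener</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeName</key><string>Video</string>
      <key>LSHandlerRank</key><string>Alternate</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>mp4</string><string>mkv</string><string>avi</string><string>mov</string></array>
    </dict>
    <dict>
      <key>CFBundleTypeName</key><string>Other</string>
      <key>LSHandlerRank</key><string>Alternate</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>gif</string><string>jar</string><string>class</string><string>torrent</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def document_type_summary(plist_bytes):
    """Return (bundle_id, distinct_extension_count, Counter of LSHandlerRank values)."""
    info = plistlib.loads(plist_bytes)
    ranks = Counter()
    extensions = set()
    for doc_type in info.get("CFBundleDocumentTypes", []):
        # LSHandlerRank is optional in Info.plist; count a missing key separately.
        ranks[doc_type.get("LSHandlerRank", "<unspecified>")] += 1
        for ext in doc_type.get("CFBundleTypeExtensions", []):
            extensions.add(str(ext).lower())
    return info.get("CFBundleIdentifier", "<unknown>"), len(extensions), ranks


def is_suspicious_opener(plist_bytes, min_extensions=50):
    """True when a bundle registers as an Alternate handler for an implausibly broad
    set of extensions. The threshold of 50 is an assumption for this example; the
    post reports FakeFileOpener claiming over 200 file types."""
    _, count, ranks = document_type_summary(plist_bytes)
    return ranks.get("Alternate", 0) > 0 and count >= min_extensions


if __name__ == "__main__":
    bundle_id, count, ranks = document_type_summary(SAMPLE_INFO_PLIST)
    print(bundle_id, "claims", count, "extensions; ranks:", dict(ranks))
    print("suspicious at threshold 8:", is_suspicious_opener(SAMPLE_INFO_PLIST, 8))
```

On a real system the same function can be pointed at each app’s Contents/Info.plist under /Applications to list which bundles register themselves as Alternate handlers and for how many extensions.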

Source: CheckPoint


Once such a file is opened, FakeFileOpener is launched. It then shows the window below, saying there is no program installed that can handle this kind of file, and that the user can search the web.

Source: CheckPoint


When the user clicks “Search Web”, a web page offering adware / fake applications that supposedly handle the file is opened:

Source: CheckPoint


It should be noted that in the normal case, when a file type has no default application to handle it, the OS shows the message below:

Source: CheckPoint


Links:


Samples:
7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145

posted on 2019 in Trojan

In my opinion this is one of the most interesting malware for macOS because of the large number of infections and the techniques it uses. Flashback is probably the first widespread malware on macOS, with over 500,000 infections, and started getting attention in 2012. The malware propagates by disguising itself as an Adobe Flash update or as a signed Java applet that either uses an exploit to install the malware automatically without the user’s knowledge or pops up a window asking the user to run the signed Java file.

Source: ESET


One of the most interesting things about this malware is that it obfuscates itself after infection, so the executable will not execute properly on any machine other than the one it first infected. This is done by encrypting its data structures with RC4 using the machine’s platform UUID. The malware also uses a date-based DGA (Domain Generation Algorithm) in order to make it difficult to identify its C2 servers; in that way, the malware generates different addresses daily to communicate with. Another interesting thing about this malware is that it uses Twitter as a way for the attacker to deliver commands to the malware: its config may include hashtags that the malware uses to search for a command. The main payload of Flashback is intercepting HTTP/HTTPS data to push ads.


Links:


Samples:
94e4b5112e750c7902968d97237618f5b61efeb2
12a764ffa03ab8951ae8bdb59d40f72710bb3a46

posted on 2019 in Trojan, Backdoor

Discovered by Malwarebytes in the early days of 2017. The malware, written in obfuscated Perl, includes a “DATA” section that when decoded is a Mach-O file that will be executed on the infected machine.

Source: CheckPoint


The malware can take screenshots using the command “screencapture -x”, and in addition it downloads and executes additional files that enable it to scan for other computers on the same network and connect to them. Below we can see the set of commands the malware can receive from the C&C for FruitFly variants A and B, as analyzed by Patrick Wardle (full report in link 2):

Source: Patrick Wardle


Source: Patrick Wardle


Links:




posted on 2019 in Trojan, Backdoor

Imuler is a backdoor that connects to a remote C&C server and enables an attacker to perform various commands on an infected system such as:

  • download and execute additional files.
  • collect system information and send it to the C&C.
  • capture screenshots and send them to the attacker.

The first variant arrived inside a PDF file, but as far as is known it was not found in the wild. Another variant appears as a JPEG file, since by default macOS does not display file extensions. Once a user clicks on the file expecting to see a larger view of the picture, the malware, which is actually an application bundle, is executed.

Source: Intego


The malware persists in the system by adding a LaunchAgent in the ~/Library/LaunchAgents/ folder. One specific variant of Imuler targeted Tibetan users, as the malware application bundle contained images of Tibetan organizations.

Source: Intego


Source: CheckPoint


Source: CheckPoint


Links:


Samples:
151c8135e46e645d3daa3b2d4332117e0b386817
1348ed679b0a5e7ae0ccb1ce52813836f884f8f1

posted on 2019 in Trojan

Keydnap is a malware which opens a backdoor on infected machines and steals the content of the keychain, which holds sensitive information such as passwords. The malware uses a cunning technique to trick the user into clicking on the malicious executable file: it adds a jpg file extension but with additional spaces or other characters, such as “.jpg ” or “.jpg|”. In this way the user might think the file is an image and be tempted to click on it; however, the OS recognizes the file as an executable, and once clicked it is executed.
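As an added example (not from the original post), the check below flags files whose name ends in a lookalike image extension such as “.jpg ” or “.jpg|” but whose first bytes are a Mach-O header, the lure described above; the sample files are constructed in a temporary directory.

```python
import os
import re
import struct
import tempfile

# Mach-O magic numbers as read big-endian from the first four bytes on disk:
# 32/64-bit thin binaries in either byte order, plus the fat (universal) header.
# Note: 0xCAFEBABE is also the Java .class magic, so treat it as a hint, not proof.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

# An image extension followed only by characters a real extension never carries
# (spaces, '|'), e.g. "photo.jpg " or "photo.jpg|".
LOOKALIKE_RE = re.compile(r"\.(jpe?g|png|gif)[ |]+$", re.IGNORECASE)


def has_lookalike_image_name(name):
    return LOOKALIKE_RE.search(name) is not None


def is_macho(path):
    with open(path, "rb") as fh:
        head = fh.read(4)
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS


def find_disguised_executables(root):
    """Paths under root whose name mimics an image but whose content is Mach-O."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if has_lookalike_image_name(name) and is_macho(path):
                hits.append(path)
    return sorted(hits)


def build_demo_dir():
    """Create constructed sample files: one Keydnap-style lure and two benign files."""
    root = tempfile.mkdtemp(prefix="keydnap_demo_")
    # Lure: bytes of a 64-bit little-endian Mach-O header, named with a trailing space.
    with open(os.path.join(root, "screenshot.jpg "), "wb") as fh:
        fh.write(struct.pack(">I", 0xCFFAEDFE) + b"\x00" * 28)
    # Real JPEG start-of-image marker with a normal name: not flagged.
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 28)
    # Mach-O with an honest name: not a lure by this rule.
    with open(os.path.join(root, "tool"), "wb") as fh:
        fh.write(struct.pack(">I", 0xFEEDFACF) + b"\x00" * 28)
    return root


if __name__ == "__main__":
    for hit in find_disguised_executables(build_demo_dir()):
        print("disguised executable:", repr(hit))
```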

Source: ESET


The malware drops the file ‘icloudsyncd’, which is the backdoor. It then creates a LaunchAgent to start the backdoor in order to survive a reboot. To exfiltrate the passwords stored within the keychain, Keydnap uses the open source proof-of-concept (POC) project “Keychaindump”. To communicate with its C&C the malware uses onion.to, a Tor2Web proxy to domains on the dark web, and it uses RC4 encryption to encrypt the data it sends to its Command and Control.

Source: ESET


The backdoor can receive several commands, such as updating itself, downloading and executing additional files, executing a command and sending the output to the C2, and more:

Source: ESET


Another interesting thing about this malware is the way it tries to achieve root permissions if it doesn’t have them. The malware monitors the number of processes, and if two processes are created within a short time of each other, the malware pops up a window asking for root privileges, hoping the user will fall for this trick.

Source: ESET


Links:


Samples:
773a82343367b3d09965f6f09cc9887e7f8f01bf
07cd177f5baf8c1bdbbae22f1e8f03f22dfdb148

posted on 2019 in Trojan, Backdoor

Komplex is a malware developed by the Sofacy group (APT28) to attack individuals using macOS. It is able to download and execute additional files, execute and delete files, and directly interact with the system shell. The malware contains several components:

Binder: Responsible for saving another payload and a decoy PDF document that is shown on the screen using the “Preview” application after the malware is executed. This is to shift the user’s attention from the malicious activity behind the scenes. The PDF file is written in Russian and may hint at the users the malware targets. The binder drops an executable file “/tmp/content”, which is the second stage of the infection.

Source: PaloAlto


Dropper: The dropper is responsible for dropping the third stage of the malware infection and achieving persistence on the system. Komplex’s actual payload is saved as “/Users/Shared/.local/kextd”. It creates a LaunchAgent at “~/Library/LaunchAgents/com.apple.updates.plist” and starts it using “launchctl”. This ensures that the malware survives a system reboot.


Payload: When executed, the payload first performs some anti-debug checks as well as connectivity checks by issuing a GET request to “google.com”. If those tests pass, it decrypts its configuration file, which contains the C&C servers as well as a token that is part of the communication encryption between the infected machine and the C&C. It collects information from the system such as system version, username and process list and sends it to the C&C. In return the C2 sends additional commands for the malware to execute. Some of the C&C domains were used by other malware of the Sofacy group. Another interesting thing is that there is some code/flow similarity between Komplex and Carberp, a malware targeting Windows users, also by the Sofacy group.

Source: CheckPoint


Links:


Samples:
c7199fb8c605f4b76093cc88f1d80a59fac64ae2
9e73b0457d28b0296befed65e2517ed7a9c1e61d

posted on 2019 in Trojan, Backdoor

This malware was first seen as a malicious copy of the Discord app, even though it did not try to fool the user into thinking it is the real Discord app after execution. When executed, the malware sets up a LaunchAgent in order to persist on the system. It creates and executes some Python scripts on the system. The malware installs an EmPyre backdoor and, in addition, takes screenshots of the infected system and sends them to its C&C.

Source: CheckPoint


Links:



Samples:
ffc4872e8fffd81eed1b94a6d68f1442e61c380b

posted on 2019 in Trojan

A cross-platform malware that uses infected machines to mine cryptocurrency, in this case Monero. The malware targets both macOS and Windows machines and is distributed with a lightweight Linux image; in the macOS case this is a QEMU image used to run the miner. As a result the malicious program is over 100MB, and it is disguised as audio production software such as “Virtual DJ 8 Pro Infinity”.

Source: ESET


The malware comes bundled with VST (“Virtual Studio Technology”) software, which is software containing the sounds, effects and editors that MIDI controllers use to create music.

Both the macOS and Windows versions of the malware have similar characteristics:

  1. An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence
  2. User downloads the application and follows attached instructions on how to install it.
  3. LoudMiner is installed first, the actual VST software after.
  4. LoudMiner hides itself and becomes persistent on reboot.
  5. The Linux virtual machine is launched and the mining starts.
  6. Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries).

Source: ESET


LoudMiner macOS version has several main components:

  1. QEMU Linux image
  2. Shell scripts used to launch the QEMU images.
  3. Daemons used to start the shell scripts at boot and keep them running.
  4. A CPU monitor shell script that monitors CPU usage and can start/stop the mining based on it.

Source: ESET


Links:


Samples:
71030028c4e1b844c85138bd77ddea96a190ec2c
32c80edcec4f7bb3b494e8949c6f2014b7f5db65
7dc9f8ca07cd8e0247cf15cd8d2da2190a02fc90
e9c9d17d006fb03d67b736c0826df0af8ca6d5fd

posted on 2019 in Trojan, CryptoCurrencyMiner

A cross-platform trojan which, according to the original publication, is related to an Iranian cyber security group attacking Windows and macOS users. The malware is distributed via a spear phishing website impersonating the aerospace firm “United Technologies”. The page shows an error, in French, claiming that the Flash plugin has security flaws:

Source: IRAN THREATS


To fix the issue, the user is baited into downloading “Bitdefender Adware Removal Tool”. After the user clicks the update button, a window claims that adware has been found on the system, and right after a credentials window asks the user for their password in order to fix the problem:

Source: CheckPoint


After gaining the root password, the malware is able to steal sensitive information from the keychain. It collects information from the infected machine such as osVersion, user password, keychain files, application and process lists, and stores it in “/private/tmp/applist.txt”:

Source: CheckPoint


The malware application bundle contains the file “checkadr.txt” in its Resources folder, which holds the C&C address used to send the data collected from the system together with a zip file containing the keychain files.


Links:


Samples:
52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c

posted on 2019 in Trojan, Backdoor

MacSpy is Malware as a Service (MaaS). The malware authors claim that it is undetected by anti-viruses. It is offered in a basic version for free, and in addition a paid version makes more advanced features available, such as:

  • File encryption (similar to ransomware)
  • Access to emails
  • Official code signing for the malicious file
  • Webcam streaming from the infected machine
  • Remote shell
  • More…

Source: CheckPoint


The website offering the malware contains lots of informative details such as how to download it, how the malware should be installed, and even an “About Us” section. Below is a screenshot from the website on the TOR network that advertised MacSpy as “The most sophisticated Mac spyware”:

Source: CheckPoint


MacSpy uses anti-debug and anti-VM techniques in order to make its analysis harder. It creates a LaunchAgent in order to persist across a system reboot. For communication it uses the TOR service to send messages to its C&C. A “customer” who buys the MacSpy service receives credentials to a Web Portal that lets them view the information collected from infected machines.


Links:


Samples:
d2036f93eaa4b2ba10e42ebd260fc929c3160ba5

posted on 2019 in Trojan, Backdoor

OSX/MaMi is a DNS hijacking malware with additional dangerous functionalities in its code, such as taking screenshots, simulating mouse events, downloading & uploading files, executing additional commands and more. The malware modifies the system’s default DNS settings, so all DNS requests are sent to the attacker’s machines, which can answer with forged DNS responses. In this way an attacker can send the victim to fake websites instead of the intended ones.

Source: Objective-See


The attacker can also perform a Man In The Middle attack (MiTM), since he controls the actual web address the user is redirected to. To extend this to secure (HTTPS) traffic as well, the malware adds a fake certificate as a root certificate to the System keychain:

Source: Objective-See


Another interesting fact about the malware is its similarity to a Windows malware from 2015 (second link) that hijacks DNS to the same addresses used in OSX/MaMi. Another suspicious thing pointing to the similarity is that the certificates of both the Windows and macOS malware have the same fingerprint:

Source: thecomputerperson


Links:



posted on 2019 in Trojan

A cross-platform malware, also attacking Windows and Linux operating systems, which opens a backdoor on an infected machine. It is unknown how this malware propagates to macOS machines, and the only evidence of it is an unpacked version of the malware on VirusTotal. Mokes is able to perform the actions below:

  • Take screenshots
  • Capture audio and video
  • Steal Office documents
  • Record keystrokes
  • Execute additional commands

Once executed, the malware copies itself to the first available of the following locations:

  • $HOME/Library/AppStore/storeuserd
  • $HOME/Library/com.apple.spotlight/SpotlightHelper
  • $HOME/Library/Dock/com.apple.dock.cache
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled

The malware creates a LaunchAgent corresponding to the file created above to persist itself across system reboot. To keep stolen information, Mokes uses temporary files with different extensions for each data type:

  • $TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
  • $TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
  • $TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
  • $TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)


Links:


Samples:
1e8568e61b75a68ed7481cf0619f643af76bf889

posted on 2019 in Trojan, Backdoor

Proton is a Remote Access Tool for macOS. It was first published as a service in a Russian cybercrime forum and later variants of this malware were seen spreading in different ways.

Source: SIXGILL


Over time, researchers have discovered different applications containing the Proton malware. One of them was as a fake “Symantec Malware Detector”. Another was within a package of the “Elmedia Player” application which was somehow repackaged with the malware.

Source: Malwarebytes


The malware pops up a message asking the user for credentials to gain root privileges on the infected machine. To persist, it creates a LaunchAgent to start itself after reboot. The malware has a wide range of commands available such as:

  • Keylogging
  • Passwords and data stealing
  • Remote access
  • Copy/Create/Delete files on the infected machine
  • Download, Upload, Execute files
  • More…

Source: CheckPoint


For more details about Proton and its variants click on the links below.


Links:


Samples:
0935a43ca90c6c419a49e4f8f1d75e68cd70b274
8cfa551d15320f0157ece3bdf30b1c62765a93a5

posted on 2019 in Trojan, Remote Access Tool

This is a malware hidden in a hacked version of the game “Counter Strike: GO”. An infection occurs when a user downloads a hack for the game. When executed, the malware asks the user to run it as root:

Source: CheckPoint


When it achieves root permissions, it downloads additional files, one of which is a variant of OSX/Pwnet. Its main payload is using the computer’s resources to mine cryptocurrencies. The malware also creates a LaunchDaemon “/Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist” in order to persist on the system.


Links:


Samples:
86216a50a60c08cf1f455ff1a27aaeb62b618bc3

posted on 2019 in Trojan, CryptoCurrencyMiner

Like many other macOS malware families, OSX/Shlayer is distributed as a fake Flash Player. This may be via a torrent, or via a fake pop-up alert telling the user they need to update Flash in order to view content on malicious/compromised web sites. The malware is signed with a legitimate Apple certificate.

Source: CheckPoint


The malware runs a small shell script that decrypts further scripts located in the application’s Resources folder (“Resources/enc”).

Source: CheckPoint


After decryption, the final shell script it executes looks like the one below. What does the malware actually do? It downloads additional files/malware with the curl command and executes them on the system:

Source: CheckPoint


Links:


Samples:
79f22a59805513799ee631d4e61ca309a2057709

posted on 2019 in Trojan  

Siggen is a backdoor that allows an attacker to download and execute arbitrary Python or shell scripts on the infected machine. It disguises itself as a portfolio or as a WhatsApp messenger application.

Source: CheckPoint


When executed, the malware downloads a plist file that is installed as a LaunchAgent in order to persist on the system.

Source: SentinelOne


Links:


Samples:
66ecc5d96d7fbcb54cac534a16b12e918fa0f11c

posted on 2019 in Trojan, Backdoor

Snake has been known as Windows malware since 2008. In 2017 Fox-IT found a variant that had been ported to macOS. The malware arrived as the file “Install Adobe Flash Player.zip”, a modified version of the Adobe Flash installer. Inside the zip file is a macOS application bundle signed with a legitimate Apple Developer ID (since revoked):

Source: CheckPoint


Once launched, the malware runs its own script before the real Adobe installation. It uses AppleScript to run its infection script with administrator permissions:

Source: CheckPoint


The installer contains two scripts. The first copies the malware files to “/Library/Scripts/” and creates a LaunchDaemon in order to persist on the system.

Source: CheckPoint


The second script, “installd.sh”, checks whether the “installdp” process is running and, if not, starts it. It is unknown what the infection vector was, or whether any infections occurred at all. The large number of debug strings in the malicious “installdp” binary suggests that this version of the malware was not finished:

Source: CheckPoint


Links:


Samples:
b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea

posted on 2019 in Trojan  

Another macOS backdoor, discovered in 2017, that mostly targeted university researchers in Hong Kong. When executed, the malware copies itself to “~/.local/bin/sysetmd” (a look-alike of the name systemd). To persist on the infected machine it creates the LaunchAgent “~/Library/LaunchAgents/com.appule.sysetmd.plist”, which starts the binary. The malware collects and sends the following information to the C&C:

  • OS info (name, version)
  • User info (ID, login)
  • Computer info (CPU, memory, MAC address)
  • IP address

Source: CheckPoint


Below is the list of commands the malware can receive from the attacker:

Source: Dr.WEB


Links:


Samples:
3cb1cfa072dbd28f02bd4a6162ba0a69f06f33f0

posted on 2019 in Trojan, Backdoor

Tsunami, discovered by Intego, is cross-platform malware. It was originally developed for Linux (under the name Kaiten), its source code was published on the internet in 2009, and a macOS version appeared two years later. The malware acts as a backdoor and as a Denial of Service (DoS) tool for the attacker: it connects to a server and accepts commands via a specified IRC channel. Below are the commands it can carry out on an infected machine, which include several kinds of DoS attack, downloading additional payloads, network spoofing and more.

Source: Intego


Links:


Samples:
f479f4c9811a62a0ff861373ff315d0df8962f1d

posted on 2019 in Trojan, Backdoor

WindTail is malware developed and delivered by the WindShift APT group, which mostly targets government agencies and companies in the Middle East. WindShift infects a user with WindTail via spear-phishing emails, either with an attachment or with a link to a crafted web page that exploits a vulnerability in the system to install the malware. As described in Taha Karim’s research “The Trails of WINDSHIFT APT”, such an attack takes place only after 1-2 years of reconnaissance on the targeted user.

Source: Dark Matter


The malware samples are signed with a legitimate Apple-issued certificate and are thus able to pass Gatekeeper.

Source: CheckPoint


When executed, the malware adds itself as a LoginItem in order to persist on the system:

Source: Objective-See


In addition, the malware tries to download and execute further malware using the curl command.

Source: CheckPoint


Links:


Samples:
70a1c4ed3a09a44a41d54c4fd4b409a5fc3159f6

posted on 2019 in Trojan, Backdoor

Another tool in the WindShift APT group’s toolset is a second-stage payload downloaded by the WindTail malware.

Source: Dark Matter


Its main purpose is to take screenshots of the infected machine and send them to a remote C&C every few seconds.


Links:




posted on 2019 in Trojan  

Winplyer is macOS malware that executes a Windows binary on the infected system using the Mono framework, which allows Microsoft .NET executables to run on macOS. The malware spreads on torrent sites disguised as various macOS applications such as “Little Snitch”, “Paragon NTFS” and more. Upon execution, it collects and sends system information such as ModelName, ProcessorDetails, SerialNumber and the list of applications installed in the “/Applications” folder. Below is the content of one of the malicious files, which contains the Mono framework files and the Windows binaries.

Source: Trend Micro


The malware then downloads and executes additional files, mostly adware. It is worth noting that the malware only targets macOS users: its Windows binaries fail to execute on Windows machines.

Source: CheckPoint


Links:


Samples:
b1e8b8813ff9a156a6cd8b7ad2b0d0039ea31ede

posted on 2019 in Trojan  

Cross-platform malware that affects not only macOS but also Windows and Linux. Wirenet is a trojan that opens a backdoor on the infected machine; it can also take screenshots, record the user’s keystrokes and collect additional data from the system, all of which it sends to the attacker’s server. The malware steals user data and passwords from several programs, including browsers (Opera, Firefox and Chrome) and other popular internet applications such as Thunderbird and SeaMonkey.


The malware installs itself in the folder %home%/WIFIADAPT.app, communicates with its C&C and encrypts the data it sends with the AES algorithm.

Source: Dr.WEB



Links:


Samples:
c520e9099bfc695b54662bdb7e8fa5b2800a72e9
c36f0943484ce8f8aba2d649aae2ad1243947c4e
1f0a890b3ac0daf93e6de8f7e93559355780ba84

posted on 2019 in Remote Access Tool, Trojan

Another macOS malware developed by the Sofacy group (APT28). It handles various commands from its C&C, such as downloading and executing files, taking screenshots, collecting system information and capturing keystrokes. Below are the commands the malware can receive from its C2:

Source: PaloAlto


The malware communicates over HTTP: it sends data to the attacker with POST requests and receives commands with GET requests. The traffic is encrypted with RC4:

Source: PaloAlto
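
As an added illustration of that channel (example code, not the malware’s own and not taken from the Palo Alto report): a Python RC4 implementation an analyst can use to decrypt a captured POST body once the key has been recovered from the sample. The key and the captured beacon below are constructed for the demo; nothing here is XAgent’s real key or message format.

```python
# Added example: RC4 for decrypting a captured C2 body. Key and message are
# constructed; the real key must be pulled from the sample under analysis.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_c2_body(key: bytes, body: bytes) -> str:
    """Decrypt a captured POST body and return it as text for triage."""
    return rc4(key, body).decode("utf-8", errors="replace")


# Constructed capture: a beacon encrypted under a hypothetical key, standing in
# for a POST body carved out of a pcap.
DEMO_KEY = b"hypothetical-key"
DEMO_BODY = rc4(DEMO_KEY, b"hostname=mac-lab;user=alice")

if __name__ == "__main__":
    print(decrypt_c2_body(DEMO_KEY, DEMO_BODY))
```

Because RC4 has no integrity check, a wrong key simply yields garbage rather than an error, so compare the decrypted output against the field layout seen in the sample before trusting it.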


To capture the user’s keystrokes, the malware uses the CGEventTapCreate API and sends the captured keys to the C&C every 50 keystrokes.

Source: PaloAlto


Links:


Samples:
70a1c4ed3a09a44a41d54c4fd4b409a5fc3159f6

posted on 2019 in Trojan, Backdoor

This malware was found inside a copy of the iWork suite on BitTorrent. The malicious package “iWorkServices.pkg” had been added to the iWork suite, so the malware is installed automatically when iWork is installed.

Source: Intego


The installer asks for the administrator password, and the malware adds itself to the startup folder /System/Library/StartupItems/iWorkServices. It then contacts its C&C and waits for further commands; the remote attacker can run commands such as httpget, shell, rshell and more on the infected machine.
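
Several of the posts above (OSX/Pwnet, the sysetmd backdoor, Wirenet, iWorkServices) name the exact paths their persistence relies on. As an added example that is not part of any of the quoted reports, here is a Python sweep that checks those paths on a mounted volume and lists every launchd plist with its Label and ProgramArguments, so unfamiliar labels can be reviewed next to the known indicators. The sample volume is built in a temporary directory; the family labels and the plist body are my assumptions for the demo, only the paths come from the posts.

```python
import os
import plistlib
import tempfile

# Persistence artefacts named in the posts above. Paths starting with "~/" live in
# a user home; the rest are rooted at the volume. The family labels are assumed.
INDICATORS = {
    "OSX/Pwnet miner": ["/Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist"],
    "sysetmd backdoor": ["~/.local/bin/sysetmd",
                         "~/Library/LaunchAgents/com.appule.sysetmd.plist"],
    "Wirenet": ["~/WIFIADAPT.app"],
    "iWorkServices": ["/System/Library/StartupItems/iWorkServices"],
}

LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents"]


def resolve(path, root, home):
    """Map an indicator path onto the volume mounted at `root` or the home dir `home`."""
    if path.startswith("~/"):
        return os.path.join(home, path[2:])
    return os.path.join(root, path.lstrip("/"))


def sweep_indicators(root, home):
    """Return {family: [existing paths]} for every family with at least one hit."""
    found = {}
    for family, paths in INDICATORS.items():
        hits = [p for p in (resolve(x, root, home) for x in paths) if os.path.lexists(p)]
        if hits:
            found[family] = hits
    return found


def launch_items(root, home):
    """List (plist path, Label, ProgramArguments) for every launchd plist on the volume."""
    items = []
    for d in LAUNCH_DIRS:
        full = resolve(d, root, home)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(full, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:        # an unreadable or malformed plist is itself worth a look
                items.append((path, None, None))
                continue
            items.append((path, data.get("Label"), data.get("ProgramArguments")))
    return items


def build_sample_volume():
    """Constructed sample volume: an empty LaunchDaemons dir plus the sysetmd artefacts."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "Users", "alice")
    os.makedirs(os.path.join(root, "Library", "LaunchDaemons"))
    os.makedirs(os.path.join(home, ".local", "bin"))
    os.makedirs(os.path.join(home, "Library", "LaunchAgents"))
    binary = os.path.join(home, ".local", "bin", "sysetmd")
    open(binary, "wb").close()
    plist = os.path.join(home, "Library", "LaunchAgents", "com.appule.sysetmd.plist")
    with open(plist, "wb") as fh:    # plist body is assumed; only label and path come from the post
        plistlib.dump({"Label": "com.appule.sysetmd",
                       "ProgramArguments": [binary],
                       "RunAtLoad": True}, fh)
    return root, home


if __name__ == "__main__":
    r, h = build_sample_volume()
    print(sweep_indicators(r, h))
    for item in launch_items(r, h):
        print(item)
```

On a real system, call sweep_indicators("/", os.path.expanduser("~")) and repeat for every home under /Users; lexists is used on purpose so that a dangling symlink left behind by a cleanup still shows up.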


Links:


Samples:
6807d7e2134b8084fc00b17c616045aab575fd84

posted on 2019 in Trojan  

OceanLotus is cross-platform malware that exists for both Windows and macOS. It mostly targets Chinese infrastructure. Besides its wide range of commands, the malware also uses anti-debug and anti-VM techniques to make detection harder. When executed, it collects the following information from the system:

  • Product name and version
  • Machine name
  • Whether the user is root
  • User’s name
  • Username
  • IOPlatformUUID, which is used as a unique infection_id

Source: CheckPoint


The malware creates a LaunchAgent in order to persist on the system. Below are the commands the malware can receive from the C2, for the different OceanLotus variants:

Source: PaloAlto



Links:


Samples:
12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888
83cd03d4190ad7dd122de96d2cc1e29642ffc34c2a836dbc0e1b03e3b3b55cff
26e3bd5f1362d8d219a8db745087b6dccc60d6f085f808ff2bd6215058839a75

posted on 2019 in Trojan, Backdoor

Another malware that disguises itself as an Adobe Flash Player installer. Upon installation, CrescentCore first checks whether it is running inside a virtual machine and whether any common Mac antivirus product is installed; if either is the case, it exits the installation. Two configuration files, virtualmachines.json and antivirus.json, list the VM and AV engines it looks for.

Source: Intego


CrescentCore, which was signed with multiple Apple Developer IDs, spreads via a couple of websites offering pirated digital content, such as free DC comics:

Source: Intego


Source: Intego


Source: CheckPoint


Links:


Samples:
638004ee6a45903dcbf03d03e31d2e83c6270377973a64188f0b89d4062f321e
45eab9f25158b677877a447b052f024c44c80744bcfae59deb660c47a9cbf1ac
b111891b698dfdafb6952b0cf89aaebde51c5c1758df316e6b843624ed2db205
8938e48a0b0f8765a017d2e25ed5a68bd7954d220e460c5aa4b1c59763ec5a8d

posted on 2019 in Trojan  

Discovered by Intego, Linker is the first malware to exploit a [disclosed](https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass) vulnerability in macOS Gatekeeper: a legitimate-looking application contains a symbolic link to an application hosted on a remote, attacker-controlled machine, so the remote payload is never scanned by Gatekeeper or XProtect. A video demonstrating the attack is [available](https://www.youtube.com/watch?time_continue=13&v=m74cpadIPZY).

The symbolic link can be delivered inside either a zip file or a .dmg file (Apple Disk Image). Intego points out that one of the samples was signed with the same Apple Developer ID (“Mastura Fenny”) as the OSX/Surfbuyer adware.
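
As an added check (example code, not part of the Intego or Check Point reports and not the malware’s own): a Python scan that flags symlink entries in a zip archive whose target leaves the archive, either an absolute path or a relative one that climbs out with “..”. Both sample archives are constructed inline; the mount point and file names in them are hypothetical, and a relative in-bundle link is included to show that the normal framework layout is not flagged. The .dmg case is not covered here, since the image has to be attached before its contents can be walked.

```python
import io
import stat
import zipfile


def find_external_symlinks(zip_bytes: bytes):
    """Return (entry name, link target) for each symlink whose target points outside
    the archive. Gatekeeper and XProtect only see the bytes in the archive, so a link
    like this is the thing to inspect before the bundle is ever opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.create_system != 3:           # only Unix entries carry a mode in external_attr
                continue
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue
            target = zf.read(info).decode("utf-8", "replace")   # a symlink entry's data is its target
            if target.startswith("/") or ".." in target.split("/"):
                hits.append((info.filename, target))
    return hits


def _symlink_entry(name: str) -> zipfile.ZipInfo:
    """Build a Unix symlink entry the way `zip -y` stores one."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3
    info.external_attr = (stat.S_IFLNK | 0o755) << 16
    return info


def build_trojanized_zip() -> bytes:
    """Constructed sample: a bundle whose main executable is a symlink to a path on a
    remote volume (hypothetical mount point and file names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer.app/Contents/Info.plist", '<plist version="1.0"><dict/></plist>')
        zf.writestr(_symlink_entry("Installer.app/Contents/MacOS/Installer"),
                    "/Volumes/remote-share/stage2.app/Contents/MacOS/stage2")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample: the same layout with a symlink that stays inside the bundle
    (the usual framework 'Current -> Versions/A' layout), which must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer.app/Contents/Info.plist", '<plist version="1.0"><dict/></plist>')
        zf.writestr("Installer.app/Contents/MacOS/Installer", b"stub")   # placeholder contents
        zf.writestr(_symlink_entry("Installer.app/Contents/Frameworks/X.framework/Current"),
                    "Versions/A")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_external_symlinks(build_trojanized_zip()))
    print(find_external_symlinks(build_clean_zip()))
```

The check reads the central directory only and never extracts anything, so it is safe to run on an untrusted download before double-clicking it.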

On installation the malware presents itself as Adobe Flash Player, a common disguise among macOS malware.

Source: CheckPoint


Although the remote application has since been removed, a researcher named Adam Thomas found a PCAP on VirusTotal containing the remote application that was fetched when the original application was installed. At that time it was only a bash script that created a temporary file, but because it is hosted on a remote machine it could be swapped at any moment, for example replaced with a malicious application after testing.

Source: Intego


Links:


Samples:
d53ebf9fe70bce05a00fb6dded971f49b070ed8e10beb0e40d48e3495b274a23
f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de

posted on 2019 in Trojan  

NewTab is malware that tries to inject tabs into the Safari browser.


Links:


Samples:

posted on 2019 in Trojan