FlashBack
In my opinion this is one of the most interesting malware for macOS because of the large number of infections and the techniques it uses.Flashback is probably the first wide spread malware on macOS with over 500,000 infections and started getting attention on 2012. The malware propagates by disguising itself as an Adobe Flash update or as a java-signed applet that either uses an exploit to automatically install the malware without the user’s knowledge or pops a window asking the user to run the signed java file.
Source: ESET
One of the most interesting things in this malware is that it obfuscates itself after infection, so the executable will not be executed properly on another machine except the one on which it was first infected. This is done by encrypting its data structure with the machine platform UUID with RC4.The malware also uses DGA (Domain Generation Algorithm) based on date in order make it difficult to identify its C2 servers. In that way, the malware generates different addresses daily to communicate. Another interesting thing in this malware is that it uses Twitter as way to deliver commands to the malware from the attacker. In it’s config it may include hashtags that will be used by the malware to search for a command.The main payload of Flashback is intercepting HTTP/HTTPS data to push ads.
Links:
Samples:
94e4b5112e750c7902968d97237618f5b61efeb2
12a764ffa03ab8951ae8bdb59d40f72710bb3a46