These files are all copied into ~/Library/Logs/tmp/, compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to 111/u.php?id=%s (where the %s is replaced with the machine's serial number).
#INSTALL ITERM2 FOR MAC PASSWORD#
The user's keychains, which contain many credentials and can be unlocked if the user's password can be obtained.ssh folder, which can contain credentials for SSH. The /etc/hosts file, which can contain details on custom servers accessed by the user.The git config file, which contains potentially sensitive information, including an e-mail password.Command histories for bash and zsh, which can contain sensitive information such as credentials.Contents of the user's home, desktop, Documents, and Downloads folders.The g.py file is clear-text Python code, and thus its intent is quite clear. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server ( 8:443), which may mean it is a Cobalt Strike "beacon," which would provide comprehensive backdoor access to the attacker. The GoogleUpdate binary is heavily obfuscated, and it's currently not known exactly what it does. The main purpose seems to be to connect to 11, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them. When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple things. ITerm.app/Contents/Frameworks/libcrypto.2.dylib The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added: It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. The real iTerm2 is distributed in a zip file, rather than a disk image. The disk image throws the first red flag.
The malware comes in a disk image that contains a link to the Applications folder with a Chinese name
0 kommentar(er)
