Previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.
Users are asked to executed a script:
A file will be downloaded by curl to /tmp/script and executed. The file is a large mach064 binary (34M), rating a perfect score of 0 / 60 on virustotal.
Hashes of the file:
To inspect the binary, I'm using Radare2:
During the pkg process, these files where included:
Private packages are stored as V8 compilations without source, which makes it a bit more difficult to reverse engineer. It is much easier to just run the file with instrumentation in a lab environment.
On MacOS binary activity can be instrumented using dtruss, much like strace works on Linux:
During execution, rights are elevated using sudo and the following files written:
The bash script (which runs a python command) tries to connect to 220.127.116.11 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect.
There are also references to dumpdummy, but those files weren't written:
CrownCloud, a german based provider is the owner of the block of 18.104.22.168 and the server appears to be located in the Netherlands.
If you have any information about this, create a comment or contact me.
Jul 3rd 2018
9 months ago