In recent days we've seen multiple macOS malware attacks originating in crypto-related Slack or Discord chat groups, where the attacker impersonates admins or key people. Small snippets are shared that result in downloading and executing a malicious binary. Users are asked to execute a script: a file is downloaded by curl to /tmp/script and executed. The file is a large 64-bit Mach-O binary (34M), scoring a perfect 0 / 60 on VirusTotal.
Hashes of the file:

To inspect the binary, I'm using Radare2:

Further investigation of the strings within the binary shows references to the path /Users/zeit/pkg-fetch and to the Google V8 JavaScript engine. This leads to the JavaScript-to-binary "compiler" called pkg. Pkg packages JavaScript applications together with Node.js as a standalone executable. Building the example application of pkg gives a binary structure similar to the one we are investigating. During the pkg process, these files were included:

Private packages are stored as V8 compilations without source, which makes them a bit more difficult to reverse engineer. It is much easier to just run the file with instrumentation in a lab environment. On macOS, binary activity can be instrumented using dtruss, much like strace works on Linux:

During execution, rights are elevated using sudo and the following files are written:

/var/root/script.sh
/Library/LaunchDaemons/com.startup.plist

The bash script (which runs a python command) tries to connect to 185.243.115.230 at port 1337 in a loop, and the python code creates a reverse shell. To ensure execution during startup, it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect. There are also references to dumpdummy, but those files weren't written:
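A defensive check for the persistence described above, written for this page as an added example (not the author's code): it parses LaunchDaemon plists with the standard plistlib module and flags any daemon whose label, program path or arguments match the indicators named in the diary. The sample plists are constructed here, not taken from the malware.

```python
import plistlib
from pathlib import Path

# Indicators taken from the diary above: the LaunchDaemon label and the dropped
# script path are the files observed being written; host and port come from the
# connection loop in the bash script.
IOC_LABEL = "com.startup"
IOC_SCRIPT = "/var/root/script.sh"
IOC_HOST = "185.243.115.230"
IOC_PORT = "1337"

def inspect_plist(data):
    """Return the reasons a LaunchDaemon plist matches this implant (empty if none)."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # InvalidFileException, ValueError or an XML parse error
        return ["plist could not be parsed"]
    # Program and ProgramArguments both name what launchd will execute.
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    reasons = []
    if plist.get("Label") == IOC_LABEL:
        reasons.append("label matches " + IOC_LABEL)
    if IOC_SCRIPT in args:
        reasons.append("executes dropped script " + IOC_SCRIPT)
    if any(IOC_HOST in a or a == IOC_PORT for a in args):
        reasons.append("command line references C2 host/port")
    return reasons

def scan_launch_daemons(directory="/Library/LaunchDaemons"):
    """Walk a LaunchDaemons directory and report every plist that matches."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        reasons = inspect_plist(path.read_bytes())
        if reasons:
            findings[str(path)] = reasons
    return findings

# Constructed samples (not the real file from the malware): one shaped like the
# daemon described in the diary, one ordinary daemon that should not match.
SAMPLE_IMPLANT = plistlib.dumps({"Label": IOC_LABEL, "RunAtLoad": True,
                                 "ProgramArguments": ["/bin/bash", IOC_SCRIPT]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.backup", "RunAtLoad": True,
                                "ProgramArguments": ["/usr/local/bin/backup"]})

if __name__ == "__main__":
    print("sample implant:", inspect_plist(SAMPLE_IMPLANT))
    print("sample benign :", inspect_plist(SAMPLE_BENIGN))
    print("live scan     :", scan_launch_daemons())
```

Run it as root on a macOS host to scan the real /Library/LaunchDaemons; the indicators are only the ones this diary reports, so a rebuilt variant with a different label or path will need them updated.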
CrownCloud, a German-based provider, is the owner of the netblock containing 185.243.115.230, and the server appears to be located in the Netherlands.

References:

IOCs:
If you have any information about this, create a comment or contact me. Remco Verhoef (@remco_verhoef)
Remco, ISC Handler, Jul 3rd 2018