Mac osx bundle files
MAC OSX BUNDLE FILES DOWNLOAD

CrossRAT can manipulate the file system, take screenshots, and download and execute additional files. When executed, the malware tries to copy itself to /usr/var/mediamgrs.jar if it has permission to do so, and if that fails it copies itself to %HOME%/Library/mediamgrs.jar. The malware creates the LaunchAgent “$HOME/Library/LaunchAgents/ist” for persistence on the infected machine.

MAC OSX BUNDLE FILES CODE

If macros are enabled, malicious code is executed to download the payload and infect the system. The infection vector is a malicious document that arrives in a phishing campaign. There are signs that imply the malware was developed by or for the Dark Caracal APT group.

  • Tearing Apart the Undetected (OSX)Coldroot RAT
    CrossRAT is a cross-platform malware written in Java, targeting Windows, Linux and macOS.
  • The malicious application arrives with a normal “document” icon, so a user might think he is opening a document rather than a malicious application. Once executed, the malware tries to get root access by popping up a window asking the user for credentials. In addition it modifies the system security database file TCC.db to add itself as an Accessibility application, meaning it then has the ability to control the computer. The malware keeps its configuration within a file in its application bundle (“MacOS/conx.wol”). It creates a LaunchDaemon in order to persist across system reboots (“/Library/LaunchDaemons/.plist”). The malware is weaponized with a wide range of commands such as:
    – File/folder control (move, rename, delete)
    – Keylogging
    – Gain accessibility rights by modifying TCC.db
  • Mac cryptocurrency ticker app installs backdoors
    Coldroot was first published as an open source RAT for macOS on GitHub in 2016, but no real malware based on it was discovered until 2018.
  • To persist across a system reboot, the malware creates a LaunchAgent “~/Library/LaunchAgents/.ist” (note that the LaunchAgent file is hidden by default since its name starts with “.”) and starts it with the command “launchctl load”. This LaunchAgent is actually a payload to download and execute the backdoor. As the additional malware was downloaded from GitHub, the GitHub user account and all of its content no longer exist.


    The additional downloaded malware opens a reverse shell connection to its Command & Control server. CoinTicker downloads two additional backdoors: the first is a custom version of the EggShell malware and the other is EvilOSX, both fetched using the curl command.


    CoinTicker appears to be a legitimate program that displays information on cryptocurrency coins such as Bitcoin, Ethereum, Ripple etc. However, in the background the malware downloads and executes additional malware from the internet.
    – Copy itself to “/System/Library/CoreServices/launchb.app”
    – Enable remote login to the system / Activate Apple Remote Desktop
    – Create a LaunchAgent to start itself automatically on system reboot
    The malware also has unfinished/unused functionality that includes:
    – Loading/unloading kernel extensions that handle USB devices

    MAC OSX BUNDLE FILES PASSWORD

    – Modify TCC.db to register the malware application bundle as an “Assistive Access” application, meaning the malware gets accessibility rights without the need for a password
    – Save user name and password into ~/.calisto/cred.dat
    – Save the computer IP address into ~/.calisto/network.dat

    MAC OSX BUNDLE FILES ZIP

    Calisto is a Trojan that steals sensitive data from the infected machine such as user passwords, Keychain data and Chrome data. It propagates as a fake “Intego Mac Internet Security”, as can be seen from the differences shown in the pictures below (taken from the original report). When executed, the malware pops up a window asking for the user’s credentials in order to gain root access. It can also open a backdoor so the attacker is able to connect to the system remotely, take screenshots and more. The malware then executes a bash command to achieve the following:
    – Zip the ~/Library/Keychains folder into the file ~/.calisto/KC.zip