Calisto is a Trojan that steals sensitive data from the infected machine, such as user passwords, Keychain data and Chrome data. It can also open a backdoor so the attacker will be able to connect to the system remotely, take screenshots and more. It propagates as a fake "Intego Mac Internet Security" installer, as we can see from the differences shown in the pictures below (taken from the original report):

Tearing Apart the Undetected (OSX)Coldroot RAT

In addition, it will modify the system security database file TCC.db to add itself as an Accessibility application, meaning it will then have the ability to control the computer.

CrossRAT is a cross-platform malware written in Java, targeting Windows, Linux and macOS. CrossRAT can manipulate the file system, take screenshots, and download and execute additional files. When executed, the malware will try to copy itself to /usr/var/mediagrs.jar if it has permissions, and if that fails it will copy itself to %HOME%/Library/mediamgrs.jar. The malware creates the LaunchAgent "$HOME/Library/LaunchAgents/mediamgrs.plist" for persistence on the infected machine. We can see below its content:

There are signs that imply that the malware was developed by/for the Dark Caracal APT group.

The infection vector is a malicious document that arrives in a phishing campaign. If macros are enabled, malicious code will be executed to download and infect the system. In addition, the malware collects information from the system and sends it to the C2.

OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic

Dok spreads via a phishing mail and usually targets European macOS users. This is another macOS malware ported from Windows ("Retefe"). The malware will also change the behaviour of the system to allow root access without the need to enter a password, by adding the line "%USER_NAME_HERE% ALL=(ALL) NOPASSWD: ALL". In addition, the malware will configure the network settings so that outgoing connections pass through a proxy, which is dynamically obtained from a Proxy Auto-Configuration (PAC) file sitting on a malicious server. The resulting change can be seen in the Network Settings:

Below we can see the content of a proxy file that will redirect the websites that match through the attacker's website:

To avoid a warning message from browsers when surfing to a secure web site (HTTPS), the malware adds its fake certificate to the trusted root certificates on the system:

The malware persists in the system by adding a LaunchAgent that executes commands to redirect requests to 127.0.0.1 and through the attacker's website on the dark web. TOR is a low-level command line utility that allows connection to the dark web. Later variants also disabled security updates and access to various Apple services on the web:

The main payload of the malware is to steal the user's credentials for chosen sites such as banks. An example can be seen below when accessing the "Credit Suisse" website. The user will get a page that looks similar to the original:

DNSChanger (also known as RSPlug) and Qhost both have the same type of action: pushing adware to an infected machine. To achieve that, DNSChanger and Qhost used a simple technique, either modifying the DNS configuration on the infected machine or modifying the hosts file, to control what a user sees while surfing the net, in order to push advertisements or redirect the user to different websites; Qhost modified the hosts file to do the same. In 2011 a wide FBI operation led to a takeover of the servers used by the DNSChanger operator, since there was a concern that many computers were still infected by this malware. The FBI temporarily replaced the malicious servers so that machines that were still infected wouldn't lose internet access. The servers were officially shut down in 07/2012.

FBI Operation Ghost Click takes out DNS Changer malware network operators

Crypto community target of MacOS malware

An attacker sends users of the Slack/Discord applications, which are popular among cryptocurrency communities, a message that asks the user to execute a command in the terminal. The command above will download and execute the malicious file itself. In this way the attacker hopes to catch people naive enough to execute it. Once the malware is executed, it will create and execute a shell script "/tmp/script.sh" that opens a reverse shell, enabling an attacker to connect remotely to the victim's machine and execute additional commands. Below is the shell script:

The malware will then create a file "dumpdummy" on the infected computer that will contain the user's root password when he enters it:
Author: Angelica