The Lazarus Group has recently been quite active in the macOS space. To read more about their past activity, see:

- "Operation AppleJeus: Lazarus hits cryptocurrency exchange w/ fake installer & macOS malware"
- "Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website"
- "Detecting macOS.GMERA Malware Through Behavioral Inspection"

In his tweet, Dinesh kindly provided an MD5 hash, 6588d262529dc372c400bef8478c2eec, which allows us to locate the sample (UnionCryptoTrader.dmg) on VirusTotal, where it is flagged as malicious by only two of the engines. (See: UnionCryptoTrader.dmg on VirusTotal.)

From the URL provided in Dinesh's tweet ( ) and spelunking around on VirusTotal, we can gain an understanding of the infection mechanism.

Lazarus Group has a propensity for targeting users or administrators of crypto-currency exchanges, and their de facto method of infecting such targets is via fake crypto-currency company and trading applications. As part of my recent RSA presentation I highlighted their attack vector:

In this specific attack, Lazarus group created a new website, :

Pinging this site reveals that it's still online, and resolving to 104.168.167.16:

The script bundled with the installer reads as follows:

```sh
mv /Applications/UnionCryptoTrader.app/Contents/Resources/. /Library/LaunchDaemons/
chmod 644 /Library/LaunchDaemons/
mv /Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater /Library/UnionCrypto/unioncryptoupdater
chmod +x /Library/UnionCrypto/unioncryptoupdater
/Library/UnionCrypto/unioncryptoupdater &
```

The purpose of this script is to persistently install a launch daemon. Specifically it will:

- Move the launch daemon plist from the application's Resources directory into /Library/LaunchDaemons
- Move the binary (unioncryptoupdater) from the application's Resources directory into /Library/UnionCrypto/
- Execute this binary (/Library/UnionCrypto/unioncryptoupdater)

Note that both files are hidden dotfiles inside the application bundle, so a casual look at the Resources directory will not show them. As installing a launch daemon requires root access, the installer will prompt the user for their credentials.

We can passively observe this part of the installation via either our File or Process monitors:

```
# ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty
...
"/Applications/UnionCryptoTrader.app/Contents/Resources/.",
...
"/Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater",
"/Library/UnionCrypto/unioncryptoupdater"
...
"path" : "/Library/UnionCrypto/unioncryptoupdater",
```

Once the installer completes, the binary unioncryptoupdater will be both running and persistently installed:

```
$ strings -a /Library/UnionCrypto/unioncryptoupdater
...
System/Library/CoreServices/ist
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Could not resolve symbol: _sym = 0x4d6d6f72.
Could not resolve symbol: _sym = 0x4d6b6e69.
```

Strings such as IOPlatformSerialNumber and the reference to the ist under System/Library/CoreServices/ likely indicate basic survey capabilities (to gather information about the infected system). The reference to the libcurl API (curl_easy_perform) and the embedded URL indicate networking and/or command-and-control capabilities. The full base64 alphabet suggests data is encoded before it is sent.
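To tie together the two parts of the analysis above, the persistence step (a plist dropped into /Library/LaunchDaemons that points at a binary under a freshly created /Library/UnionCrypto/) and the strings-based capability assessment, here is an added example. It is editor-written code, not code from the original post or from the sample. It builds a constructed fixture in a temporary directory rather than touching a real /Library/LaunchDaemons, and the trusted-path list, the indicator table, the daemon labels (example.updater, example.benign), the benign helper path and the example.invalid URL are all assumptions.

```python
"""Triage of a launch-daemon persistence mechanism of the kind the
UnionCryptoTrader install script creates.  Added example (editor's code,
not the post's or the sample's): builds a constructed LaunchDaemons-style
directory, audits each plist, and classifies the strings of the program it
points at, the way `strings -a` plus a reviewer's eye did above."""
import os
import plistlib
import re
import tempfile

# Where a legitimately installed daemon's program normally lives (assumed list;
# a brand-new /Library/<vendor>/ directory deliberately is not on it).
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                    "/Library/Apple/")

# Substring indicators -> capability hint, following the post's reasoning:
# libcurl => networking/C2, serial-number and OS-info lookups => survey.
INDICATORS = {
    "curl_easy_perform": "networking/C2 (libcurl)",
    "IOPlatformSerialNumber": "host survey (serial number)",
    "/System/Library/CoreServices/": "host survey (OS info lookup)",
}
BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
URL_RE = re.compile(r"https?://\S+")


def extract_strings(data, min_len=4):
    """Rough equivalent of `strings -a`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify_strings(strs):
    """Map extracted strings to capability hints; returns {hint: [strings]}."""
    hits = {}
    for s in strs:
        for needle, hint in INDICATORS.items():
            if needle in s:
                hits.setdefault(hint, []).append(s)
        if BASE64_ALPHABET in s:
            hits.setdefault("base64 encoding (full alphabet)", []).append(s)
        if URL_RE.search(s):
            hits.setdefault("embedded URL", []).append(s)
    return hits


def daemon_program(plist):
    """The executable launchd will run: ProgramArguments[0] wins over Program."""
    args = plist.get("ProgramArguments")
    return args[0] if args else plist.get("Program")


def audit_daemon(plist_path):
    """Flag the plist properties that make a daemon worth a closer look."""
    with open(plist_path, "rb") as f:
        plist = plistlib.load(f)
    program = daemon_program(plist) or ""
    findings = []
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted locations: " + program)
    if os.path.basename(program).startswith("."):
        findings.append("program is a hidden dotfile")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set (started at boot, as root)")
    return {"label": plist.get("Label"), "program": program, "findings": findings}


def triage(daemon_dir):
    """Audit every plist in daemon_dir; string-classify its program if present."""
    results = []
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        info = audit_daemon(os.path.join(daemon_dir, name))
        caps = {}
        if os.path.isfile(info["program"]):
            with open(info["program"], "rb") as f:
                caps = classify_strings(extract_strings(f.read()))
        info["capabilities"] = caps
        results.append(info)
    return results


def build_sample(root):
    """Constructed fixture mirroring the end state of the install script."""
    daemons = os.path.join(root, "LaunchDaemons")
    bindir = os.path.join(root, "UnionCrypto")
    os.makedirs(daemons)
    os.makedirs(bindir)
    # Fake updater: not a Mach-O, just NUL-separated strings like those above.
    binary = os.path.join(bindir, "unioncryptoupdater")
    with open(binary, "wb") as f:
        f.write(b"\x00".join([
            b"curl_easy_perform", b"IOPlatformSerialNumber",
            BASE64_ALPHABET.encode(), b"/System/Library/CoreServices/",
            b"http://example.invalid/update",   # constructed C2-style URL
        ]))
    with open(os.path.join(daemons, "example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "example.updater", "RunAtLoad": True,
                       "ProgramArguments": [binary]}, f)
    with open(os.path.join(daemons, "example.benign.plist"), "wb") as f:
        plistlib.dump({"Label": "example.benign",
                       "Program": "/usr/libexec/sample-helper"}, f)   # assumed path
    return daemons


def run_demo():
    """Build the fixture, triage it and return the per-daemon results."""
    with tempfile.TemporaryDirectory() as root:
        return triage(build_sample(root))


if __name__ == "__main__":
    for r in run_demo():
        print(r["label"], r["program"], r["findings"], sorted(r["capabilities"]))
```

On a real host you would point triage() at /Library/LaunchDaemons (and /Library/LaunchAgents) instead of the fixture. A daemon whose program sits in a vendor directory created by the installer, runs at load, and carries libcurl symbols plus a serial-number lookup in its strings is exactly the pattern the script above produces; the benign entry shows the output you want to be able to ignore.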