Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi ( on Twitter), and detailed on a Chinese-language blog. (For those who don’t speak Chinese, Safari seems to do a fair job of translating it.)

iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is a favorite of security researchers because of the propensity for Mac malware to take control or detect usage of the Terminal app, which can interfere with attempts to reverse engineer malware. This makes iTerm2 an ideal app to trojanize to infect people who may have access to development systems, research intelligence, etc.

The website for the legitimate iTerm2 app is. However, the malicious version of iTerm2 was apparently being distributed via iTerm2.net, which was a very convincing duplicate of the legitimate iTerm2 site. Clicking the download link on the lookalike site would result in an iTerm2.dmg disk image file being downloaded from kaidingle.com.

The disk image throws the first red flag. The real iTerm2 is distributed in a zip file, rather than a disk image. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files.

The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added:

iTerm.app/Contents/Frameworks/libcrypto.2.dylib

When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple of things. The main purpose seems to be to connect to 11, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them.

The GoogleUpdate binary is heavily obfuscated, and it’s currently not known exactly what it does. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server ( 8:443), which may mean it is a Cobalt Strike “beacon,” which would provide comprehensive backdoor access to the attacker.

The g.py file is clear-text Python code, and thus its intent is quite clear. It collects the following:

Contents of the user’s home, Desktop, Documents, and Downloads folders.
Command histories for bash and zsh, which can contain sensitive information such as credentials.
The git config file, which contains potentially sensitive information, including an e-mail password.
The /etc/hosts file, which can contain details on custom servers accessed by the user.
The .ssh folder, which can contain credentials for SSH.
The user’s keychains, which contain many credentials and can be unlocked if the user’s password can be obtained.
The config file for SecureCRT, a terminal emulator program.
The saved application state for iTerm2.

These files are all copied into ~/Library/Logs/tmp/, compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to 111/u.php?id=%s (where the %s is replaced with the machine’s serial number). Thus, the primary goal of the g.py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization. Presumably, the backdoor provided by the GoogleUpdate process would be used to perform that lateral movement and infect other machines.
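The file-system artifacts named above (the injected dylib inside the app bundle, the two files dropped into /tmp, and the ~/Library/Logs/tmp staging folder with its tmp.zip) are the kind of thing a responder would sweep a fleet for. The following host-triage check is an added example written for this page; it is not code from the original post, from Malwarebytes, or from the iTerm2 project. It assumes the app bundle lives under /Applications, and takes `root` and `home` parameters (an assumption for offline use) so it can be exercised against a constructed directory tree rather than a live machine.

```python
"""Host-triage check for the trojanized-iTerm2 indicators described in the post.

Added example, not the post's or the project's code. It looks only for the
file-system artifacts the post names and reports which ones are present.
"""
import pathlib
import tempfile

# Root-relative indicators from the post. The /Applications location of the
# bundle is an assumption; the dylib path inside the bundle is from the post.
ROOT_ARTIFACTS = {
    "injected dylib in app bundle":
        "Applications/iTerm.app/Contents/Frameworks/libcrypto.2.dylib",
    "dropped python stager": "tmp/g.py",
    "dropped GoogleUpdate binary": "tmp/GoogleUpdate",
}

# Home-relative indicators: g.py's staging folder and the archive it builds.
HOME_ARTIFACTS = {
    "staging folder": "Library/Logs/tmp",
    "staged archive": "Library/Logs/tmp.zip",
}


def scan(root: str, home: str) -> list:
    """Return (label, path) pairs for every indicator found.

    `root` stands in for "/" and `home` for the user's home directory, so the
    same function can be pointed at a real system ("/", "~") or at a test tree.
    """
    hits = []
    for label, rel in ROOT_ARTIFACTS.items():
        p = pathlib.Path(root, rel)
        if p.exists():
            hits.append((label, str(p)))
    for label, rel in HOME_ARTIFACTS.items():
        p = pathlib.Path(home, rel)
        if p.exists():
            hits.append((label, str(p)))
    return hits


def build_sample_tree(base: str) -> tuple:
    """Construct a fake root and home containing two of the indicators.

    Constructed sample data for the demonstration only; the dylib is a
    placeholder file, not a real Mach-O.
    """
    root = pathlib.Path(base, "root")
    home = pathlib.Path(base, "home")
    dylib = root / ROOT_ARTIFACTS["injected dylib in app bundle"]
    dylib.parent.mkdir(parents=True)
    dylib.write_bytes(b"constructed placeholder, not a real Mach-O")
    (home / HOME_ARTIFACTS["staging folder"]).mkdir(parents=True)
    return str(root), str(home)


def run_demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as d:
        root, home = build_sample_tree(d)
        return scan(root, home)


if __name__ == "__main__":
    # Offline demonstration; on a real host you would call scan("/", home dir).
    for label, path in run_demo():
        print(f"[!] {label}: {path}")
```

On a live Mac the call would be `scan("/", str(pathlib.Path.home()))`; a clean install of the genuine iTerm2 has no libcrypto.2.dylib in its Frameworks folder, so that single hit is the strongest of the indicators, while the others confirm that the dropper actually ran.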