Mac virus protection 2017

The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.

The malware was extremely simplistic on the surface, consisting of only two files: ~/.client and a plist file. The plist file itself couldn’t have been much simpler, simply keeping the […]

The .client file was where things got really interesting. It took the form of a minified and obfuscated perl script. The perl script, among other things, communicates with the following command and control (C&C) servers: the IP address 99.153.29.240 and a domain name managed by a dynamic DNS service.

The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.

The most interesting part of the script can be found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In the case of the Java class file, it is run with […] set to true, which means that it does not show up in the Dock.

The binary itself seems primarily interested in screen captures and webcam access, but interestingly, it uses some truly antique system calls for those purposes, such as SGGetChannelDeviceList.
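One defensive check that follows from the __DATA__ dropper technique described above, written here as an added Python example (not code from the original post, and not the malware's own code): it locates a Perl script's __DATA__ section and flags embedded Mach-O, Java class and Perl payloads by their magic bytes, falling back to a base64 decode when the raw bytes carry no signature. The sample script and its three fake payloads are constructed, and the assumption that payloads sit as a raw or base64-encoded blob after __DATA__ is mine, not the post's.

```python
import base64
import re

# Magic bytes for the payload types the post reports after __DATA__:
# Mach-O, Java class and Perl. Added example, not the malware's own code.
SIGNATURES = [
    (rb"\xfe\xed\xfa[\xce\xcf]", "Mach-O (big-endian)"),
    (rb"[\xce\xcf]\xfa\xed\xfe", "Mach-O"),
    (rb"\xca\xfe\xba\xbe", "CAFEBABE"),  # Java class or Mach-O fat header
    (rb"#![^\n]*perl", "Perl script"),
]

def resolve_cafebabe(data: bytes, off: int) -> str:
    """Java class: major version (>= 45) at offset 6; fat Mach-O: small arch count at offset 4."""
    if len(data) >= off + 8 and int.from_bytes(data[off + 6:off + 8], "big") >= 45:
        return "Java class"
    return "Mach-O fat binary"

def find_embedded(data: bytes) -> list:
    """Return sorted (offset, label) pairs for every signature hit in data."""
    hits = []
    for pattern, label in SIGNATURES:
        for m in re.finditer(pattern, data):
            name = resolve_cafebabe(data, m.start()) if label == "CAFEBABE" else label
            hits.append((m.start(), name))
    return sorted(hits)

def scan_perl_script(script: bytes) -> list:
    """Classify payloads after __DATA__; try a base64 decode (assumed encoding) if raw bytes show nothing."""
    m = re.search(rb"^__DATA__\r?\n", script, re.MULTILINE)
    if not m:
        return []
    data = script[m.end():]
    hits = find_embedded(data)
    if not hits:
        try:
            hits = find_embedded(base64.b64decode(re.sub(rb"\s+", b"", data), validate=True))
        except ValueError:  # not valid base64 (binascii.Error subclasses ValueError)
            pass
    return hits

# Constructed sample: a dropper-style script with three fake payloads appended after __DATA__.
HEADER = b"#!/usr/bin/perl\nwhile(<DATA>){print OUT $_}\n__DATA__\n"
PAYLOAD = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 28                    # fake 64-bit Mach-O header
    + b"#!/usr/bin/perl\nprint 1;\n"                      # second Perl script
    + b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8   # Java class, major version 52
)
SAMPLE_RAW = HEADER + PAYLOAD
SAMPLE_B64 = HEADER + base64.b64encode(PAYLOAD)
```

scan_perl_script(SAMPLE_RAW) reports a Mach-O at offset 0, a Perl script at 32 and a Java class at 57, and SAMPLE_B64 yields the same list after the base64 fallback.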
