In this blog post, we focus on new Mac malware specimens or significant new variants that appeared in 2021. Adware and/or malware from previous years are not covered. However, at the end of this blog I've included a section dedicated to these other threats, with a brief overview and links to detailed write-ups.

For each malicious specimen covered in this post, we'll identify the malware's:

- Infection Vector: how it ends up on a victim's system.
- Persistence: how it installed itself, to ensure it would be automatically restarted on reboot/user login.
- Capabilities: what was the purpose of the malware? A backdoor? A cryptocurrency miner? Or something more insidious…

Also, for each malware specimen, I've added a direct download link to the malware specimen, in case you want to follow along with my analysis or dig into the malware more!

Malware Analysis Tools & Tactics

Throughout this blog, I reference various tools used in analyzing the malware specimens. While there are a myriad of malware analysis tools, these are some of my favorites, and include:

- ProcessMonitor: my open-source utility that monitors process creations and terminations, providing detailed information about such events.
- FileMonitor: my open-source utility that monitors file events (such as creation, modifications, and deletions), providing detailed information about such events.
- WhatsYourSign: my open-source utility that displays code-signing information, via the UI.
- Netiquette: my open-source lightweight network monitor.
- lldb: the de-facto command-line debugger for macOS. Installed (to /usr/bin/lldb) as part of Xcode.
- Hopper Disassembler: a "reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications" …or malware specimens!

OSX.ElectroRAT

ElectroRAT is a cross-platform remote "administration" tool (RAT), designed to steal information from cryptocurrency users.

Download: OSX.ElectroRAT (password: infect3d)

ElectroRAT was uncovered by Intezer, who note:

"…we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have initiated in January 2020. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch." … "steal personal information from cryptocurrency users" -Intezer, "Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets"

Infection Vector: Trojanized/Fake Crypto-Currency Applications

In terms of its infection vector, Intezer noted the use of trojanized/fake cryptocurrency applications:

"These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications' web pages, where they could download the application without knowing they were actually installing malware." -Intezer

[Figure: eTrader app, containing ElectroRAT]

If the user is tricked into downloading and running the application, they will inadvertently infect themselves with ElectroRAT.

The malware is found within the trojanized application bundle, as a binary named mdworker. Via a ProcessMonitor, we see that the trojanized application (whose pid is 1350) will execute this mdworker binary (via bash):

Persistence: Launch Agent

% cat ~/Library/LaunchAgents/ist

As the RunAtLoad key is set to true, the OS will automatically (re)launch the malware each time the user (re)logs in.

Capabilities: Persistent Backdoor (+ embedded binaries)

In a Twitter thread, Avigayil (a security researcher at Intezer) notes that the malware first "queries a raw pastebin page to retrieve the C&C IP address":

"Upon execution, ElectroRAT queries a raw pastebin page to retrieve the C&C IP address. The malware then calls the registerUser function, which creates and sends a user registration Post request to the C&C." -Avigayil Mechtinger, January 5, 2021

Via Wireshark, we can confirm the macOS variant of ElectroRAT performs these same actions.

…and then once the address of the command and control server (213.226.100.140) is retrieved, connects out (with some basic information about the infected machine):

Once the malware has checked in with the command and control server, it acts upon any (remote) tasking:

"Commands received from the C&C are parsed by the RAT using corresponding functions before sending a message back with the response. The commands are sent as a json structure with the following keys: type, uid and data for additional parameters needed for the command." -Avigayil Mechtinger, January 5, 2021
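The persistence described in the ElectroRAT section above (a user Launch Agent with RunAtLoad set to true, pointing at a binary named mdworker that sits inside the trojanized app bundle) is exactly the kind of thing worth triaging across a fleet. The following is an added example, not code from the original post, from Intezer, or from the malware: it parses a LaunchAgent plist with Python's standard plistlib, works out what launchd will run, and flags jobs that auto-start a binary outside the usual system paths, that borrow the name of an Apple daemon (the genuine Spotlight mdworker lives under /System/Library, never inside a third-party .app), or that auto-start something buried in an app bundle. The label com.example.mdworker, the /Users/victim/Downloads path and the benign /System/Library/CoreServices/example program are constructed for the example.

```python
"""Triage macOS Launch Agent plists for ElectroRAT-style persistence.

Added example (not from the original post, Intezer, or the malware).
"""
import plistlib
from pathlib import PurePosixPath

# Prefixes under which Apple-managed launchd jobs normally point.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Apple daemon names that malware has borrowed; the real ones live under /System.
SYSTEM_BINARY_NAMES = {"mdworker", "mdworker_shared", "launchd", "kernel_task"}

# Constructed sample agent (hypothetical label and paths, not the real plist).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.mdworker</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/Downloads/eTrader.app/Contents/MacOS/mdworker</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign counterpart: auto-starts, but from a system path (hypothetical program).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example",
    "Program": "/System/Library/CoreServices/example",
    "RunAtLoad": True,
})


def program_path(agent):
    """Return the executable launchd will run: Program wins over ProgramArguments[0]."""
    if "Program" in agent:
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_agent(plist_bytes):
    """Return (label, program, auto_start, reasons).

    reasons lists why the job deserves a look; an empty list means nothing beyond
    ordinary auto-start behaviour was found (auto_start is reported separately).
    """
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label")
    prog = program_path(agent)
    if prog is None:
        return label, None, False, ["no Program/ProgramArguments key"]

    # RunAtLoad relaunches at login; KeepAlive (bool or dict) keeps it running.
    auto_start = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    reasons = []

    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside system paths: " + prog)

    name = PurePosixPath(prog).name
    if name in SYSTEM_BINARY_NAMES and not prog.startswith("/System/"):
        reasons.append("borrows system daemon name %r outside /System" % name)

    if auto_start and ".app/Contents/" in prog:
        reasons.append("auto-started binary lives inside an app bundle")

    return label, prog, auto_start, reasons


if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        label, prog, auto, reasons = triage_launch_agent(blob)
        print(label, prog, "auto-start" if auto else "manual", reasons or "ok")
```

This is triage, not a verdict: any third-party agent under /Applications will trip the "outside system paths" reason, which is the point, since that is the list a responder wants to read through, with the borrowed-daemon-name and inside-a-bundle reasons sorting the ElectroRAT-style entries to the top.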
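The C&C bootstrapping described above for ElectroRAT (fetch a raw pastebin page to learn the C&C IP, then send a registration POST to that address, then exchange JSON commands keyed by type, uid and data) gives a defender two concrete things to look for in HTTP telemetry. The following is an added example, not code from the original post, from Intezer, or from the malware: it correlates a GET of a pastebin raw page with a later POST to a bare-IP host by the same process, and separately recognises a message body with the type/uid/data command shape Avigayil describes. The event records, pid 1350, the /api/user/register path, the /raw/abc123 paste, the "ping" task type and the 203.0.113.7 address (a documentation range, not the real C&C) are all constructed for the example; the 120 second window and the pastebin.com dead-drop host list are assumptions you would tune.

```python
"""Detect ElectroRAT-style C&C bootstrapping in HTTP telemetry.

Added example (not from the original post, Intezer, or the malware).
"""
import ipaddress
import json

# Hosts used as dead drops for the C&C address (assumption: extend as needed).
DEAD_DROP_HOSTS = {"pastebin.com"}
# How long after the dead-drop fetch a beacon still counts as related (assumption).
WINDOW_SECONDS = 120

# Constructed HTTP events (hypothetical pid, paths and a documentation-range IP).
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 1350, "proc": "mdworker", "method": "GET",
     "host": "pastebin.com", "path": "/raw/abc123"},
    {"ts": 101.5, "pid": 1350, "proc": "mdworker", "method": "POST",
     "host": "203.0.113.7", "path": "/api/user/register"},
    {"ts": 102.0, "pid": 77, "proc": "Safari", "method": "GET",
     "host": "pastebin.com", "path": "/raw/notes"},
    {"ts": 103.0, "pid": 77, "proc": "Safari", "method": "GET",
     "host": "www.apple.com", "path": "/"},
]

# Constructed C&C message with the described key shape (the task type is hypothetical).
SAMPLE_TASK = '{"type": "ping", "uid": "a1b2c3", "data": {}}'


def is_ip_literal(host):
    """True when the Host is a raw IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_dead_drop_fetch(ev):
    """A GET of a raw paste from a known dead-drop host."""
    return (ev["method"] == "GET"
            and ev["host"] in DEAD_DROP_HOSTS
            and ev["path"].startswith("/raw/"))


def find_dead_drop_beacons(events, window=WINDOW_SECONDS):
    """Return (pid, proc, paste_path, beacon_host) for every process that fetched a
    raw paste and then POSTed to an IP-literal host within `window` seconds."""
    alerts = []
    pending = {}  # pid -> most recent dead-drop fetch by that process
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_dead_drop_fetch(ev):
            pending[ev["pid"]] = ev
            continue
        drop = pending.get(ev["pid"])
        if (drop is not None and ev["method"] == "POST"
                and is_ip_literal(ev["host"])
                and ev["ts"] - drop["ts"] <= window):
            alerts.append((ev["pid"], ev["proc"], drop["path"], ev["host"]))
            del pending[ev["pid"]]  # one alert per fetch
    return alerts


# Keys the post says every command carries; data is optional extra parameters.
REQUIRED_TASK_KEYS = {"type", "uid"}
ALLOWED_TASK_KEYS = REQUIRED_TASK_KEYS | {"data"}


def looks_like_tasking(body):
    """True if a message body is a JSON object with exactly the type/uid(/data) shape."""
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return False
    if not isinstance(msg, dict):
        return False
    keys = set(msg)
    return REQUIRED_TASK_KEYS <= keys <= ALLOWED_TASK_KEYS


if __name__ == "__main__":
    for alert in find_dead_drop_beacons(SAMPLE_EVENTS):
        print("dead-drop beacon:", alert)
    print("tasking shape:", looks_like_tasking(SAMPLE_TASK))
```

Keying the correlation on the process rather than on the host is what keeps Safari's visit to a raw paste from alerting: a browser reading pastebin is normal, a non-browser binary reading a raw paste and then talking to a bare IP is not. The tasking check is deliberately strict about the key set because that is the only structural detail the post gives; loosen it if you have samples showing extra fields.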