- #REMOTE DESKTOP DMG INSTALL#
- #REMOTE DESKTOP DMG SERIAL#
- #REMOTE DESKTOP DMG PASSWORD#
There are indications that this malware may be primarily distributed in China and other southeast Asian countries, where Malwarebytes has a relatively small install base. We’ve only seen a detection on one computer so far, in Asia. Navicat Premium (a database management app)Īt the moment, few people with Malwarebytes installed seem to be affected.Subsequent findings revealed additional apps that had also been trojanized, using the same libcrypto.2.dylib file.
Presumably, the backdoor provided by the GoogleUpdate process would be used to perform that lateral movement and infect other machines. Thus, the primary goal of the g.py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization.
#REMOTE DESKTOP DMG SERIAL#
These files are all copied into ~/Library/Logs/tmp/, compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to 111/u.php?id=%s (where the %s is replaced with the machine’s serial number).
The saved application state for iTerm2. The config file for SecureCRT, a terminal emulator program. #REMOTE DESKTOP DMG PASSWORD#
The user’s keychains, which contain many credentials and can be unlocked if the user’s password can be obtained. ssh folder, which can contain credentials for SSH. The /etc/hosts file, which can contain details on custom servers accessed by the user. The git config file, which contains potentially sensitive information, including an e-mail password. Command histories for bash and zsh, which can contain sensitive information such as credentials. Contents of the user’s home, desktop, Documents, and Downloads folders. The g.py file is clear-text Python code, and thus its intent is quite clear. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server ( 8:443), which may mean it is a Cobalt Strike “beacon,” which would provide comprehensive backdoor access to the attacker. The GoogleUpdate binary is heavily obfuscated, and it’s currently not known exactly what it does. The main purpose seems to be to connect to 11, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them. When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple things. The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added: iTerm.app/Contents/Frameworks/libcrypto.2.dylib It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. 
The real iTerm2 is distributed in a zip file, rather than a disk image. The disk image throws the first red flag. The malware comes in a disk image that contains a link to the Applications folder with a Chinese name
0 kommentar(er)
