Recently we intercepted a new MacOS malware that uses adware to disguise its C2 (command and control) capabilities.
Distribution comes in the well-known form of a “Your Mac has viruses – click here to scan” popup.
The files identified are two DMG files called:
- Sublime Text 3.2 Build 3205.dmg
- Trickster 3.1.dmg
Both pkg installers are signed using a valid codesign certificate issued under the name of Edward Furlhoper.
At first glance, these two files appear to be nothing more than a dropper for the Chill-Tab extension, but in reality the real “deal” comes from these two files:
These two bash scripts silently download the archive exec.tar, used for the C2 (command and control), into the /var/tmp folder, unarchive it under the filename xSf and execute it.
After the execution, the process will trigger the communication to the C2 (command and control) servers.
The commands received are encrypted. We also identified that the malware uses the RNCryptor framework to decrypt/encrypt the commands sent to and received from the C2 (command and control) server. RNCryptor is an open-source framework available on GitHub, a cross-language AES encryptor/decryptor.
We identified two C2 (command and control) servers online:
The first one is used for sending the MacOS Hardware UUID (Mac device unique serial number) and receiving commands, while the second one is used only as a backup and control server.
This type of malware can be used for the following scenarios:
- Data exfiltration
- Password stealing
- Browser injection
- Online banking data tampering
MD5 (exec.tar) = 2d9a3899ae646e2f75008f75ab758bd2
MD5 (xSf) = 06dc9ff1857dcd4cdcd125b277955134
MD5 (Sublime Text 3.2 Build 3205.dmg) = 1b25d2413dd5b1e99a6e3f8678784b6b
MD5 (Trickster 3.1.dmg) = 1b25d2413dd5b1e99a6e3f8678784b6b
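As an added defender-side triage example (not part of the original advisory and not CyberByte's own code), the following Python script hashes every file under /var/tmp and reports any file whose MD5 matches the hashes listed above or whose name matches the dropped artefacts exec.tar / xSf. The function names and the optional directory argument are assumptions of this example; the indicators themselves come from the advisory.

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from the advisory above: drop location, dropped file names, MD5 hashes.
DROP_DIR = Path("/var/tmp")
IOC_NAMES = {"exec.tar", "xSf"}
IOC_MD5 = {
    "2d9a3899ae646e2f75008f75ab758bd2": "exec.tar",
    "06dc9ff1857dcd4cdcd125b277955134": "xSf",
    "1b25d2413dd5b1e99a6e3f8678784b6b": "Sublime Text 3.2 Build 3205.dmg / Trickster 3.1.dmg",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large archives do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_dir(directory=DROP_DIR, ioc_md5=IOC_MD5, ioc_names=IOC_NAMES):
    """Return (path, reason) tuples for files matching the advisory's indicators.

    A hash match is a strong indicator; a bare filename match (exec.tar or xSf with
    an unknown hash, e.g. a repacked variant) is weaker but still worth a look.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = Path(root) / name
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and hashing
            if digest in ioc_md5:
                findings.append((str(path), f"md5 match: {ioc_md5[digest]}"))
            elif name in ioc_names:
                findings.append((str(path), "filename match"))
    return findings


if __name__ == "__main__":
    hits = scan_dir()
    for hit_path, reason in hits:
        print(f"[!] {hit_path}: {reason}")
    if not hits:
        print(f"no indicators found under {DROP_DIR}")
```

Run it as the user whose session showed the popup; a filename-only hit should be confirmed by hashing the file and checking whether the xSf process is running before cleanup.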
Samples are available on VirusBay.
We detect this malware as MacOS.Malware.Trickster2019.
Scan your Mac OS NOW with CyberByte Antivirus for Mac to check if YOU are infected!