We got an interesting file (MD5 9283c61f8cce4258c8111aaf098d21ee) for analysis a short while ago. It turned out to be a sample of modular malware for Mac OS X.

Even after preliminary analysis it was clear that the file was not designed for any good purpose: an ordinary 64-bit Mach-O executable contained several more Mach-O files in its data section, and it set one of them to autorun, which is typical of Trojan-Droppers.

Further investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension; the extension's code is publicly available, for example, on GitHub.

Depending on their purpose, these files are detected by Kaspersky Lab antivirus solutions under Trojan-Dropper, Backdoor, Trojan-Spy and not-a-virus verdicts.

Source file (dropper)

As soon as it is launched, the dropper checks whether it has root access by calling the geteuid() function. The result of the check determines where the Trojan's files will be installed:

- If it has root access, the files are installed in /Library/.local and /Library/LaunchDaemons.
- If it does not have root access, the files are installed in ~/Library/.local and ~/Library/LaunchAgents ("~" stands for the path to the current user's home directory).

All files of the Trojan to be dropped on the victim machine are initially located in the __data section of the dropper file.

[Figure: location of the Trojan's files inside the dropper]

As a result, the following files will be installed on the infected system:

- Library/.local/updated – re-launches the files update and EventMonitor in the event of unexpected termination.
- Library/.local/reweb – used to re-launch the file updated.
- Library/.local/update – the backdoor module.
- Library/.local/libweb.db – the malicious program's database file. Initially it contains the Trojan's global settings, such as the C&C address.
- Library/LaunchAgents (or LaunchDaemons)/ – the property list used to set the file Library/.local/updated to autorun via the launchd daemon.
- An archive, placed depending on whether root access is available, from which the following files are extracted:
  - updated.kext – the driver that intercepts user keystrokes.
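The install-location decision and the persistence paths described above translate directly into a triage check. The following shell script is an added example, not code from the original analysis or from the malware itself: it mirrors the dropper's root/non-root branch using the shell's `id -u` in place of geteuid(), and scans a filesystem root for the file names listed above. The plist file name is not given on this page, so the check treats any LaunchAgents or LaunchDaemons plist that references `.local/updated` as the persistence entry; that matching rule, the function names, and the idea of pointing the scan at a mounted disk image are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original analysis): reproduce the
# dropper's install-location choice and hunt for the described files.

# Mirror of the dropper's decision: effective uid 0 -> /Library,
# otherwise the user's ~/Library. $1 = euid (defaults to the caller's
# via `id -u`, the shell equivalent of geteuid()), $2 = home directory.
ventir_install_dirs() {
    euid="${1:-$(id -u)}"
    home="${2:-$HOME}"
    if [ "$euid" -eq 0 ]; then
        echo "/Library/.local /Library/LaunchDaemons"
    else
        echo "$home/Library/.local $home/Library/LaunchAgents"
    fi
}

# Hunt for the indicators under a root prefix: "/" on a live system, or
# the mount point of a copied disk image (assumed usage). Prints each
# hit; returns 0 if anything was found, 1 if the tree looks clean.
ventir_hunt() {
    prefix="${1%/}"          # strip a trailing slash so "/" becomes ""
    found=0
    # Root install goes to /Library; non-root installs to each user's
    # ~/Library. Check both, because a non-root analyst can still read
    # the root-branch paths.
    for lib in "$prefix/Library" "$prefix"/Users/*/Library; do
        [ -d "$lib" ] || continue
        for f in updated reweb update libweb.db; do
            if [ -e "$lib/.local/$f" ]; then
                echo "FOUND: $lib/.local/$f"
                found=1
            fi
        done
        # The plist name is unknown here, so match on its payload:
        # a launchd job pointing at .local/updated (assumed rule).
        for d in LaunchAgents LaunchDaemons; do
            for plist in "$lib/$d"/*.plist; do
                [ -f "$plist" ] || continue
                if grep -q '\.local/updated' "$plist" 2>/dev/null; then
                    echo "FOUND: persistence plist $plist"
                    found=1
                fi
            done
        done
    done
    if [ "$found" -eq 1 ]; then return 0; else return 1; fi
}
```

Run `ventir_hunt /` on a live Mac, or pass the mount point of an acquired image; the hidden `.local` directory is the cheap tell, while the plist scan catches the launchd job even if the dropped binaries were already cleaned up.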