11/7/2023 0 Comments Free ruler osx malware![]() Mac cryptocurrency ticker app installs backdoorsĬoldroot was first published as an open source RAT for macOS on Github on 2016, but no real malware was discovered until 2018. ![]() This LaunchAgent is actually a payload to download and execute the backdoor:Īs the additional malware was downloaded from github, the user and all its content no longer exists. To persist with a system reboot, the malware creates a LaunchAgent “~/Library/LaunchAgents/.ist” (note that the LaunchAgent file is hidden by default since its start with “.”) as it starts with the command “launchctl load”. The additional downloaded malware will open a reverse shell connection to its Command & Control server. CoinTicker downloads two additional back doors The first is a custom version of EggShell malware and the other is EvilOSX by using the curl command: However, in the background the malware downloads and executes additional malware from the internet. ![]() – Create a LaunchAgent to start itself automatically on system rebootThe malware has also unfinished/unused functionality that includes:- Loading/unloading kernel extensions that handles USB devicesĬoinTicker appears to be a legitimate program that displays information on cryptocurrency coins such as Bitcoin, Etherium, Ripple etc… – Copy itself to “/System/Library/CoreServices/launchb.app” – Enable remote login to the system / Activate Apple Remote Desktop – Modify TCC.db to make malware application bundle as “Assistive Access”, means the malware will have accessibility rights without the need for password – Save user name and password into ~/.calisto/cred.dat – Save computer IP address into ~/.calisto/network.dat The malware then will execute a bash command to achieve the following:- Zip ~/Library/Keychains folder into the file ~/.calisto/KC.zip When executed, the malware will pop a window asking for the user’s credentials, to gain root access: Iit can also open a backdoor so the attacker will be able to connect to the system remotely, take screenshots and more.It propagates as fake “Intego Mac Internet Security” as we can see from the differences shown in the pictures below (taken from original report): Calisto is a Trojan that steals sensitive data from the infected machine such as user passwords, Keychain data and Chrome. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |