The /etc/hosts file, which can contain details on custom servers accessed by the user.The git config file, which contains potentially sensitive information, including an e-mail password.Command histories for bash and zsh, which can contain sensitive information such as credentials.Contents of the user's home, desktop, Documents, and Downloads folders.The g.py file is clear-text Python code, and thus its intent is quite clear. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server ( 8:443), which may mean it is a Cobalt Strike "beacon," which would provide comprehensive backdoor access to the attacker. The GoogleUpdate binary is heavily obfuscated, and it's currently not known exactly what it does. The main purpose seems to be to connect to 11, from which it downloads a Python file named g.py and a mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them. When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple things. ITerm.app/Contents/Frameworks/libcrypto.2.dylib The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added: It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. #Iterm windows zip#The real iTerm2 is distributed in a zip file, rather than a disk image. The disk image throws the first red flag. The malware comes in a disk image that contains a link to the Applications folder with a Chinese name
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |