nsaninja.blogg.se

Office for Windows on a Mac

This malware runs specifically to target Mac users.

PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. We made the corrections in the technical analysis in this post. We would also like to thank Objective Development for clarifying this issue.

PST, February 18, 2019: Further analysis on the sample indicated that it does not bypass the Gatekeeper mechanism as previously reported. We made the necessary changes in the technical analysis in this post. We would also like to thank Apple Product Security team for reaching out to us to clarify this issue.

EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.

However, we found EXE files in the wild delivering malicious payload on macOS recently. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.

The samples pose as installers of popular apps and are often available for download from various torrent websites. Examples of the applications they pose as are as follows:

  • Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip.
  • Wondershare_Filmora_924_Patched_Mac_OSX_X.zip.
  • LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip.
  • TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip.

DMG sample we analyzed posing as a legitimate application

DMG file hosting the supposed installer of the spoofed app.

Figure 2.

Inspecting the installer contents, we found the unusual presence of the .EXE file bundled inside the app, verified to be a Windows executable responsible for the malicious payload.

Figure 3.

When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.

Once run, the malware collects the following system information:

Under the /Application directory, the malware also scans for all the basic and installed apps and sends all the information to the C&C server:

It downloads the following files from the Internet and saves it to the directory ~/Library/X2441139MAC/Temp/:

  • hxxp:///INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg.
  • hxxp:///installer/macsearch.dmg

Figure 4.

DMG files are mounted and executed as soon as they are ready, as well as displaying a PUA during execution.

Figure 5. One of the adwares downloaded posing as a popular app
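The analysis above found a Windows .EXE inside the spoofed installer, launched through a bundled mono framework. As an added example (not code from the original analysis), this Python scanner walks an unpacked app bundle or mounted DMG and reports every file with PE headers, marking those that carry a CLR runtime header as .NET assemblies. The 4096-byte read window and the `make_pe` sample builder are assumptions made for the example.

```python
import os
import struct
import sys

CLR_DIR = 14  # data-directory slot holding the CLR (.NET) runtime header

def classify_pe(data):
    """Return None (not a PE), 'native-pe' or 'dotnet-pe' for a file's leading bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # skip the 4-byte "PE\0\0" signature and 20-byte COFF header
    magic = data[opt:opt + 2]  # little-endian 0x10B (PE32) or 0x20B (PE32+)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or magic not in (b"\x0b\x01", b"\x0b\x02"):
        return None
    dirs = opt + (96 if magic == b"\x0b\x01" else 112)  # start of the data directories
    if len(data) < dirs + (CLR_DIR + 1) * 8:
        return "native-pe"  # headers truncated before the CLR slot
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, dirs + CLR_DIR * 8)
    return "dotnet-pe" if count > CLR_DIR and rva and size else "native-pe"

def scan_bundle(root):
    """Walk an unpacked .app or mounted DMG; return sorted (relative path, kind) hits."""
    hits = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_pe(fh.read(4096))  # assumed header window
            except OSError:  # broken symlink or unreadable file
                continue
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)

def make_pe(dotnet):
    """Constructed sample: bare PE32 headers only, not a runnable program."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIR * 8, *((0x2008, 72) if dotnet else (0, 0)))
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(scan_bundle(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A `dotnet-pe` hit inside a macOS bundle is the combination the analysis describes and is worth triaging first; matching on file content rather than the `.exe` extension also catches renamed files.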












