The fake app wasn't "notarized" with an extra security badge that Apple grants apps it has verified to be trustworthy. (The real iTerm2 app is notarized.) But even though a Mac will notify a user that an app hasn't been notarized, the user can still choose to install it.

There's a little something extra in the fake iTerm2 app - a "downloader" that itself reaches out to an online server and installs at least two more strains of malware.

One of the two new pieces of malware is an information-stealer that profiles the Mac it's running on, steals the user's Keychain database (containing passwords and other sensitive data), and packages all the data in a Zip file before sending it back to the same server from which the information-stealer is downloaded.

The other piece of malware masquerades as a Google Update application and is downloaded from a different server. Wardle wasn't able to completely dissect this piece of malware, so he's not quite sure what it does. But he discovered that the server where it resides has been flagged as hosting a pirated copy of Cobalt Strike, a legitimate penetration-testing tool that criminals have cracked and repurposed for illicit means. As Wardle noted, it's possible that this mysterious fake Google Update is actually a Cobalt Strike "beacon," a program that creates a hidden backdoor on a system for other Cobalt Strike users to find.
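The information-stealer described above bundles the victim's Keychain database into a Zip archive before uploading it. A simple defensive check a responder can run over a recovered or intercepted archive is to look for member paths that point at macOS Keychain files. The script below is an added example, not code from the article or from Wardle's analysis; the archive contents are constructed in memory for illustration, and the path markers it matches (the `Library/Keychains/` directory and the `login.keychain-db` filename) are the standard macOS locations, not indicators taken from this specific sample.

```python
import io
import zipfile
from typing import Iterable, List

# Markers for macOS Keychain storage, matched case-insensitively against archive
# member paths. login.keychain-db is the modern filename; login.keychain is the
# legacy name. These are general macOS paths, not indicators from this sample.
KEYCHAIN_MARKERS = (
    "library/keychains/",
    "login.keychain-db",
    "login.keychain",
)


def suspicious_members(names: Iterable[str]) -> List[str]:
    """Return the archive member names that look like staged Keychain data."""
    hits = []
    for name in names:
        # Normalise separators and case so Windows-style or mixed-case paths still match.
        lowered = name.lower().replace("\\", "/")
        if any(marker in lowered for marker in KEYCHAIN_MARKERS):
            hits.append(name)
    return hits


def scan_zip_bytes(data: bytes) -> List[str]:
    """Open an in-memory Zip and report members that look like Keychain databases."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_members(zf.namelist())


def build_sample_zip(member_names: Iterable[str]) -> bytes:
    """Build a constructed Zip with the given member names (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed sample mimicking a profile-plus-Keychain bundle like the one the
# article describes. The user name and profile file names are invented.
SAMPLE_STAGED = build_sample_zip([
    "profile/system_profiler.txt",
    "profile/users.txt",
    "Users/victim/Library/Keychains/login.keychain-db",
    "Users/victim/Library/Keychains/metadata.keychain-db",
])

# Constructed benign archive: ordinary documents, no Keychain paths.
SAMPLE_BENIGN = build_sample_zip(["notes/todo.txt", "photos/img1.jpg"])


if __name__ == "__main__":
    print("staged  :", scan_zip_bytes(SAMPLE_STAGED))
    print("benign  :", scan_zip_bytes(SAMPLE_BENIGN))
```

To use this on a real artifact, read the file's bytes and pass them to `scan_zip_bytes`; a non-empty result means the archive contains Keychain-shaped paths and deserves a closer look. The matching is deliberately a path heuristic: it does not parse the Keychain format, so it flags staging of the database rather than proving the contents were decrypted.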