MacOS Malware Impersonates The Unarchiver App to Steal User Data

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Published on

Published on

Published on

Jul 30, 2024

Jul 30, 2024

Jul 30, 2024

macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
TABLE OF CONTENTS

During routine research on Hatching Triage, we discovered a submission for the domain tneunarchiver[.]com. This site, designed to mimic the legitimate theunarchiver[.]com, replicated the web page precisely, except for the altered download button.

The Unarchiver bills itself as "the top application for archives on Mac. It's a RAR extractor, it allows you to unzip files, and works with dozens of other formats."

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfHeZ6thI_M8C16bsEaY6xRd4QKmw2JPqlM1dHnaN9tgyC3WtSCtDrbQtcSpqWr51Nd6HJeU91DwECrvMSpIbGWJ-x2gpSXMCTHDrN5Md_mNNy93bLC7Q643pyW-broktohC9i_9e94mA1mrmKft3oTyAAu?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 1: A spoofed website impersonating The Unarchiver app

Upon clicking the "Download" button, the disk image (TheUnarchiver.dmg, SHA-1: 4932e7da6b21e1e37c507c42d40951ba53a83cf4) is saved to the user's computer.

Hatching Triage correctly identifies the domain as probable phishing, but analysis of the file results in a score of 1/10. Seeing such a low score does not necessarily mean the file is benign but could indicate an error/exception occurring during execution.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcu7GbiL4WLBa8seGgLtHRdY4SCMCxXUXoOg5VoS2hHKPDQPrMOCetW3X_gs6muPfM9CjE9fM4cNxFcWGL1pwWCA7o79lQmTX0R7GlQGSAKerlfpXgCyvNG2ICH9Mce6vJzBdion36UihExpuKDzcA1oq0J?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 2: TheUnarchiver.dmg analysis results in Triage (Source: Hatching Triage)

The file was also not detected as malicious by any of the security vendors in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXesB-PBSOTdQgnJR78gziVPHvQZaoaq3ML5Mv93yg0r3hDCJxUqlrxJ-BqGzEfO39mDtxXW6hkjhbkG3U9OX-jU6vBAwuTQrL2x_9AH4YyzJAgrZ0Zv_l3jJ-6Eeva22Lj9iveE2kjPYoqCRxiSsJUkLOTD?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 3: Screenshot of TheUnarchiver.dmg analysis results (Source: VirusTotal)

According to the above analysis scores, the disk image might be legitimate; however, would anyone register a look-alike domain and copy the web page just to offer the actual application? The short answer is yes, and we've seen this with previous phishing sites, but something feels off here.

Let's dive deeper into TheUnarchiver.dmg to uncover any hidden malicious behaviors that may have slipped through undetected. 

This post covers a basic analysis intended to determine the capabilities and intent of the malware.

Disk Image Analysis

Now that we're in a safe environment to dig deeper into the suspicious file, let's first figure out basic data like signing information and then manually mount the disk image using hdiutil.

When paired with the "attach" option, hdiutil will allow us to analyze any files within the disk image without double-clicking/running the file on the system.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfc-0IgKzgfMwspaLOHaGuYN28gIVOLr8GMBA6GAoRcCu5Kpaly6ISOX6fO6xoqZCHwpaL-6CBorjRrlZT-4x_TArad0qkzJnVmAG7bF71OgJwZCzoVrLoKDv1wrkjKvP4vovs47tx6W4ubkrBsqQWVIjOi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 4: Checking signature information for TheUnarchiver.dmg using Patrick Wardle's "WhatsYourSign" tool

The "WhatsYourSign" tool by Patrick Wardle unsurprisingly finds that the disk image is not signed.

Let's move to the mounted file, which, if you're following along in the terminal, can be found in the  /Volumes directory.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXc1R6vfK1PKjW9m5fdh3BKXDPFm5tdNjxd-2ARtjCqIr6Oz-L4x0nBZYBenMGIPECaymJgAEhVKbsv6DI4YNIthO-ffXlilqSmw7o0emxofqPVs77HtgyORWQ_GXcjq0fYRwjK5oo1rXuICWceAN0R8caKQ?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 5: Screenshot of dmg file contents after mounting using hdiutil

Before jumping into the binary file you've likely focused on, let's review some essential files and folders that are now accessible.

As the name suggests, the "Contents" folder houses all files and subdirectories of the disk image.

The "_CodeSignature" folder indicates that the binary has code-signing information.

The "MacOS" folder contains the executable binary, which runs when users double-click the app icon, familiar to most as part of the installation process.

The "Info.plist" file is the application's primary configuration file, offering insights into the macOS version on which the potentially malicious file was compiled.

Lastly, if you are a user of The Unarchiver, you likely have realized that the legitimate binary is named after the software and not "CryptoTrade."

Mach-O Analysis

Just like the disk image, not one of the vendors in VirusTotal identified the CrytpoTrade file as malicious.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXe95I_B3GViXP0cXwB2o_L7pu44_hUR-wvSyrJ46D8BRl640v8zQxLxJYVOWJiuaK12MR26JYOwwXVx_6gAz-tUHvf3WkPBgCJmdbtUfoe49O7piH9im476SR0bW5yw2DgsB4yyqkCOEk83k7exZOFJanIm?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 6: Analysis results for CryptoTrade mach-o file (Source: VirusTotal)

In the last section, we noted the presence of code-signing information for the CryptoTrade file. 

Using the WhatsYourSign tool again, we can gather additional information regarding who/how the file was signed. 

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdlIASGEsASb2jwT6ICC1YUKdZPC5KngWYtQ5pGNM9NJIrwSwTBw-3CbtehH9xd7ZmnejnNt2TxUymzUeGZzLuFhgQ0H6NTpO3XVXvcG1hV5je5_uH3v1N-DgfYipEgRrNny96VeyPJZrKbr7c30nL9DjE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 7: WhatsYourSign result for CryptoTrade file

We see from the image above that the file uses an ad-hoc signature, which we can grab hashes for, but it is, unfortunately, as far as we can go regarding signing info.

The output above in Figure 7 under "Item Type:" hints that we are dealing with a universal binary capable of running on both Intel and ARM architectures.

We can verify this using the below command in the terminal:

otool -fv CryptoTrade

As previously mentioned, the info.plist file is the main configuration file for the app, but it also contains information that may be interesting to us during file triage.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeEwvnZrqJedtAcmAaAhHrwNsGrogRhacrKwphtYs216CJs0R33-M_2evxbyYaxoRFEvgFSKPk-bSU1_s4sc0FDKicb-PE3nBnQaAxBZn960uNn1hjSHrwzp2lygCZNNArQbSeZmJAkVUw3jlE1VshrQe0u?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 8: Contents of info.plist

The first key in the file, BuildMachineOSBuild, includes a key value of 23f79, indicating the malware was compiled on a macOS 14.5 (May 13, 2024) build.

*Hatching Triage offers macOS 10.15 for sandbox analysis. There could be compatibility issues that are to blame for the low detection number.

While interesting, the information we found so far doesn't tell us much about the intent of the malware.

Let's use the command below to obtain a text file of CryptoTrade's shared libraries.

otool -L CryptoTrade > ~/malware_analysis/cryptotrade_libs.txt

Using the terminal or your favorite text editor, we can see multiple references to the Swift programming language, indicating that CryptoTrade is written in Swift.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXezscLR_GvEeWLMc-hhXN3uSsENSrEHlbj9Yn-vuaAH17gxZvFuLwcbjkx6Pwg_T5WGpq9GRqx_i5EyqUs23ia5GAnolyFyU1A9iGZPsS1hq1ajb5sNSDwtrayGJnnn2vsoE2Xbf2dEJbD9jQHzDqa_Nt0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 9: Dumping CryptoTrade's libraries to a text file

We could continue using otool to dump method names, disassembly, and more to gather additional information, however, that's best left for another post.

When it comes to file analysis, you can't beat the Strings command or Floss. Quickly scanning through the text file output reveals a new domain and code likely used to capture a user's password.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdsK2yJadFKzIOqxpV65zmyAZIfhhuKkAz1g6z3ou-l0sB_RYrdVsN7Tt91IO-aUBPKiQr2pxDNvHoV3yccBYPnmGaJ3AwcsbV3pWQAf_C0B7WbLnqDbHDahauX8EcKZtSDEzUYxCDkzU7culpwDb2zJiI?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 10: Strings output of CryptoTrade revealing password prompt and possible second-stage download

From the output above, we can theorize that the user is prompted for their password, which is likely part of the malicious installation process.

Even more interesting is a full URL: https://cryptomac[.]dev/download/grabber.zip.

As of the time of this post, the domain and zip file were still available.

Grabber.zip Analysis

I feel repetitive here, but grabber.zip was also not found to be malicious in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfMdhVlvVB_mBiDdRJRvTmO94PqtEpC2t2EveX9CxwH5Mj25DhKOj45orJ4qHxiBOOduR5wUc_LenWn5eLWxvR5Se3XB0_9MuCuXRt8HhQuf_652vnmHqF7_QRGyASSucqCLeZF2nTBl7a5RXzJoxpSp-Y?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 11: Analysis results for grabber.zip (Source: VirusTotal)

Unzipping the file resulted in 10 separate shell scripts, all named explicitly for their function in stealing user information.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcN_fOrwFqdtv1Yq-Tc_FfoH5esh7Md_0xSD2Ou7oHK_CWLtRTp00z_cXiQA0IPCPrY7h8DzKSjY9YYu6anOAQJZ0iwTiefubunELmcNkUD0fapbmY5xiLJz5YqA2wRmbYcojfBwCoTgu_9CFE1GO3DugtG?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 12: Contents of grabber.zip after unzipping the file

We'll start by looking at main.sh and send.sh then cover a few additional scripts that caught our attention.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeBt8K_M6rLlBgKL-DwOtMjQ_iwrPbWa0Im7qemOcsSSxenAtRjLs3aQklW7zh18dYLJMJoOYoJrDSokOViWdbd9wXy1QFSR4tVBnPUJBVAl3Fu26tHkScivfujTNB6mEcUM07P7-jFNtRTcmxZz-FH6FE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 13: main.sh script from grabber.zip

main.sh sets the directory path, ' $HOME/Library/Application Support/Google Helper', and deletes it if it already exists. Then, curl is used to get the public IP address, and the results are appended to 'ip.txt'.

grab_docs.sh, grab_keychain.sh, grab_browsers.sh, collect_info.sh, and grab_wallets_extensions.sh are run from their specified path, passing the directory path as an argument.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcWVCVNOTnswDynPO1mB6ubVaSOLuYs0B1Nv7LDUBYVd3moGGKIrQnPcomTzHqFD4b5JIwMBVZ7zL-3k_MwB78dcaqaVNjk2sPcNLh2d5zK-KwqMGPVR-8rY1Hj9vhbRZ6DxL-KOc2iNZQTTaLEVPAN6Czi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 14: send.sh containing a URL likely used to exfiltrate information from a victim system

send.sh switches to the directory path set in the main shell script, and creates a zip file containing the stolen information of the victim.

The zip file is then sent via curl to a separate URL, http://81.19.137[.]179/api/index.php.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcH_7MOO17TutIqmc0ACxWKzMPgQJ7ARCGtBnZsboFYFg8vMenRDNK4UKPcwdikQpvaTnHSnJtUUXKm2VZuCCN2zaU_gfBeZkMhSIDDto2_ik7RfZ5kCgrQZU2BC98PFTEgKggohjIfl5b3rQUCQei9bG0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 15: Screenshot of grab_apps.sh with Russian code comments

The grab_apps.sh file raised suspicions due to the presence of comments in Russian, suggesting the malware author might be from a Russian-speaking region or at least familiar with the language.

Using machine translation, the first comment in English is: "Path to the Telegram folder on your current Mac" and the second, "Copy files and folders."

Conclusion

In this post, we analyzed a malicious disk image that appears to not yet be known to security vendors, but has similar traits to the growing number of stealers targeting MacOS users like Amos, Poseidon, etc.

Impersonating a well-known app like The Unarchiver, the malicious binary written in Swift steals information from victim systems, and exfiltrates that data to infrastructure using a common URL path, /api/index.php.

To stay ahead of emerging threats, contact us to book a free demo today.

TABLE OF CONTENTS

During routine research on Hatching Triage, we discovered a submission for the domain tneunarchiver[.]com. This site, designed to mimic the legitimate theunarchiver[.]com, replicated the web page precisely, except for the altered download button.

The Unarchiver bills itself as "the top application for archives on Mac. It's a RAR extractor, it allows you to unzip files, and works with dozens of other formats."

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfHeZ6thI_M8C16bsEaY6xRd4QKmw2JPqlM1dHnaN9tgyC3WtSCtDrbQtcSpqWr51Nd6HJeU91DwECrvMSpIbGWJ-x2gpSXMCTHDrN5Md_mNNy93bLC7Q643pyW-broktohC9i_9e94mA1mrmKft3oTyAAu?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 1: A spoofed website impersonating The Unarchiver app

Upon clicking the "Download" button, the disk image (TheUnarchiver.dmg, SHA-1: 4932e7da6b21e1e37c507c42d40951ba53a83cf4) is saved to the user's computer.

Hatching Triage correctly identifies the domain as probable phishing, but analysis of the file results in a score of 1/10. Seeing such a low score does not necessarily mean the file is benign but could indicate an error/exception occurring during execution.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcu7GbiL4WLBa8seGgLtHRdY4SCMCxXUXoOg5VoS2hHKPDQPrMOCetW3X_gs6muPfM9CjE9fM4cNxFcWGL1pwWCA7o79lQmTX0R7GlQGSAKerlfpXgCyvNG2ICH9Mce6vJzBdion36UihExpuKDzcA1oq0J?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 2: TheUnarchiver.dmg analysis results in Triage (Source: Hatching Triage)

The file was also not detected as malicious by any of the security vendors in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXesB-PBSOTdQgnJR78gziVPHvQZaoaq3ML5Mv93yg0r3hDCJxUqlrxJ-BqGzEfO39mDtxXW6hkjhbkG3U9OX-jU6vBAwuTQrL2x_9AH4YyzJAgrZ0Zv_l3jJ-6Eeva22Lj9iveE2kjPYoqCRxiSsJUkLOTD?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 3: Screenshot of TheUnarchiver.dmg analysis results (Source: VirusTotal)

According to the above analysis scores, the disk image might be legitimate; however, would anyone register a look-alike domain and copy the web page just to offer the actual application? The short answer is yes, and we've seen this with previous phishing sites, but something feels off here.

Let's dive deeper into TheUnarchiver.dmg to uncover any hidden malicious behaviors that may have slipped through undetected. 

This post covers a basic analysis intended to determine the capabilities and intent of the malware.

Disk Image Analysis

Now that we're in a safe environment to dig deeper into the suspicious file, let's first figure out basic data like signing information and then manually mount the disk image using hdiutil.

When paired with the "attach" option, hdiutil will allow us to analyze any files within the disk image without double-clicking/running the file on the system.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfc-0IgKzgfMwspaLOHaGuYN28gIVOLr8GMBA6GAoRcCu5Kpaly6ISOX6fO6xoqZCHwpaL-6CBorjRrlZT-4x_TArad0qkzJnVmAG7bF71OgJwZCzoVrLoKDv1wrkjKvP4vovs47tx6W4ubkrBsqQWVIjOi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 4: Checking signature information for TheUnarchiver.dmg using Patrick Wardle's "WhatsYourSign" tool

The "WhatsYourSign" tool by Patrick Wardle unsurprisingly finds that the disk image is not signed.

Let's move to the mounted file, which, if you're following along in the terminal, can be found in the  /Volumes directory.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXc1R6vfK1PKjW9m5fdh3BKXDPFm5tdNjxd-2ARtjCqIr6Oz-L4x0nBZYBenMGIPECaymJgAEhVKbsv6DI4YNIthO-ffXlilqSmw7o0emxofqPVs77HtgyORWQ_GXcjq0fYRwjK5oo1rXuICWceAN0R8caKQ?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 5: Screenshot of dmg file contents after mounting using hdiutil

Before jumping into the binary file you've likely focused on, let's review some essential files and folders that are now accessible.

As the name suggests, the "Contents" folder houses all files and subdirectories of the disk image.

The "_CodeSignature" folder indicates that the binary has code-signing information.

The "MacOS" folder contains the executable binary, which runs when users double-click the app icon, familiar to most as part of the installation process.

The "Info.plist" file is the application's primary configuration file, offering insights into the macOS version on which the potentially malicious file was compiled.

Lastly, if you are a user of The Unarchiver, you likely have realized that the legitimate binary is named after the software and not "CryptoTrade."

Mach-O Analysis

Just like the disk image, not one of the vendors in VirusTotal identified the CrytpoTrade file as malicious.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXe95I_B3GViXP0cXwB2o_L7pu44_hUR-wvSyrJ46D8BRl640v8zQxLxJYVOWJiuaK12MR26JYOwwXVx_6gAz-tUHvf3WkPBgCJmdbtUfoe49O7piH9im476SR0bW5yw2DgsB4yyqkCOEk83k7exZOFJanIm?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 6: Analysis results for CryptoTrade mach-o file (Source: VirusTotal)

In the last section, we noted the presence of code-signing information for the CryptoTrade file. 

Using the WhatsYourSign tool again, we can gather additional information regarding who/how the file was signed. 

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdlIASGEsASb2jwT6ICC1YUKdZPC5KngWYtQ5pGNM9NJIrwSwTBw-3CbtehH9xd7ZmnejnNt2TxUymzUeGZzLuFhgQ0H6NTpO3XVXvcG1hV5je5_uH3v1N-DgfYipEgRrNny96VeyPJZrKbr7c30nL9DjE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 7: WhatsYourSign result for CryptoTrade file

We see from the image above that the file uses an ad-hoc signature, which we can grab hashes for, but it is, unfortunately, as far as we can go regarding signing info.

The output above in Figure 7 under "Item Type:" hints that we are dealing with a universal binary capable of running on both Intel and ARM architectures.

We can verify this using the below command in the terminal:

otool -fv CryptoTrade

As previously mentioned, the info.plist file is the main configuration file for the app, but it also contains information that may be interesting to us during file triage.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeEwvnZrqJedtAcmAaAhHrwNsGrogRhacrKwphtYs216CJs0R33-M_2evxbyYaxoRFEvgFSKPk-bSU1_s4sc0FDKicb-PE3nBnQaAxBZn960uNn1hjSHrwzp2lygCZNNArQbSeZmJAkVUw3jlE1VshrQe0u?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 8: Contents of info.plist

The first key in the file, BuildMachineOSBuild, includes a key value of 23f79, indicating the malware was compiled on a macOS 14.5 (May 13, 2024) build.

*Hatching Triage offers macOS 10.15 for sandbox analysis. There could be compatibility issues that are to blame for the low detection number.

While interesting, the information we found so far doesn't tell us much about the intent of the malware.

Let's use the command below to obtain a text file of CryptoTrade's shared libraries.

otool -L CryptoTrade > ~/malware_analysis/cryptotrade_libs.txt

Using the terminal or your favorite text editor, we can see multiple references to the Swift programming language, indicating that CryptoTrade is written in Swift.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXezscLR_GvEeWLMc-hhXN3uSsENSrEHlbj9Yn-vuaAH17gxZvFuLwcbjkx6Pwg_T5WGpq9GRqx_i5EyqUs23ia5GAnolyFyU1A9iGZPsS1hq1ajb5sNSDwtrayGJnnn2vsoE2Xbf2dEJbD9jQHzDqa_Nt0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 9: Dumping CryptoTrade's libraries to a text file

We could continue using otool to dump method names, disassembly, and more to gather additional information, however, that's best left for another post.

When it comes to file analysis, you can't beat the Strings command or Floss. Quickly scanning through the text file output reveals a new domain and code likely used to capture a user's password.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdsK2yJadFKzIOqxpV65zmyAZIfhhuKkAz1g6z3ou-l0sB_RYrdVsN7Tt91IO-aUBPKiQr2pxDNvHoV3yccBYPnmGaJ3AwcsbV3pWQAf_C0B7WbLnqDbHDahauX8EcKZtSDEzUYxCDkzU7culpwDb2zJiI?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 10: Strings output of CryptoTrade revealing password prompt and possible second-stage download

From the output above, we can theorize that the user is prompted for their password, which is likely part of the malicious installation process.

Even more interesting is a full URL: https://cryptomac[.]dev/download/grabber.zip.

As of the time of this post, the domain and zip file were still available.

Grabber.zip Analysis

I feel repetitive here, but grabber.zip was also not found to be malicious in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfMdhVlvVB_mBiDdRJRvTmO94PqtEpC2t2EveX9CxwH5Mj25DhKOj45orJ4qHxiBOOduR5wUc_LenWn5eLWxvR5Se3XB0_9MuCuXRt8HhQuf_652vnmHqF7_QRGyASSucqCLeZF2nTBl7a5RXzJoxpSp-Y?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 11: Analysis results for grabber.zip (Source: VirusTotal)

Unzipping the file resulted in 10 separate shell scripts, all named explicitly for their function in stealing user information.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcN_fOrwFqdtv1Yq-Tc_FfoH5esh7Md_0xSD2Ou7oHK_CWLtRTp00z_cXiQA0IPCPrY7h8DzKSjY9YYu6anOAQJZ0iwTiefubunELmcNkUD0fapbmY5xiLJz5YqA2wRmbYcojfBwCoTgu_9CFE1GO3DugtG?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 12: Contents of grabber.zip after unzipping the file

We'll start by looking at main.sh and send.sh then cover a few additional scripts that caught our attention.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeBt8K_M6rLlBgKL-DwOtMjQ_iwrPbWa0Im7qemOcsSSxenAtRjLs3aQklW7zh18dYLJMJoOYoJrDSokOViWdbd9wXy1QFSR4tVBnPUJBVAl3Fu26tHkScivfujTNB6mEcUM07P7-jFNtRTcmxZz-FH6FE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 13: main.sh script from grabber.zip

main.sh sets the directory path, ' $HOME/Library/Application Support/Google Helper', and deletes it if it already exists. Then, curl is used to get the public IP address, and the results are appended to 'ip.txt'.

grab_docs.sh, grab_keychain.sh, grab_browsers.sh, collect_info.sh, and grab_wallets_extensions.sh are run from their specified path, passing the directory path as an argument.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcWVCVNOTnswDynPO1mB6ubVaSOLuYs0B1Nv7LDUBYVd3moGGKIrQnPcomTzHqFD4b5JIwMBVZ7zL-3k_MwB78dcaqaVNjk2sPcNLh2d5zK-KwqMGPVR-8rY1Hj9vhbRZ6DxL-KOc2iNZQTTaLEVPAN6Czi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 14: send.sh containing a URL likely used to exfiltrate information from a victim system

send.sh switches to the directory path set in the main shell script, and creates a zip file containing the stolen information of the victim.

The zip file is then sent via curl to a separate URL, http://81.19.137[.]179/api/index.php.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcH_7MOO17TutIqmc0ACxWKzMPgQJ7ARCGtBnZsboFYFg8vMenRDNK4UKPcwdikQpvaTnHSnJtUUXKm2VZuCCN2zaU_gfBeZkMhSIDDto2_ik7RfZ5kCgrQZU2BC98PFTEgKggohjIfl5b3rQUCQei9bG0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 15: Screenshot of grab_apps.sh with Russian code comments

The grab_apps.sh file raised suspicions due to the presence of comments in Russian, suggesting the malware author might be from a Russian-speaking region or at least familiar with the language.

Using machine translation, the first comment in English is: "Path to the Telegram folder on your current Mac" and the second, "Copy files and folders."

Conclusion

In this post, we analyzed a malicious disk image that appears to not yet be known to security vendors, but has similar traits to the growing number of stealers targeting MacOS users like Amos, Poseidon, etc.

Impersonating a well-known app like The Unarchiver, the malicious binary written in Swift steals information from victim systems, and exfiltrates that data to infrastructure using a common URL path, /api/index.php.

To stay ahead of emerging threats, contact us to book a free demo today.

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.