MacOS Malware Impersonates The Unarchiver App to Steal User Data

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Published on

Published on

Published on

Jul 30, 2024

Jul 30, 2024

Jul 30, 2024

macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
TABLE OF CONTENTS

During routine research on Hatching Triage, we discovered a submission for the domain tneunarchiver[.]com. This site, designed to mimic the legitimate theunarchiver[.]com, replicated the web page precisely, except for the altered download button.

The Unarchiver bills itself as "the top application for archives on Mac. It's a RAR extractor, it allows you to unzip files, and works with dozens of other formats."

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfHeZ6thI_M8C16bsEaY6xRd4QKmw2JPqlM1dHnaN9tgyC3WtSCtDrbQtcSpqWr51Nd6HJeU91DwECrvMSpIbGWJ-x2gpSXMCTHDrN5Md_mNNy93bLC7Q643pyW-broktohC9i_9e94mA1mrmKft3oTyAAu?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 1: A spoofed website impersonating The Unarchiver app

Upon clicking the "Download" button, the disk image (TheUnarchiver.dmg, SHA-1: 4932e7da6b21e1e37c507c42d40951ba53a83cf4) is saved to the user's computer.

Hatching Triage correctly identifies the domain as probable phishing, but analysis of the file results in a score of 1/10. Seeing such a low score does not necessarily mean the file is benign but could indicate an error/exception occurring during execution.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcu7GbiL4WLBa8seGgLtHRdY4SCMCxXUXoOg5VoS2hHKPDQPrMOCetW3X_gs6muPfM9CjE9fM4cNxFcWGL1pwWCA7o79lQmTX0R7GlQGSAKerlfpXgCyvNG2ICH9Mce6vJzBdion36UihExpuKDzcA1oq0J?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 2: TheUnarchiver.dmg analysis results in Triage (Source: Hatching Triage)

The file was also not detected as malicious by any of the security vendors in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXesB-PBSOTdQgnJR78gziVPHvQZaoaq3ML5Mv93yg0r3hDCJxUqlrxJ-BqGzEfO39mDtxXW6hkjhbkG3U9OX-jU6vBAwuTQrL2x_9AH4YyzJAgrZ0Zv_l3jJ-6Eeva22Lj9iveE2kjPYoqCRxiSsJUkLOTD?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 3: Screenshot of TheUnarchiver.dmg analysis results (Source: VirusTotal)

According to the above analysis scores, the disk image might be legitimate; however, would anyone register a look-alike domain and copy the web page just to offer the actual application? The short answer is yes, and we've seen this with previous phishing sites, but something feels off here.

Let's dive deeper into TheUnarchiver.dmg to uncover any hidden malicious behaviors that may have slipped through undetected. 

This post covers a basic analysis intended to determine the capabilities and intent of the malware.

Disk Image Analysis

Now that we're in a safe environment to dig deeper into the suspicious file, let's first figure out basic data like signing information and then manually mount the disk image using hdiutil.

When paired with the "attach" option, hdiutil will allow us to analyze any files within the disk image without double-clicking/running the file on the system.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfc-0IgKzgfMwspaLOHaGuYN28gIVOLr8GMBA6GAoRcCu5Kpaly6ISOX6fO6xoqZCHwpaL-6CBorjRrlZT-4x_TArad0qkzJnVmAG7bF71OgJwZCzoVrLoKDv1wrkjKvP4vovs47tx6W4ubkrBsqQWVIjOi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 4: Checking signature information for TheUnarchiver.dmg using Patrick Wardle's "WhatsYourSign" tool

The "WhatsYourSign" tool by Patrick Wardle unsurprisingly finds that the disk image is not signed.

Let's move to the mounted file, which, if you're following along in the terminal, can be found in the  /Volumes directory.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXc1R6vfK1PKjW9m5fdh3BKXDPFm5tdNjxd-2ARtjCqIr6Oz-L4x0nBZYBenMGIPECaymJgAEhVKbsv6DI4YNIthO-ffXlilqSmw7o0emxofqPVs77HtgyORWQ_GXcjq0fYRwjK5oo1rXuICWceAN0R8caKQ?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 5: Screenshot of dmg file contents after mounting using hdiutil

Before jumping into the binary file you've likely focused on, let's review some essential files and folders that are now accessible.

As the name suggests, the "Contents" folder houses all files and subdirectories of the disk image.

The "_CodeSignature" folder indicates that the binary has code-signing information.

The "MacOS" folder contains the executable binary, which runs when users double-click the app icon, familiar to most as part of the installation process.

The "Info.plist" file is the application's primary configuration file, offering insights into the macOS version on which the potentially malicious file was compiled.

Lastly, if you are a user of The Unarchiver, you likely have realized that the legitimate binary is named after the software and not "CryptoTrade."

Mach-O Analysis

Just like the disk image, not one of the vendors in VirusTotal identified the CrytpoTrade file as malicious.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXe95I_B3GViXP0cXwB2o_L7pu44_hUR-wvSyrJ46D8BRl640v8zQxLxJYVOWJiuaK12MR26JYOwwXVx_6gAz-tUHvf3WkPBgCJmdbtUfoe49O7piH9im476SR0bW5yw2DgsB4yyqkCOEk83k7exZOFJanIm?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 6: Analysis results for CryptoTrade mach-o file (Source: VirusTotal)

In the last section, we noted the presence of code-signing information for the CryptoTrade file. 

Using the WhatsYourSign tool again, we can gather additional information regarding who/how the file was signed. 

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdlIASGEsASb2jwT6ICC1YUKdZPC5KngWYtQ5pGNM9NJIrwSwTBw-3CbtehH9xd7ZmnejnNt2TxUymzUeGZzLuFhgQ0H6NTpO3XVXvcG1hV5je5_uH3v1N-DgfYipEgRrNny96VeyPJZrKbr7c30nL9DjE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 7: WhatsYourSign result for CryptoTrade file

We see from the image above that the file uses an ad-hoc signature, which we can grab hashes for, but it is, unfortunately, as far as we can go regarding signing info.

The output above in Figure 7 under "Item Type:" hints that we are dealing with a universal binary capable of running on both Intel and ARM architectures.

We can verify this using the below command in the terminal:

otool -fv CryptoTrade

As previously mentioned, the info.plist file is the main configuration file for the app, but it also contains information that may be interesting to us during file triage.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeEwvnZrqJedtAcmAaAhHrwNsGrogRhacrKwphtYs216CJs0R33-M_2evxbyYaxoRFEvgFSKPk-bSU1_s4sc0FDKicb-PE3nBnQaAxBZn960uNn1hjSHrwzp2lygCZNNArQbSeZmJAkVUw3jlE1VshrQe0u?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 8: Contents of info.plist

The first key in the file, BuildMachineOSBuild, includes a key value of 23f79, indicating the malware was compiled on a macOS 14.5 (May 13, 2024) build.

*Hatching Triage offers macOS 10.15 for sandbox analysis. There could be compatibility issues that are to blame for the low detection number.

While interesting, the information we found so far doesn't tell us much about the intent of the malware.

Let's use the command below to obtain a text file of CryptoTrade's shared libraries.

otool -L CryptoTrade > ~/malware_analysis/cryptotrade_libs.txt

Using the terminal or your favorite text editor, we can see multiple references to the Swift programming language, indicating that CryptoTrade is written in Swift.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXezscLR_GvEeWLMc-hhXN3uSsENSrEHlbj9Yn-vuaAH17gxZvFuLwcbjkx6Pwg_T5WGpq9GRqx_i5EyqUs23ia5GAnolyFyU1A9iGZPsS1hq1ajb5sNSDwtrayGJnnn2vsoE2Xbf2dEJbD9jQHzDqa_Nt0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 9: Dumping CryptoTrade's libraries to a text file

We could continue using otool to dump method names, disassembly, and more to gather additional information, however, that's best left for another post.

When it comes to file analysis, you can't beat the Strings command or Floss. Quickly scanning through the text file output reveals a new domain and code likely used to capture a user's password.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdsK2yJadFKzIOqxpV65zmyAZIfhhuKkAz1g6z3ou-l0sB_RYrdVsN7Tt91IO-aUBPKiQr2pxDNvHoV3yccBYPnmGaJ3AwcsbV3pWQAf_C0B7WbLnqDbHDahauX8EcKZtSDEzUYxCDkzU7culpwDb2zJiI?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 10: Strings output of CryptoTrade revealing password prompt and possible second-stage download

From the output above, we can theorize that the user is prompted for their password, which is likely part of the malicious installation process.

Even more interesting is a full URL: https://cryptomac[.]dev/download/grabber.zip.

As of the time of this post, the domain and zip file were still available.

Grabber.zip Analysis

I feel repetitive here, but grabber.zip was also not found to be malicious in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfMdhVlvVB_mBiDdRJRvTmO94PqtEpC2t2EveX9CxwH5Mj25DhKOj45orJ4qHxiBOOduR5wUc_LenWn5eLWxvR5Se3XB0_9MuCuXRt8HhQuf_652vnmHqF7_QRGyASSucqCLeZF2nTBl7a5RXzJoxpSp-Y?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 11: Analysis results for grabber.zip (Source: VirusTotal)

Unzipping the file resulted in 10 separate shell scripts, all named explicitly for their function in stealing user information.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcN_fOrwFqdtv1Yq-Tc_FfoH5esh7Md_0xSD2Ou7oHK_CWLtRTp00z_cXiQA0IPCPrY7h8DzKSjY9YYu6anOAQJZ0iwTiefubunELmcNkUD0fapbmY5xiLJz5YqA2wRmbYcojfBwCoTgu_9CFE1GO3DugtG?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 12: Contents of grabber.zip after unzipping the file

We'll start by looking at main.sh and send.sh then cover a few additional scripts that caught our attention.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeBt8K_M6rLlBgKL-DwOtMjQ_iwrPbWa0Im7qemOcsSSxenAtRjLs3aQklW7zh18dYLJMJoOYoJrDSokOViWdbd9wXy1QFSR4tVBnPUJBVAl3Fu26tHkScivfujTNB6mEcUM07P7-jFNtRTcmxZz-FH6FE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 13: main.sh script from grabber.zip

main.sh sets the directory path, ' $HOME/Library/Application Support/Google Helper', and deletes it if it already exists. Then, curl is used to get the public IP address, and the results are appended to 'ip.txt'.

grab_docs.sh, grab_keychain.sh, grab_browsers.sh, collect_info.sh, and grab_wallets_extensions.sh are run from their specified path, passing the directory path as an argument.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcWVCVNOTnswDynPO1mB6ubVaSOLuYs0B1Nv7LDUBYVd3moGGKIrQnPcomTzHqFD4b5JIwMBVZ7zL-3k_MwB78dcaqaVNjk2sPcNLh2d5zK-KwqMGPVR-8rY1Hj9vhbRZ6DxL-KOc2iNZQTTaLEVPAN6Czi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 14: send.sh containing a URL likely used to exfiltrate information from a victim system

send.sh switches to the directory path set in the main shell script, and creates a zip file containing the stolen information of the victim.

The zip file is then sent via curl to a separate URL, http://81.19.137[.]179/api/index.php.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcH_7MOO17TutIqmc0ACxWKzMPgQJ7ARCGtBnZsboFYFg8vMenRDNK4UKPcwdikQpvaTnHSnJtUUXKm2VZuCCN2zaU_gfBeZkMhSIDDto2_ik7RfZ5kCgrQZU2BC98PFTEgKggohjIfl5b3rQUCQei9bG0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 15: Screenshot of grab_apps.sh with Russian code comments

The grab_apps.sh file raised suspicions due to the presence of comments in Russian, suggesting the malware author might be from a Russian-speaking region or at least familiar with the language.

Using machine translation, the first comment in English is: "Path to the Telegram folder on your current Mac" and the second, "Copy files and folders."

Conclusion

In this post, we analyzed a malicious disk image that appears to not yet be known to security vendors, but has similar traits to the growing number of stealers targeting MacOS users like Amos, Poseidon, etc.

Impersonating a well-known app like The Unarchiver, the malicious binary written in Swift steals information from victim systems, and exfiltrates that data to infrastructure using a common URL path, /api/index.php.

To stay ahead of emerging threats, contact us to book a free demo today.

TABLE OF CONTENTS

During routine research on Hatching Triage, we discovered a submission for the domain tneunarchiver[.]com. This site, designed to mimic the legitimate theunarchiver[.]com, replicated the web page precisely, except for the altered download button.

The Unarchiver bills itself as "the top application for archives on Mac. It's a RAR extractor, it allows you to unzip files, and works with dozens of other formats."

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfHeZ6thI_M8C16bsEaY6xRd4QKmw2JPqlM1dHnaN9tgyC3WtSCtDrbQtcSpqWr51Nd6HJeU91DwECrvMSpIbGWJ-x2gpSXMCTHDrN5Md_mNNy93bLC7Q643pyW-broktohC9i_9e94mA1mrmKft3oTyAAu?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 1: A spoofed website impersonating The Unarchiver app

Upon clicking the "Download" button, the disk image (TheUnarchiver.dmg, SHA-1: 4932e7da6b21e1e37c507c42d40951ba53a83cf4) is saved to the user's computer.

Hatching Triage correctly identifies the domain as probable phishing, but analysis of the file results in a score of 1/10. Seeing such a low score does not necessarily mean the file is benign but could indicate an error/exception occurring during execution.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcu7GbiL4WLBa8seGgLtHRdY4SCMCxXUXoOg5VoS2hHKPDQPrMOCetW3X_gs6muPfM9CjE9fM4cNxFcWGL1pwWCA7o79lQmTX0R7GlQGSAKerlfpXgCyvNG2ICH9Mce6vJzBdion36UihExpuKDzcA1oq0J?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 2: TheUnarchiver.dmg analysis results in Triage (Source: Hatching Triage)

The file was also not detected as malicious by any of the security vendors in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXesB-PBSOTdQgnJR78gziVPHvQZaoaq3ML5Mv93yg0r3hDCJxUqlrxJ-BqGzEfO39mDtxXW6hkjhbkG3U9OX-jU6vBAwuTQrL2x_9AH4YyzJAgrZ0Zv_l3jJ-6Eeva22Lj9iveE2kjPYoqCRxiSsJUkLOTD?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 3: Screenshot of TheUnarchiver.dmg analysis results (Source: VirusTotal)

According to the above analysis scores, the disk image might be legitimate; however, would anyone register a look-alike domain and copy the web page just to offer the actual application? The short answer is yes, and we've seen this with previous phishing sites, but something feels off here.

Let's dive deeper into TheUnarchiver.dmg to uncover any hidden malicious behaviors that may have slipped through undetected. 

This post covers a basic analysis intended to determine the capabilities and intent of the malware.

Disk Image Analysis

Now that we're in a safe environment to dig deeper into the suspicious file, let's first figure out basic data like signing information and then manually mount the disk image using hdiutil.

When paired with the "attach" option, hdiutil will allow us to analyze any files within the disk image without double-clicking/running the file on the system.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfc-0IgKzgfMwspaLOHaGuYN28gIVOLr8GMBA6GAoRcCu5Kpaly6ISOX6fO6xoqZCHwpaL-6CBorjRrlZT-4x_TArad0qkzJnVmAG7bF71OgJwZCzoVrLoKDv1wrkjKvP4vovs47tx6W4ubkrBsqQWVIjOi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 4: Checking signature information for TheUnarchiver.dmg using Patrick Wardle's "WhatsYourSign" tool

The "WhatsYourSign" tool by Patrick Wardle unsurprisingly finds that the disk image is not signed.

Let's move to the mounted file, which, if you're following along in the terminal, can be found in the  /Volumes directory.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXc1R6vfK1PKjW9m5fdh3BKXDPFm5tdNjxd-2ARtjCqIr6Oz-L4x0nBZYBenMGIPECaymJgAEhVKbsv6DI4YNIthO-ffXlilqSmw7o0emxofqPVs77HtgyORWQ_GXcjq0fYRwjK5oo1rXuICWceAN0R8caKQ?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 5: Screenshot of dmg file contents after mounting using hdiutil

Before jumping into the binary file you've likely focused on, let's review some essential files and folders that are now accessible.

As the name suggests, the "Contents" folder houses all files and subdirectories of the disk image.

The "_CodeSignature" folder indicates that the binary has code-signing information.

The "MacOS" folder contains the executable binary, which runs when users double-click the app icon, familiar to most as part of the installation process.

The "Info.plist" file is the application's primary configuration file, offering insights into the macOS version on which the potentially malicious file was compiled.

Lastly, if you are a user of The Unarchiver, you likely have realized that the legitimate binary is named after the software and not "CryptoTrade."

Mach-O Analysis

Just like the disk image, not one of the vendors in VirusTotal identified the CrytpoTrade file as malicious.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXe95I_B3GViXP0cXwB2o_L7pu44_hUR-wvSyrJ46D8BRl640v8zQxLxJYVOWJiuaK12MR26JYOwwXVx_6gAz-tUHvf3WkPBgCJmdbtUfoe49O7piH9im476SR0bW5yw2DgsB4yyqkCOEk83k7exZOFJanIm?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 6: Analysis results for CryptoTrade mach-o file (Source: VirusTotal)

In the last section, we noted the presence of code-signing information for the CryptoTrade file. 

Using the WhatsYourSign tool again, we can gather additional information regarding who/how the file was signed. 

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdlIASGEsASb2jwT6ICC1YUKdZPC5KngWYtQ5pGNM9NJIrwSwTBw-3CbtehH9xd7ZmnejnNt2TxUymzUeGZzLuFhgQ0H6NTpO3XVXvcG1hV5je5_uH3v1N-DgfYipEgRrNny96VeyPJZrKbr7c30nL9DjE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 7: WhatsYourSign result for CryptoTrade file

We see from the image above that the file uses an ad-hoc signature, which we can grab hashes for, but it is, unfortunately, as far as we can go regarding signing info.

The output above in Figure 7 under "Item Type:" hints that we are dealing with a universal binary capable of running on both Intel and ARM architectures.

We can verify this using the below command in the terminal:

otool -fv CryptoTrade

As previously mentioned, the info.plist file is the main configuration file for the app, but it also contains information that may be interesting to us during file triage.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeEwvnZrqJedtAcmAaAhHrwNsGrogRhacrKwphtYs216CJs0R33-M_2evxbyYaxoRFEvgFSKPk-bSU1_s4sc0FDKicb-PE3nBnQaAxBZn960uNn1hjSHrwzp2lygCZNNArQbSeZmJAkVUw3jlE1VshrQe0u?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 8: Contents of info.plist

The first key in the file, BuildMachineOSBuild, includes a key value of 23f79, indicating the malware was compiled on a macOS 14.5 (May 13, 2024) build.

*Hatching Triage offers macOS 10.15 for sandbox analysis. There could be compatibility issues that are to blame for the low detection number.

While interesting, the information we found so far doesn't tell us much about the intent of the malware.

Let's use the command below to obtain a text file of CryptoTrade's shared libraries.

otool -L CryptoTrade > ~/malware_analysis/cryptotrade_libs.txt

Using the terminal or your favorite text editor, we can see multiple references to the Swift programming language, indicating that CryptoTrade is written in Swift.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXezscLR_GvEeWLMc-hhXN3uSsENSrEHlbj9Yn-vuaAH17gxZvFuLwcbjkx6Pwg_T5WGpq9GRqx_i5EyqUs23ia5GAnolyFyU1A9iGZPsS1hq1ajb5sNSDwtrayGJnnn2vsoE2Xbf2dEJbD9jQHzDqa_Nt0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 9: Dumping CryptoTrade's libraries to a text file

We could continue using otool to dump method names, disassembly, and more to gather additional information, however, that's best left for another post.

When it comes to file analysis, you can't beat the Strings command or Floss. Quickly scanning through the text file output reveals a new domain and code likely used to capture a user's password.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdsK2yJadFKzIOqxpV65zmyAZIfhhuKkAz1g6z3ou-l0sB_RYrdVsN7Tt91IO-aUBPKiQr2pxDNvHoV3yccBYPnmGaJ3AwcsbV3pWQAf_C0B7WbLnqDbHDahauX8EcKZtSDEzUYxCDkzU7culpwDb2zJiI?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 10: Strings output of CryptoTrade revealing password prompt and possible second-stage download

From the output above, we can theorize that the user is prompted for their password, which is likely part of the malicious installation process.

Even more interesting is a full URL: https://cryptomac[.]dev/download/grabber.zip.

As of the time of this post, the domain and zip file were still available.

Grabber.zip Analysis

I feel repetitive here, but grabber.zip was also not found to be malicious in VirusTotal.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfMdhVlvVB_mBiDdRJRvTmO94PqtEpC2t2EveX9CxwH5Mj25DhKOj45orJ4qHxiBOOduR5wUc_LenWn5eLWxvR5Se3XB0_9MuCuXRt8HhQuf_652vnmHqF7_QRGyASSucqCLeZF2nTBl7a5RXzJoxpSp-Y?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 11: Analysis results for grabber.zip (Source: VirusTotal)

Unzipping the file resulted in 10 separate shell scripts, all named explicitly for their function in stealing user information.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcN_fOrwFqdtv1Yq-Tc_FfoH5esh7Md_0xSD2Ou7oHK_CWLtRTp00z_cXiQA0IPCPrY7h8DzKSjY9YYu6anOAQJZ0iwTiefubunELmcNkUD0fapbmY5xiLJz5YqA2wRmbYcojfBwCoTgu_9CFE1GO3DugtG?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 12: Contents of grabber.zip after unzipping the file

We'll start by looking at main.sh and send.sh then cover a few additional scripts that caught our attention.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXeBt8K_M6rLlBgKL-DwOtMjQ_iwrPbWa0Im7qemOcsSSxenAtRjLs3aQklW7zh18dYLJMJoOYoJrDSokOViWdbd9wXy1QFSR4tVBnPUJBVAl3Fu26tHkScivfujTNB6mEcUM07P7-jFNtRTcmxZz-FH6FE?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 13: main.sh script from grabber.zip

main.sh sets the directory path, ' $HOME/Library/Application Support/Google Helper', and deletes it if it already exists. Then, curl is used to get the public IP address, and the results are appended to 'ip.txt'.

grab_docs.sh, grab_keychain.sh, grab_browsers.sh, collect_info.sh, and grab_wallets_extensions.sh are run from their specified path, passing the directory path as an argument.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcWVCVNOTnswDynPO1mB6ubVaSOLuYs0B1Nv7LDUBYVd3moGGKIrQnPcomTzHqFD4b5JIwMBVZ7zL-3k_MwB78dcaqaVNjk2sPcNLh2d5zK-KwqMGPVR-8rY1Hj9vhbRZ6DxL-KOc2iNZQTTaLEVPAN6Czi?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 14: send.sh containing a URL likely used to exfiltrate information from a victim system

send.sh switches to the directory path set in the main shell script, and creates a zip file containing the stolen information of the victim.

The zip file is then sent via curl to a separate URL, http://81.19.137[.]179/api/index.php.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXcH_7MOO17TutIqmc0ACxWKzMPgQJ7ARCGtBnZsboFYFg8vMenRDNK4UKPcwdikQpvaTnHSnJtUUXKm2VZuCCN2zaU_gfBeZkMhSIDDto2_ik7RfZ5kCgrQZU2BC98PFTEgKggohjIfl5b3rQUCQei9bG0?key=7CAQGR5AJc1p1Kfvomgk_A
Figure 15: Screenshot of grab_apps.sh with Russian code comments

The grab_apps.sh file raised suspicions due to the presence of comments in Russian, suggesting the malware author might be from a Russian-speaking region or at least familiar with the language.

Using machine translation, the first comment in English is: "Path to the Telegram folder on your current Mac" and the second, "Copy files and folders."

Conclusion

In this post, we analyzed a malicious disk image that appears to not yet be known to security vendors, but has similar traits to the growing number of stealers targeting MacOS users like Amos, Poseidon, etc.

Impersonating a well-known app like The Unarchiver, the malicious binary written in Swift steals information from victim systems, and exfiltrates that data to infrastructure using a common URL path, /api/index.php.

To stay ahead of emerging threats, contact us to book a free demo today.

Related Posts:

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.