oreoana.blogg.se

Stockfolio windows

Recently, researchers at Trend Micro spotted a new piece of in-the-wild macOS malware that spoofs a genuine stock market trading app to open a backdoor and run malicious code. In this post, we first give an overview of how the malware works, and then use this as an example to discuss different detection and response strategies, with a particular emphasis on explaining the principles and advantages of using behavioral detection on macOS.

Let’s begin by taking a look at the technical details of this new piece of macOS malware. Two variants were initially discovered by researchers who identified them as GMERA.A and GMERA.B. In this post, we will focus on the interesting points in a particular sample of GMERA.B that pertain to detection and response. Our sample, which was not analyzed in the previous research, is:

d2eaeca25dd996e4f34984a0acdc4c2a1dfa3bacf2594802ad20150d52d23d68

Despite having been on VirusTotal for 9 days already, and the initial Trend Micro research having hit the news 5 days ago, this particular sample remains undetected by the reputation engines on the VT site as of today.

As with the GMERA.A variant, the malware comes in a macOS application bundle named “Stockfoli.app”. The name is a letter shy of a genuine app called “Stockfolio.app”, which the malware purports to be a copy of, and which is placed inside the malicious Stockfoli.app’s Resources folder. The Stockfolio.app inside the Resources folder appears to be an undoctored version of the genuine app, save for the fact that the malware authors have replaced the original developer’s code signature with their own. We will come back to code signing in the next section.

Of particular note in the Resources folder is the malicious run.sh script. We can see that in this sample the script contains a bunch of lightly encoded base64 and that, upon decoding, it will write the contents as a hidden property list file in the ~/Library/LaunchAgents folder with, in this case, the file name. Upon decoding the base64, we see the dropped property list file itself contains more encoded base64 in its Program Arguments.

Further decoding reveals a bash script that opens a reverse shell to the attackers’ C2. The code sleeps for 10000 seconds, then quits and kills any previous connection. The screen utility is then used to start a new session in ‘detached’ mode. This essentially allows the attacker to resume the same session if the connection should drop at any point. The script then invokes Bash’s interactive mode to redirect the session to the attackers’ device at the URL shown above across port 25733. In their write-up, the Trend Micro researchers reported seeing the reverse shell used over ports 25733–25736. Disassembly of the main binary in our sample shows that two further ports, 2578, may also be utilized, with the latter used with zsh rather than bash as the shell of choice.

Before we move on to discuss detection and response, let’s note one further characteristic of the malware not pointed out in the previous research. The malicious Stockfoli.app’s Info plist is being distributed with at least two different bundle identifiers (we’re sure there will be more). Looked at casually, those look like they begin with ‘com.apple’. But closer inspection (or changing the font) reveals that the ‘l’ in “apple” is in fact a capital “I”. We will come back to the reason for this ruse below.

If you’re a Mac user running an unprotected Mac (i.e., you’re not using a Next-Gen solution like SentinelOne), you might be glad to hear that these malicious samples should now fail to execute if you try to download and run them. That’s due to the fact that Apple have since revoked the code signature used to sign these samples.

A fellow macOS enthusiast remarked to me after this latest discovery that Apple’s action proved to him that Macs are secure against malware, to which my somewhat more circumspect response was: how long was this malware in the wild before it was discovered and the signature revoked? How many users were infected by this malware before it became publicly known? How many unknown, validly signed malware samples are still out there? While it’s great to see Apple on the ball and revoking the signatures of known malware, this kind of after-the-fact protection shouldn’t provide as much comfort as some seem to take from it.
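As an added illustration of the behavioral indicators described above (this is not code from the original post or from SentinelOne), the following Python scans a LaunchAgent plist for nested base64 in its ProgramArguments that decodes to a detached screen session, an interactive bash or zsh, or one of the reported C2 ports, and flags a Label that only reads as ‘com.apple’ because a capital ‘I’ stands in for the ‘l’. The sample plist, its embedded script and the address 203.0.113.10 are constructed placeholders, not the real dropped files.

```python
import base64
import binascii
import plistlib
import re

# Indicators from the behaviour described above: a detached screen session,
# an interactive bash/zsh, and the C2 ports Trend Micro reported.
SUSPICIOUS_PATTERNS = [
    r"screen\s+-d\s*-m",     # session survives a dropped connection
    r"\b(bash|zsh)\s+-i\b",  # interactive shell (zsh in the second variant)
    r"\b2573[3-6]\b",        # ports 25733-25736
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 runs only

def decode_layers(text, max_depth=3):
    """Decode every long base64 run, repeating for nested layers; return all layers joined."""
    layers = [text]
    for _ in range(max_depth):
        decoded = []
        for token in B64_TOKEN.findall(layers[-1]):
            try:
                decoded.append(base64.b64decode(token).decode("utf-8", "replace"))
            except (binascii.Error, ValueError):
                continue
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return "\n".join(layers)

def homoglyph_apple_id(identifier):
    """True when the id only reads as com.apple because a capital I replaces a lowercase l."""
    if identifier.startswith("com.apple"):
        return False
    return identifier.replace("I", "l").startswith("com.apple")

def scan_launch_agent(plist_bytes):
    """Return (matched patterns, label-is-homoglyph) for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    text = decode_layers("\n".join(str(a) for a in plist.get("ProgramArguments", [])))
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, text)]
    return hits, homoglyph_apple_id(str(plist.get("Label", "")))

# Constructed samples (not the real dropped plist): script base64-encoded in ProgramArguments, com.appIe label.
INNER_SCRIPT = "sleep 10000\nscreen -d -m bash -i  # constructed placeholder C2 203.0.113.10 25733\n"
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.appIe.stockfoli",
    "ProgramArguments": ["/bin/bash", "-c", "echo "
                         + base64.b64encode(INNER_SCRIPT.encode()).decode() + " | base64 -D | bash"],
})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup", "ProgramArguments": ["/usr/bin/true"]})
```

Run over each file in ~/Library/LaunchAgents, any non-empty hit list or a homoglyph label is worth a closer look; the same nested decoding applies to the run.sh dropper itself.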