The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.

The malware was extremely simplistic on the surface, consisting of only two files: ~/.client

The .plist file itself couldn’t have been much simpler, simply keeping the.

The .client file was where things got really interesting. It took the form of a minified and obfuscated Perl script. The Perl script, among other things, communicates with the following command and control (C&C) servers: 99.153.29.240

The latter is a domain name managed by the dynamic DNS service.

The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command. The most interesting part of the script can be found in the __DATA__ section at the end.
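As an added triage example (my code, not the post’s or the malware’s), the Python below checks a LaunchAgent plist for a hidden home-directory script it keeps alive, then scans a Perl file for the indicators named above: the C&C IP, the screencapture/xwd/uptime shell commands, and an appended __DATA__ section. The plist label, the use of the launchd KeepAlive key, and the sample Perl text are constructed assumptions; only ~/.client and 99.153.29.240 come from the post.

```python
import plistlib
import re

# Indicators quoted in the write-up: hidden script path, C&C IP, wrapped shell commands.
HIDDEN_SCRIPT = "~/.client"
CNC_IP = "99.153.29.240"
SHELL_INDICATORS = ("screencapture", "xwd", "uptime", "/proc/uptime")

# Constructed sample LaunchAgent (label is a placeholder; KeepAlive is a real launchd key,
# but its use by this malware is an assumption, not something the post states).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>PLACEHOLDER.label</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.client</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed, inert stand-in for the obfuscated script: it only carries the strings the post mentions.
SAMPLE_SCRIPT = """#!/usr/bin/perl
my $srv = '99.153.29.240';
my @cmds = ('screencapture', 'xwd', 'uptime', 'cat /proc/uptime');
__DATA__
<payload appended here>
"""


def plist_refs_hidden_script(plist_bytes: bytes) -> dict:
    """Report whether a LaunchAgent launches a dotfile in a home directory and keeps it alive."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments", [])
    hidden = [a for a in args if re.search(r"/Users/[^/]+/\.[^/]+$", a) or a.startswith("~/.")]
    return {"label": p.get("Label"), "hidden_targets": hidden, "keep_alive": bool(p.get("KeepAlive"))}


def triage_perl_script(text: str) -> dict:
    """Flag the C&C IP, the shell-command indicators, and the size of any __DATA__ section."""
    found = [s for s in SHELL_INDICATORS if s in text]
    parts = text.split("\n__DATA__\n", 1)  # Perl reads everything after __DATA__ via the DATA handle
    return {"cnc_ip": CNC_IP in text, "shell_cmds": found,
            "has_data_section": len(parts) == 2,
            "data_bytes": len(parts[1]) if len(parts) == 2 else 0}


if __name__ == "__main__":
    print(plist_refs_hidden_script(SAMPLE_PLIST))
    print(triage_perl_script(SAMPLE_SCRIPT))
```

On a live system, the same two functions can be pointed at each file under ~/Library/LaunchAgents and at the script each one references.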