Trojan.MacOS.SLISP.A
2021年2月23日
:
Trojan.OSX.SilverSparrow (IKARUS)
平台:
OSX
总體(tǐ)风险等级:
潜在破坏:
潜在分(fēn)布:
感染次数:
信息暴露:
恶意软件类型:
Trojan
有(yǒu)破坏性?:
没有(yǒu)
加密?:
In the Wild:
是的
概要
感染途徑: ???????, ?????????
N???????????????????????
技(jì )术详细信息
文(wén)件大小(xiǎo): 54403 bytes
报告日期: Other
内存驻留: 没有(yǒu)
初始樣本接收日期: 2021年2月22日
Payload: ??? URL/Ip, ????, ????
???????
???????????????????????
??
????????:
- /Users/scbox/Library/Application Support/agent_updater
????
???????:
- ~/Library/LaunchAgents/init_agent.plist -> persistence for agent.sh
- ~/Library/Application Support/agent_updater/agent.sh -> detected as Trojan.SH.SLISP
????
???????:
- Query String:
- sqlite3 /Users/scbox/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like \"%stu=3c55805%\" order by LSQuarantineTimeStamp desc
????
??? HTTP POST ??????????? URL:
- http://api.{BLOCKED}traits.com/pkl
??????
它连接到以下可(kě)疑的网址:
- mobiletraits.s3.{BLOCKED}aws.com
- s3-1-w.{BLOKCED}aws.com
- api.{BLOCKED}traits.com
?????????:
- This malware is a pkg file (updater.pkg) that contains malicious pre-install scripts inside the Distribution.xml file -> detected as Trojan.XML.SLISP.A
- The Distribution.xml file contains javascript codes to run system commands and does the routine:
- Creates file init_agent.plist
- Creates file agent.sh
- Downloads version.plist
- Run init_agent.plist
- agent.sh downloads and runs its payload
- Query Download Data
- Init_agent.plist calls agent.sh every hour
- The url that agent.sh downloads is dependent from another downloaded file from https://mobiletraits.s3.{BLOCKED}aws.com/version.json and is stored in /tmp/version.json
- The .pkg file will also execute the bystander binaries file
解决方案
最小(xiǎo)扫描引擎: 10.000
First VSAPI Pattern File: 16.557.00
VSAPI 第一样式发布日期: 2021年2月23日
VSAPI OPR样式版本: 16.557.00
VSAPI OPR样式发布日期: 2021年2月23日
?????????????,???????Trojan.MacOS.SLISP.A?? ????????????????????????,????????????????????????????????????????