Mac OS X Live Forensics 107: Mac Malware

Hello all! We've talked a lot about OS X forensics in this series so far, taking a deep look at the OS X operating system and learning what is normal and what is abnormal. Now let's take a closer look at what is truly malicious. This post calls out a good deal of OS X malware, based on open source information I've gathered, along with the places to look for the indicators of compromise each family leaves behind. For a good idea of what your system is already looking for via XProtect, check out: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

If you want to download any, I suggest searching for the sample MD5 or SHA1 sum. I typically pull mine down with VirusTotal Intelligence, and always do my analysis in a sandbox! Now, let's dive into some of the fun OS X malware out there!!


WireLurker


Report:
http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
Samples:
MD5: 3fa4e5fec53dfc9fc88ced651aa858c6
SHA1: 42ad4311f5e7e520a40186809aad981f78c0cf05
SHA256: 98a01e7d0d5cbefa5569b1bcb5881b1f6618d18fe7e1e6ab1c4e8b02c14d1693
MD5: 9037cf29ed485dae11e22955724a00e7
SHA1: 0396176f3a9bfc8c2b8ddc979d723f9a77f16388
SHA256: aaecae4ef66c617c5cde4ed852b600591848f8db618a38cb8bd9e23fea9bcfcf
MD5: ecb429951985837513fdf854e49d0682
SHA1: 4c04ccd66bf6a1edb7b94f9320f80289d1097829
SHA256: 195e2e9ca6b50b7fff05859c475e1ab08bae7ccf82a6171580abc9c2778cdc72
Beacons: 
comeinbaby.com
IOCs:
/Users/Shared/run.sh
/usr/bin/globalupdate
/usr/local/machook/machook
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist

Sabpab


Report:
http://www.symantec.com/security_response/writeup.jsp?docid=2012-041310-1536-99&tabid=2
Samples:
MD5: 40C8786A4887A763D8F3E5243724D1C9
SHA1: 5c148e37b863a9ce8e5ba9f7c95637149a3b3926
SHA256: c3f32ba569ce3b3c8901d1bb537363317df36c42557e6a5ee4e07fd8ee7956a9
Beacons: 
rtx556.onedumb[.]com
IOCs:
~/Library/LaunchAgents/com.apple.PubSabAgent.plist
~/Library/Preferences/com.apple.PubSabAgent.pfile


Crisis


Report:
http://www.sans.org/reading-room/whitepapers/threats/opportunity-crisis-34600
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/crisis_the_advanced_malware.pdf
Samples:
MD5: ba170664095b53d97690b5be208927e2
SHA1: 465ca6b7e883a7d145ddf6d59e3ef1c0eec279e5
SHA256: 53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524
Beacons: 
176.58.100.37
IOCs:
~/Library/Preferences/jlc3V7we.app
~/Library/ScriptingAdditions/appleHID/
/Library/LaunchAgents/com.apple.mdworker.plist
/System/Library/Frameworks/Foundation.framework/XPCServices/


Genieo


Report:
http://www.thesafemac.com/arg-genieo/
Samples:
MD5: d43fd1bfc8b51fc228f9a31fb5f1353b
SHA1: f548bf98c423937454e62eea120d684c9953c347
SHA256: 90afdd0ccbac71d1e2c81488b61c65d0b9df1a96947c7901c4a41284d19c048c
IOCs:
~/Library/LaunchAgents/com.geneio.completer.download.plist
~/Library/LaunchAgents/com.geneio.completer.update.plist
~/Library/Preferences/com.geneio.settings.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/Applications/Genieo
/Applications/Uninstall IM Completer.app
/var/lib/libimckit.dylib
/var/lib/libimckitsa.dylib
/Library/Frameworks/GenieoExtra.framework


Olyx


Report:
http://blogs.technet.com/b/mmpc/archive/2011/07/25/backdoor-olyx-is-it-malware-on-a-mission-for-mac.aspx
Samples:
MD5: 93a9b55bb66d0ff80676232818d5952f
SHA1: 0b0ca1263df13e124a8db0b744f8a6462e41fe44
SHA256: a5c1b89b26007f4672409e0e7a3ab85135a0ffc01c74c4b6d49084da7fe9def5
MD5: ae8d91261c6fb0ca5145454898126f5f
SHA1: 90ebc867d3e69f10fc45e28dc87789b1c7092c5f
SHA256: 249107f3129a45dd38a6e7884cae2a4f50a037b019d42dd1a504a1df1b6b11bf
Beacons: 
121.254.173.57
IOCs:
/Library/LaunchAgents/www.google.com.tstart.plist
/Library/Application Support/google/startp


CallMe


Report:
https://www.alienvault.com/open-threat-exchange/blog/cyber-espionage-campaign-against-the-uyghur-community-targeting-macosx-syst
Samples:
MD5: 14c3ffeb7eca1fd42a4d161faabbb8bd
SHA1: a7413ae0008dba53817502b64c4c3554cdcaeeab
SHA256: eadb56789a6786268628f41a4b9b5b9de9b96d364657164083fd4184e93b480d
MD5: 910928E2E5AAAFC662C632D650CDD650
SHA1: ead3b15e4c9cee31c502a091cff6d3d222a2aa28
SHA256: c4b6845e50fd4dce0fa69b25c7e9f7d25e6a04bbca23c279cc13f8b274d865c7
IOCs:
~/Library/launchagents/.system
~/Library/launchagents/apple.plist
/Library/LaunchDaemons/apple.plist
/Library/LaunchDaemons/.systm
/Library/Application\ Support/.realPlayerUpdate
/tmp/tmpAddressbook.vcf
/tmp/__system


Revir


Report:
http://www.macrumors.com/2011/09/26/apple-updates-anti-malware-tools-to-address-new-trojan-threat/
Samples:
MD5: fe4aefe0a416192a1a6916f8fc1ce484
MD5: dfda0ddd62ac6089c6a35ed144ab528e
MD5: 22b1af87dc75a69804bcfe3f230d8c9d
MD5: 9d2462920fdaed5e360875fb0cf8274f
SHA1: 6ac6c17fd2bd5101415a2353097d68fb35c3d3a8
SHA256: b2d45a18d9ebaddacdb72ef96a21e24452891bd5e8b226ffcfd21a2145e53800
MD5: d029e0d44f07f9f4566b0fce93d8a17e
SHA1: cc3fc1a0f9d37390872321cb71ef057ee8ef098b
SHA256: 21186a6a74ccd1bae270690756f686e4a3c8479e9350c0cb8e6f9239c02fd0cc
Beacons: 
tarmu.narod[.]ru/
IOCs:
~/Library/LaunchAgents/checkvir.plist
/Applications/DSC08387.app
/Applications/DSC08511.app
/Applications/DSC08381.app
/tmp/updtdata
/tmp/host


MacProtector


Report:
http://www.securemac.com/MAC-Defender-Rogue-Anti-Virus-Analysis-Removal.php
Samples:
MD5: c785daff57a4c9049042f6bda2669961
SHA1: b59b4e03db490a9ba3d6798d8ecc4d9dfff6b67f
SHA256: 7fb474f0779fb9540e69e2c9e812a1c5789f11d0c41d2b76bc9d2258ba40b7f0
IOCs:
~/Library/Preferences/com.apple.loginitems.plist
/Library/Receipts/mdinstall.pkg
/Library/Receipts/Ispavid.pkg
/Library/Receipts/macProtectorInstallerProgramPostFlight.pkg
/Library/Receipts/macprotector.pkg


Leverage


Report:
https://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
Samples:
MD5: 6a36379b1da8919c1462f62deee666be
SHA1: 40b34e91cde683a567974750d1c5c9bcb09a87bb
SHA256: 9bf2f2a273988a7e9b8318ae7a6aa26d23ea8e5c841468605443c1a9a1fac193
Beacons: 
servicesmsc.sytes[.]net
IOCs:
/Users/Shared/UserEvent.app
/Applications/DSC00117.app


Yontoo


Report:
http://www.welivesecurity.com/2013/03/22/from-flicks-to-clicks-mac-os-x-trojan-adware-yontoo-fake-codec/
Samples:
MD5: b59a8a69e19867d277516a9c1fd0481e
SHA1: a6d24478d22a45d25703208702482a1bb7a2ae23
SHA256: 88c89f852fafe5d57a08007f5f5bf8e38d7a2806983a03ffa660af1b7a87e5e6
IOCs:
~/Library/Safari/Extensions/Extensions.plist
~/Library/Application\ Support/Mozzilla/Extensions/
~/Library/Application\ Support/Chrome/External\ Extensions/


Renepo


Report:
http://www.macworld.com/article/1040253/opener.html
Samples:
MD5: 80753666a54a8ae97bd6ed3a4e2f3702
SHA1: 11c9a661f499c06779f13e65ea78f90aa189124b
SHA256: b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab
IOCs:
/System/Library/StartupItems/$scriptname/StartupParameters.plist
/System/Library/StartupItems/$scriptname/$scriptname


IceFog


Report:
http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf
Samples:
MD5: 9f422bb6c00bb46fbfa3918ae3e9447a
SHA1: edff0cd0111ee1e3a85dbd0961485be1499bdb66
SHA256: 14290594cfa43f32d3c20ef5510e4a06c9c839c2bf3d5e2fdd8068b4327fe3d0
Beacons: 
cloudsbit[.]com
IOCs:
~/.launchd.app
~/Library/LaunchAgents/apple.launchd.plist


Okaz


Report:
http://www.intego.com/mac-security-blog/softonic-download-site-briefly-delivers-trojan-adware-installer/
Samples:
MD5: 3aa9d0d96ee2202deda7d923e5e2b9ab
SHA1: 42b045bfde31eb58df7bc57b64e2902690abff70
SHA256: 577a589c31ed3099811ac9e91e3bd09ddff99eb06210df2c5ceee4d7f7eb4abe
Beacons: 
chatzum[.]com
IOCs:
~/Library/Safari/Extensions/ChatZumBar.safariextz
~/Library/Application Support/Google/Chrome/Chrome.crx
/Library/Internet\ Plug-Ins/zako.plugin
/Library/Internet\ Plug-Ins/uid.plist
/Library/ScriptingAdditions/SIMBL.osax
/Library/LaunchAgents/net.culater.SIMBL.Agent.plist
/Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle


RSPLug


Report:
http://contagioexchange.blogspot.com/2012/06/023-crime-osx-dns-changer-osxrspluga.html
Samples:
MD5: 5291beb71cba2c5779119bff7a10abdb
SHA1: f620af9a43d6e46e6b028dc8b109ff5d4cced911
SHA256: 2bdcdab0a5d41f4b6aa48e2ab55177552c8419c3f8ce140c4850a0616d7a2f3e
IOCs:
/Library/Internet\ Plugins/Mozillplugin.plugin
ultracodec1237.dmg


LogKext


Report:
https://code.google.com/p/logkext/wiki/ReadMe
Samples:
MD5: 4f3baf54bf0fe2cb481654769cf3204d
SHA1: 72e514cb295e4491e8c5fa910a56584b11764975
SHA256: 34491d6eaf298ab5f49e5a65ba11b56ee130ff2c51ae9ea29e940a2e18909d67
IOCs:
/System/Library/Extensions/logKext.kext


Ventir


Report:
http://securelist.com/blog/research/67267/the-ventir-trojan-assemble-your-macos-spy/
Samples:
MD5: 9283c61f8cce4258c8111aaf098d21ee
SHA1: cb27650db5fd999d2a599d95ad0b5ccb031ce517
SHA256: 59539ff9af82c0e4e73809a954cf2776636774e6c42c281f3b0e5f1656e93679
IOCs:
~/Library/LaunchAgents/com.updated.launchagent.plist
~/Library/.local/*
/Library/LaunchDaemons/com.updated.launchagent.plist
/Library/.local/*


Janicab


Report:
http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/
Samples:
MD5: d85bd548decc7866ffd083329e23af8c
SHA1: 3c9d127000153c3edd36a71956ad1f6280efad9c
SHA256: df6d4d71a6c73df51b2c5286fb0e0dbb0fe5877ce55902b5269aae75751ab8a5
MD5: 3027d5589850d2fef3693a12ca4ec35e
SHA1: 28271bed553ae23696e7dcf20805e0c768b74a02
SHA256: 0c6624433e275f2941dc0232bf9e4cfb3a46464c853ab3f39b7c0828bac4ec72
IOCs:
crontab -l
~/.t/runner.pyc


Flashback


Report:
http://www.f-secure.com/weblog/archives/00002536.html
Samples:
MD5: 473426b7be5335816c545036cc724021
SHA1: 94e4b5112e750c7902968d97237618f5b61efeb2
SHA256: 0e2f4c5606135f1391df1b6616e01de3f045238c3871c133c32a692a6a46b21a
MD5: 8acfebd614c5a9d4fbc65eddb1444c58
SHA1: cb9515233d0c39faa7042d4b597c9135050c4f28
SHA256: 67c39863b651e01410d8a187c8f64f708075072f1fdac683f8ad0b8612067c77
Beacons: 
31.31.79.87
IOCs:
~/.jupdate
~/.MacOSX/environment.plist
~/Library/LaunchAgents/com.java.update.plist
/var/db/receipts/com.adobe.update.fp.flashPlayer.FlashPlayer.pkg.plist


XSLCMD


Report:
http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html
Samples:
MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1
SHA1: 46bb20aefd09ea0bad534d3aa9b567d89b5ae8c4
SHA256: 1db30d5b2bb24bcc4b68d647c6a2e96d984a13a28cc5f17596b3bfe316cca342
IOCs:
~/.fontset/pxupdate.ini
~/.fontset/chkdiska.dat
~/.fontset/chkdiskc.dat
~/Library/LaunchAgents/clipboardd
/Library/Logs/clipboardd
/var/db/.AccessibilityAPIEnabled
com.apple.service.clipboardd.plist
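As an added example that is not part of the original post, the script below parses entries written in the Name / Report / Samples / Beacons / IOCs layout used above and sweeps a filesystem root for the listed paths: `~/` is expanded to every home under /Users, the `\ ` escapes and `*` globs are resolved, non-path entries such as `crontab -l` are left for a manual check, and any file found is hashed with the algorithms the family lists (MD5, SHA1, SHA256) so a path hit can be upgraded to a hash match. Point `sweep()` at `/` on a live system or at the mount point of an evidence image. The DemoFamily entry, its report URL, beacon and paths, and the throwaway directory tree are all constructed for the demo (the hash is that of an empty file, so the empty launch agent matches); none of them is a real indicator.

```python
"""Added example (not from the original post): parse the post's IOC layout and sweep a filesystem root."""
import glob
import hashlib
import os
import tempfile

SECTION_HEADERS = ("Report:", "Samples:", "Beacons:", "IOCs:")
HASH_ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed input in the post's layout: names, URL, beacon and paths are invented;
# the hash is that of an empty file so the demo tree below can produce a match.
CONSTRUCTED_IOC_TEXT = r"""
DemoFamily

Report:
http://example.invalid/placeholder-report
Samples:
MD5: d41d8cd98f00b204e9800998ecf8427e
Beacons:
c2[.]example[.]invalid
IOCs:
~/Library/LaunchAgents/com.demo.agent.plist
/Library/LaunchDaemons/com.demo.daemon.plist
/Library/Application\ Support/Demo\ Helper/
/Library/.local/*
crontab -l
"""

def parse_ioc_entries(text):
    """One dict per family; family names in the post are bare words, so a bare word
    after a blank gap while still inside an IOCs section starts the next family."""
    families, current, section, prev_blank = [], None, None, True
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            prev_blank = True
            continue
        if line in SECTION_HEADERS:
            section = line[:-1]
        elif current is None or (section == "IOCs" and prev_blank and line.isidentifier()):
            current = {"name": line, "reports": [], "hashes": {}, "beacons": [], "iocs": []}
            families.append(current)
            section = None
        elif section == "Report":
            current["reports"].append(line)
        elif section == "Samples":
            algo, _, digest = line.partition(":")
            if algo.strip().upper() in HASH_ALGOS:
                current["hashes"].setdefault(HASH_ALGOS[algo.strip().upper()], set()).add(digest.strip().lower())
        elif section == "Beacons":
            current["beacons"].append(line.replace("[.]", ".").rstrip("/"))  # refang for matching
        elif section == "IOCs":
            current["iocs"].append(line.replace("\\ ", " "))  # undo shell-style escapes
        prev_blank = False
    return families

def candidate_paths(ioc, root, home_dirs):
    """'~/' expands to every home under root and '*' globs; non-path IOCs such as
    'crontab -l' or a bare file name yield nothing and are left to a manual check."""
    if ioc.startswith("~/"):
        patterns = [os.path.join(root, home, ioc[2:]) for home in home_dirs]
    elif ioc.startswith("/"):
        patterns = [os.path.join(root, ioc.lstrip("/"))]
    else:
        return []
    return [p for pat in patterns
            for p in (sorted(glob.glob(pat)) if "*" in pat else [pat]) if os.path.lexists(p)]

def sweep(families, root="/", home_dirs=None):
    """One finding per IOC path present under root (a live "/" or a mounted image);
    hash_match is True when the file's digest equals a listed sample hash."""
    if home_dirs is None:  # homes relative to root, e.g. "Users/alice"
        home_dirs = [os.path.relpath(p, root) for p in sorted(glob.glob(os.path.join(root, "Users", "*")))]
    findings = []
    for fam in families:
        for ioc in fam["iocs"]:
            for path in candidate_paths(ioc, root, home_dirs):
                data = open(path, "rb").read() if os.path.isfile(path) else None  # plists and droppers are small
                matched = data is not None and any(hashlib.new(a, data).hexdigest() in h for a, h in fam["hashes"].items())
                findings.append({"family": fam["name"], "ioc": ioc, "path": path, "hash_match": matched})
    return findings

def run_demo():
    """Constructed throwaway tree: a hash-matching (empty) launch agent, a daemon plist, a .local file, a helper dir."""
    families = parse_ioc_entries(CONSTRUCTED_IOC_TEXT)
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"Users/demo/Library/LaunchAgents/com.demo.agent.plist": b"",
                          "Library/LaunchDaemons/com.demo.daemon.plist": b"<plist/>",
                          "Library/.local/stash.bin": b"\x00" * 16}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        os.makedirs(os.path.join(root, "Library", "Application Support", "Demo Helper"))
        hits = [(f["family"], f["ioc"], os.path.relpath(f["path"], root), f["hash_match"])
                for f in sweep(families, root)]
    return families, hits

if __name__ == "__main__":
    for family, ioc, rel, matched in run_demo()[1]:
        print(f"{'HASH' if matched else 'PATH'} {family}: {ioc} -> {rel}")
```

A path hit without a hash match still deserves a look: the lists above are keyed on persistence locations (LaunchAgents, LaunchDaemons, StartupItems, browser extension folders) that a newer build of the same family would reuse with a different binary, so the sample hashes confirm a known build while the paths catch the variant.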