Next, the malware will check for the file ~/Library/._insu. The data it gets back looked something like this at the time of analysis: This script has several functions.įirst, it will contact a command & control server formerly hosted on Amazon AWS. The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.” pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. However, we do not know how these files were delivered to the user. We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. This malware is notable in being one of the first to include native code for Apple’s new M1 chips, but what is unknown about this malware is actually more interesting than what is known! Installation Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |