Advanced Mac Cleaner's own description of its "Malware Scan" feature reads: "For Customer Support, call: (801) 857-2372. It effectively scans and removes found infections and unwanted apps, which could compromise your Mac. Malware Scan ensures that your Mac stays protected from infections such as malware, adware, and spyware."

The previous report already detailed these features well enough, so only a few screenshots of them are shown here. Some of the dropped binaries, such as AMCleaner (93dd0c34a4ec25a508cd6d5fb86d8ccc0c318238d9fee0c93342a20759bf9b7e), are already flagged as malicious on VirusTotal (VT) with 7/56 detections, which could be a hint for vigilant users. There are also some fancy nonsense statistics screenshots, intended to scare the analyst (:p).

Other great things from the Cuckoo sandbox are the Network analysis and the Dropped files. Their DNS names mostly resolve to Akamai, so I suggest using the domain as the IOC rather than the IP address, which may differ depending on the viewer's location. Some of the dropped Mach-O executables are not signed, and we don't know whether those could be really dangerous (the unsigned Mach-O executable from the APT32 / OceanLotus campaign that lately targeted Vietnamese organisations is a really sophisticated one).

Filtering the system call logs with some rules of mine, no evasion technique was found. That is quite surprising, because VirusTotal's behavioral analysis shows a shorter execution trace than mine, which usually means the environment was detected at some point and the malware stopped running. In Patrick's report he said there might be MAC address verification to detect a VM (a VM MAC address usually starts with '00:xx'). I should add a new rule, "MAC address check", later.

Additionally, instead of execve(), the macOS sandbox policy usually invokes processes through xpcproxy or launchd services. So we got several processes created with posix_spawn(): deleting the Safari, iBooks and Mail caches (likely Advanced Mac Cleaner doing its job) and installing the PUAs mentioned above, and we got some new IOCs. At this point we have all the indicators needed to write a behavioral detection rule and go hunting for other similar adware samples.
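As an added example (not code from the original post), here is a small Python filter in the spirit of the "rules of mine" above, run over constructed Cuckoo-style syscall lines; it includes the "MAC address check" rule the post says it will add. The line format, the sample trace and the hypervisor OUI list are assumptions; the loader names and cache directories come from the post.

```python
import re
from collections import defaultdict

# Constructed sample trace in an assumed "pid api key=value ..." form; not real sandbox output.
SAMPLE_TRACE = """\
412 posix_spawn path=/bin/rm args=-rf /Users/u/Library/Caches/com.apple.Safari
412 posix_spawn path=/bin/rm args=-rf /Users/u/Library/Caches/com.apple.mail
412 posix_spawn path=/usr/libexec/xpcproxy args=com.example.helper
413 sysctl name=net.link.generic.system.ifdata result=00:0c:29:3a:bb:1c
413 posix_spawn path=/Users/u/Downloads/mac args=--install
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<rest>.*)$")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
# Well-known hypervisor OUIs (VMware, VirtualBox, Parallels); the post only notes "00:xx".
VM_OUI = ("00:0c:29", "00:50:56", "08:00:27", "00:1c:42")
LOADER_NAMES = {"mac", "SearchWebSvc", "TrustedSafeFinder"}  # loader names named in the post
CACHE_DIRS = ("com.apple.Safari", "com.apple.mail", "com.apple.iBooks")

def parse(line):
    """Turn one trace line into {pid, api, rest}; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return None if not m else {"pid": int(m.group("pid")), "api": m.group("api"), "rest": m.group("rest")}

def cache_deletion(ev):
    """posix_spawn of rm against a browser/mail/iBooks cache directory."""
    r = ev["rest"]
    return ev["api"] == "posix_spawn" and "path=/bin/rm" in r \
        and "Library/Caches" in r and any(c in r for c in CACHE_DIRS)

def loader_spawn(ev):
    """A process image whose basename is one of the known loader names."""
    m = re.search(r"path=(\S+)", ev["rest"])
    return ev["api"] in ("posix_spawn", "execve") and bool(m) \
        and m.group(1).rsplit("/", 1)[-1] in LOADER_NAMES

def vm_mac_check(ev):
    """Any MAC address in the call arguments/results carrying a hypervisor OUI."""
    return any(mac.lower().startswith(VM_OUI) for mac in MAC_RE.findall(ev["rest"]))

RULES = {"cache_deletion": cache_deletion, "loader_spawn": loader_spawn, "vm_mac_check": vm_mac_check}

def scan(trace):
    """Return {rule_name: [pid, ...]} for every rule that fires on the trace."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["pid"])
    return dict(hits)
```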
An Apple Mac is not virus-free, even with all the fancy Apple protections (XProtect, Gatekeeper, the Mac sandbox, code signing, etc.), as many security researchers have already warned. This is likely an affiliate advertising campaign, in which the adware authors spent quite some money (~$800) on these 8 Apple developer certificates, and only 2 of them have been revoked so far. I don't think OSX/Mughthesec would be an appropriate name for the adware; I suggest OperatorMac, because all campaign packages call a simple loader binary named "mac". Also, instead of Mughthesec, other adware uses different loader names such as SearchWebSvc, TrustedSafeFinder, etc. We can never know whether AV would detect those adware samples while they are running live. Be vigilant: no one needs Flash nowadays, it's dead.
Author: Joe