Most of the technical aspects of this specimen's behaviour are described in the blog post referenced above; however, there are some other interesting points I would like to highlight.
In order to install some of the tools used by the malware, such as Tor, the malware needs to fetch packages from Homebrew, and Homebrew in turn requires Xcode to be installed, hence both of them are installed.
The set of processes launched to install the different dependencies can be observed, as well as how some of the tools are installed from git.
Apart from that, the proxy configuration that routes traffic through the Tor node is easy to spot, as it modifies the file /Library/Preferences/SystemConfiguration/preferences.plist
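As an added example (not code from the original post), the following Python script parses a SystemConfiguration preferences.plist and reports every network service with an enabled proxy or PAC URL, flagging the ones that point at the local machine, which is where a locally running Tor listener would sit. The plist below is a constructed sample, not a capture from the malware; the key names (HTTPEnable, HTTPProxy, HTTPPort, SOCKSEnable, ProxyAutoConfigEnable, ProxyAutoConfigURLString) are the ones macOS uses under NetworkServices/<service>/Proxies, and the port 5555 is arbitrary.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample of /Library/Preferences/SystemConfiguration/preferences.plist,
# trimmed to the parts that matter: two services, one clean and one with an
# HTTP proxy and a PAC URL pointing at a local listener (port chosen arbitrarily).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NetworkServices</key>
  <dict>
    <key>AAAA-1111</key>
    <dict>
      <key>UserDefinedName</key><string>Wi-Fi</string>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key><integer>0</integer>
        <key>HTTPSEnable</key><integer>0</integer>
        <key>ExceptionsList</key><array><string>*.local</string></array>
      </dict>
    </dict>
    <key>BBBB-2222</key>
    <dict>
      <key>UserDefinedName</key><string>Ethernet</string>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key><integer>1</integer>
        <key>HTTPProxy</key><string>127.0.0.1</string>
        <key>HTTPPort</key><integer>5555</integer>
        <key>ProxyAutoConfigEnable</key><integer>1</integer>
        <key>ProxyAutoConfigURLString</key><string>http://127.0.0.1:5555/proxy.pac</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Each kind has <kind>Enable / <kind>Proxy / <kind>Port keys in the Proxies dict.
PROXY_KINDS = ("HTTP", "HTTPS", "SOCKS", "FTP")


def proxy_findings(plist_bytes):
    """Return one dict per enabled proxy or PAC URL found under
    NetworkServices/<service>/Proxies, in document order."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for svc_id, svc in prefs.get("NetworkServices", {}).items():
        name = svc.get("UserDefinedName", svc_id)
        proxies = svc.get("Proxies", {})
        for kind in PROXY_KINDS:
            if proxies.get(kind + "Enable"):
                target = "%s:%s" % (proxies.get(kind + "Proxy", "?"),
                                    proxies.get(kind + "Port", "?"))
                findings.append({"service": name, "kind": kind, "target": target})
        if proxies.get("ProxyAutoConfigEnable"):
            findings.append({"service": name, "kind": "PAC",
                             "target": proxies.get("ProxyAutoConfigURLString", "?")})
    return findings


def target_host(target):
    """Host part of either 'host:port' (IPv6 in brackets) or a full URL."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0].strip("[]")


def points_to_loopback(target):
    """True when the proxy/PAC target is the local machine (127.x, ::1 or
    'localhost'); a locally running Tor listener shows up like this."""
    host = target_host(target).lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def suspicious_findings(plist_bytes):
    """Only the findings whose target is the local machine."""
    return [f for f in proxy_findings(plist_bytes) if points_to_loopback(f["target"])]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for f in proxy_findings(data):
        flag = "LOOPBACK" if points_to_loopback(f["target"]) else "ok"
        print("%-10s %-6s %-40s %s" % (f["service"], f["kind"], f["target"], flag))
```

Run it against a copy of the real file (`python3 check_proxies.py preferences.plist`); a baseline copy taken before the infection makes the diff in the Ethernet/Wi-Fi service obvious.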
Regarding the persistence of the malware, and for the specific sample with hash 07b67d95176fb35e70c38561c8d679
It is also very easy to spot this process in the logs:
May 28 09:37:05 --- last message repeated 6 times ---
May 28 09:37:05 labtests-Mac com.apple.xpc.launchd (homebrew.mxcl.tor): This service is defined to be constantly running and is inherently inefficient.
Lastly, the keychain file where the certificate is stored changes when the new certificate is imported. This file is in /Library/Keychains/
The first samples were detected on 22/04, and the developer's signing certificate had the serial number "48 CA D4 E6 96 6E 22 D62". Some samples from those dates are:
Then, on 03/05, another batch of emails was sent with this malware, but this time the certificate used to sign the malicious app had the serial number "12 72 51 B3 2B 9A 50 BD".
Some samples from those days:
On 11/05, another batch of emails and another different certificate: "30 E1 5E 51 24 0E 65 13"
On 16/05, again another round of malicious emails and another certificate: "57 CA 73 4E 7B 02 E2 28"
On 19/05, a new wave of emails and another certificate: "5E 25 44 7D 4F 1A 7E 4D"
In all cases, the certificates were created a day or two before being used to sign the malicious app, and they belonged to valid Apple developer accounts.
Three days ago, a new wave of emails was sent, and again a new certificate was used: "61 BA 22 AC 99 02 79 A1". Once more, the certificate was created the day before the first sample was detected.
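To turn the serials above into a check that can be run on a suspicious bundle, here is an added Python example (not code from the original post). It walks the first fields of a DER-encoded X.509 certificate with a minimal TLV reader, pulls out the serialNumber, renders it in the "XX XX ..." form quoted above and looks it up in a table of the campaign serials. The 22/04 serial is left out of the table because it is printed above in a form that does not split into byte pairs. The DER blob at the bottom is a constructed stand-in with only the version and serial fields, not a real Apple certificate.

```python
# Serial numbers listed above, one per campaign wave, as normalised hex
# (no spaces, upper case). The 22/04 serial is omitted: it is printed above in
# a form that does not split into byte pairs.
CAMPAIGN_SERIALS = {
    "127251B32B9A50BD": "03/05 wave",
    "30E15E51240E6513": "11/05 wave",
    "57CA734E7B02E228": "16/05 wave",
    "5E25447D4F1A7E4D": "19/05 wave",
    "61BA22AC990279A1": "latest wave",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value_start, value_end).
    Handles both the short and the long (multi-byte) length encoding."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def certificate_serial(der):
    """Return the raw serialNumber bytes of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    Only the leading fields are walked; the rest of the blob is never parsed."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected Certificate SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)            # tbsCertificate
    if tag != 0x30:
        raise ValueError("expected TBSCertificate SEQUENCE")
    tag, start, end = _read_tlv(der, pos)        # version [0] or serialNumber
    if tag == 0xA0:                              # explicit version present: skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return der[start:end]


def format_serial(serial):
    """Render as 'XX XX ...' like the serials quoted above. DER pads a positive
    integer whose top bit is set with a leading 0x00 byte; drop that pad."""
    if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
        serial = serial[1:]
    return " ".join("%02X" % b for b in serial)


def normalise(serial_text):
    """'12 72 51 b3' -> '127251B3' so quoted serials compare reliably."""
    return serial_text.replace(" ", "").upper()


def match_campaign(der):
    """Campaign label for a certificate whose serial appears above, else None."""
    return CAMPAIGN_SERIALS.get(normalise(format_serial(certificate_serial(der))))


# --- constructed test input (not a real Apple certificate) -------------------
def _der(tag, content):
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Stand-in for a DER certificate: only version and serialNumber are real fields;
# zero filler pads both SEQUENCEs so the long-form length path is exercised.
SAMPLE_CERT = _der(0x30,
    _der(0x30, _der(0xA0, _der(0x02, b"\x02"))
               + _der(0x02, bytes.fromhex("127251B32B9A50BD"))
               + b"\x00" * 200)
    + b"\x00" * 16)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT
    print(format_serial(certificate_serial(blob)), "->", match_campaign(blob) or "no match")
```

On macOS, `codesign -d --extract-certificates /path/to/Bundle.app` writes the signing chain as DER files named codesign0 (the leaf), codesign1, ... in the current directory; passing codesign0 to this script gives the leaf serial, and `openssl x509 -inform DER -in codesign0 -noout -serial` should agree with it.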
It is very interesting to see the pattern across the email campaigns: the malicious app is signed with a different certificate each time.
This last sample, however, has a really low detection rate: only 4 AV engines detect it as malware.
Some samples are here:
In this last wave of emails there is something interesting worth mentioning. This time the malicious app is not attached to the email directly; instead, a PDF file is attached with a link to the malicious app hosted on Dropbox. There are also some typos in the email ("Amason" instead of "Amazon").
Another interesting point is that the PDF also contains a link to the Windows version of the malware (a DOCX file with macros).
The PDF has been on VT for three days:
The links to the linked malware are here:
The Windows version of the malware has not changed since the last time I took a look here, where they were using PowerShell instead of JS.
Since the last time I took a look at the Proxifier setup to figure out the affected banks, 49 new domains of Swiss banks have been included in the list:
*credinvest.ch *bancazarattini.ch *appkb.ch *arabbank.ch *apbank.ch *notenstein-laroche.ch *bankbiz.ch *bankleerau.ch *btv3banken.ch *bhibank.com *dcbank.ch *bnpparibas.com *bordier.com *banquethaler.com *bbva.ch *pbgate.net *cmcic-banquepasche.com *bil.com *bcpconnect.com *banquecramer.ch *banqueduleman.ch *bankhaus-jungholz.ch *sparhafen.ch *bankzimmerberg.ch *bankleerau.ch *vontobel.com *notenstein-laroche.ch *bankbiz.ch *ceanet.ch *ce-riviera.ch *cen.ch *cedc.ch *cbhbank.com *cimbanque.net *cembra.ch *cmvsa.ch *coutts.com *ca-financements.ch *commerzbank.com *dominickco.ch *efginternational.com *exane.com *ekaffoltern.ch *falconpb.com *gemeinschaftsbank.ch *frankfurter-bankgesellschaft.com *glarner-regionalbank.ch *globalance-bank.com *hsbcprivatebank.com
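The rules above are wildcard patterns of the form `*domain.tld`, and three of them (*bankleerau.ch, *notenstein-laroche.ch, *bankbiz.ch) appear twice in the list. As an added example (not code from the original post), the Python below builds a matcher for such a list, deduplicates it, and contrasts the plain glob reading with a stricter label-boundary reading: a rule like `*bil.com` under glob semantics also intercepts any unrelated host that merely ends in "bil.com". It uses a short subset of the list above rather than all 49 entries, and it assumes Proxifier treats `*` as "any run of characters" and `?` as "one character".

```python
import re

# Subset of the Proxifier target list above (kept short for the example);
# *bankleerau.ch is repeated here as it is in the full list.
RULES = ("*credinvest.ch *bankleerau.ch *bil.com *vontobel.com "
         "*bankleerau.ch *cen.ch *hsbcprivatebank.com").split()


def unique_rules(rules):
    """Drop repeated rules, keeping first-seen order."""
    seen, out = set(), []
    for r in rules:
        if r not in seen:
            seen.add(r)
            out.append(r)
    return out


def rule_to_regex(rule):
    """Wildcard rule to regex: '*' any run of characters, '?' one character
    (assumed Proxifier glob semantics); matching is case-insensitive."""
    parts = []
    for ch in rule:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def loose_match(host, rules):
    """First rule that matches the host under plain glob semantics, or None.
    A leading '*' with no dot boundary also catches hosts that merely end
    with the same letters (e.g. automobil.com for *bil.com)."""
    for rule in unique_rules(rules):
        if rule_to_regex(rule).match(host):
            return rule
    return None


def strict_match(host, rules):
    """Same list, but a leading '*' only spans whole labels: the host must be
    the bare domain or a subdomain of it."""
    host = host.lower()
    for rule in unique_rules(rules):
        suffix = rule.lstrip("*").lower()
        if host == suffix or host.endswith("." + suffix):
            return rule
    return None


def overmatches(hosts, rules):
    """Hosts the loose rules intercept that the strict reading would not."""
    return [h for h in hosts if loose_match(h, rules) and not strict_match(h, rules)]


if __name__ == "__main__":
    for h in ("ebanking.credinvest.ch", "www.bil.com", "automobil.com", "zencen.ch", "example.com"):
        print("%-25s loose=%-18s strict=%s" % (h, loose_match(h, RULES), strict_match(h, RULES)))
```

Feeding the full list above as `RULES` shows which of the 49 entries are duplicates and which short suffixes (bil.com, cen.ch) sweep in unrelated traffic through the proxy.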