![]() Via a ProcessMonitor, we see that the trojanized application (whose pid is 1350) will execute this mdworker binary (via bash): The malware is found within the trojanized application bundle, as a binary named mdworker eTrader app, containing ElectroRAT If the user is tricked into downloading and running the application, they will inadvertently infect themselves with ElectroRAT. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware." -IntezerĮTrader app, containing ElectroRAT eTrader app, containing ElectroRAT " These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. In terms of its infection vector, Intezer noted the use of trojanized/fake crypto currency applications : Infection Vector: Trojanized/Fake Crypto-Currency Applications “Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets” steal personal information from cryptocurrency users" -Intezer This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch." " we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have initiated in January 2020. Installed (to /usr/bin/lldb) as part of Xcode.Ī “reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications” …or malware specimens!ĮlectroRAT is a cross-platform remote “administration” tool (RAT), designed to steal information from cryptocurrency users.ĭownload: OSX.ElectroRAT (password: infect3d)ĮlectroRAT was uncovered by Intezer, who note: The de-facto commandline debugger for macOS. ![]() ![]() My open-source light weight network monitor. My open-source utility that displays code-signing information, via the UI. My open-source utility that monitors file events (such as creation, modifications, and deletions) providing detailed information about such events. My open-source utility that monitors process creations and terminations, providing detailed information about such events. While there are a myriad of malware analysis tools, these are some of my favorites, and include: Throughout this blog, I reference various tools used in analyzing the malware specimens. What was the purpose of the malware? a backdoor? a cryptocurrency miner? or something more insidious…Īlso, for each malware specimen, I’ve added a direct download link to the malware specimen, case you want to follow along with my analysis or dig into the malware more! □️ Malware Analysis Tools & Tactics How it installed itself, to ensure it would be automatically restarted on reboot/user login. However at the end of this blog, I’ve included a section dedicated to these other threats, that includes a brief overview, and links to detailed write-ups.įor each malicious specimen covered in this post, we’ll identify the malware’s: Adware and/or malware from previous years, are not covered. So as you might have guessed from the intro above, Hopper has the ability to analyse the procedures within a binary and generate pseudo code for you.In this blog post, we focus on new Mac malware specimens or significant new variants that appeared in 2021. However, there’s something that up until today (26 February 2014), Hopper couldn’t offer me and that is the ability to export the generated pseudo code.įor today, we’ll be using an example OSX application which I’m currently in the process of developing. I’ve been using Hopper as part of my assessments for the past while and the more I use it the more I love it. It’s got everything you need to get started, it’s affordable and it has a python API to plug in your own scripts. #Hopper #HopperApp #Disassembler #Pseudocode #Decompile #Hopper Plugin #iosįirst off I want to start by saying that if any of you are interested in binary analysis, reverse engineering, or iOS/OSX thick client pen-testing then I recommend you pick up a copy of Hopper Disassembler.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |