Trojan.MacOS.SLISP.A

N它可能是用户在访问恶意网站时在无意中下载而来。

新病毒详细信息

它可能是用户在访问恶意网站时在无意中下载而来。

安装

它添加下列文件夹：

• /Users/scbox/Library/Application Support/agent_updater

植入例程

它植入下列文件：

• ~/Library/LaunchAgents/init_agent.plist -> persistence for agent.sh
• ~/Library/Application Support/agent_updater/agent.sh -> detected as Trojan.SH.SLISP

信息窃取

它收集下列数据:

• Query String:
  • sqlite3 /Users/scbox/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like \"%stu=3c55805%\" order by LSQuarantineTimeStamp desc

窃取信息

它通过 HTTP POST 将收集的信息发送到下列 URL：

• http://api.{BLOCKED}traits.com/pkl

其他详细信息

It connects to the following possibly malicious URL:

• mobiletraits.s3.{BLOCKED}aws.com
• s3-1-w.{BLOKCED}aws.com
• api.{BLOCKED}traits.com

该程序执行以下操作：

• This malware is a pkg file (updater.pkg) that contains malicious pre-install scripts inside the Distribution.xml file -> detected as Trojan.XML.SLISP.A
• The Distribution.xml file contains javascript codes to run system commands and does the routine:
  • Creates file init_agent.plist
  • Creates file agent.sh
  • Downloads version.plist
  • Run init_agent.plist
  • agent.sh downloads and runs its payload
  • Query Download Data
• Init_agent.plist calls agent.sh every hour
• The url that agent.sh downloads is dependent from another downloaded file from https://mobiletraits.s3.{BLOCKED}aws.com/version.json and is stored in /tmp/version.json
• The .pkg file will also execute the bystander binaries file