Malware stealing user credentials and credit card information Target information includes origin URL, username, password, and credit card name, number, and expiration date.įigure 3.
Uploadminer.sh contains routines capable of stealing saved information from Google Chrome browsers. The file uploadminer.sh will be saved to the system and executed. It will receive a command to download Bash scripts from hxxp://46226108171:4444/uploadminersh once the backdoor runs. If it’s not, the script will connect to hxxp://46226108171:4444/login/process.php, which hosts an encrypted Empyre backend capable of pushing arbitrary commands to an infected macOS system.
We also found out that the malware connects to hxxps:///jj9a, which contains an encrypted Python script that checks if Little Snitch - a host-based application firewall for macOS - is running. This is the original Adobe Zii.app used to camouflage its malicious background activities. The contents are then extracted and executed in the system. While running a copy of Adobe Zii.app, we observed that it downloads sample.app from hxxp://46226108171:80/sample.zip and saves it to the user directory ~/.
0 kommentar(er)
