With the Internet Keywords feature of Smart Browsing activated (as it is by default), each address you type passes through Netscape's keyword server (disable the feature if you're concerned about privacy issues). So, typing "powerbook" in the Address field takes you to the Apple home page (instead of Apple's PowerBook page, which is what "does). If there is no keyword match, Netscape offers a page of suggestions, with a banner ad, of course. Smart Browsing also features a What's Related button that offers site suggestions based on the site you're viewing.

Communicator 4.5 includes the Netscape AOL Instant Messenger (whether or not you specify it), the Shockwave Flash plug-in, RealNetworks' RealPlayer client, and enhancements to the Messenger and Composer modules of Communicator.

Introduction

We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we learned that a developer's Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notably, we found two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults; another is used to abuse the development version of Safari.

The malware has the capability to hijack Safari and inject various JavaScript payloads. This scenario is quite unusual: in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates when affected developers share their projects via platforms such as GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects.
We have also identified this threat in other sources including VirusTotal and GitHub, which indicates this threat is at large. In this technical brief, we will discuss our investigation into this attack, which includes the hidden Mach-O executable, its AppleScript payload functions along with the three zero-day exploits we discovered, and the JS payloads it injects to exfiltrate and manipulate data from browsers.

Initial Entry

Xcode is an integrated development environment (IDE) used in macOS for developing Apple-related software and is available for free from the Mac App Store. Since its release, plenty of developers have used Xcode for their Apple software needs.

Figure: A sample Xcode project and its contents

When creating a project in Xcode, a project file (.xcodeproj) is generated that contains the code and resources to be built together. Inside the project, schema files that contain how each part is mapped are also generated. For this incident, we initially traced an infected project's Xcode work data files and found that they referenced another folder instead of the workspace's main folder.

Figure: Modified workdata string

We were able to identify a hidden folder located in one of the .xcodeproj files for the project. The hidden folder contains the following:

1. Assets.xcassets: shell script to call the Mach-O malware

Figure 3. Hidden contents of project

In one of the project files (.pbxproj), a reference to Assets.xcassets was found. Once the project is built and compiled, we suspect that the malicious code is executed.

Figure: Reference to hidden contents

In our testing, executing the Mach-O xcassets shows that it drops the following files in the folder ~/Library/Caches/GameKit/.
Note that the symbol ~ indicates the current user.

- domain refers to the file containing the target command and control (C&C) server address.
- report refers to the file containing the file path and app bundle dropped; its use will be discussed in the next section.