Macs are great, aren’t they? I have many. Aside from the two provided by my employer, I have five working Macs of my own, ranging from 2009 to 2021. I also run macOS on a number of virtual machines for research purposes. In fact, give me a few minutes and I could spin you up an instance of any version of macOS from 10.5.8 Leopard (circa 2008!) right through to the latest beta of macOS 12 Monterey. Yep, I’m an Apple nerd, a Mac geek, a macOS enthusiast, and I’ve spent over a decade now learning how Macs and macOS work. I’m also a Mac security researcher and having a catalogue of older versions of macOS is part of my arsenal of tools when it comes to understanding how to keep Macs and Mac users safe.

Most of my work nowadays revolves around identifying, tracking, and understanding Mac malware in the enterprise, and in the course of my work I inevitably come across more than my fair share of infected Macs. The users of these Macs are more often than not surprised to learn that their Mac got a dose of some nasty adware or malware.

Few ever know how the malware got on their device. Most thought that they didn’t need to take any special security precautions when using a Mac. Some said that not having to run AV products was precisely the reason why they chose a Mac and ditched their previous Windows machine. All had no idea how to remove the infection, or verify that the Mac was indeed healthy after they had tried. Often, IT teams trained and tasked with ironing out problems with Windows devices are equally uncertain.

In this post, I will share with you what I have told those users and many others about macOS security. I will debunk some widely held myths about how to use and administrate Macs safely, and I will explain how you can ensure those in your organization are not the next unfortunate Mac users to begin dangerously searching the internet for a solution to a problem they barely knew they had.

1. I don’t Need to Update My System

Many people believe that older versions of macOS are just as safe to run as the latest versions. While currently macOS Monterey, Big Sur and Catalina are still receiving critical security updates, anything older than that is certainly riddled with vulnerabilities.

But a bigger concern is devices that get the shiny upgrades but don’t keep up with the mundane updates. From a security perspective, point updates  (e.g., from Monterey 12.1 to 12.2 and so on) are far more important than OS upgrades, at least so long as you’re not more than N-2 (more than two major upgrades behind the current OS). If you’re still running Catalina or Big Sur, the only safe versions of those OSs are the most recent ones: 10.15.7 + the January 26 Security Update, and 11.6.3, respectively. At the time of writing, Monterey is on 12.2.

The reason point updates are far more critical is that unlike major OS upgrades, which are timed for marketing reasons and are generally built to add new (and sometimes buggy!) features, point updates are typically focused on fixing bugs and security vulnerabilities, including vulnerabilities known to be actively exploited in the wild. For example, in the recent 12.2 update, Apple patched CVE-2022-22587, of which they said they were “aware of a report that this issue may have been actively exploited”. That update also addressed twelve other CVEs including:

• CVE-2022-22586 – AMD Kernel: A malicious application may be able to execute arbitrary code with kernel privileges
• CVE-2022-22584 – ColorSync: Processing a maliciously crafted file may lead to arbitrary code execution
• CVE-2022-22591 – Intel Graphics Driver: A malicious application may be able to execute arbitrary code with kernel privileges

Recently, I walked into an Apple Reseller store and noted with some surprise that, next to the Mac that was running the point-of-sale software, other staff were using what appeared to be a vintage 2012 MacBook Pro. How did I know? Because the last year Apple made a MacBook with an internal CD drive was 2012, and I could see the tell-tale slot on the side of the machine as I waited to make my purchase.

It’s a testament to the longevity of Apple hardware that in 2022 a business can still use a 2012 machine for productive tasks, but it’s also a potential problem. The mid-2012 MBP was released with OS X 10.8 Mountain Lion! The latest version of macOS that a mid-2012 MacBook Pro could run is Big Sur. I sure hope they updated to that 11.6.3 release the other week!

2. Mac Malware is Rare

The amount of malware that is targeted at Windows machines is truly staggering. It’s no wonder that every year a not-insignificant number of computer buyers turn to Macs for relief from the constant security headaches associated with Windows. While the amount of malware targeted at Macs is a small percentage of that, a small percentage of a large number can still be a large number. Relative to Windows, Mac malware is far less common, but it’s a long way from ‘rare’.

Last year, we saw 10 new targeted macOS malware families emerge, along with the continued expansion of adware delivery platforms like Shlayer, Bundlore, Surfbuyer, Pirrit, WizardUpdate and Adload.

In 2021, Craig Federighi – Apple’s VP of Software Engineering – said that he’d “had a couple of family members who have gotten some malware on their Macs”. In comments that surprised many Mac users but absolutely no security researchers, Federighi further noted that “Each week, Apple identifies a couple of pieces of malware on its own or with help of third parties” and that Apple was fighting “an endless game of whack-a-mole” and facing a “significantly larger malware problem” now than in the past.

3. Adware Isn’t Dangerous

To those that hold this view, my first reaction is: define ‘Dangerous’.

Adware is code running on your machine, often without your knowledge or consent, that fingerprints your device and collects PII about you, exfiltrates it to unknown 3rd parties and installs persistence agents, makes itself difficult to remove, and – as the name suggests – serves up unwanted adverts while you’re browsing by hijacking your searches.

Adware like Adload and Shlayer typically contact obscure URLs and download unwanted software in the background without informing the user.

Some adware is akin to spyware, and some adware developers take such extreme measures to avoid detection by security software or analysis by security professionals that they could legitimately go into business teaching malware authors a few new tricks. So, what’s your definition of ‘dangerous’?

4. Apple Is All The Security You Need

Apple has worked hard to establish the reputation of “the safe Mac”, but the gap between the marketing message and the reality is increasingly clear to see. It’s not that Apple doesn’t take security seriously – it really does, and we are always pleased to support Apple’s product security team by sharing intelligence when we can. The problem is that Apple’s security technologies on macOS are easily defeated, and it’s worth exploring for a moment why that is the case.

Unlike iOS and Apple mobile devices, macOS and the Mac provide – and we hope always will provide – an environment where device owners are able to customize and use their computers in all sorts of novel, interesting and creative ways. The use case for a powerful computing platform is utterly different from that of a mobile device, and for that reason there is only so much Apple can do with security without falling into the trap that Microsoft has fallen into of becoming an after-sales vendor to shore up the security of its own OS.

With the Mac, Apple tread lightly. Gatekeeper, Codesigning and Notarization provide barriers to entry but they do not keep out professional adware and malware authors. On-device protection like XProtect and MRT.app also help clean up some of the main discovered malware and adware variants, but there are many that they do not. XProtect is an old-fashioned file scanning technology that needs to be updated (something Apple does silently in the background, more or less once a month or so) after new malware has already struck some hapless victims.

Crucially, it’s simple for malware authors to inspect XProtect on their own machines and see how the signatures are catching their work. MRT.app is a little more obtuse to inspect, but regardless of how well Apple tries to obfuscate their signatures, there’s always a simple test available to a malware author: test your malware on your Mac and if it’s removed or blocked, adjust it till it isn’t.

Malware authors always have direct access to the very software that Apple is using to block or remove malware. In part, notarization was supposed to help Apple get around this, but threat actors soon discovered that the automated malware service could be beaten, and the game of ‘whack-a-mole’, as Mr Federighi rightly described it, goes on.

5. I’d Know If My Mac Was Infected

One of the most overlooked weaknesses of the Mac is the paucity of end user tools it provides both for security and administration purposes. The once useful Console.app is now a no-go zone for anyone other than the most masochistic of Mac diehards; the Terminal provides some useful but obscure command line tools for examining things like running processes, listing open files and ports and gathering certain kinds of system and user data.

But – and it’s a big but – none of these provide users or admins with any actual way to look at, track or identify malicious changes. None of the native tools allow a user to see what process was responsible for changing which file(s), executing which binaries, or changing what system data.

Deep-dive IR and digital forensics investigations can, sometimes, recreate certain historical chains of events, but these require expertise, time and money.

In short, the question that no Mac user can really answer without adding some 3rd party software is: how would I know if my Mac was infected by some backdoor such as SysJoker or spyware like DazzleSpy or XcodeSpy?

6. My Data Is Safe On My Mac

Data privacy has become increasingly important, and increasingly targeted, in recent years as almost all of us have moved some or all of our most sensitive data onto our devices.

In line with this trend, Apple has made a number of changes to macOS to try and protect PII and other data on our Macs, but the results have been less than stellar. In the first instance, all Apple’s user privacy protections are bypassed by any app that requests, and is granted by the user, Full Disk Access (FDA). Apple’s default assumption is that user’s won’t grant that permission without understanding the risks, but that’s an assumption that is fatally flawed. Many common apps request this permission to function properly, and users are more interested in having the apps work than making detailed inquiries of developers about how that permission will be used or could be abused.

One app that has Full Disk Access regardless of the user’s preference is Apple’s own Finder. This allows a sneaky backdoor via automation that only requires a consent click (rather than a password authorization) to get past the users.

Further, in many enterprise settings, administrators will require the Terminal to have Full Disk Access. Unfortunately, there’s no granularity here, so when one user grants FDA to the Terminal, it’s now available to all users (and all processes).

As we’ve noted before, this isn’t an accident or a bug, it’s by design, but bugs in the same framework (aka TCC) responsible for user data privacy protection have become so common they are almost uninteresting!

7. Criminals Aren’t Interested in Mac Users

It’s a common myth in computer security that most malware authors aren’t interested in Mac users because “the market is too small” to be worth their time. After all, it is supposed, it takes a considerable investment in resources to develop, distribute and manage malware infections, and for that effort criminals want a good ROI. Consequently, it’s assumed, they don’t bother targeting Macs and stick to the easier pickings of Windows users.

There’s plenty of fallacy to unpack here. First, the market is too small? This thinking is about 15 years out of date, or pre-iPhone’s 2007 launch to be accurate. Macs may have once been the niche buy of certain kinds of ‘creatives’ and a few vociferous enthusiasts, but their market share has steadily increased over the last decade or so.

At first, this was off the back of iOS/macOS (or OS X as it was then) ecosystem integration, but it’s long been the case that Macs have become popular in their own right for their longevity, stability and – relative to Windows – security. Developers of all stripes love them, executives love them, and this last quarter Apple reported that Mac sales alone accounted for more than $10 billion of revenue. That’s a pretty healthy-sized market to attack for any malware author, just ask the developers of XLoader, XCSSET and OSAMiner.

Second, mac malware isn’t particularly difficult to create. If you can create any kind of Mac app, making it do something malicious is a fairly trivial tweek (an unfortunate fact that makes macOS malware difficult to catch for certain kinds of security solutions that rely on identifying malware by file characteristics rather than behavior). Add to that that macOS malware is increasingly cross-platform – malware authors are targeting multiple platforms with the same source code written in languages like Java, Go and Kotlin – and the “heavy investment for no return” argument doesn’t really hold any water.

8. Nation-States Don’t Target Mac Users

Well, if the criminals looking to make a quick buck are on board, what about the APTs? As noted above, developers and execs love to buy Macs – they’re powerful and chic – and they have a reputation for being secure (although we note it’s Chromebooks that now enjoy the “these don’t get viruses” meme).

APTs have always been busy targeting Macs just as they have any other devices used by “persons of interest”. This past year, we saw not only targeted attacks against political activists but also what was very likely an espionage attack against a US business.

We also learned last month that, while most Mac malware requires some level of social engineering, there are in-the-wild exploits that can infect a Mac user who simply visits the wrong website. Both macOS.Macma and OSX.DazzleSpy were delivered by leveraging exploits to drop and execute code with privileges in a watering-hole attack. And as noted above, CVE-2022-22587 patched a few weeks ago was an actively exploited zero-day that allowed malicious attackers to execute arbitrary code with kernel privileges. At this time, we have no idea who the targets were.

9. Apps Downloaded from the App Store are Safe

The Mac App Store, and its counterpart the iOS App Store, occupy a special place in Apple’s ecosystem. Such apps run in sandbox environments on the user’s device, are vetted by Apple, and distributed by identified developers. The vast majority are, indeed, safe, there’s no questioning that. But there are, nevertheless, questions about a small minority.

App Store apps are mostly safe, but the origin of the download doesn’t guarantee that you’re not getting malware. Developers of legitimate App Store apps have noticed scam apps on the App Store blatantly copying legitimate apps and being boosted with fake ratings and reviews, themselves purchased in bulk from other criminals. It’s been estimated that such apps could be scamming users out of $2 million a year or more.

10. The Best Security Apps Are in the App Store

If you’re thinking you want some extra security solution for your Macs, the one place not to look is the App Store. This has nothing to do with our previous point about the dubiousness of some App Store apps, but rather the nature of what kind of apps are allowed in the App Store.

As we already said, App Store apps must be sandboxed – that’s one of Apple’s conditions of entry – but a good security app by definition can’t operate in a sandbox environment. A sandbox is like a container that isolates an app from other apps and other data on a device. It’s one of a number of techniques that can be utilized to help make certain kinds of apps safer.

However, there’s no such thing as an effective sandboxed security app. So-called “security apps” found in the App Store have no visibility into other processes and no capability to block or remove malware (itself almost always unsandboxed) on your device. They are, by and large, at best useless, and at worst fraudulent.

If you want effective security, you need a solution that can actually protect your device against threats and offer visibility into malicious actions; in other words, you need something that runs outside of a sandbox.

Conclusion

Macs are great. Let’s not forget that! But we can admire our Macs as great work machines without falling into the naive belief that they are some kind impregnable fortresses that don’t need any help to keep them secure against a growing crowd of threat actors.

Computer security is a moving target, and certainly in the enterprise that requires a dedicated security solution provider who is at the forefront of keeping up with the latest threats. Help your Macs – and your Mac users – to help themselves by being aware of the reality of the macOS security threatscape and being proactive in your security posture.

If you would like to see how SentinelOne can help protect your macOS devices, contact us or request a free demo.

The Good

This week brings another welcome victory for law enforcement. This time around we focus on darknet market site CanadaHQ (Canadian Headquarters) and individuals connected to the site. CanadianHQ was notorious for trading in spamming services, phishing kits, stolen credentials and access to compromised computers before it was taken offline.

The CRTC (Canadian Radio-television and Telecommunications Commission) provided an update this past week stating that four suspects involved with the site, including the creator of the market, had been handed penalties for violating Canada’s Anti Spam Legislation (CASL) totaling $300,000.

The CRTC indicated that these individuals were responsible for sending “emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials, and other sensitive information”. The individuals charged in violation of the CASL are:

• Chris Tyrone Dracos (aka “Poseidon”)
• Marc Anthony Younes (aka “CASHOUT00” and “Masteratm”)
• Souial Amarak (aka “Wealtyman” and “Supreme”)
• Moustapha Sabir (aka “La3sa”)

It is alleged that Dracos was the creator and primary administrator of the market. As such, he received the harshest penalty with a fine of $150,000. The three remaining individuals were given fines of $50,000 each. Chief Compliance Officer of the CRTC, Steven Harron, indicated that this was one of the more “challenging and complex” cases they had worked on under the Canada Anti-Spam Legislation.

However, there is indication of a broader scope to these actions as CRTC also indicate they have “identified a number of other vendors…actions will be taken against them in the near future”. It sounds like we can look forward to more of these efforts and resulting market closures in the future.

The Bad

The FBI on Tuesday released a new PSA (public service announcement) around the ongoing tactics used by scammers and cybercriminals. PSA I-020122-PSA focuses on the exploitation of security weaknesses on job recruitment websites. Scammers use these to post fraudulent job postings with the intention of extracting personal information or money from would-be applicants. According to the FBI, on average, victims are duped out of almost $3000 a time.

While the tactic is hardly new, it continues to pay rich dividends for cybercriminals precisely because many employment-oriented networking sites fail to use strong security verification measures. Scammers have exploited such weaknesses to post fake job offerings on legitimate company pages alongside genuine job postings. Users of such sites are left to determine the real from the fake for themselves, with predictably unfortunate outcomes.

Similarly, scammers reproduce genuine job postings on other sites, changing the contact details to capture interested job seekers. They even go so far as to spoof the identity of legitimate company employees, conduct fraudulent interviews, and even make fake job offers to victims in their quest to gather as much PII as possible. The PII is then later sold or used in additional scams.

The PSA provides several further examples of these tactics in use over the past three years, and they go on to outline how the scams also impact the reputation of businesses that are repeatedly scammed. The PSA contains a set of recommendations for both companies and job seekers to assist in curtailing the impact or damage caused via this tactic and to avoid falling victim to such scams. We encourage all to read and review the PSA for further guidance.

The Ugly

This week saw one of the UK’s largest food and snack companies, Leicester-based KP Snacks (aka Kenyon Produce), provide further details around last Friday’s ransomware attack. On Wednesday, the company informed partners that as a result of the attack, it was unable to “safely process orders or dispatch goods”.

According to reports, the Conti ransomware group, which is developed and maintained by the same team that brings us Trickbot, was behind the attack. The operators are said to have breached KP Foods’ internal network and gained access to sensitive files such as employee details, credit card statements, birth certificates and financial documents, exfiltrating the data before encrypting it.

The Conti leaks site listed KP Snacks with the usual countdown timer for payment, which is due to “expire” around February 6th. It is not known at this time whether the company is negotiating with the attackers, but per their official statement they have initiated their “cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist” them in their investigation. The company has also said that “it is unknown when this will be resolved”.

Once again, such attacks only highlight the need for companies to deploy security solutions that can truly prevent ransomware attacks, while also ensuring all staff are given good cybersecurity awareness training on a regular basis. The ransom amount is only part of the cost of failure here, and often not even the most significant part at that.

As last year closed out, we provided a round up of the previous 12 months of Mac malware, making the observation that, among other things, 2021’s macOS malware cohort saw a focus on spyware and the targeting of users in Asia, particularly China and Hong Kong. The first month of 2022 has seen those trends continue with two new malware campaigns discovered in January, namely SysJoker and DazzleSpy.

In this post, we give brief overviews of these two new malware families, offering both additional details not previously reported along with indicators for detection and threat hunting.

SysJoker (11th Jan, 2022)

The first new Mac malware report of 2022 came courtesy of researchers at Intezer in the form of a threat they dubbed SysJoker, which comes in Windows, Linux and macOS variants. Researchers say that the Linux version was found in-the-wild infecting a server belonging to “a leading educational institution”.

The Mac-specific variant of this malware is a Universal binary named types-config.ts, compiled for both Intel x86 and Apple silicon M1 arm64 architectures.

Upon execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service ~/Library/LaunchAgents/com.apple.update.plist.

The fake service targets an executable called ~/Library/MacOsServices/updateMacOs. This file is also written by the types-config.ts file and is in fact a straight copy of itself. The SentinelOne agent captures the chain of execution and displays it in the Management console for easy pivoting and threat hunting.

The malware is written in C++ and much of the initial action occurs in the entry.init0 function. Using r2, we can get a quick summary of the function’s important strings.

The “drive.google.com” address delivers a file “domain.txt” that contains an obfuscated domain name address. The key shown above at address 0x1000139e2 is used to decode the contents of “domain.txt”, which turns out to to be the DNS address “graphic-updater.com”.

Other hardcoded strings are then concatenated with the decoded DNS address to form a full C2.

https://graphic-updater[.]com/api/attach

We note that SysJoker has a peculiarity that, to our knowledge, has not been described by other researchers. In our tests, if the malware is run as root when the path

/Users/root/Library/SystemNetwork

does not exist, the malware will abort.

That’s an unusual path, as the root user on macOS typically exists under /var/root, not /Users/root.

Whether this is an oversight or a peculiarity of SysJoker’s intended target is unclear. At this point, we have no explanation for this behaviour, but merely note that if /Users/root does exist, then the malware executes as expected, and drops the components under that file path hierarchy.

According to previous researchers who also analyzed the Windows and Linux variants, SysJoker’s primary purpose is to await commands from the C2. We, and our sample, did indeed wait, but the C2 appeared to be uninterested in talking to either of us. Intezer has more details on the backdoor’s functionality.

How To Protect Against OSX.SysJoker

The SentinelOne Singularity platform fully detects OSX.SysJoker.

Aside from the one reported in-the-wild incident against a “leading educational institution”, it is unclear at this time how SysJoker is distributed, who it targets, or what the authors’ objectives are. However, the cross-platform nature of the malware suggests that it may be part of a wider campaign, and it is imperative that organizations have a capable multi-engined security solution in place to defend against these kinds of attacks.

DazzleSpy (25th Jan)

OSX.DazzleSpy was discovered by ESET researchers following the same trail as Google’s Project Zero from a poisoned watering hole targeting Hong Kong pro-democracy activists. Whereas Google’s investigation led them to macOS.Macma, researchers Marc L’Etienne and Anton Cherepanov caught a quite different payload.

OSX.DazzleSpy comes in the form of an unsigned, Mach-O file compiled for Intel x86 architecture, although it’s perfectly possible that undiscovered ARM versions exist as well.

On execution, the Mach-O installs a persistence LaunchAgent that masquerades as an Apple launch service at ~/Library/LaunchAgents/com.apple.softwareupdate. This fake service targets an executable called “softwareupdate” written inside a hidden folder of the user’s home folder, ~/.local/softwareupdate.

The executable “softwareupdate” contains a mixture of public and private frameworks. On the public side, the malware authors have adopted the tonymillion Reachability framework to determine network connections, YYModel for efficient parsing of JSON data, and GCDAsyncSocket to handle TCP/IP socket networking tasks. A date comparison method, +(int)compareOneDay:(NSDate *)oneDay withAnotherDay:(NSDate *)anotherDay, also appears to have been lifted from a Chinese-language programming forum.

For functionality, DazzleSpy contains code for searching and writing files, exfiltrating environmental info, dumping the keychain, running a remote desktop and running shell commands, among others.

DazzleSpy collects and drops a number of other files in the hidden ~/.local directory related to espionage and data collection.

~/.local/softwareupdate
~/.local/security/keystealDaemon
~/.local/security.zip
~/.local/SearchFiles
~/.local/RecoveryFiles
~/.local/security

Although we only saw the first of these files dropped in our tests, analysis of the static code suggests that another hidden directory, .Documenty, may also be used by the malware.

The authors appear to have been careless (or perhaps deliberate!) in leaving artifacts from the development environment. As noted by ESET, one user name embedded in the malware is “wangping”, but we also note two others: “wp” and “XpathX”.

Of these, “XpathX” seems to have a number of paths typical of an active user, but why these should have found their way into the code is both mysterious and suspicious.

There’s no obvious mechanism that would easily result in those being embedded accidentally, and one could be forgiven for thinking that these paths were deliberately placed. We might also wonder about the authenticity of other paths such as /Users/wangping/pangu/.

How To Protect Against OSX.DazzleSpy

OSX.DazzleSpy, like macOS.Macma before it, appears to be aimed at visitors to certain websites holding content about, or of interest to, Hong Kong pro-democracy activists and activism. Although that is a small demographic, the threat actors also exploited a (now-patched) local privilege escalation, CVE-2021-30869, to run the payload as root.

SentinelOne’s behavioral engine detects OSX.DazzleSpy on execution. In order to prevent infections like DazzleSpy, be sure to install a good behavioral AI engine that can recognize novel threats based on what they do. Legacy AV scanners that rely on known signatures or cloud reputation services alone will not be able to stop threats that have not previously been detected in the wild.

Admin users can view details including threat indicators in the Management console and pivot directly from there to Deep Visibility for extended threat hunting across the estate if required.

Conclusion

These two new Mac malware families continue trends we noted previously in macOS malware. DazzleSpy’s use of vulnerabilities is a clear warning to those that continue to insist Mac users cannot get malware if they engage in “safe behavior”: such a stance does not match today’s threatscape.

Meanwhile, SysJoker’s cross-platform backdoor functionality shows that threat actors are factoring in Mac targets along with Windows and Linux as they develop new ways to steal data and compromise organizations. As with all your other endpoints, it is vital to keep your Mac fleet protected by a capable, defense-in-depth security solution such as the SentinelOne platform.

If you would like to learn more about how SentinelOne can protect your Mac, Windows, Linux, ChromeOS, IoT and Cloud workload endpoints, contact us or request a free demo.

Indicators of Compromise

OSX.SysJoker

DNS REQUESTS
drive.google.com.
googlehosted.l.googleusercontent.com.
graphic-updater.com.

DNS RESPONSES
142.250.199.14
216.58.199.225
216.58.203.78
23.254.131.176
36.4.104.0

COMMANDS EXECUTED
/bin/sh
/bin/bash
/usr/bin/whoami

FILEPATHS
/Users/root/Library/SystemNetwork
~/Library/MacOsServices/updateMacOs

HASHES
updateMacOs
554aef8bf44e7fa941e1190e41c8770e90f07254 1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac

types-config.ts
01d06375cf4042f4e36467078530c776a28cec05
d0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0

OSX.DazzleSpy

FILEPATHS
~/Library/LaunchAgents/com.apple.softwareupdate.plist
~/.local/softwareupdate
~/.local/security.zip
~/.local/security/keystealDaemon
.Documenty/security/libkeystealClient.dylib
.Documenty/security/keys.err
.Documenty/security/security-unsigned
.Documenty/security/keystealDaemon

C2
88.218.192[.]128:5633

HASHES
server.enc
ee0678e58868ebd6603cc2e06a134680d2012c1b
f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348