Shlayer itself performs only the initial stage of the attack: it penetrates the system, loads the main payload, and runs it.

Next, the main script generates a unique user and system ID, and also collects information about the version of macOS in use. Based on this data, the GET query parameters are generated to download the ZIP file.

The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the unzip function.

The ZIP archive was found to contain an application package with the executable file 84cd5bba3870.

After unpacking the archive, the main Python script uses the chmod tool to assign the file 84cd5bba3870 permission to run in the system.

For added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly downloaded application package using the moveIcon and findVolumePath functions.

After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents.
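The dropper chain described above (a scripted launcher that unzips into /tmp/tmp, marks a file there executable with chmod, then launches the unpacked .app with open) is a useful behavioural signature for endpoint telemetry. The following is an added detection example, not code from the original article or from the analysed sample: it correlates process-creation events by parent pid and flags any parent whose children perform the three stages in that order. The event format (dicts with pid, ppid and argv) and the sample events, including the /Volumes/Install/.hidden/main.py and /tmp/abc123 paths, are constructed for illustration; only the file name 84cd5bba3870 comes from the article.

```python
"""Detection sketch for the Shlayer-style dropper chain described above.

Added example, not code from the original article. Each process-creation
event is modelled as a dict with pid, ppid and argv. A parent process is
flagged when its children, in chronological order, unpack an archive into
/tmp, chmod a file under /tmp, and open an .app from /tmp.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry): a python launcher (pid 501)
# performing the chain, plus unrelated benign activity under parent pid 900.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 400, "argv": ["python", "/Volumes/Install/.hidden/main.py"]},
    {"pid": 502, "ppid": 501, "argv": ["unzip", "-o", "/tmp/abc123/payload.zip", "-d", "/tmp/tmp"]},
    {"pid": 503, "ppid": 501, "argv": ["chmod", "777", "/tmp/tmp/Player.app/Contents/MacOS/84cd5bba3870"]},
    {"pid": 504, "ppid": 501, "argv": ["open", "/tmp/tmp/Player.app"]},
    {"pid": 505, "ppid": 501, "argv": ["rm", "-rf", "/tmp/abc123", "/tmp/tmp"]},
    {"pid": 901, "ppid": 900, "argv": ["unzip", "report.zip", "-d", "/Users/me/Documents"]},
    {"pid": 902, "ppid": 900, "argv": ["open", "/Applications/Safari.app"]},
]

# The stages of the chain, in the order the article describes them.
STAGES = ("unzip_to_tmp", "chmod_in_tmp", "open_from_tmp")


def classify(argv):
    """Map one command line to a stage name, or None if it is not part of the chain."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths such as /usr/bin/unzip
    args = argv[1:]
    if tool == "unzip" and "-d" in args:
        i = args.index("-d")
        dest = args[i + 1] if i + 1 < len(args) else ""
        return "unzip_to_tmp" if dest.startswith("/tmp/") else None
    if tool == "chmod" and any(a.startswith("/tmp/") for a in args):
        return "chmod_in_tmp"
    if tool == "open" and any(a.startswith("/tmp/") and a.endswith(".app") for a in args):
        return "open_from_tmp"
    return None


def find_dropper_chains(events):
    """Return the ppids whose children complete all three stages in order.

    Events are assumed to arrive in chronological order; out-of-order stages
    for a given parent do not advance its progress, which keeps a lone
    'open' of an .app in /tmp from firing on its own.
    """
    progress = defaultdict(int)  # ppid -> index of the next expected stage
    flagged = []
    for ev in events:
        stage = classify(ev["argv"])
        if stage is None:
            continue
        ppid = ev["ppid"]
        if progress[ppid] < len(STAGES) and stage == STAGES[progress[ppid]]:
            progress[ppid] += 1
            if progress[ppid] == len(STAGES) and ppid not in flagged:
                flagged.append(ppid)
    return flagged


if __name__ == "__main__":
    print(find_dropper_chains(SAMPLE_EVENTS))  # expected: [501]
```

In a real deployment the events would come from an EDR process-creation feed rather than a hard-coded list, and the /tmp prefix check could be widened to other writable staging directories; the point of the example is that the chain as a whole, not any single command, is what distinguishes the dropper from ordinary unzip or open usage.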