The fake SnailSVN website Download server However, all of these domains were inaccessible at the time of writing.įigure 7.
MAC OS 9 TERMINAL EMULATOR FOR MAC OS
We were able to access one of these fake websites, snailsvn.cn, but the download link on its page was empty at that time, so it remains uncertain whether this website had been used to distribute a trojanized version of SnailSVN, an Apache Subversion (SVN) client for Mac OS X, in the wild (Figure 7). As shown in Figure 6, all of these websites resolved to the same IP address, 43129218115.įigure 6. Searching VirusTotal for the Secure Sockets Layer (SSL) thumbprint that used revealed several other fraudulent websites. The file downloaded from the fake website (left) and the official website (right)Ĭomparing the folder structure of the DMG and ZIP files shows numerous differences between them:
MAC OS 9 TERMINAL EMULATOR ZIP FILE
The files that are downloaded from the legitimate website come in a ZIP file format, as opposed to the DMG file from the fraudulent website, as shown in Figure 2.įigure 2. The user is redirected to this download URL for iTerm.dmg regardless of the app version the user selects to download from the fake website the real website has different URLs and files for various versions. Instead, the website contains a link, hxxp://, from which users are able to download a macOS disk image file (DMG) called iTerm.dmg. However, the malicious file is not hosted on this website directly.
The trojanized appĪs of September 15, is still active. This blog entry covers the malware's details. This, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called "GoogleUpdate" that contains a Cobalt Strike beacon payload.
Objective-see previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib. This malware, which Trend Micro has detected as, collects private data from a victim's machine.įigure 1. When this app is executed, it downloads and runs g.py, a malicious Python script from 4775123111. A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found in. Earlier this month, a user on Chinese question-and-answer website Zhihu reported that a search engine result for the keyword "iTerm2" led to a fake website called that mimics the legitimate (Figure 1).
0 kommentar(er)
