This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan adds the following folders:
- /Users/scbox/Library/Application Support/agent_updater
Dropping Routine
This Trojan drops the following files:
- ~/Library/LaunchAgents/init_agent.plist -> persistence for agent.sh
- ~/Library/Application Support/agent_updater/agent.sh -> detected as Trojan.SH.SLISP
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- https://mobiletraits.s3.{BLOCKED}aws.com/version.json
Information Theft
This Trojan gathers the following data:
- Query String:
- sqlite3 /Users/scbox/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like \"%stu=3c55805%\" order by LSQuarantineTimeStamp desc
Stolen Information
This Trojan sends the gathered information via HTTP POST to the following URL:
- http://api.{BLOCKED}traits.com/pkl
Other Details
This Trojan connects to the following possibly malicious URL:
- mobiletraits.s3.{BLOCKED}aws.com
- s3-1-w.{BLOKCED}aws.com
- api.{BLOCKED}traits.com
It does the following:
- This malware is a pkg file (updater.pkg) that contains malicious pre-install scripts inside the Distribution.xml file -> detected as Trojan.XML.SLISP.A
- The Distribution.xml file contains javascript codes to run system commands and does the routine:
- Creates file init_agent.plist
- Creates file agent.sh
- Downloads version.plist
- Run init_agent.plist
- agent.sh downloads and runs its payload
- Query Download Data
- Init_agent.plist calls agent.sh every hour
- The url that agent.sh downloads is dependent from another downloaded file from https://mobiletraits.s3.{BLOCKED}aws.com/version.json and is stored in /tmp/version.json
- The .pkg file will also execute the bystander binaries file