TrojanSpy.MacOS.AMOS.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Otros detalles

Hace lo siguiente:

• Upon execution, it prompts a fake warning alert asking for user’s password to lure the victim into inputting the password using osascript command, this password will be used to access the user’s keychain database – this is where sensitive information is stored such as passwords, certificates, and wallet information.
  • osascript -e 'display dialog "macOS needs to access System settings %s Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer
• It executes the following commands:
  • system_profiler SPHardwareDataType → used to gather hardware information from the victim’s machine
  • security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' → used to steal Chrome password
• Target browsers:
  • Chrome
  • Brave
  • Edge
  • Vivaldi
  • Opera
  • OperaGX
  • Chromium
• Target wallets:
  • Exodus
  • Electrum
  • TronLink
  • Metamask
  • Binance Chain
  • Keplr