ALIASES:

OSX/WireLurker.A (ESET), Trojan-Downloader.OSX.WireLurker.a (Kaspersky)

 PLATFORM:

Mac OS X (64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This is the Trend Micro detection for Trojanized apps that belong to the Wirelurker malware family.

This Trojan may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size: Varies
File Type: Other
Memory Resident: Yes
Initial Samples Received Date: 07 Nov 2014
Payload: Steals information

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /Users/Shared/start.sh
  • /Users/Shared/FontMap1.cfg
  • /usr/bin/globalupdate
  • /usr/local/macbook/watch.sh
  • /usr/local/machook/sfbase.dylib
  • /tmp/machook.log

Information Theft

This Trojan gathers the following data:

  • Serial number
  • Phone number
  • Model number
  • Product version
  • Product type
  • AppleID

Other Details

This Trojan connects to the following website to send and receive information:

  • http://{BLOCKED}baby.com/app/app.php?sn={serial number}&pn={Phone number}&mn={Model number}&pv={Product version}&appid={value}&os=macservice&pt={Product type}&msn={value}&yy={value}
  • http://{BLOCKED}baby.com/mac/saveinfo.php

NOTES:

The component globalupdate (detected as OSX_WIRELURK.A) enables the malware to download an updated copy of itself from the server and save it as follows:

  • /usr/local/machook/update/update.zip

It connects to the following URL to retrieve a link of its updated copy:

  • http://{BLOCKED}baby.com/app/getversion.php?sn={serial number}

It constantly checks for plugged in iOS devices. Once found, it connects to http://{BLOCKED}onewiki.com/wiki/AFC.com.apple.afc2 (AFC2 service) to allow access to the device. It then copies the following file to the device:

  • /usr/local/machook/sfbase.dylib to /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.262.04
FIRST VSAPI PATTERN DATE: 07 Nov 2014
VSAPI OPR PATTERN File: 11.263.00
VSAPI OPR PATTERN Date: 08 Nov 2014

NOTES:

  1. Scan using the Trend Micro product and take note of the path of files detected as OSX_WIRELURK.A.
  2. Identify and terminate the running processes using the noted path in the previous step.
    1. Open the Terminal
      • Applications>Utilities>Terminal or type ‘Terminal’ in Spotlight.
    2. Type the following in the terminal:
      • ps –A
    3. Look for the detected files and take note of their PID. If the detected file is not found to be running, please proceed to the next step.
    4. In the same terminal, type the following:
      • kill {PID}
  3. Remove the detected files
    1. In the same terminal, type the following and press enter:
      • sudo rm -R /Library/LaunchDaemons/com.apple.machook_damon.plist
      • sudo rm -R /Library/LaunchDaemons/com.apple.globalupdate.plist
      • sudo rm -R /Users/Shared/start.sh
      • sudo rm -R /Users/Shared/FontMap1.cfg
      • sudo rm -R /usr/bin/globalupdate
      • sudo rm -R /usr/local/macbook/watch.sh
  4. Scan your computer with your Trend Micro product to delete files detected as OSX_WIRELURK.A.


Did this description help? Tell us how we did.