Based on the user GET query value, the member count on 22 August 2017 is nearly two thousand.

vHook is the installer, and it requires sudo. It is packed with UPX, probably to hinder analysis by users and to bypass some security products. It downloads bootstrap.dylib and vhook.dylib from https://vlone.cc/portal/gateway.php as assets.zip and extracts them to /Library/Application Support/.
bootstrap.dylib comes from the osxinj project. If Counter-Strike: Global Offensive is running, it downloads and extracts some fonts (https://vlone.cc/fontfix.zip as vlone.zip to /Library/Fonts/) and injects vhook.dylib into the csgo_osx64 process.

vHook also sneakily downloads and extracts https://vlone.cc/abc/assets/asset.zip as fonts.zip to /var/, changes directory to /var and runs sudo ./helper &.
helper is the miner downloader dropper. It is also packed with UPX. It downloads https://www.vlone.cc/abc/assets/b.zip as /b.zip, extracts its contents to /var/.log/, changes directory to /var/.log/ and runs sudo ./com.dynamsoft.WebHelper &.

The https://www.vlone.cc/abc/assets/b.zip URL responds with a 404 File Not Found error, but the https://www.vlone.cc/abc/assets/bz.zip URL is live and sends the expected archive.
com.dynamsoft.WebHelper is the miner downloader. Despite the name, it is not related to Dynamsoft. It downloads WebTwainService from https://www.vlone.cc/abc/assets/d.zip to /var/.log/, and com.dynamsoft.WebTwainService.plist from https://www.vlone.cc/abc/assets/p.zip to /Library/LaunchDaemons/. If it meetsRequirements(), i.e. it is running as root and not in a debugger, it downloads https://www.vlone.cc/abc/assets/helper.zip to /var/.trash/.assets/ and runs cd /var/.trash/.assets/; ./com.apple.SafariHelper with appropriate arguments.

WebTwainService tries to take care of com.dynamsoft.webhelper persistency. It is again packed with UPX. It changes directory to /var/.log and runs sudo ./com.dynamsoft.webhelper &, then recursively sleeps for one hour…
com.apple.SafariHelper is actually the official MinerGateCLI v4.04. com.dynamsoft.WebHelper launches it, so the user enjoys the delight of the computer's fans as background music. It runs with [email protected], and the [email protected] email address was also found hardcoded in another sample.

com.dynamsoft.WebHelper and the C&C server:
vLoader is the private installer and, once more, it is packed with UPX. It downloads to /var/.old/: boots.dylib from http://vlone.cc/clear/sadmio.zip, and uhdexter.dylib from http://vlone.cc/clear/getout.zip.

vLoader doesn't uninstall any of the free version's naughty payloads.
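As an added, defender-side example that is not part of the original analysis, the following POSIX shell script checks a system (or a mounted image, via an optional root prefix) for the drop locations named above and flags files carrying the UPX packer marker; the exact dylib filenames inside the extracted archives are assumed from the write-up.

```sh
#!/bin/sh
# Added example, not code from the original analysis. Looks for the
# OSX.Pwnet.A drop locations named in the write-up under an optional
# root prefix, so it can run against a mounted image or a test tree.

pwnet_artifacts() {
  # One artifact path per line. The dylib names inside the extracted
  # archives are assumed from the write-up, not verified here.
  cat <<'EOF'
/Library/Application Support/bootstrap.dylib
/Library/Application Support/vhook.dylib
/var/helper
/var/.log/com.dynamsoft.WebHelper
/var/.log/WebTwainService
/Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist
/var/.trash/.assets/com.apple.SafariHelper
/var/.old/boots.dylib
/var/.old/uhdexter.dylib
EOF
}

# Print " (UPX-packed)" when the file carries the "UPX!" marker that the
# packer leaves in its output; the write-up notes several components are packed.
upx_tag() {
  grep -q 'UPX!' "$1" 2>/dev/null && printf ' (UPX-packed)'
}

# pwnet_scan [ROOT]: print every artifact present under ROOT, one per line,
# tagged when UPX-packed. Exit 0 when nothing is found, 1 on any hit.
pwnet_scan() {
  root="${1:-}"
  found=$(pwnet_artifacts | while IFS= read -r rel; do
    path="$root$rel"
    [ -e "$path" ] || continue
    printf '%s%s\n' "$rel" "$(upx_tag "$path")"
  done)
  [ -n "$found" ] || return 0
  printf '%s\n' "$found"
  return 1
}

# Stand-alone use: sh pwnet_scan.sh --scan [ROOT]  (reading /var/.log etc.
# on a live system needs root). Exit status 1 means something was found.
[ "${1:-}" = "--scan" ] && pwnet_scan "${2:-}"
```

The hits are printed as paths relative to the prefix, so the same output can be compared across an image and the live system.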
vhook.dylib: the source code was available on GitHub (archive), and videos of the hack are also available on YouTube here and there.

libvHook.dylib, and in all analyzed binaries: pwnednet. Shortened to pwnet, it sounds like poney in French, i.e. pony in English, and everybody loves ponies, so here you have OSX.Pwnet.A!