
More active DPRK macOS malware "Contagious Interview"

2025-11-23, L0Psec
https://archive.md/GuCHv
#ContagiousInterview


More active DPRK macOS malware "Contagious Interview" - thanks @MalwareHunterTeam :) Main Swift app (MediaPatcher) detected on VT. Domain undetected, and there's a couple of parts including a golang backdoor and infostealer behavior.
Let's dive in :)
🧵
ClickFix stuff - The "Algorand Hiring Assessment" leads to a warning prompt to fix a "race condition"🤣 by updating @FFmpeg macOS drivers, which results in the download and execution of a script covered next.
This script is executed from /var/tmp and does what we've come to expect. Determines CPU and curls out to either an arm or intel release zip. Unzips to /var/tmp/CDrivers, but the LaunchAgent persistence is interesting and it involves a go backdoor.
drivfixer.sh is set to execute, which runs "./bin/go run driv.go". After the LaunchAgent is set up, the Swift app bundle is executed, which leverages Dropbox and captures the user's password via NSAlerts (covered before). Attached is some of the drive.go …
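As an added example that is not part of the thread (and not code from L0Psec or from the malware), here is a small Python hunt script for the persistence stage described above: it parses LaunchAgent plists, reconstructs the command line each one would run, and flags the indicators the thread names (a program living under /var/tmp, the CDrivers directory, drivfixer.sh, and a `go run <file>.go` invocation). The sample plist and shell-script contents are constructed to mirror the described behaviour; the LaunchAgent label and the exact argument layout are assumptions, since the thread only shows that drivfixer.sh is the program and that it runs "./bin/go run driv.go".

```python
import plistlib
import re
from pathlib import Path

# Indicators taken from the thread: the dropper unzips to /var/tmp/CDrivers,
# the LaunchAgent runs drivfixer.sh, and that script runs "./bin/go run driv.go".
INDICATORS = {
    "var_tmp_path": re.compile(r"(?:^|\s)/(?:var/)?tmp/"),      # anything executed out of /var/tmp or /tmp
    "cdrivers_dir": re.compile(r"/CDrivers(?:/|\s|$)"),          # the staging directory named in the thread
    "drivfixer": re.compile(r"drivfixer\.sh"),                   # the persistence script named in the thread
    "go_run_source": re.compile(r"\bgo\s+run\s+\S+\.go\b"),      # running a Go source file directly
}


def match_indicators(text: str) -> list[str]:
    """Return the sorted names of every indicator regex that matches `text`."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def launch_agent_command(agent: dict) -> str:
    """Flatten Program/ProgramArguments/WorkingDirectory into one searchable string."""
    parts = []
    if "Program" in agent:
        parts.append(str(agent["Program"]))
    parts.extend(str(a) for a in agent.get("ProgramArguments", []))
    if "WorkingDirectory" in agent:
        parts.append(str(agent["WorkingDirectory"]))
    return " ".join(parts)


def suspicious_launch_agent(plist_bytes: bytes) -> list[str]:
    """Parse a LaunchAgent plist and report which indicators its command line hits."""
    agent = plistlib.loads(plist_bytes)
    return match_indicators(launch_agent_command(agent))


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every *.plist in a LaunchAgents directory; returns {path: hits} for hits only."""
    findings = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            hits = suspicious_launch_agent(plist_path.read_bytes())
        except (plistlib.InvalidFileException, ValueError):
            continue  # not a readable plist; skip rather than crash the sweep
        if hits:
            findings[str(plist_path)] = hits
    return findings


# Constructed sample mirroring the described persistence (label and argv layout assumed).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.drivfixer</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/var/tmp/CDrivers/drivfixer.sh</string></array>
  <key>WorkingDirectory</key><string>/var/tmp/CDrivers</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign agent for contrast: a normal binary under /usr/local/bin.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed stand-in for drivfixer.sh, built only from what the thread states it runs.
DRIVFIXER_SCRIPT = """#!/bin/sh
cd /var/tmp/CDrivers
./bin/go run driv.go
"""

if __name__ == "__main__":
    print("malicious plist:", suspicious_launch_agent(MALICIOUS_PLIST))
    print("benign plist:   ", suspicious_launch_agent(BENIGN_PLIST))
    print("script body:    ", match_indicators(DRIVFIXER_SCRIPT))
    # On a live host you would point this at ~/Library/LaunchAgents:
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

The `go_run_source` indicator is worth keeping even after the specific file names change: a LaunchAgent or persistence script that compiles and runs a Go source file on the fly is unusual for legitimate software and is the part of this chain least tied to the current filenames. `scan_launch_agents` only covers the per-user LaunchAgents directory; the same function can be pointed at /Library/LaunchAgents and /Library/LaunchDaemons.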