foursitespeed.blogg.se

Java osx 2017 01

We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. However, we have not found such a sample. This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that – with the exception of the Mach-O binary – everything ran just fine. macsvc SHA256: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0 Another file downloaded from the C&C server was named “afpscan”, and it seems to try to connect to other devices on the network. This script uses mDNS to build a map of all the other devices on the local network, giving information about each device including its IPv6 and IPv4 addresses, name on the network and the port that is in use. It also appears to be making connection attempts to devices it finds on the network.


We also observed the malware downloading a perl script, named “macsvc”, from the C&C server. This component appears to be intended to provide a kind of rudimentary remote control functionality. The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998. These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. The binary itself seems primarily interested in screen captures and webcam access, but interestingly, it uses some truly antique system calls for those purposes, such as: SGGetChannelDeviceList In the case of the Java class file, it is run with  set to true, which means that it does not show up in the Dock. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. The most interesting part of the script can be found in the _DATA_ section at the end.


It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command.


The script also includes some code for taking screen captures via shell commands. The latter is a domain name managed by the dynamic DNS service. The perl script, among other things, communicates with the following command and control (C&C) servers: 99.153.29.240 It took the form of a minified and obfuscated perl script. client file was where things got really interesting. plist file itself couldn’t have been much simpler, simply keeping the. The malware was extremely simplistic on the surface, consisting of only two files: ~/.client This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers. Java version "1.8.0_144" Java(TM) SE Runtime Environment (build 1.8.0_144-b01) Java HotSpot(TM) 64-Bit Server VM (build 25. The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. I'm working on Linux mint 18.2 and I have this configuration for java I have the same error with workstation.jnlp. Now when you run the installation again it will launch successfully."But it didn't work.


The /tmp partition can fill with files that will not allow the install to run. I searched this error on the web and I found this proposed solution: JRE libraries are missing or not compatible. Configuring the installer for this system's environment. Extracting the installation resources from the installer archive. Extracting the JRE from the installer archive. "./IntroscopeWorkstation10.5.1.8linux.bin Preparing to install. I'm trying to install Workstation and I get this message:













