
The binary itself appears to be a remote-access trojan and data exfiltration malware for MacOS. It provides a reverse-shell via http://83.219.248.194 and exfiltrates files with the following extensions: txt rtf doc docx xls xlsx key wallet jpg dat pdf pem asc ppk rdp sql ovpn kdbx conf json. It looks quite similar to AMOS - Atomic MacOS Stealer.

It also seems to exfiltrate browser session data + cookies, the MacOS keychain database, and all your notes in MacOS Notes.

It's moderately obfuscated, mostly using XOR cipher to obscure data both inside the binary (like that IP address for the C2 server) and also data sent to/from the C2 server.
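An analyst-side script, added here and not part of the thread or the sample, showing how a single-byte XOR layer of the kind described above is recovered during triage: every key is tried and any decoded buffer containing an IPv4 literal is reported, which is how an obfuscated C2 address turns into an indicator you can block and hunt for. The blob and key below are constructed (a TEST-NET address, not the address from the thread).

```python
import re
from typing import List, Tuple

# Dotted-quad IPv4 literal, optionally inside an http(s):// URL.
# Octet range is validated in Python below rather than in the regex.
IPV4_RE = re.compile(rb"(?:https?://)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def find_xor_ipv4(blob: bytes) -> List[Tuple[int, int, str]]:
    """Brute-force all 256 single-byte XOR keys over blob and report every
    decoded buffer that contains a plausible IPv4 literal (octets <= 255).
    Returns (key, offset, decoded_text) tuples; key 0 means plaintext."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in IPV4_RE.finditer(decoded):
            if all(int(octet) <= 255 for octet in m.groups()):
                hits.append((key, m.start(), m.group(0).decode("ascii")))
    return hits


# Constructed sample: a fake C2 URL (TEST-NET range, assumption for the demo)
# stored XOR-obfuscated with key 0x5A between a few filler bytes, the way a
# stealer might keep its C2 address out of a plain `strings` run.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = (
    b"\x00\x01\x02"
    + xor_bytes(b"http://198.51.100.7/gate", SAMPLE_KEY)
    + b"\xff\xfe"
)


if __name__ == "__main__":
    # A plain `strings` run finds nothing; the brute force recovers the URL.
    assert not IPV4_RE.search(SAMPLE_BLOB)
    for key, offset, text in find_xor_ipv4(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset={offset} -> {text}")
```

The same loop applied to captured C2 traffic recovers the request bodies, since the comment notes the wire data is obscured the same way.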



I can’t even exfiltrate my MacOS Notes on purpose. Maybe I’ll download it and give it a spin.


God! That cracked me up. :D


I've had great success exporting using the Shortcuts app pretty recently. Do a web search for the relevant terms and you'll find examples.


It now supports Markdown export in the latest macOS.


Nowadays, restricting outgoing connections initiated by unknown binaries should be a must, especially if it's launched from /tmp.

Lulu or Little Snitch should have warned the user and stopped the exfiltration of data.



