A Mac Trojan focused on stealing users' information was found masquerading as a legitimate trading application, Trend Micro's security researchers report.

Detected by Trend Micro products as, the software poses as the Mac-based trading app Stockfolio, but contains shell scripts that allow it to perform malicious activities.

To date, two malware samples were discovered, revealing an evolution of the threat.

The first sample is a ZIP archive file containing an app bundle (Stockfoli.app) and a hidden encrypted file (.app).

A copy of the legitimate Stockfolio version 1.4.13 signed with the malware developer's digital certificate is included in the archive.

When executed, the threat displays a trading app interface on the screen, but it also executes bundled shell scripts in the Resources directory, the researchers discovered.

The first of the scripts is in charge of collecting a broad range of information on the infected system, including username, IP address, apps in /Applications, files in ~/Documents, files in ~/Desktop, OS installation date, file system disk space usage, graphics/display information, wireless network information, and screenshots.

The collected data is encoded and saved in a hidden file, then sent to the attackers' server.

If a response is received from the server, it would be written to another hidden file.

The second script executed by the malware is in charge of copying additional files, as well as decoding and deleting some others. It also checks for the hidden file containing the server response and uses its content to decrypt a file that Trend Micro suspects contains additional malicious routines.

Also using a copy of Stockfolio version 1.4.13 to hide its malicious intent, the second sample contains a much simpler routine.