Whether we dwell on the past and speak about the Apple MAC Trojan FlashBack, or we look into the dark, gloomy future of MAC malware, either way the malware authors are putting in effort to increase their ROI by adding MACs to their arsenal of infected systems.
Most recently, we have trapped a huge number of phishing emails that mislead the victim and in turn infect their system with a malicious payload.
The tactic is to scare the victim by telling them that their password has been changed, and that they may very well change it back.
The links provided in the email are a dead giveaway of its malicious intent; however, clicking any of the links opens up the floodgates.
A few applications, such as Java, are common to MS Windows, Linux and Mac systems; hence this campaign, too, relies on Java applet based infection.
Our Advice:
1: Do not click.
2: View the link, verify it for yourself, and only then take your next step.
Our analysis, as usual, is based on the Statistical URL Analyzer.
Checking : https://fmgdistributors.zymichost.com/Da2XVMXb/index.html
Downloading Script : dominicana.zzl.org/NwWuqSWj/js.js
Downloading Script : ftp.directorymarket.com/uC855fxe/js.js
Downloading Script : liznogud.zxq.net/jhzk09T6/js.js
Downloading Site : 209.59.219.55/km71x7kjgdtce.php?m=e91yraxqnckr53if
Sc1=1 JsDL=1 ScR=1 Malware Section Start ML1=2 ApInv= 1 Malware Section End
Results=5 Analysis Time=0.116241609406985 10.0348619519336

Checking : https://fmgdistributors.zymichost.com/NGUMLQUM/index.html
Downloading Script : dominicana.zzl.org/NwWuqSWj/js.js
Downloading Script : ftp.directorymarket.com/uC855fxe/js.js
Downloading Script : liznogud.zxq.net/jhzk09T6/js.js
Downloading Site : 209.59.219.55/km71x7kjgdtce.php?m=e91yraxqnckr53if
Sc1=1 JsDL=1 ScR=1 Malware Section Start ML1=2 ApInv= 1 Malware Section End
Results=5 Analysis Time=0.123026772537569 10.1604697292001

Checking : https://airyourjunk.com/MjQF36yi/index.html
Server Header REDIRECTING to : https://www.airyourjunk.com/MjQF36yi/index.html
12-scripts-12 AcD2=1 #Exp Malware Section Start Malware Section End
Results=1 Analysis Time=0.0596871379945094 2.74617057659044
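As an added example (our own code written for this post, not the Statistical URL Analyzer's), the following Python parses the three analyzer records quoted above into structured fields and derives a verdict from the "Malware Section": the first two records carry flags there, the third carries none. The records are copied from the output above and the parser treats newlines as ordinary whitespace, so it does not matter whether a record spans one line or several. Field names such as ML1 and ApInv are taken as they appear in the output; the page does not document what the analyzer means by them, so the verdict only tests whether that section is empty.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# The three records quoted in the post, copied verbatim from the analyzer output.
RECORDS = [
    "Checking : https://fmgdistributors.zymichost.com/Da2XVMXb/index.html "
    "Downloading Script : dominicana.zzl.org/NwWuqSWj/js.js "
    "Downloading Script : ftp.directorymarket.com/uC855fxe/js.js "
    "Downloading Script : liznogud.zxq.net/jhzk09T6/js.js "
    "Downloading Site : 209.59.219.55/km71x7kjgdtce.php?m=e91yraxqnckr53if "
    "Sc1=1 JsDL=1 ScR=1 Malware Section Start ML1=2 ApInv= 1 Malware Section End "
    "Results=5 Analysis Time=0.116241609406985 10.0348619519336",
    "Checking : https://fmgdistributors.zymichost.com/NGUMLQUM/index.html "
    "Downloading Script : dominicana.zzl.org/NwWuqSWj/js.js "
    "Downloading Script : ftp.directorymarket.com/uC855fxe/js.js "
    "Downloading Script : liznogud.zxq.net/jhzk09T6/js.js "
    "Downloading Site : 209.59.219.55/km71x7kjgdtce.php?m=e91yraxqnckr53if "
    "Sc1=1 JsDL=1 ScR=1 Malware Section Start ML1=2 ApInv= 1 Malware Section End "
    "Results=5 Analysis Time=0.123026772537569 10.1604697292001",
    "Checking : https://airyourjunk.com/MjQF36yi/index.html "
    "Server Header REDIRECTING to : https://www.airyourjunk.com/MjQF36yi/index.html "
    "12-scripts-12 AcD2=1 #Exp Malware Section Start Malware Section End "
    "Results=1 Analysis Time=0.0596871379945094 2.74617057659044",
]

# "Name=1" or "Name= 1" (the analyzer prints "ApInv= 1" with a space).
KV = re.compile(r"([A-Za-z0-9]+)=\s*(\d+)")


@dataclass
class Record:
    checked: str                 # URL the analyzer was asked to check
    redirect: Optional[str]      # target of a server-side redirect, if any
    scripts: list[str]           # "Downloading Script : ..." entries
    sites: list[str]             # "Downloading Site : ..." entries
    flags: dict[str, int]        # flags printed before the malware section
    malware_flags: dict[str, int]  # flags printed inside the malware section
    results: int                 # the "Results=" counter


def host_of(url: str) -> str:
    """Host part of a URL; the analyzer omits the scheme on downloaded resources."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc


def parse_record(text: str) -> Record:
    checked = re.search(r"Checking : (\S+)", text).group(1)
    m = re.search(r"REDIRECTING to : (\S+)", text)
    section = re.search(r"Malware Section Start(.*?)Malware Section End", text, re.S)
    # Everything before the malware section holds the per-stage flags; URLs in
    # that part never contain "Name=<digits>", so KV does not pick them up.
    head = text.split("Malware Section Start", 1)[0]
    return Record(
        checked=checked,
        redirect=m.group(1) if m else None,
        scripts=re.findall(r"Downloading Script : (\S+)", text),
        sites=re.findall(r"Downloading Site : (\S+)", text),
        flags={k: int(v) for k, v in KV.findall(head)},
        malware_flags={k: int(v) for k, v in KV.findall(section.group(1))} if section else {},
        results=int(re.search(r"Results=(\d+)", text).group(1)),
    )


def verdict(rec: Record) -> str:
    # Only the presence of malware-section flags is used; their meaning is not
    # documented in the post, so no weighting is attempted here.
    return "malicious" if rec.malware_flags else "no malware indicators"


def summarize(text: str) -> dict:
    """Structured summary of one record, including every third-party host contacted."""
    rec = parse_record(text)
    return {
        "checked_host": host_of(rec.checked),
        "redirect": rec.redirect,
        "third_party_hosts": sorted({host_of(u) for u in rec.scripts + rec.sites}),
        "flags": rec.flags,
        "malware_flags": rec.malware_flags,
        "results": rec.results,
        "verdict": verdict(rec),
    }


if __name__ == "__main__":
    for text in RECORDS:
        s = summarize(text)
        print(f"{s['checked_host']}: {s['verdict']} "
              f"(results={s['results']}, hosts={s['third_party_hosts']})")
```

The third-party host list is the useful output for a defender: the first two records show the landing page pulling scripts from three unrelated hosts and then a bare-IP PHP endpoint, which is the chain worth blocking and hunting for in proxy logs even before the applet itself is examined.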
From this analysis, one may observe that the third link doesn't serve any malware; even we were surprised by this, so we analyzed the content ourselves and didn't find anything suspicious. Our assumption: those who hacked into this server to modify the code and serve the malware did a pathetic job, i.e. they erred. Well, after all, they are human.
However, any researcher who is interested in reversing it (deobfuscating the JavaScript and decompiling the Tre.jar found in the applet) is most welcome. You can find the entire source over here on Paste-Bin.