Instead, the website contains a link, hxxp://from which users are able to download a macOS disk image file (DMG) called iTerm.dmg. However, the malicious file is not hosted on this website directly. The trojanized appĪs of September 15, is still active. This blog entry covers the malware’s details. This, in turn, downloads and runs other components, including the aforementioned g.py script and a Mach-O file called “GoogleUpdate” that contains a Cobalt Strike beacon payload. Objective-see previously published a blog entry about this malware, which analyzed how the threat actor repacks the iTerm2 app to load the malicious libcrypto.2.dylib.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |