L0Psec

3K posts

@L0Psec

reverse engineer | arm64 :) | macOS/iOS | YouTube: https://t.co/VdHNCl0Qfl

NC · Joined October 2017
1.8K Following · 3.6K Followers

Pinned Tweet
L0Psec (@L0Psec):
My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_Blo… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.
L0Psec (@L0Psec):
Both Alex Lopez (VLV25ZF66P) signed:
0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - has Telegram function
c02c1f13c76f598634d32de19166db6f3f89b14eabd884bdde52bdcf3cf3d163 - more detections, no Telegram functionality.
L0Psec (@L0Psec):
Interestingly, it checks if the macOS version is > 24.6 with the macOSProductVersionGreaterThan_26_4() function. If greater, then the Telegram function is called. Also, the use of "best effort" in the function deleteSelfExecutableBestEffort() is hilarious.
L0Psec (@L0Psec):
More DPRK (Mach-O man) Alex Lopez-signed samples shared by @malwrhunterteam: 0517ca4649e33faefa3a6bfcd2707a8376a981be4b42b9d19146ebb93e7f8a35 - winapp. 6 VT hits, very similar to the last one covered, but there are a couple of updates I'll add here. 🧵
L0Psec (@L0Psec):
Another cool share by @malwrhunterteam: 5d67f810bea19b9c3489e0981559af4340be39f188460938c7b11fea854ed06e. Currently has 7 VT hits; potentially DPRK (based on detections)? The most interesting thing is that it is signed: Alex Lopez (VLV25ZF66P).
L0Psec (@L0Psec):
postInfo() does what is expected. curl is used for the POST request, set up and passed to system().
L0Psec (@L0Psec):
get_browser_extentions(), called from buildPostBody(), has readable strings related to the most common browser paths. Mixing camelCase and snake_case....
L0Psec (@L0Psec):
The sys_info() func passes command strings via arg1 to runOne(), which calls popen(). Can see the related commands via references.
L0Psec (@L0Psec):
Quick summary. This looks familiar. C2 is passed via a launch arg; can see that with the normalizeBaseUrl() func. Most functions are called from buildPostBody(), which does the info gathering.
Thijs Xhaflaire (@txhaflaire):
@L0Psec Thanks for sharing @patrickwardle and uploading it onto the Objective-See malware repo. It has also made its way onto other platforms: fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142
L0Psec (@L0Psec):
Anyone have the hash of the Python backdoor ~/.local/share/kitty/cat.py related to the Nx Console VSCode ext? 🐱 Sets persistence via LaunchAgent: com.user.kitty-monitor.plist. The plist looks like it was uploaded to VT: 9ba33f7b640f1fbe9304c969978278a73664b9b9989689f352e5f973ae31cbf5
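The LaunchAgent persistence described in the post above, turned into a small detector. This is an added example, not code from the thread or from the malware: it parses LaunchAgent plists and scores ones that keep an interpreter running a script out of a hidden directory in the user's home (the ~/.local/share pattern named in the tweet). The two plists embedded below are constructed for illustration and are not the real com.user.kitty-monitor.plist; the function names, interpreter list and scoring threshold are assumptions.

```python
# Added example, not code from the thread: a small detector for the persistence
# pattern described above, a LaunchAgent plist that keeps an interpreter running a
# script out of a hidden directory in the user's home (here ~/.local/share). The
# two plists below are constructed for illustration and are not the real
# com.user.kitty-monitor.plist; function names and thresholds are assumptions.
from __future__ import annotations

import plistlib
import re
from pathlib import Path

# Interpreters that are legitimate on their own but make the script path the
# thing to look at. Assumed list.
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "node", "perl", "ruby"}

# /Users/<name>/.<hidden>/... or ~/.<hidden>/... (e.g. ~/.local/share/kitty/cat.py)
HIDDEN_HOME_DIR = re.compile(r"(?:/Users/[^/\s]+|~)/\.[^/\s]+/")

# Constructed sample modelled on the plist named in the tweet (not the real file).
SAMPLE_KITTY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.user.kitty-monitor</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/someuser/.local/share/kitty/cat.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign comparison: a vendor updater living in /Applications.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def assess_launch_agent(data: bytes) -> dict:
    """Score one LaunchAgent plist; returns label, command line, reasons and score."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    if not args and "Program" in plist:
        args = [plist["Program"]]
    reasons: list[str] = []
    score = 0

    hidden_refs = [a for a in args if HIDDEN_HOME_DIR.search(a)]
    if hidden_refs:
        score += 2
        reasons.append(f"runs from a hidden home directory: {hidden_refs[0]}")
    if args and Path(args[0]).name in INTERPRETERS and len(args) > 1:
        score += 1
        reasons.append(f"interpreter wrapper: {args[0]}")
    label = plist.get("Label", "")
    if label.startswith("com.user."):
        score += 1
        reasons.append("generic 'com.user.' label")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        score += 1
        reasons.append("starts at login and is kept alive or re-run on a timer")

    return {
        "label": label,
        "command": " ".join(args),
        "reasons": reasons,
        "score": score,
        "suspicious": score >= 2,  # assumed threshold: a hidden-dir script alone is enough
    }


def scan_launch_agents(directory: Path | None = None) -> list[dict]:
    """Assess every plist in a LaunchAgents directory (default: the current user's)."""
    directory = directory or Path.home() / "Library" / "LaunchAgents"
    results = []
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            result = assess_launch_agent(plist_path.read_bytes())
        except Exception as exc:  # an unparseable plist is itself worth a look
            result = {"label": plist_path.stem, "command": "", "score": 1,
                      "reasons": [f"unparseable: {exc}"], "suspicious": False}
        result["path"] = str(plist_path)
        results.append(result)
    return results


if __name__ == "__main__":
    for hit in scan_launch_agents():
        if hit["suspicious"]:
            print(hit["path"], hit["reasons"])
```

Run it on a Mac to walk ~/Library/LaunchAgents; the same checks apply to /Library/LaunchAgents and /Library/LaunchDaemons with a different directory argument. The hidden-directory pattern carries the most weight because a vendor agent normally points at an app bundle or /usr/local, not at a script the user's own account can rewrite.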
L0Psec (@L0Psec):
@txhaflaire 🤣 Had a feeling I was not the only one looking.
Thijs Xhaflaire (@txhaflaire):
@L0Psec Been looking for this as well! We could ask the user "heyang", hah!
L0Psec (@L0Psec):
@SquiblydooBlog Great question, by the way. Still possible to exec by clearing the quarantine flag (which a lot of samples do with xattr anyway). But this is different from ad hoc in that Gatekeeper expects a file to be notarized when it is signed with a Dev ID.
L0Psec (@L0Psec):
@SquiblydooBlog Signing and notarization are two separate things. So these are an example of the dev using their cert to sign the app BUT not submitting it to Apple to be notarized (which does get scanned and is for distributing outside the App Store). So with a quarantine flag you'll see this.
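The signed-versus-notarized distinction drawn in the two replies above, as an added example that is not part of the thread: a Python triage script that runs the three checks Gatekeeper's decision depends on (quarantine xattr, codesign identity, spctl assessment) and classifies the result. The live commands only work on macOS; the parsing functions are pure, and the codesign/spctl output they are exercised with is constructed to match the formats those tools print. Function and class names are assumptions.

```python
# Added example, not code from the thread: separate "signed with a Developer ID
# certificate" from "notarized", the distinction Gatekeeper enforces on a file
# that still carries the com.apple.quarantine attribute. The live checks
# (xattr, codesign, spctl) only work on macOS; the parsers are pure, and all
# function names here are assumptions.
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigningStatus:
    quarantined: bool           # com.apple.quarantine xattr present
    authority: Optional[str]    # leaf cert, e.g. "Developer ID Application: Name (TEAMID)"
    team_id: Optional[str]      # TeamIdentifier from codesign; None if ad hoc or unsigned
    assessment: str             # coarse verdict derived from spctl


def classify_spctl(output: str) -> str:
    """Map the text printed by `spctl -a -vv -t exec <path>` to a coarse verdict.

    spctl prints "<path>: accepted" or "<path>: rejected" followed by
    "source=..." lines. A file signed with a Developer ID certificate but never
    submitted for notarization is rejected with "source=Unnotarized Developer ID",
    which is the case discussed in the thread.
    """
    if "source=Notarized Developer ID" in output:
        return "notarized"
    if "source=Unnotarized Developer ID" in output:
        return "signed-not-notarized"
    if "source=no usable signature" in output:
        return "no-usable-signature"
    if re.search(r": accepted$", output, re.MULTILINE):
        return "accepted-other"  # e.g. App Store or an explicitly allowed rule
    return "rejected-other"


def parse_codesign(output: str) -> tuple[Optional[str], Optional[str]]:
    """Extract the leaf Authority and TeamIdentifier from `codesign -dv --verbose=4`.

    codesign lists Authority= lines leaf-first; an ad hoc signature has no
    Authority line and reports "TeamIdentifier=not set".
    """
    authority = None
    team_id = None
    for line in output.splitlines():
        if line.startswith("Authority=") and authority is None:
            authority = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            team_id = line.split("=", 1)[1]
    if team_id == "not set":
        team_id = None
    return authority, team_id


def _run(cmd: list[str]) -> str:
    # codesign and spctl write their details to stderr, so capture both streams.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def triage(path: str) -> SigningStatus:
    """Run the three checks Gatekeeper's decision depends on (macOS only)."""
    quarantined = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path], capture_output=True
    ).returncode == 0
    authority, team_id = parse_codesign(_run(["codesign", "-dv", "--verbose=4", path]))
    assessment = classify_spctl(_run(["spctl", "-a", "-vv", "-t", "exec", path]))
    return SigningStatus(quarantined, authority, team_id, assessment)


if __name__ == "__main__":
    import sys

    status = triage(sys.argv[1])
    print(status)
    if status.assessment == "signed-not-notarized" and status.quarantined:
        print("Developer ID signed but not notarized: Gatekeeper blocks this until "
              "the quarantine flag is removed (xattr -d com.apple.quarantine).")
```

The useful combination for a sample like the ones in the thread is authority set to a Developer ID leaf, a real TeamIdentifier, and assessment "signed-not-notarized": the certificate is genuine, so the Team ID is worth pivoting on, but Apple's notarization scan never saw the file.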
L0Psec (@L0Psec):
Here are two potentially interesting ones shared by @malwrhunterteam. They have many AdaptixC2 detections BUT were signed: com.shizhuang.itrustd. Several other files have this signature. 🧵
L0Psec (@L0Psec):
afe15045abdbd4a64f7d865e39d4ee0d3e9deb4d68261652a3aeb74529fc7f08
43fdeb2d20581ec089e01ab48ba6acc7266389c65cc22ea921abdc895f6f4725
L0Psec (@L0Psec):
They both talk to 43.133.164\.200, which currently has 2 VT hits. And there are other files with detections that are communicating with it as well, including PE files.