peoplebad.blogg.se

Lightroom cc tnt
While running a copy of Adobe Zii.app, we observed that it downloads sample.app from hxxp://46[.]226[.]108[.]171:80/sample.zip and saves it to the user's home directory (~/). The contents are then extracted and executed on the system. The bundle also carries the original Adobe Zii.app, which is used to camouflage the malicious background activity.

We also found that the malware connects to hxxps:///jj9a, which hosts an encrypted Python script that checks whether Little Snitch, a host-based application firewall for macOS, is running. If it is not, the script connects to hxxp://46[.]226[.]108[.]171:4444/login/process.php, which hosts an encrypted EmPyre backend capable of pushing arbitrary commands to the infected macOS system. Once the backdoor runs, it receives a command to download Bash scripts from hxxp://46[.]226[.]108[.]171:4444/uploadminer.sh.
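The infection chain above leaves a small, fixed set of indicators: one C2 host, three URL paths, and a dropped bundle in the home directory. As an added example (not code from the original analysis), the following Python script sweeps an egress/proxy log and the home directory for those indicators. The log line format, the helper names, the dotted form of the IP address and the sample log lines are assumptions constructed for this illustration.

```python
# Added example: IoC sweep for the fake Adobe Zii dropper described above.
# Not code from the original analysis; the log format and helper names are assumed.
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators taken from the report: one C2 host, three URL paths, the dropped bundle.
C2_HOST = "46.226.108.171"
C2_PATHS = {
    "/sample.zip": "stage-1 download (sample.app dropper, port 80)",
    "/login/process.php": "EmPyre backend check-in (port 4444)",
    "/uploadminer.sh": "bash script fetch ordered by the backdoor (port 4444)",
}
DROPPED_NAMES = ("sample.app", "sample.zip")

# Assumed proxy log format: "<timestamp> <client-ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return a description if the URL points at the known C2 host, else None."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    # A known path gets its stage label; any other path to that host is still a hit.
    return C2_PATHS.get(parts.path, "other traffic to known C2 host")


def scan_proxy_log(lines):
    """Return (timestamp, client, url, description) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        desc = classify_url(m.group("url"))
        if desc:
            hits.append((m.group("ts"), m.group("client"), m.group("url"), desc))
    return hits


def find_dropped_files(home=None):
    """Report sample.app / sample.zip if present in the given (default: current) home dir."""
    home = Path(home) if home else Path.home()
    return [str(home / name) for name in DROPPED_NAMES if (home / name).exists()]


# Constructed sample log: two benign requests plus the three-stage infection sequence.
SAMPLE_LOG = """\
2019-02-12T10:01:03Z 10.0.0.12 GET https://www.adobe.com/
2019-02-12T10:01:09Z 10.0.0.12 GET http://46.226.108.171/sample.zip
2019-02-12T10:01:20Z 10.0.0.12 POST http://46.226.108.171:4444/login/process.php
2019-02-12T10:01:25Z 10.0.0.12 GET http://46.226.108.171:4444/uploadminer.sh
2019-02-12T10:02:00Z 10.0.0.40 GET https://example.org/index.html
"""

if __name__ == "__main__":
    for ts, client, url, desc in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} -> {url}  [{desc}]")
    for path in find_dropped_files():
        print(f"dropped file present: {path}")
```

Matching on the host rather than only on the three known paths is deliberate: the EmPyre backend can push arbitrary commands, so any further request to that address is worth flagging even if its path is not in the list.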