![]() Because of this, we focused our attention on the readable strings and codes not found on the official version. ![]() Since the binary is around 10 MB, finding the malware routine is challenging. We compared the malware binary with the official binary with the same version downloaded from this link. I2P can also be seen as an alternative to Tor. Anonymous connections are achieved by encrypting the user's traffic (by using end-to-end encryption) and sending it through a volunteer-run network of roughly 55,000 computers distributed around the world. I2P is an anonymous network layer (implemented as a mix network) that allows for censorship-resistant, peer-to-peer communication. This means that the Mach-O binary will not easily run on Mac systems and might be blocked by Gatekeeper, which is a built-in security feature for macOS that enforces code signing.Īs stated previously, i2pd is an open-source alternate implementation of I2P that is written in C++ (rather than Java). The main Mach-O sample was found to be ad hoc-signed, as seen in Figure 1. XMRig is a command-line app for mining Monero cryptocurrency and is typically used by other malware to perform cryptomining because of its availability and ease of use. ![]() It is a Mach-O file that was flagged by several vendors early since it contains XMRig-related strings that can be easily caught by sourcing tools such as Yara. Previously, other Mac malware samples ( Eleanor, DOK, Keranger) used Tor to hide their network activity, so this usage of i2pd is new. I2P is a universal anonymous network layer that allows for anonymous end-to-end encrypted communications - the participants do not reveal their real IP addresses. I2pd is a C++ implementation of the Invisible Internet Protocol or I2P client. The sample was also found using i2pd (aka I2P Daemon) to hide its network traffic. This sample uses several modified open-source components that the malicious actor modified for their purposes. In this post, we share the results of our analysis of a coinminer sample sourced in early January 2022. In this light, it would be in the best interest of developers to put in the work and continuously improve these miners. The malicious actor can have a coinminer masquerade itself as a legitimate app, trick susceptible users into running it on their systems, and just wait for the profits to roll in. Coinminers are one of the more profitable types of malware for malicious actors, and they require little maintenance once installed on a victim’s device.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |