A new variant of adware was just discovered yesterday. It's going viral on Twitter and other media, since they use a valid Apple developer certificate to sign all packed samples. The sample was first noticed by Gavriel State on Aug 7, then Thomas A Reed – the Mac malware boss hunter from Malwarebytes – confirmed it relates to OperatorMac on the next day. I think you all know the famous Mac free security tools' author, Patrick Wardle, who wrote an amazing report on it on Aug 9. I'm quite overbusy these days, but it got my interest when I saw the name stated in that certificate: "Quoc Thinh", quite a unique Vietnamese name. So why not take a break from the desperate thesis, toss the adware into my lame automated MacOS analysis framework and see what our 'countryman' is doing?

So I'm not going too deep into reverse engineering / static analysis; just throw it into my Grey-cuckoo framework and grab the results. In case somebody doesn't know, it's my thesis project and soon to be released right after my judgment day – the defense (hopefully). From Patrick's report we understand it's an adware which installs lots of crabs. By default, the Cuckoo sandbox timeout is 120 sec. Let's extend it a bit; 300 sec (5 min) would be enough.

First result we got: the Apple developer ID "Quoc Thinh", and he got his certificate revoked by Apple today, by the way:

Mughthesec-Player(dmg).dmg: CSSMERR_TP_CERT_REVOKED

From the captured screenshots, we can see what this adware apparently executes: install Adobe Flash and offer you a bunch of PUA (potentially unwanted applications) – Booking, Advanced Mac Cleaner, the SafeFinder Safari extension, and AdBlock (in some related samples that will be discussed later). Behavioral analysis shows the packed DMG sample invoked a 'mac' binary, thereafter 'Mughthesec' with a persistence 'I' binary. The screenshots below already include other analysis variants of this campaign.

Moving on to the network DNS feature, we see a lot of queries and some domains look "suspicious". Their DNS servers mostly point to Akamai, so I suggest we rather use the domain as IOC than the IP address, which could differ by viewer location.

Filtering the system call logs with some rules of mine, no evasion technique was found. It's quite surprising, because the VirusTotal behavioral analysis shows a shorter execution trace than mine, which usually means its environment was detected at some point and the malware stopped running. In Patrick's report he said there might be MAC address verification to detect a VM (a VM MAC usually starts with '00:xx'). Fortunately, my VM framework's MAC address was modified long ago, since my colleague Yorick Koster at Securify used the same trick to abuse my lame framework (thanks Yorick). I should add a new rule – "MAC address check" – later.

Additionally, instead of execve(), the MacOS sandbox policy usually invokes processes using XPCProxy or launchd services. So we got several processes created with posix_spawn(): delete the Safari, iBooks and Mail caches (likely Advanced Mac Cleaner doing its job), install the mentioned PUAs, and we got some new IOCs.

Other great things from the Cuckoo sandbox are Network analysis and Dropped files. However, the previous report detailed them well enough, hence only some screenshots from these features will be shown. Some dropped binaries like AMCleaner (93dd0c34a4ec25a508cd6d5fb86d8ccc0c318238d9fee0c93342a20759bf9b7e) are already marked as malicious on VirusTotal (VT) 7/56, which could be an indication for vigilant users. Also with some fancy nonsense statistic screenshots, intended to scare the analyst (:p).

At this moment, we have got all the indicators to make a behavioral detection rule and go hunting for other similar adware samples.
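As an added example (not code from this post or its Grey-cuckoo framework), here is a small Python behavioural rule that combines the indicators the analysis collected: posix_spawn() children that wipe the Safari/iBooks/Mail caches or install the named PUAs, the dropped AMCleaner hash, and network IOCs matched on the queried domain rather than the resolved IP. The record layout, the cache paths, the command lines and the IOC domain are constructed assumptions; the hash and PUA names are the ones from the post.

```python
import re

# Constructed Cuckoo-style behaviour records for the DMG sample (illustrative,
# not the framework's real output format): process spawns, DNS queries and
# dropped files, mirroring what the post walks through.
SAMPLE_TRACE = [
    {"type": "process", "api": "posix_spawn", "parent": "Mughthesec",
     "cmdline": "/bin/rm -rf /Users/analyst/Library/Caches/com.apple.Safari"},
    {"type": "process", "api": "posix_spawn", "parent": "Mughthesec",
     "cmdline": "/usr/sbin/installer -pkg /tmp/AdvancedMacCleaner.pkg -target /"},
    {"type": "process", "api": "posix_spawn", "parent": "launchd",
     "cmdline": "/usr/libexec/xpcproxy com.apple.Safari.SafeBrowsing"},  # benign noise
    {"type": "dns", "query": "updates.adware-placeholder.invalid"},
    {"type": "dns", "query": "ocsp.apple.com"},
    {"type": "dropped", "name": "AMCleaner",
     "sha256": "93dd0c34a4ec25a508cd6d5fb86d8ccc0c318238d9fee0c93342a20759bf9b7e"},
]

# Rule inputs. Cache paths are an assumption about where those apps keep caches;
# PUA names come from the post; the domain is a constructed placeholder because
# the post names none; the hash is the dropped AMCleaner binary from the post.
CACHE_RE = re.compile(r"Library/Caches/com\.apple\.(Safari|iBooks|mail)", re.I)
PUA_RE = re.compile(r"advanced ?mac ?cleaner|amcleaner|safefinder|booking|adblock", re.I)
IOC_DOMAINS = {"updates.adware-placeholder.invalid"}
IOC_SHA256 = {"93dd0c34a4ec25a508cd6d5fb86d8ccc0c318238d9fee0c93342a20759bf9b7e"}

def evaluate(trace):
    """Return {rule_name: [matching records]} for every rule that fired."""
    hits = {"cache_wipe": [], "pua_install": [], "ioc_domain": [], "ioc_hash": []}
    for rec in trace:
        if rec["type"] == "process" and rec["api"] == "posix_spawn":
            if CACHE_RE.search(rec["cmdline"]):
                hits["cache_wipe"].append(rec)
            if PUA_RE.search(rec["cmdline"]):
                hits["pua_install"].append(rec)
        elif rec["type"] == "dns":
            # Match the queried name, not the resolved address: the hosts sit
            # behind Akamai, so the IP differs by viewer location.
            if rec["query"].lower().rstrip(".") in IOC_DOMAINS:
                hits["ioc_domain"].append(rec)
        elif rec["type"] == "dropped" and rec["sha256"].lower() in IOC_SHA256:
            hits["ioc_hash"].append(rec)
    return {name: recs for name, recs in hits.items() if recs}

def verdict(trace, min_rules=2):
    """Flag the sample only when several distinct rules fire, so one cache
    clean or a single stray lookup does not trip the detection on its own."""
    fired = evaluate(trace)
    return len(fired) >= min_rules, sorted(fired)

if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```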