Threat Research

Advanced macOS Spyware PasivRobber

Kandji.io
Advanced macOS Spyware PasivRobber
EXTRACT IOC
A suspicious Mach-O file named *wsus* was discovered on VirusTotal, leading researchers to uncover a suite of more than 20 binaries designed to capture data from macOS systems, specifically targeting popular applications among Chinese users. The investigation suggested ties to a Chinese organization involved in surveillance and forensic tools, prompting concerns about the software’s legitimacy and cybersecurity risks. Affected: macOS systems, WeChat, QQ, Chinese user base

Keypoints :

  • Discovery of suspicious Mach-O file named *wsus* on VirusTotal.
  • Over 20 related binaries identified, designed for data capture from macOS systems.
  • Target applications include popular Chinese messaging apps such as WeChat and QQ.
  • Initial analysis suggested possible Chinese origin of the package.
  • Deceptive tactics employed, including misspelled binaries and non-existent queries.
  • Investigation revealed connections to *Meiya Pico*, known for developing surveillance software and linked to Chinese military interests.
  • Software installation employs aggressive methods to establish persistence on macOS.
  • Functionality includes remote updates, data capture, and key logging for communication applications.
  • Multiple methods used for injecting code into target applications like QQ and WeChat.
  • Threat characterized as sophisticated with advanced capabilities for espionage.

MITRE Techniques :

  • TA0003: Credential Access – *CRemoteMsgManager::CRemoteMsgManagerImp::ReadImPasswordInformations()* captures passwords from Instant Messaging applications.
  • TA0005: Defense Evasion – *pkgutil –forget* command is used to remove installation traces.
  • TA0007: Discovery – *Online::CQuickAnalyze::GetOperateSystemInformation()* retrieves system information through various commands.
  • TA0008: Lateral Movement – Injecting into target messaging applications to gain unauthorized access to data.
  • TA0009: Exfiltration – Data capture from applications is uploaded via FTP, as seen in *CRemoteMsgManager::CRemoteMsgManagerImp::DownUpdatePackage()*.

Indicator of Compromise :

  • [SHA256] 0fd32b8f304531e121e19a50f64586a446bf74818caa645bad8d6b71673a350a
  • [SHA256] d82e7ae41f2ed92136343e1ee8cef780704447af476b59e2e3bdd8d1b84dbb23
  • [SHA256] 203e82eb0085701598f21ef2478fad149e8e68335ce8602b118b23638be951e3
  • [IP Address] 116.198.18.202
  • [Signing Signature] weihu chen (QPV7YX8YQ9) – Revoked Apple Team ID Signature

Full Story: https://www.kandji.io/blog/pasivrobber

Views: 37

Tags: MONITOR, CLOUD, PERSISTENCE, APPLE, SPYWARE, MOBILE, TOOL, DEFENSE EVASION