macOS Python Script Replacing Wallet Applications with Rogue Apps

MITRE Techniques

• [T1518.001] Software Discovery – The script searches for installed apps like Exodus and Bitcoin-Qt by listing directories in /Applications and /System/Applications. “def get_installed_apps(): processor_series = is_mac_intel() application_paths = [‘/Applications’, ‘/System/Applications’] app_names = [] for applications_path in application_paths: try: app_dirs = os.listdir(applications_path) except FileNotFoundError: # If the directory is not found, skip to the next continue for app in app_dirs: if app.endswith(‘.app’): app_name = app[:-4]”
• [T1105] Ingress Tool Transfer – The malware downloads payloads (fake Exodus app, Electron framework, Apple Script (.scpt), and icon (.icns)). “The script downloads a fake Exodus app, an instance of the Electron framework, an Apple Script file (a .scpt file), and an icon (a .icns file).”
• [T1059.006] Command and Scripting Interpreter – Python – The C2 server may reply with Python commands to be executed on the victim’s computer. “The C2 server might reply with some Python commands to be executed on the victim’s computer:”
• [T1059.005] Command and Scripting Interpreter – AppleScript – The script uses osacompile to compile Apple Scripts. “osacompile’, to compile Apple Scripts (note that this tool requires Xcode to be installed!)”
• [T1036] Masquerading – Exodus is replaced with an Apple Script and a downloaded icon to mimic the legitimate Exodus app. “The official app is replaced by an Apple Script. That’s why an icon file has been downloaded, it will replace the default icon and mimick a valid Exodus.”
• [T1082] System Information Discovery – The malware collects OS and user-related data before exfiltration. “s = json.dumps({ “os”: platform.platform() or “empty”, “cm”: get_subfolders(“/USERS/”) or “empty”, “av”: “”, “apps”: get_installed_apps() or “empty”, “ip”: meta_ip, “ver”: “” }, indent=None).encode(‘utf8’)”