
A recent discovery by Kandji’s research team has brought to light a sophisticated threat targeting macOS systems: a suite of applications dubbed “PasivRobber.” The initial discovery on VirusTotal of a suspicious Mach-O file named “wsus” led to the unearthing of over 20 related binaries designed to capture data from a variety of macOS applications.
Kandji’s analysis reveals that this multi-binary suite demonstrates a deep understanding of macOS and its target applications, including popular communication tools like WeChat and QQ.
What immediately raised red flags for researchers were the deceptive tactics employed by this software. The main binary, “goed,” appears to be a misspelled version of Apple’s legitimate “geod” daemon. Furthermore, the suite queries “com.apple.goed,” which is not a valid component of a clean macOS installation. This tactic aims to mislead users into believing the binary is a legitimate part of macOS.
The suite also hides its plugin dylibs by using the “.gz” file extension instead of “.dylib,” and it attempts to conceal the initial package from the installed software list. According to the analysis, “The suite attempts obfuscation through naming similarities and by hiding the initial package from the list of software when installed.”
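The two disguises described above (a daemon name that is a letter swap of Apple’s legitimate “geod,” and plugin dylibs carrying a “.gz” extension) both lend themselves to a simple defensive check. The following Python is an added example, not Kandji’s tooling or any PasivRobber code; it assumes a constructed sample tree in a temporary directory and uses a deliberately partial known-daemon list (`geod` only) as a placeholder.

```python
import os
import tempfile

# Mach-O magic numbers: thin 32/64-bit images in both byte orders, plus fat/universal headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
GZIP_MAGIC = b"\x1f\x8b"  # what a genuine .gz file starts with

def is_disguised_macho(path):
    """True if a file named *.gz actually begins with a Mach-O header instead of gzip data."""
    if not path.lower().endswith(".gz"):
        return False
    with open(path, "rb") as f:
        head = f.read(4)
    if head[:2] == GZIP_MAGIC:
        return False
    return head in MACHO_MAGICS

def is_transposition_of(candidate, legit):
    """True if candidate is legit with exactly one pair of adjacent letters swapped (goed vs geod)."""
    if len(candidate) != len(legit) or candidate == legit:
        return False
    diff = [i for i, (a, b) in enumerate(zip(candidate, legit)) if a != b]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and candidate[diff[0]] == legit[diff[1]] and candidate[diff[1]] == legit[diff[0]])

def suspicious_labels(labels, known=("geod",)):
    """Return com.apple.* labels whose last component is a one-swap lookalike of a known Apple daemon."""
    hits = []
    for label in labels:
        if label.startswith("com.apple."):
            name = label.rsplit(".", 1)[-1]
            if any(is_transposition_of(name, k) for k in known):
                hits.append(label)
    return hits

def scan_tree(root):
    """Walk a directory and return the .gz files that are really Mach-O images."""
    return sorted(os.path.join(d, n) for d, _, fs in os.walk(root) for n in fs
                  if is_disguised_macho(os.path.join(d, n)))

def demo():
    """Build a constructed sample tree (fake headers, not real malware) and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "plugin.gz"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)   # fake MH_CIGAM_64 header
    with open(os.path.join(root, "real.gz"), "wb") as f:
        f.write(GZIP_MAGIC + b"\x08" + b"\x00" * 13)    # genuine-looking gzip header
    return [os.path.basename(p) for p in scan_tree(root)]
```

On a real host the same two checks would be pointed at launchd labels from `launchctl list` and at the plugin directory the suite uses, with a fuller list of legitimate Apple daemon names.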
The complexity of PasivRobber is evident in its architecture. As the analysis points out, “The suite has multiple binaries that spawn other binaries and load dylibs up to five deep.” This intricate web of interconnected components makes it challenging to analyze and underscores the sophistication of the threat.
Here are some of the key components and their functionalities:
- goed: This binary is responsible for launching “wsus.”
- wsus: Suspected to handle remote actions.
- center: This binary behaves like an agent and handles many on-device actions.
- libIMKeyTool.dylib: This dylib is used to extract keys from QQ and WeChat.
The report notes that “libIMKeyTool.dylib” “is used later for capturing data from within Instant Messaging applications.”
Kandji’s investigation suggests a probable Chinese origin and target user base for PasivRobber. This conclusion is supported by several factors, including the software’s focus on collecting data from applications popular among Chinese users, such as WeChat and QQ.
The analysis also delves into potential connections to Meiya Pico, a company known for developing forensic tools and surveillance software. A United States Treasury press release has identified “Eight Chinese Tech Firms as Part of The Chinese Military-Industrial Complex,” including Meiya Pico, which “has developed a mobile application designed to track image and audio files, location data, and messages on ordinary citizens’ cellphones.”
While a definitive link to Meiya Pico remains unconfirmed, the evidence uncovered by Kandji points towards a highly sophisticated threat with significant data capturing capabilities.
The discovery of PasivRobber underscores the evolving threat landscape targeting macOS. The report’s findings highlight the importance of proactive security measures and continuous monitoring to detect and mitigate such sophisticated attacks. As the analysis concludes, “The threat capabilities we observed indicate a deep understanding of macOS,” emphasizing the need for vigilance in protecting macOS systems from advanced threats.