Just like the technology they target, cyber threats have become ubiquitous and grow more aggressive with time. It is nothing new for cyber criminals to find different ways to attack your machine with malware. However, a recent incident was caught in which a malware posing as Adobe Zii (a tool used to crack Adobe products) was found stealing credit card information and mining Monero cryptocurrency on macOS systems. This is certainly one of the more unusual ways to attack a machine.
Technical Analysis:
Upon scrutinizing its process, it was found that the malware arrives on the target machine as an ‘Adobe Zii.app’ file, which upon execution uses Automator.app to run the Bash script contained in Adobe Zii.app/Contents/document.wflow.
When the copy of Adobe Zii.app was launched, it was observed to download sample.app from hxxp://46[.]226[.]108[.]171:80/sample.zip and save it to the user’s home directory ~/. The contents are then extracted and launched on the system. The original Adobe Zii.app is launched as well, so that its expected behaviour camouflages the malicious activity running in the background.
The research team also reveals that the malware connects to hxxps://ptpb.pw/jj9a, which hosts an encrypted Python script. This script checks whether Little Snitch (a host-based application firewall for macOS) is active. If it is not, the script then connects to hxxp://46[.]226[.]108[.]171:4444/login/process.php.
How does fake Adobe Zii steal credit card info?
The uploadminer.sh script consists of routines capable of stealing identity data from the Google Chrome web browser. Targeted information includes the origin URL, credit card number, expiration date, username, and password.
The malware connects to hxxp://46[.]226[.]108[.]171/harmlesslittlecode[.]py and saves the Python script on your Mac under ~/Library/Application Support/Google/Chrome/Default. This script is used to dump all the decrypted information from the Google Chrome browser. Once the malware finds the desired data, it is collected into a .txt file and zip-compressed together with the Google Chrome cookies. The archive is then saved as ~/Library/Application Support/Google/Chrome/Default/{username}.zip and uploaded to hxxp://46[.]226[.]108[.]171:8000.
How does it mine the cryptocurrency?
The fake Adobe Zii malware downloads a plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]rig2[.]plist and stores it in ~/Library/LaunchAgents. This plist is used to run xmrig2 to mine cryptocurrency.
The malware also downloads a plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]proxy[.]initialize[.]plist, which contains Python commands similar to the ones that check Little Snitch’s status and connect to the encrypted Empyre backend. To get them started automatically, the plist files are loaded into the system with the launchctl command.
To mine the cryptocurrency, the malware connects to hxxp://46[.]226[.]108[.]171/xmrig2 and saves the file as /Users/Shared/xmrig2. The saved file is a command-line application used specifically to mine Monero.
It uses the credentials below to mine cryptocurrency on an infected machine.
Overall, the fake Adobe Zii can be a damaging piece of malware if it gets onto your machine. It may collect all of your credit card information and also start a Monero mining process. It is important to protect your Mac with dedicated anti-malware software for Mac and to practise safe browsing habits.
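The persistence, miner and Chrome-profile artifacts described above can be checked for on disk with the following read-only triage helper. It is an added example, not code from the article or from the malware, and it assumes only the paths the article names; the home and shared directories are parameters so it can be pointed at a mounted image or a test tree as well as the live system.

```shell
#!/bin/bash
# Added triage helper, not code from the article or the malware: a read-only check of one
# user's home (plus the shared directory) for the on-disk artifacts the article attributes
# to the fake Adobe Zii dropper. Prints one HIT line per finding, returns the hit count.
# Both paths are parameters so it can be pointed at a mounted image or a test tree.
check_fake_adobe_zii() {
    home="$1"                      # e.g. "$HOME" or /Volumes/evidence/Users/<name>
    shared="${2:-/Users/Shared}"   # where the article says xmrig2 is written
    hits=0
    # Persistence: the two LaunchAgent plists the article names.
    for p in com.apple.rig2.plist com.apple.proxy.initialize.plist; do
        if [ -f "$home/Library/LaunchAgents/$p" ]; then
            echo "HIT launch agent: $home/Library/LaunchAgents/$p"
            hits=$((hits + 1))
        fi
    done
    # Payload: the Monero miner dropped as /Users/Shared/xmrig2.
    if [ -f "$shared/xmrig2" ]; then
        echo "HIT miner binary: $shared/xmrig2"
        hits=$((hits + 1))
    fi
    # Dropper: sample.zip and the unpacked sample.app in the home directory.
    for f in "$home/sample.zip" "$home/sample.app"; do
        if [ -e "$f" ]; then
            echo "HIT dropper artifact: $f"
            hits=$((hits + 1))
        fi
    done
    # Credential-theft staging: Chrome keeps no Python scripts or zip archives in its
    # profile, so a .py (the downloaded decryption script) or .zip (the staged
    # {username}.zip of card data and cookies) in Default is suspicious.
    chrome="$home/Library/Application Support/Google/Chrome/Default"
    for f in "$chrome"/*.py "$chrome"/*.zip; do
        if [ -e "$f" ]; then
            echo "HIT file staged in Chrome profile: $f"
            hits=$((hits + 1))
        fi
    done
    return "$hits"   # 0 means none of the artifacts were found
}
# Usage on a live Mac (guarded so the file can also be sourced): TRIAGE_HOME="$HOME" ./check.sh
if [ -n "${TRIAGE_HOME:-}" ]; then
    check_fake_adobe_zii "$TRIAGE_HOME"
fi
```

On a live system, `launchctl list` can additionally be grepped for the two plist labels to see whether either agent is currently loaded; a positive hit from any check warrants a full anti-malware scan rather than just deleting the files.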
Nathalia
Hi! Great. I just got the so-called free Photoshop from these 2 videos below, and I'm just realizing that I might have done something real stupid. Could you please gimme a hand? https://www.youtube.com/watch?v=6sv438QAv_0&t=12s https://www.youtube.com/watch?v=Ajy9hUljy3Q&feature=youtu.be How do I know if it's safe? I saw someone mentioning something about AUTOMATOR and I did get that little dude sitting in my Applications! I really suck at these things! Please gimme a hand? :-( Kisses from Brazil!
Preeti Seth
Hello Nathalia. Regarding the problem, we suggest you do not click on links that you suspect. If you find the information misleading, never trust the site or video. Also, we suggest you run an updated anti-virus to stay safe from threats.