"value":"The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I\u00e2\u20ac\u2122ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers."
"comment":"The perl script, among other things, communicates with the following command and control (C&C) servers:",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484767858",
"to_ids":true,
"type":"ip-dst",
"uuid":"587fc272-e8ac-4372-83b6-4b2402de0b81",
"value":"99.153.29.240"
},
{
"category":"Network activity",
"comment":"The perl script, among other things, communicates with the following command and control (C&C) servers:",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484767859",
"to_ids":true,
"type":"hostname",
"uuid":"587fc273-ecb8-47bc-ba0d-4aa102de0b81",
"value":"eidk.hopto.org"
},
{
"category":"Payload delivery",
"comment":"afpscan - Another file downloaded from the C&C server was named \u00e2\u20ac\u0153afpscan\u00e2\u20ac\u009d, and it seems to try to connect to other devices on the network",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"comment":"afpscan - Another file downloaded from the C&C server was named \u00e2\u20ac\u0153afpscan\u00e2\u20ac\u009d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"comment":"afpscan - Another file downloaded from the C&C server was named \u00e2\u20ac\u0153afpscan\u00e2\u20ac\u009d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484768044",
"to_ids":true,
"type":"md5",
"uuid":"587fc32c-27ec-4800-bc47-b06d02de0b81",
"value":"7bb4f5d962a5b3bb18db9ce08c0b6cbf"
},
{
"category":"External analysis",
"comment":"afpscan - Another file downloaded from the C&C server was named \u00e2\u20ac\u0153afpscan\u00e2\u20ac\u009d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"comment":"quimitchin-java-class We also observed the malware downloading a perl script, named \u00e2\u20ac\u0153macsvc\u00e2\u20ac\u009d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"comment":"quimitchin-java-class We also observed the malware downloading a perl script, named \u00e2\u20ac\u0153macsvc\u00e2\u20ac\u009d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484768046",
"to_ids":true,
"type":"md5",
"uuid":"587fc32e-7b7c-4acc-a7d4-b06d02de0b81",
"value":"f8e3c8e43593ecbd9b62f6e18c8d6474"
},
{
"category":"External analysis",
"comment":"quimitchin-java-class We also observed the malware downloading a perl script, named \u00e2\u20ac\u0153macsvc\u00e2\u20ac\u009d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484768048",
"to_ids":true,
"type":"md5",
"uuid":"587fc330-2b6c-4b22-bc05-b06d02de0b81",
"value":"3adf6025eb710f2bf1918ee2f116153d"
},
{
"category":"External analysis",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"deleted":false,
"disable_correlation":false,
"timestamp":"1484768050",
"to_ids":true,
"type":"md5",
"uuid":"587fc332-1ae4-4394-8893-b06d02de0b81",
"value":"d4a14a1516d5ec9452a29de24ba85d0e"
},
{
"category":"External analysis",
"comment":"We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
