June 30, 2020
Severity
Medium
Analysis Summary
A new macOS malware dropper responsible for installing the VindInstaller.B adware has been observed in distribution. The initial payload is a DMG disk image containing a shell script, an increasingly common installation technique for macOS malware. The shell script carries a compressed application bundle that is extracted on execution: a temporary directory is created, the decompressed bundle is dropped into it and then executed. The researchers note that this is the first example of such a script using the funzip utility to assist with the decompression. Analysis of the dropped bundle identifies it as the InstallVibes bundle installer, a well-known pay-per-install software provider. Analysis of the executables inside the bundle allowed SentinelOne to classify this installer as VindInstaller.B, an adware and pay-per-install bundler that installs potentially unwanted programs or applications on a victim’s machine. Specifically, the “B” version of VindInstaller gathers victim host details, sends them to a remote URL, and retrieves “offers” to deliver to the victim host.
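As an added illustration of the dropper structure described above (not part of the Rewterz alert or of SentinelOne's analysis), the following Python triage heuristic flags shell scripts that read their own file, pipe it through funzip, and carry an archive appended after `exit`. The indicator names, the scoring thresholds and the two constructed sample scripts are my own assumptions.

```python
import re

# Behavioural indicators of the dropper pattern described in the summary.
# Indicator names, regexes and thresholds are my own choices, not from the alert.
INDICATORS = {
    "temp_dir": re.compile(rb"\bmktemp\b"),
    # the script reads its own file ($0) to reach bytes appended after the code
    "self_read": re.compile(rb"\b(tail|sed|dd|head)\b[^\n]*\$0"),
    "funzip_decompress": re.compile(rb"\bfunzip\b"),
    "other_decompress": re.compile(rb"\b(unzip|gunzip|tar)\b"),
    "executes_dropped": re.compile(rb"\b(open|chmod\s+\+x|xattr\s+-r?d)\b"),
}
ARCHIVE_MAGIC = {"zip": b"PK\x03\x04", "gzip": b"\x1f\x8b"}

def find_embedded_archive(data: bytes):
    """Return (kind, offset) of the first archive signature after the last 'exit'
    line, or None; bytes after exit are never parsed by the shell."""
    exit_pos = data.rfind(b"\nexit")
    start = exit_pos if exit_pos >= 0 else 0
    found = [(data.find(m, start), k) for k, m in ARCHIVE_MAGIC.items()]
    found = [(off, k) for off, k in found if off >= 0]
    if not found:
        return None
    off, kind = min(found)
    return kind, off

def triage_script(data: bytes) -> dict:
    """Score a shell script for the embedded-bundle dropper pattern."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    archive = find_embedded_archive(data)
    score = len(hits) + (2 if archive else 0)
    # mktemp plus a decompressor alone is ordinary admin scripting; a self-read
    # paired with a trailing archive, or many indicators together, is not
    suspicious = (archive is not None and "self_read" in hits) or score >= 4
    return {"hits": hits, "embedded_archive": archive, "score": score,
            "verdict": "suspicious" if suspicious else "clean"}

# Constructed, inert sample with the structure the alert describes; the
# "archive" is placeholder text, not a real bundle.
DROPPER_SAMPLE = (b"#!/bin/sh\n"
                  b"WORK=$(mktemp -d /tmp/.XXXXXX)\n"
                  b"tail -n +6 \"$0\" | funzip > \"$WORK/payload\"\n"
                  b"chmod +x \"$WORK/payload\" && \"$WORK/payload\"\n"
                  b"exit 0\n"
                  b"PK\x03\x04<placeholder archive bytes>\n")
# Constructed benign installer: uses mktemp and tar, but no self-read, no trailer.
BENIGN_SAMPLE = (b"#!/bin/sh\n"
                 b"WORK=$(mktemp -d)\n"
                 b"curl -fsSL https://example.invalid/tool.tgz | tar -xz -C \"$WORK\"\n"
                 b"echo extracted to \"$WORK\"\n")
```

Running `triage_script` over both samples returns "suspicious" for the self-extracting skeleton and "clean" for the ordinary installer, which is the separation a triage queue needs before a human looks at the DMG contents.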
Impact
- Installation of unwanted applications
- Data exfiltration
Indicators of Compromise
Remediation
Block the threat indicators at their respective controls.