
Rewterz Threat Alert – New macOS Malware Dropper Delivers VindInstaller Adware

June 30, 2020

Severity

Medium

Analysis Summary

A new macOS malware dropper responsible for installing the VindInstaller.B adware has been observed in distribution. The initial payload is a DMG disk image containing a shell script, a delivery technique that is becoming increasingly common among macOS malware. The shell script embeds a compressed application bundle which is extracted when the script runs: a temporary directory is created, the decompressed bundle is dropped into it, and the bundle is then executed. The researchers note that this is the first example of such a script using the funzip utility to assist with the decompression. Analysis of the dropped bundle shows that it is the InstallVibes bundle installer, a well-known pay-per-install software provider. Analysis of the executables inside the bundle allowed SentinelOne to classify the installer as VindInstaller.B, an adware and pay-per-install bundler that installs potentially unwanted programs or applications on the victim's machine. Specifically, the "B" version of VindInstaller gathers details about the victim host, sends them to a remote URL, and retrieves "offers" to deliver to the host.

Impact

  • Installation of unwanted applications
  • Data exfiltration

Indicators of Compromise

MD5

  • 6b00f5714c93fd6cfc495c17a36b2c18
  • 979efa6aeb8a63edf8bd1d8f21f61c0b
  • a37eeef5ee8d6f392bd1efd501e2a259
  • 15381a4c5d24c2633bf5d97ec442d4a7
  • 3a6bb21aae84b21b3214f7e4929fbe10
  • c87784c532b5fd113354bb83d80dd5ec
  • 4c50d40bbdc9335fa6f36cd70695f53f
  • 7b80dcbbfd5024cd2e4d895bb3ef63de

SHA-256

  • ee7db16ca9eac460b748957cd0a33548ef015e12f9f6fadcea30671204c3c4ba
  • 709f633b12a335911ce213419c72062d05f538abdc412b659cdb10d4db9006ce
  • 05b9383b6af36e6bf232248bf9ff44e9120afcf76e50ac8aa28f09b3307f4186
  • 3af1c03214cd194b94c6fe0891de6c5201cc8d13d009c04ef383d67e1a750b2b
  • 58490b58afbb533bbcb28cb756e5f91fe0eeb765ca571ac97e9f7104a317562e
  • 4f47a06190cbdaac457d86f77baa22313ce6b1d3939e0ff4fa3cadf5a680b6c9
  • d49ee2850277170d6dc7ef5f218b0697683ffd7cc66bd1a55867c4d4de2ab2fb
  • 907c31b2da15aa14d06c6e828eef6ca627bd1af88655314548f747e5ed2f5697
  • 97ef25ad5ffaf69a74f8678665179b917007c51b5b69d968ffd9edbfdf986ba0

SHA1

  • 7f3cad054b3f2791ea7db178b037bac616e1d18a
  • c4708467b25176c02b16fb1d3eead8be0adc2d05
  • 073a8df0a98badcd1a33bf9261e35efed06fc1e1
  • 0d0fdc86c6d0e7b3c4b2b7382953bccbb8921a42
  • 77c3e490f77d16fd1cb02db011d51b632e6f2910
  • 291e7ae52dfc17c8d73ab36bd615c1dacd9f2851
  • 2a4148b3c68dfebd022c9da486d950b3f10afe6e
  • de3b9697ef373db6fb93c0424844ae35f0a7131b

Source IP

  • 104[.]31[.]88[.]115
  • 104[.]31[.]89[.]115

URL

  • http[:]//tracker[.]installerapi[.]com
  • http[:]//installer[.]yougotupdated[.]com
  • http[:]//tracker[.]installerapi[.]com/statistics/

Remediation

Block the threat indicators at their respective controls.
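As an added example (not part of the Rewterz advisory or of the SentinelOne research), the script below shows one way to put the indicators above and the behaviour described in the analysis summary to defensive use: it refangs the published URLs and IPs, matches them against constructed proxy log lines, checks observed SHA-256 values against the published hashes, and flags the behaviour the summary describes (funzip launched by a shell script running from a mounted disk image) in constructed process-event records. All log lines, hash lists and process events are constructed sample data; the `/Volumes/` mount path and the event field names are assumptions about what an endpoint sensor would report.

```python
import re

# Indicators copied from the advisory above, defanged exactly as published.
DEFANGED_URLS = [
    "http[:]//tracker[.]installerapi[.]com",
    "http[:]//installer[.]yougotupdated[.]com",
    "http[:]//tracker[.]installerapi[.]com/statistics/",
]
DEFANGED_IPS = ["104[.]31[.]88[.]115", "104[.]31[.]89[.]115"]
SHA256_IOCS = {
    "ee7db16ca9eac460b748957cd0a33548ef015e12f9f6fadcea30671204c3c4ba",
    "709f633b12a335911ce213419c72062d05f538abdc412b659cdb10d4db9006ce",
    "05b9383b6af36e6bf232248bf9ff44e9120afcf76e50ac8aa28f09b3307f4186",
}


def refang(indicator):
    """Undo the bracket defanging used in the advisory ([.] and [:])."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts():
    """Extract the hostnames from the advisory URLs for proxy/DNS matching."""
    hosts = set()
    for url in DEFANGED_URLS:
        host = re.sub(r"^https?://", "", refang(url)).split("/", 1)[0]
        hosts.add(host.lower())
    return hosts


def match_proxy_log(lines):
    """Return (line_number, indicator) for every line touching an IoC host or IP."""
    hosts = ioc_hosts()
    ips = {refang(ip) for ip in DEFANGED_IPS}
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        matched = next((h for h in sorted(hosts) if h in lowered), None)
        if matched is None:
            matched = next((ip for ip in sorted(ips) if ip in line), None)
        if matched is not None:
            hits.append((number, matched))
    return hits


def match_hashes(observed_sha256):
    """Return the observed SHA-256 values that appear in the advisory's list."""
    return sorted(h.lower() for h in observed_sha256 if h.lower() in SHA256_IOCS)


def funzip_from_disk_image(events):
    """Behavioural check from the analysis summary: funzip spawned by a shell
    whose working directory is a mounted disk image (assumed /Volumes/ prefix).
    Each event is assumed to carry 'image', 'parent_image' and 'cwd' fields."""
    shells = ("/sh", "/bash", "/zsh")
    return [
        e for e in events
        if e["image"].endswith("/funzip")
        and e["parent_image"].endswith(shells)
        and e["cwd"].startswith("/Volumes/")
    ]


# Constructed sample data: one proxy log, one hash inventory, two process events.
SAMPLE_PROXY_LOG = [
    "2020-06-30T10:01:02Z 10.0.0.5 GET http://tracker.installerapi.com/statistics/ 200",
    "2020-06-30T10:01:05Z 10.0.0.5 GET https://example.org/ 200",
    "2020-06-30T10:02:11Z 10.0.0.7 CONNECT 104.31.89.115:443 200",
]
SAMPLE_HASHES = [
    "EE7DB16CA9EAC460B748957CD0A33548EF015E12F9F6FADCEA30671204C3C4BA",
    "0" * 64,  # constructed benign placeholder
]
SAMPLE_PROCESS_EVENTS = [
    {"image": "/usr/bin/funzip", "parent_image": "/bin/sh", "cwd": "/Volumes/Installer"},
    {"image": "/usr/bin/funzip", "parent_image": "/usr/bin/make", "cwd": "/Users/alice/src"},
]

if __name__ == "__main__":
    print("proxy hits:", match_proxy_log(SAMPLE_PROXY_LOG))
    print("hash hits:", match_hashes(SAMPLE_HASHES))
    print("funzip-from-DMG events:", funzip_from_disk_image(SAMPLE_PROCESS_EVENTS))
```

The hash and network checks are exact-match and only catch the samples listed here; the process-event heuristic is broader, since it keys on the delivery technique rather than on specific files, and should be tuned against baseline activity before it is turned into an alert.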
