Login

Hotger – Malware that wipes out the Mac’s disk space.

Author: Roy Avni, Malware Researcher @ Airo Labs

June 8th, 2020

Recently, we’ve spotted a malware that hijacks a user’s search over Chrome,Safari, Firefox all together (MacOS 10.15.4).

But hey, we dealt with that enough. The interesting thing here is something completely different – the malware appears to bite into the machine’s memory hard. After a few weeks of the Mac running, we’ve been prompted with “low memory on machine”.

We also looked it up in the storage panel to confirm [we’ve seen fake apple pop-ups that hide a confirmation behind them] it was nearly out of space (120GB):

Searching for the cause, we’ve found that the “/Shared” directory (that has +rwx) is filled with 4990 tar.gz files, each named with a pattern of ‘App_[GUID of 53 characters]’. Each file weighs 4.8MB. Each file was extracted and contains a folder by the same name with “Tapufind” search AppExt inside, weighing 13.6MB.

View of /Shared/:

Here is the certificate:

 

The installer flow is pretty much normal and is as follows:

Initial dmg (”FYDMac_out2conv.dmg”)

→ 

Agent (/var/root/Library/Application Support/”X-“tech/ICehold) that downloads the search component and extracts its persistence plist. But what a nasty agent is this one.

Associated plist (“/Library/LaunchDaemons/tapufind.plist”):

It downloads TapuFind and writes a persistence plist for it into ~/Library/LaunchAgents/ and keeps downloading it non-stop! Lucky for us, it doesn’t create a plist per TapuFind instance. [then we would have 4990 plists]

TapuFind agent (“/Users/Shared/App_B1C97402-4666-4BDA-8015-ABBC26941B0C-7894-00000295EB1B4788/Tapufind.app/Contents/MacOS/Tapufind”) that makes sure search modification is active.

Associated plist (‘/Users/stan/Library/LaunchAgents/TapufindOd.plist”):

Let’s see the bug (or evil developer) responsible for the directory flood, in “ICehold” daemon:

 

[var_18 remoteService] != 0x0 – we enter this “If” as long as the search plist exists in ~Library/LaunchAgents/. So the search components + plist are removed by the “removeService” function. Next execution (every 5 mins given as “ThrottleInterval” in tapufind.plist) actually no search exists on machine, so this time we enter the Else condition twice and arrive at [ [&var_50 super] download: rac to:var_30]; – download a new .tar.gz archive.

 

It’s clear that [var_18 remoteService] != 0x0 condition should have been == 0x0, because if the search plist exists (!= 0x0) we’re just fine and no need to remove this service.

Additionally, currently the code never enters the condition “isServiceAlreadyRun != 0x0”, as either daemon removes search and exits (because of [var_18 remoteService] != 0x0), or if search doesn’t exist (because last run the daemon removed it) – it downloads a new .tar.gz. Actually not the wanted behaviour.

For the matter of curiosity, this malware belongs to “Hotger” (actor that monetizes user’s traffic) which doesn’t intend to hide itself and deploys the following directory:

 

Final thoughts:

What worries us is how lightheaded malware developers are when releasing their software to the world. We can see in this blog the severe effect that a malware can have on a user’s machine, just because they wanted to release a new version to the world as quickly as possible.

Releasing quick new versions is a direct result of increased pressure from Apple security, in the form of new releases of xprotect and MRT. We can clearly see how this pressure results in malware distributors releasing more new versions than ever, in order to evade Apple’s security mechanisms, in this case without checking them properly. 

 

FYDMac_out2conv.dmg – 0f872ed4337837ac3be704a12f1d45930bdc009da968d07bd59061ea5be11938

ICehold – e98fdee1ac4459d73d7e937681a0f4df78076256e8287e0f8215ef7e8d522c72

tapufind.plist – c45a9f6c4b6d460a7077dd71c89c858750e9af467ee51aa6775c9314e517bf3c

App_B1C97402-4666-4BDA-8015-ABBC26941B0C-7894-00000295EB1B4788.tar.gz-

ca454b92a31ccd22d5fcd484d29d14137fae278a912006014a6fa51b8d3cc171

TapufindOd.plist – 95435909203850f01aa84f7ca24f4ac89fe3705980b095a60a4671bf1598fd1f

 

Subscribe to our blog

Get Airo

Try Airo AV and Airo Web Protection

Try Airo