Convuster: macOS adware now in Rust
#1
Bug 
Quote:
[Image: convuster_adware-scaled-e1615997060845-1200x600.jpg]

Introduction

Traditionally, most malicious objects detected on the macOS platform are adware: besides the already familiar Shlayer family, the TOP 10 includes Bnodlero, Cimpli, Adload and Pirrit adware. As a rule, most tend to be written in C, Objective-C or Swift. Recently, however, cybercriminals have been paying increased attention to new programming languages, seemingly in the hope that such code will be more opaque to virus analysts who have little or no experience with the newer languages. We have already seen quite a few samples written in Go, and recently cybercriminals turned their attention to Rust as well.

The first to write about suspicious files in this programming language was a Twitter user, @gorelics:

https://twitter.com/gorelics/status/1295...wcon%5Es1_&ref_url=https%3A%2F%2Fsecurelist.com%2Fconvuster-macos-adware-in-rust%2F101258%2F

In the screenshot the tweet shows, one can see that several samples of suspicious code are run by configuration PLIST files through the LaunchAgents/LaunchDaemons mechanism. Alongside the suspicious names of the PLIST files, this is the first wakeup call that the program is dangerous, given the low popularity of Rust-based executables.

We examined these samples for malicious behavior. The analysis showed these executables to be a new adware program, that has subsequently been called Convuster.

Technical detailsSample in Rust

It can be deduced that the analyzed sample was written in Rust from the frequent use of the language’s standard library, as well as several code lines containing paths to files with the .rs extension, which is the standard Rust source file extension.

At startup, the executable checks the configuration PLIST files ~/Library/LaunchAgents/com.ist.up.plist and /Library/LaunchDaemons/com.ist.up.plist for keys needed to run the sample, such as RunAtLoad, StartInterval and Version. We were not able to retrieve these files, but presumably they are used to run the sample under investigation when the user logs in to the system.

After these checks, the program obtains the device ID, as well as the system version and bitness, and forwards the gathered data to the following server: hxxps://post.convstats[.]com/hb/. In response, Convuster receives a JSON file and sends a request to the host specified in this file. The response to this request is a Bash script that gets executed by the Bash shell and then removed from the system.

At the time of analysis, the server was not responding to requests. However, after examining information about the suspicious convstats[.]com domain, we detected the update.convstats[.]com and trk.convstats[.]com subdomains (in addition to the already known post.convstats[.]com).

Sample in Swift

In the update.convstats[.]com subdomain, at the address hxxps://update.convstats[.]com/Player.dmg, we found a DMG disk image containing another Convuster executable, this time in the Swift programming language.
...
Continue Reading
Reply


Messages In This Thread
Convuster: macOS adware now in Rust - by harlan4096 - 21 March 21, 08:44

Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Kaspersky 21.19.7.527b
Kaspersky 21.19.7....harlan4096 — 09:53
AdGuard Browser Extension 5.0.170 (MV3)
AdGuard Browser Ex...harlan4096 — 09:51
Vivaldi 7.0 Build 3495.18
Vivaldi 7.0 Build ...harlan4096 — 09:50
Brave Search introduces AI follow-up que...
I have used Brave ...harlan4096 — 09:49
Microsoft accused of Malware-like Bing W...
Microsoft released...harlan4096 — 09:48

[-]
Birthdays
Today's Birthdays
avatar (56)Stefanos
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>