Malicious Dmg Files On Mac



Update as of 6:00 P.M. PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. We made the corrections in the technical analysis in this post. We would also like to thank Objective Development for clarifying this issue.

Update as of 5:00 P.M. PST, February 18, 2019: Further analysis of the sample indicated that it does not bypass the Gatekeeper mechanism as previously reported. We made the necessary changes in the technical analysis in this post. We would also like to thank the Apple Product Security team for reaching out to us to clarify this issue.


By Don Ladores and Luis Magisa

EXE is the executable file format used by Windows; it signals that the program runs only on Windows platforms, which also serves as a security feature. By default, attempting to run an EXE file on macOS or Linux only shows an error notification.

However, we recently found EXE files in the wild delivering a malicious payload on macOS. While we have not observed a specific attack pattern, our telemetry showed the highest infection counts in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.

Behavior


The samples pose as installers of popular apps and are often available for download from various torrent websites. Examples of the applications they pose as are as follows:

  • Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip
  • Wondershare_Filmora_924_Patched_Mac_OSX_X.zip
  • LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip
  • Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip
  • TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip
  • Little_Snitch_583_MAC_OS_X.zip

When the downloaded .ZIP file is extracted, it contains a .DMG file hosting the supposed installer of the spoofed app.

Figure 1. Sample of the malicious file.

Figure 2. Installer contained in the .DMG sample we analyzed posing as a legitimate application.

Inspecting the installer contents, we found an unusual .EXE file bundled inside the app; we verified it to be a Windows executable, and it is the component responsible for the malicious payload.

Figure 3. Suspicious .EXE bundled for Mac app installer.

When the installer is executed, the main file also launches the .EXE, which is possible because the Mono framework is included in the bundle. Mono allows Microsoft .NET applications to run across platforms such as OS X.

Once run, the malware collects the following system information:

  • ModelName
  • ModelIdentifier
  • ProcessorSpeed
  • ProcessorDetails
  • NumberofProcessors
  • NumberofCores
  • Memory
  • BootROMVersion
  • SMCVersion
  • SerialNumber
  • UUID

The malware also scans the /Applications directory for the following built-in and installed apps and sends the results to the C&C server:

  • App Store.app
  • Automator.app
  • Calculator.app
  • Calendar.app
  • Chess.app
  • Contacts.app
  • DVD Player.app
  • Dashboard.app
  • FaceTime.app
  • Font Book.app
  • Image Capture.app
  • iTunes.app
  • Launchpad.app
  • Mail.app
  • Maps.app
  • Messages.app
  • Mission Control.app
  • Notes.app
  • Photo Booth.app
  • Photos.app
  • Preview.app
  • QuickTime Player.app
  • Reminders.app
  • Safari.app
  • Siri.app
  • Stickies.app
  • System Preferences.app
  • TextEdit.app
  • Time Machine.app
  • Utilities
  • iBooks.app

It downloads the following files from the Internet and saves them to the directory ~/Library/X2441139MAC/Temp/:

  • hxxp://install.osxappdownload.com/download/mcwnet
  • hxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg
  • hxxp://cdn.macapproduct.com/installer/macsearch.dmg

Figure 4. Downloaded files saved in the directory.

These .DMG files are mounted and executed as soon as they have been downloaded, and they display a potentially unwanted application (PUA) while running.

Figure 5. One of the downloaded adware samples posing as a popular app.

This malware runs specifically to target Mac users. Attempting to run the sample in Windows displays an error notification.

Figure 6. Error notification when installer is executed in Windows.

Normally, running an EXE on a non-Windows system such as macOS has no effect: a Mono framework installed on the system is required to load and run these executables and libraries. In this case, however, bundling the framework together with the malicious files is a workaround that lets EXE files run on Mac systems. To handle the native library differences between Windows and macOS, Mono supports DLL mapping, which redirects Windows-only dependencies to their macOS counterparts. Overall, this technique may have been used to work around the malicious user's limitations in Objective-C coding.

Conclusion

We suspect that this specific malware can be used for future inter-platform attacks, where a single executable can perform its payload on different operating systems. We believe that the cybercriminals are still studying the development and opportunities offered by this malware, bundled in apps and available on torrent sites. We will continue investigating how cybercriminals can use this information and routine. Users should refrain from downloading files, programs, and software from unverified sources and websites, and should install multi-layered protection for their individual and enterprise systems.

Trend Micro Solutions

The following Trend Micro products detect and block this threat:

Indicators of Compromise

Main Executables

File | SHA256 | Detection
setup.dmg | c87d858c476f8fa9ac5b5f68c48dff8efe3cee4d24ab11aebeec7066b55cbc53 | TrojanSpy.MacOS.Winplyer.A
Installer.exe | 932d6adbc6a2d8aa5ead5f7206511789276e24c37100283926bd2ce61e840045 | TrojanSpy.Win32.Winplyer.A
OSX64_MACSEARCH.MSGL517 | 58cba382d3e923e450321704eb9b09f4a6be008189a30c37eca8ed42f2fa77af | Adware.MacOS.MacSearch.A
chs2 | 3cbb3e61bf74726ec4c0d2b972dd063ff126b86d930f90f48f1308736cf4db3e | Adware.MacOS.GENIEO.AB
Installer (2) | e13c9ab5060061ad2e693f34279c1b1390e6977a404041178025373a7c7ed08a | Adware.MacOS.GENIEO.AB
macsearch | b31bf0da3ad7cbd92ec3e7cfe6501bea2508c3915827a70b27e9b47ffa89c52e | Adware.MacOS.MacSearch.B

C&C server

hxxp://54.164.144.252:10000/loadPE/getOffers.php
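The pattern described in the Behavior section (a Windows PE file shipped inside a Mac .app bundle next to a Mono runtime) and the hash table above can both be checked with a small triage script. The following is an added example written for this page, not code from Trend Micro or from the analysed sample: it walks an .app bundle, flags files that carry a DOS/PE header, flags file names that look like a bundled Mono runtime (the marker names are assumptions), and hashes every file against the SHA256 IoCs listed above. The bundle it scans is constructed in a temporary directory from stub bytes, and the stub's own hash is added to a copy of the IoC list only so that the hash-match path is exercised.

```python
import hashlib
import os
import struct
import tempfile

# SHA256 IoCs from the table above, mapped to their detection names.
IOC_SHA256 = {
    "c87d858c476f8fa9ac5b5f68c48dff8efe3cee4d24ab11aebeec7066b55cbc53": "TrojanSpy.MacOS.Winplyer.A",
    "932d6adbc6a2d8aa5ead5f7206511789276e24c37100283926bd2ce61e840045": "TrojanSpy.Win32.Winplyer.A",
    "58cba382d3e923e450321704eb9b09f4a6be008189a30c37eca8ed42f2fa77af": "Adware.MacOS.MacSearch.A",
    "3cbb3e61bf74726ec4c0d2b972dd063ff126b86d930f90f48f1308736cf4db3e": "Adware.MacOS.GENIEO.AB",
    "e13c9ab5060061ad2e693f34279c1b1390e6977a404041178025373a7c7ed08a": "Adware.MacOS.GENIEO.AB",
    "b31bf0da3ad7cbd92ec3e7cfe6501bea2508c3915827a70b27e9b47ffa89c52e": "Adware.MacOS.MacSearch.B",
}

# File-name fragments that suggest a bundled Mono runtime (assumed markers, not from the page).
MONO_MARKERS = ("libmono", "mscorlib.dll", "mono-2.0")
# Constructed stand-in for a Mach-O binary: 64-bit magic followed by padding.
MACHO_STUB = b"\xcf\xfa\xed\xfe" + b"\x00" * 60


def make_pe_stub():
    """Constructed minimal PE-shaped bytes: 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def is_pe_bytes(data):
    """True if data begins with a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_of(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bundle(app_path, iocs=IOC_SHA256):
    """Walk an .app bundle; report PE files, Mono markers, and SHA256 IoC hits."""
    report = {"pe_files": [], "mono": [], "ioc_hits": {}}
    for dirpath, _, names in os.walk(app_path):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, app_path)
            with open(full, "rb") as f:
                head = f.read(4096)  # enough for any e_lfanew a normal linker emits
            if is_pe_bytes(head):
                report["pe_files"].append(rel)
            if any(m in name.lower() for m in MONO_MARKERS):
                report["mono"].append(rel)
            digest = sha256_of(full)
            if digest in iocs:
                report["ioc_hits"][rel] = iocs[digest]
    for key in ("pe_files", "mono"):
        report[key].sort()
    # A Windows PE next to a Mono runtime inside a Mac bundle is the pattern described above.
    report["pe_with_mono"] = bool(report["pe_files"]) and bool(report["mono"])
    return report


def build_sample_bundle(root):
    """Lay out a constructed Installer.app: a Mach-O launcher, a Mono dylib, and a PE stub."""
    macos = os.path.join(root, "Installer.app", "Contents", "MacOS")
    res = os.path.join(root, "Installer.app", "Contents", "Resources")
    os.makedirs(macos)
    os.makedirs(res)
    files = {
        os.path.join(macos, "Installer"): MACHO_STUB,
        os.path.join(macos, "libmonosgen-2.0.dylib"): MACHO_STUB,
        os.path.join(res, "Installer.exe"): make_pe_stub(),
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return os.path.join(root, "Installer.app")


def demo():
    """Build the constructed bundle in a temp dir and scan it. The PE stub's own hash is added
    to a copy of the IoC set (constructed, not a real IoC) so the hash-match path runs."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_bundle(tmp)
        iocs = dict(IOC_SHA256)
        iocs[hashlib.sha256(make_pe_stub()).hexdigest()] = "CONSTRUCTED.TestStub"
        return scan_bundle(app, iocs)


if __name__ == "__main__":
    print(demo())
```

On a real system you would call scan_bundle() on an unpacked installer instead of the constructed bundle; an "MZ" header alone is not enough to flag a file, which is why the check follows e_lfanew to the PE signature, and the Mono marker list is a heuristic that should be tuned to the runtime files actually seen.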


A DMG file is an Apple Disk Image. Apple Disk Images are disk image files commonly used by the Mac OS X operating system. When opened, an Apple disk image is 'mounted' as a volume within the Finder. Several Apple proprietary disk image formats can be used to create these images, including the Universal Disk Image Format (UDIF) and the New Disk Image Format (NDIF). Apple disk images usually have the .dmg file extension.

Apple disk images allow password protection as well as file compression and hence serve both security and file distribution functions; they are most commonly used to distribute software over the Internet.

Universal Disk Image Format (UDIF) is the native disk image format for Mac OS X. Disk images in this format typically have a .dmg extension. New Disk Image Format (NDIF) was the previous default disk image format in Mac OS 9, and disk images with this format generally have a .img (not to be confused with raw .img disk image files) or .smi file extension. Files with the .smi extension are actually applications that mount an embedded disk image, thus a 'Self Mounting Image', and are intended only for Mac OS 9 and earlier. A previous version of the format, intended only for floppy disk images, is usually referred to as 'Disk Copy 4.2' format, after the version of the Disk Copy utility that was used to handle these images. A similar format that supported compression of floppy disk images is called DART. Apple disk image files are published with a MIME type of application/x-apple-diskimage.

Different file systems can be contained inside these disk images, and there is also support for creating hybrid optical media images that contain multiple file systems. Some of the file systems supported include Hierarchical File System (HFS), HFS Plus, File Allocation Table (FAT), ISO9660 and Universal Disk Format (UDF).
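To show what the UDIF layout described above looks like on disk, here is an added example (written for this page, not Apple's or any vendor's code) that parses the 512-byte 'koly' trailer that ends every UDIF .dmg and reads the XML property list the trailer points to. The field layout follows the published UDIF trailer structure; the sample image is constructed in memory with a zero-filled data fork and a minimal plist, so the 'blkx' entry it contains is a placeholder rather than real block-map data, and the image is not mountable.

```python
import plistlib
import struct

# UDIF 'koly' trailer: 512 bytes, big-endian, stored at the very end of the image.
KOLY_FMT = ">4sIIIQQQQQII16sII128sQQ120sII128sIQ12s"
KOLY_SIZE = struct.calcsize(KOLY_FMT)  # 512
KOLY_FIELDS = (
    "signature", "version", "header_size", "flags",
    "running_data_fork_offset", "data_fork_offset", "data_fork_length",
    "rsrc_fork_offset", "rsrc_fork_length", "segment_number", "segment_count",
    "segment_id", "data_checksum_type", "data_checksum_size", "data_checksum",
    "xml_offset", "xml_length", "reserved1",
    "master_checksum_type", "master_checksum_size", "master_checksum",
    "image_variant", "sector_count", "reserved2",
)


def is_udif(image):
    """True if the byte string ends with a 'koly' trailer."""
    return len(image) >= KOLY_SIZE and image[-KOLY_SIZE:-KOLY_SIZE + 4] == b"koly"


def parse_koly(image):
    """Unpack the trailer into a dict; raise ValueError if this is not a UDIF image."""
    if not is_udif(image):
        raise ValueError("no 'koly' trailer: not a UDIF disk image")
    info = dict(zip(KOLY_FIELDS, struct.unpack(KOLY_FMT, image[-KOLY_SIZE:])))
    # The plist must lie inside the image body, before the trailer.
    if info["xml_offset"] + info["xml_length"] > len(image) - KOLY_SIZE:
        raise ValueError("XML property list lies outside the image")
    return info


def read_plist(image, info):
    """Load the XML property list the trailer points to (it holds the 'blkx' block map)."""
    start, end = info["xml_offset"], info["xml_offset"] + info["xml_length"]
    return plistlib.loads(image[start:end])


def build_sample_image():
    """Constructed UDIF-shaped image: zero data fork + minimal plist + trailer."""
    data_fork = b"\x00" * 4096  # a real image carries the (often compressed) file system here
    plist = plistlib.dumps(
        {"resource-fork": {"blkx": [{"Name": "whole disk (constructed)", "ID": "0"}]}},
        fmt=plistlib.FMT_XML)
    trailer = struct.pack(
        KOLY_FMT, b"koly", 4, KOLY_SIZE, 1,
        0, 0, len(data_fork), 0, 0, 1, 1, b"\x00" * 16,
        2, 32, b"\x00" * 128,                    # data checksum (type 2 = CRC32), zeroed here
        len(data_fork), len(plist), b"\x00" * 120,
        2, 32, b"\x00" * 128,                    # master checksum, zeroed here
        1, len(data_fork) // 512, b"\x00" * 12)
    return data_fork + plist + trailer


if __name__ == "__main__":
    img = build_sample_image()
    koly = parse_koly(img)
    print(koly["version"], koly["sector_count"], read_plist(img, koly))
```

Reading the trailer first is how tools such as 7-Zip and dmg2img locate the block map; a file that has a .dmg extension but no 'koly' trailer is either a different format (for example an NDIF or raw image) or not a disk image at all.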

Open/Extract DMG File on Windows

Easy 7-Zip opens/extracts DMG files easily on Windows. Easy 7-Zip was developed based on 7-Zip, a well-known open source file archiver. Easy 7-Zip is an easy-to-use version of 7-Zip: the open source freeware keeps all features of 7-Zip and adds a few useful features that make the software more user-friendly.

Easy 7-Zip works on Windows 10/8.1/8/7/Vista/2008/2003/XP/2000 (both 32-bit and 64-bit compatible).

  1. Free Download Easy 7-Zip
  2. Install Easy 7-Zip by following the step-by-step instructions
  3. The installation associates DMG files with Easy 7-Zip automatically
  4. Double-click a DMG file to open it with Easy 7-Zip
  5. You will see the files or folders within the DMG file; click the Extract button to extract the DMG file
  6. Alternatively, right-click the DMG file in Windows Explorer
  7. and then choose Extract files..., Extract Here, or Extract to 'folder' to extract the DMG file
  8. Done

Easy 7-Zip Download Links:

You can install and use other alternative freeware that opens/extracts DMG file without burning the DMG file to disc. For example:

  • Free DMG Extractor
  • HFSExplorer
  • PeaZip

Open/Extract DMG File on Mac

B1 Free Archiver opens/extracts DMG files on Mac. B1 Free Archiver is free software for creating and extracting archives. B1 Archiver works on all platforms - Windows, Linux, Mac and Android. The freeware supports most popular formats, including DMG.

B1 Free Archiver is compatible with:

  • Mac OS X 10.9 Mavericks
  • Mac OS X 10.8 Mountain Lion
  • Mac OS X 10.7 Lion
  • Mac OS X 10.6 Snow Leopard

Alternative freeware that opens/extracts DMG files on Mac:

  • Apple Disk Utility
  • Keka
  • GUI Tar

Open/Extract DMG File on Linux

You can use the mount command to mount a DMG file as a virtual drive.

First, you must log in as root, and then create a directory for the DMG image:

# mkdir -p /mnt/macimage

Use the mount command as follows to mount a DMG file called image.dmg (this only works for uncompressed UDIF images; a compressed image, such as the common UDZO variant, must first be converted to a raw image, for example with dmg2img):

# mount -o loop -t hfsplus image.dmg /mnt/macimage

If the DMG is HFS file system, use:

# mount -o loop -t hfs image.dmg /mnt/macimage

Change into the mount directory to list the files stored inside the DMG image:

# cd /mnt/macimage
# ls -l

To unmount the DMG image, type:

# umount /mnt/macimage

Alternatively, you can use p7zip to extract the DMG file. p7zip is the Unix command-line port of 7-Zip, a file archiver with high compression ratios.

Install p7zip on CentOS and Fedora (the package is split into p7zip and p7zip-plugins there; the plugins package provides the 7z binary):

# yum install p7zip p7zip-plugins


Install p7zip-full on Debian and Ubuntu

$ sudo apt-get install p7zip-full

List directories and files in DMG file

$ 7z l image.dmg

Extract DMG file on Linux


$ 7z x image.dmg


Copyright © 2013-2017 James Hoo All rights reserved.