This week, Kaspersky released a detailed write-up on a piece of Mac malware called OSX.WildPressure.
One of the primary points of interest is a PyInstaller bundle (PyInstaller freezes a Python script and its dependencies into a standalone executable) that contains a Python script named “Guard.py”. This script shows the malware targeting not only Windows but macOS, too.
The script takes base64-encoded text and decodes it into a plist file. It then writes this plist, named “com.apple.pyapple.plist”, to the user’s LaunchAgents directory (~/Library/LaunchAgents), so launchd runs it whenever the user logs in, including after a reboot. Apple’s own launch agents live under /System/Library/LaunchAgents, so a com.apple.* label sitting in a user’s LaunchAgents directory is itself a useful indicator. On its first run, the script injects its own path into the plist in place of the “[pyscript]” placeholder.
The script then looks for a config file called ~/.appdata/grconf.dat and reads the contents between the magic header “*grds*” and the magic footer “*grde*”.
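The two artifacts described above, the LaunchAgent plist with its “[pyscript]” placeholder and the delimited config file, are easy to triage once you know what to look for. The following is an added example written for this page, not code from Kaspersky’s report or from the malware itself: the plist template, the script path and the config blob are constructed samples, and the triage heuristics (an Apple-namespace label in a user LaunchAgent, a Python interpreter launching a script outside system paths) are the author’s own choices.

```python
import base64
import plistlib
import re
from typing import Optional

# Constructed sample, not the malware's real plist: a LaunchAgent that runs a
# Python script at login, carrying the "[pyscript]" placeholder the page describes.
SAMPLE_PLIST_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.pyapple</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python</string>
        <string>[pyscript]</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Assumed encoding step: the dropper carries the plist as base64 text, as the page says.
SAMPLE_PLIST_B64 = base64.b64encode(SAMPLE_PLIST_TEMPLATE).decode()

MAGIC_HEADER = b"*grds*"
MAGIC_FOOTER = b"*grde*"
WILDPRESSURE_LABEL = "com.apple.pyapple"
PYTHON_RE = re.compile(r"(^|/)python[0-9.]*$")


def decode_plist_blob(b64_text: str) -> bytes:
    """Reverse the dropper's base64 step to recover the raw plist bytes."""
    return base64.b64decode(b64_text)


def fill_placeholder(template: bytes, script_path: str) -> bytes:
    """Mimic the injection step: replace [pyscript] with the script's own path."""
    return template.replace(b"[pyscript]", script_path.encode())


def extract_config(blob: bytes) -> Optional[bytes]:
    """Return the bytes between the magic header and footer, or None if either is missing."""
    start = blob.find(MAGIC_HEADER)
    if start == -1:
        return None
    start += len(MAGIC_HEADER)
    end = blob.find(MAGIC_FOOTER, start)
    if end == -1:
        return None
    return blob[start:end]


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse a user-level LaunchAgent plist and list indicators relevant to this family.

    Heuristics (author's assumptions, not Kaspersky's detection logic):
      - the exact label used by OSX.WildPressure
      - any com.apple.* label in a user's LaunchAgents directory (Apple's own agents
        live under /System/Library/LaunchAgents, not ~/Library/LaunchAgents)
      - ProgramArguments that run a Python interpreter on a script outside system paths
    """
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "")
    args = list(data.get("ProgramArguments", []))
    findings = []
    if label == WILDPRESSURE_LABEL:
        findings.append("label matches OSX.WildPressure LaunchAgent")
    elif label.startswith("com.apple."):
        findings.append("com.apple.* label in a user LaunchAgent")
    if args and PYTHON_RE.search(args[0]):
        findings.append("runs a Python interpreter")
        if len(args) > 1 and not args[1].startswith(("/System/", "/usr/")):
            findings.append(f"script outside system paths: {args[1]}")
    return {
        "label": label,
        "program_arguments": args,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "findings": findings,
    }


if __name__ == "__main__":
    # Walk the dropper's steps on the constructed sample, then triage the result.
    plist = fill_placeholder(decode_plist_blob(SAMPLE_PLIST_B64), "/Users/victim/.appdata/Guard.py")
    for line in triage_launch_agent(plist)["findings"]:
        print("-", line)
    # Constructed config blob with junk on both sides of the delimiters.
    print(extract_config(b"junk*grds*{\"c2\":\"example\"}*grde*trailing"))
```

The triage function deliberately does not hard-code the file path: the same plist content is worth flagging wherever it turns up, and the label and interpreter checks generalise to other Python-based LaunchAgent persistence beyond this one family.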
As we've seen with this cross-platform Trojan, malware authors are increasingly targeting macOS alongside operating systems such as Windows. This is a good reminder that as Mac devices continue to grow in popularity, attackers will adapt their tooling to reach more victims.
Jamf Protect’s Threat Prevention detects and blocks execution of this malicious script, as well as many others. Apple has also told developers that Python will not come pre-installed in a future version of macOS.
This move by Apple will help hinder malware families that are primarily written in (or include) Python. Past examples of such families include GravityRAT, Bella, EvilOSX, Empyre and some variants of Shlayer and Pirrit. Note, though, that a PyInstaller bundle carries its own copy of the interpreter, so removing the system Python hinders loose scripts more than frozen executables like the one discussed here.