3/5/2023 0 Comments Mplayerx open no windowThere is no functional difference between these two files. The user has the option to install Conduit. The VSearch installation is not optional. The hashes are different due to the way the each DMG file was constructed. Talos reversed two samples of this malware: The Mac OS Malware is the legitimate application MPlayerX bundled with two well-known adware/browser hijackers: Conduit and VSearch. Reversing of the Mac Malware Browser Hijacker VSearch Also each malware is unique each time, which makes the detection harder, as the checksums are different each time. What is special about the attack is that they are targeting Windows and Mac computers alike. There are also specialized domains in the “Kyle and Stan” network that seem to handle the redirecting and act as landing pages. Kyle.mxp(1-4 digits).com or stan.mxp(1-4 digits).com All the domains directly associated to the attackers are hosted by amazon and use a whois privacy protection service to keep the identity protected Most of the 700+ domains follow the naming scheme of: The nickname “Kyle and Stan” comes from the the naming scheme these attackers are using for their domains to distribute the major part of their malware. The list contains a few very popular domains including, , and, which allows the attackers to reach huge numbers of potential victims: Our data indicates that all of the domains below have at different times displayed malicious advertisement that can be linked to the “Kyle and Stan” group. Overall we observed a total of 9541 connections to the malicious domains over the course of our investigation. A full list of the found domains can be downloaded in the IOC Section.įull List of Domains Referring to the “Kyle and Stan” Network The process could be automated, which makes it very easy to register massive amounts of extra domains. This assumption is supported by the strict name-patterns of found domains. This by all means is most likely just the tip of the iceberg. In our research we have found 700+ domains that are part of their network. The size of the “Kyle and Stan” network is hard to judge. Observed connections to the “Kyle and Stan” Network on a log scale. The biggest activities were registered in mid June and early July, but attacks are still ongoing. The graphic is using the logarithmic scale, due to the huge changes in activity of the network. The first hits on our sensors were detected on May 5th. The graphic below illustrates the activity observed since Talos began tracking “Kyle and Stan” network. Timeline and Size of the “Kyle and Stan” Group Please visit the Reversing chapters below for a detailed breakdown of the Windows and Mac malware. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike. No drive-by exploits are being used thus far. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. Once the victim gets redirected to the final URL, the website automatically starts the download of a unique piece of malware for every user. The final page starts the download of a malicious file. We observed that Windows and Mac users get redirected to different malware in order to infect both operating systems
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |