 U-Kseniia Yamburh, Unjiniyela Wocwaningo Lwe-Malware e-Moonlock ngu-MacPaw & Mykhailo Pazyniuk, Unjiniyela Wocwaningo Lwe-Malware e-Moonlock ngu-MacPaw Ababhali:  Isofthiwe yomthombo ovulekile iyisisekelo sokusungula izinto ezintsha kodwa futhi ivula umnyango wokuxhashazwa. Muva nje, abacwaningi be-Checkmarx  iphakethe le-PyPI elisolisayo eliqondise kubasebenzisi be-macOS, eliqanjwe ngokuthi "Meme-Token-Hunter-Bot." Ngenkathi iphakethe liziveza njenge-crypto token hunter bot, ukubukeka okujulile kwembula ukuthi linomthwalo oyinkimbinkimbi wokwebiwa kwedatha.   kungamboziwe  E-Moonlock, lapho sigxile ekuvikeleni abasebenzisi be-macOS, sasazi ukuthi kufanele sijule kulokhu. Njengoba sembula izendlalelo, lokho esikutholile kusiholele kumakhosombe engeziwe angu-10 - ngayinye yabelana ngekhodi ecishe ifane, enokuhlukahluka okucashile. Ingabe lona bekuwumsebenzi wokuthunyelwa okuzenzakalelayo? Umkhankaso ohlanganisiwe? Nansi indlela uphenyo lwenzeke ngayo.   Ukubuka Kokuqala Okungaphezu Kwe-Crypto Bot nje  Indaba iqala ngokuthi "Meme-Token-Hunter-Bot," ebonakala ingelinye nje ithuluzi eliwusizo labathandi be-crypto. I-README yayo iyala abasebenzisi ukuthi basebenzise i-main.py, ifayela ngokuvamile eliqala ukusebenza okuyinhloko ezinhlelweni eziningi ezisekelwe kuPython. Silandela imiyalelo, sangena ku-main.py, kodwa sayithola ibiza iskripthi somsizi esibizwa nge-base_helper.py. Leli fayela losizo lizoba insika yophenyo lwethu.    Ukwenza Imephu Ukugeleza Kokuhlasela  Ukuthola ukuqonda okucacile kokuthi i-Meme-Token-Hunter-Bot ihlasela kanjani, sidwebe ishadi elibonisa isinyathelo ngasinye senqubo yohlelo olungayilungele ikhompuyutha, kusukela ekusethweni kokuqala kuya ekuhlungeni idatha. Lokhu kuvezwa okubonakalayo kuveza izendlalelo zombhalo wekhodi namaqhinga ayimfihlo ashumekwe ngaphakathi kwephakheji, okunikeza umbono ogcwele wokuthi usebenza kanjani.   I-flowchart yethu iqala ngokuthi main.py, indawo yokuqala ebiza i-base_helper.py uma iphakheji ithola ukuthi isebenza ku-macOS.   Leli fayela lihlanganisa ama-URL anekhodi ye-base64 namagama wefayela, agcinwe ezintweni ezihlukile ezifana ne-encoded_base_key kanye namalayisense_afakwe ikhodi.   Lawa manani afakwe ikhodi afihla injongo yangempela yombhalo, efihla i-URL exhumeka ku-https://coinsw[.]app/basec/ futhi alande amanye amafayela kumkhombandlela ~/tmpcode/.   Uma amafayela eselandiwe, isinyathelo esilandelayo ku-flowchart yethu sibonisa uhlelo olungayilungele ikhompuyutha ethula ifayela elibizwa ngokuthi i-MHTBot.py, eqondisa kabusha konke okukhiphayo okubonakalayo kokuthi/dev/null—ukugcina imisebenzi yayo ifihliwe kubasebenzisi namathuluzi okuqapha ngokufanayo.    I-MHTBot  Ku-flowchart, i-MHTBot.py igqama njengendawo yokuguqula ekuhlaselweni. Isebenzisa i-PyQT5, leli fayela lidala i-graphic interface yomsebenzisi elingisa isofthiwe esemthethweni, ebonisa ukwaziswa kwephasiwedi kanye nebha yokuqhubeka. Lokhu kuzifihla kuklanyelwe ukuqinisekisa abasebenzisi, kuyilapho, empeleni, i-MHTBot.py yenza kusebenze ngokunyenya uchungechunge lwamamojula okubamba idatha ngemuva.   I-MHTBot.py isebenzisa indlela ehlakaniphile yokweqa: yenqaba umzamo wokuqala wephasiwedi njengokuthi "awuvikelekile," yamukela owesibili kuphela. Lokhu kulibaziseka okwakhelwe ngaphakathi kungenzeka kuhlose ukugwema ukutholwa kwe-sandbox, njengoba izindawo eziningi ze-sandbox zinesikhathi sokusebenza esilinganiselwe esingase siphele ngaphambi kokuthi uhlelo olungayilungele ikhompuyutha lusebenze ngokugcwele.   Njengengxenye yamaqhinga ayo okubalekela, i-Meme-Token-Hunter-Bot isebenzisa ukubambezeleka ngaphambi kokwethula imisebenzi yayo eyinhloko yokweba idatha. Lokhu kubambezeleka kuphinde kuklanyelwe ukugwema ukutholwa yizindawo ze-sandbox, ezivame ukuba nobude besikhathi esilinganiselwe sokuhlaziya okuzenzakalelayo. Ngokubambezela ukwenza, uhlelo olungayilungele ikhompuyutha lukhulisa amathuba okuthi ludlule kulawa maskeni okuqala futhi lusebenze ngokugcwele kusistimu yomsebenzisi wangempela.  Isithombe-skrini esingezansi sigqamisa ikhodi ethile enesibopho salokhu kubambezeleka. I-start_one_py_main_after_delayfunction iqala ukubambezeleka kwama-millisecond angu-7000 (amasekhondi angu-7) kusetshenziswa i-QTimer.singleShot, ngemva kwalokho ibize umsebenzi we-run_one_py_main. Lo msebenzi ube usucupha imojuli eyinhloko yokwebiwa kwedatha, i-one.py, kuchungechunge oluhlukile.    Ukwebiwa Kwedatha  Njengoba izinguquko ze-MHTBot.py zilawula ku-one.py, imisebenzi eyinhloko yokweba idatha yohlelo olungayilungele ikhompuyutha iyaqala. Amazwibela ekhodi alandelayo aveza ukuthi i-one.py isebenzisa kanjani imisebenzi ehlukahlukene namamojula ukuze iqoqe ulwazi olubucayi ohlelweni lomsebenzisi. Ake sihlukanise ingxenye ngayinye yekhodi kanye nenjongo yayo.  Kumazwibela okuqala, sibona umsebenzi oyinhloko() ulungiselela uhla lwemibhalo olufihliwe lokugcinwa kwesikhashana kwedatha eyebiwe. Uhlelo olungayilungele ikhompuyutha ludala ~/.temp/premium/ njengohlu lwemibhalo olufihliwe ukuze lugcine amafayela ngaphandle kokuxwayisa umsebenzisi. Ngemuva kokusetha lolu hlu lwemibhalo, umsebenzi ubiza izindlela ezahlukahlukene zokuqoqa idatha kusuka kuzinhlelo zokusebenza ezithile:  mediax(): Cishe iqondise Amanothi e-Apple ukuze ikhiphe amanothi agciniwe.  copy_stickies() kanye ne-copy_stickies_database(): Le misebenzi iqoqa idatha kusuka kuhlelo lokusebenza lwe-Stickies.  backup_ssh(): Iqoqa okhiye be-SSH ohlelweni.  copy_terminal_history(): Ikopisha amafayela omlando wetheminali.  copy_ssh_and_keychain(): Imonyula idatha ku-SSH naku-macOS Keychain.  Le misebenzi inikezelwe ekuqoqeni idatha ebanzi evela ezinhlelweni zokusebenza, izifakazelo zomsebenzisi, nokulungiselelwa kwe-SSH, okwenza i-one.py ibe isiqoqi sedatha esihlanganisa konke.   Umsebenzi we-search_files(), obonwa kumazwibela ekhodi olandelayo, unweba ukufinyelela kokuqoqwa kwedatha ngokukhomba izinhlobo ezithile zamafayela. Lo msebenzi usesha ezinhlwini zemibhalo ezivamile (Okulandiwe, Amadokhumenti, Ideskithophu, nohla lwemibhalo lwasekhaya) ukuthola amafayela abucayi anezandiso ezifana ne-.txt, .csv, .json, .config, kanye ne-.env. Lezi zinhlobo zamafayela zivame ukuqukatha izilungiselelo zokucushwa, okhiye be-API, nolunye ulwazi olubalulekile.  Amafayela atholiwe abe esekopishelwa kuhla lwemibhalo lwesikhashana, acindezelwe, futhi alungiselwe ukucwiliswa. Lesi sinyathelo siqinisekisa ukuthi noma iyiphi idatha ngokuvamile egcinwe ohlwini lwemibhalo lomsebenzisi noma amafayela okulungiselelwa kwephrojekthi iyaqoqwa.   Kumazwibela alandelayo, imisebenzi ye-copy_terminal_history() kanye ne-copy_ssh_and_keychain() ithwebula idatha yomsebenzisi ebalulekile. Uhlelo olungayilungele ikhompuyutha lukhipha umlando wetheminali kumafayela we-.zprofile kanye ne-.zsh_history, imiyalo engase yembule umsebenzisi ayisebenzisayo, okuhlanganisa noma yiluphi ulwazi olubucayi noma izifakazelo ezithayiphiwe kutheminali.  Ukwengeza, inkomba ye-macOS Keychain ne-SSH ifinyelelwa ukuze kuthathwe izifakazelo ezibethelwe, amaphasiwedi, nokhiye be-SSH abagcinwe ohlelweni, okuhlinzeka abahlaseli ngemininingwane yenani eliphezulu.   Enye yezingxenye eziphawuleka kakhulu zalolu hlelo olungayilungele ikhompuyutha ukukhomba kwayo ama-crypto wallet. Umsebenzi we-zip_additional_wallets() ubheka ngokuqondile izinkomba ezihlotshaniswa namawalethi e-cryptocurrency adumile. Uhlelo olungayilungele ikhompuyutha lusesha ngokuhlelekile amafayela wesikhwama se-Bitcoin, Electrum, Coinomi, Exodus, namanye ama-crypto wallets amakhulu. Uma sezihlonziwe, lezi zinkomba ze-wallet zip futhi zigcinwe kuhla lwemibhalo lwesikhashana, zilungele ukukhishwa.   Uhlelo olungayilungele ikhompuyutha luhlanganisa nemisebenzi ethile yokwebiwa kwedatha yeTelegram. Imisebenzi ye-backup_telegram() kanye ne-backup_tdata() ibheka izinkomba zedatha ye-Telegram, izama ukufinyelela imilayezo, abathintwayo, nemidiya egcinwe kuhlelo lokusebenza. Ngokukopisha lawa mafayela, uhlelo olungayilungele ikhompuyutha lungavumela abahlaseli ukuthi bakhe kabusha ukuxhumana kwe-Telegram nomsebenzisi nomlando wemidiya.    Exfiltration  Ngemva kokuqoqa ulwazi olubucayi, i-Meme-Token-Hunter-Bot iyaqhubeka nokukhipha idatha kuseva ekude. Lokhu kukhishwa kwenziwa ngochungechunge lwemisebenzi ephatha ukuqamba kabusha ifayela, ukulayisha, nokwazisa ibhodlela yeTelegramu yomhlaseli. Amazwibela ekhodi alandelayo abonisa ukuthi le nqubo yenzeka kanjani.   Umsebenzi send_telegram_message uthumela umlayezo ku-Telegram bot emiswe ngaphambilini, ixwayisa abahlaseli ukuthi iqoqo elisha lamafayela antshontshiwe lilayishiwe. Lo msebenzi uqinisekisa ukuthi abahlaseli bathola izibuyekezo ezifika ngesikhathi ekukhishweni ngakunye, okubavumela ukuthi baqaphe inqubo yokuntshontshwa kwedatha ngesikhathi sangempela.  Ukuze kuthuthukiswe ubukhona bayo, uhlelo olungayilungele ikhompuyutha luqamba kabusha amafayela antshontshiwe ngesandiso se-.minecraft—iqhinga elingajwayelekile okungenzeka lihloselwe ukweqa amasistimu okutholwa kokungena kwenethiwekhi aqapha izinhlobo ezithile zamafayela. Uma seliqanjwe kabusha, upload_file liqala ukudluliswa kwedatha kuseva ekude yomhlaseli. Ifayela livulwa ngemodi yokufunda kanambambili futhi lilayishwa kusetshenziswa okuthi requests.post() ku-https://store1.gofile[.]io/, inkundla yokwabelana ngamafayela esesidlangalaleni.  Uma ukulayisha kuphumelela (okuboniswa ikhodi yesimo engu-200), umsebenzi ubuyisela isixhumanisi sokulanda, esithunyelwa kumhlaseli nge-Telegram.    11 Amakhosombe Engeziwe: Isithombe Esikhulu  Phakathi nophenyo lwethu, sasola ukuthi i-Meme-Token-Hunter-Bot ingase ingabi iphakheji elilodwa. Ukusebenzisa i-GitHub ehlosiwe  ('b25lLnB5' KANYE ne-'requests.get(url)'), sithole amakhosombe engeziwe angu-10 anekhodi ecishe ifane. Lawa makhosombe abonise izinguquko ezincane emagameni wefayela namalebula e-UI, okungenzeka akhiqizwe ngesu lokuphakela elizenzakalelayo ukuze kugcinwe amakhophi amaningi ohlelo olungayilungele ikhompuyutha, okuqinisekisa ukutholakala kwalo ngisho noma inqolobane eyodwa imakiwe noma isusiwe.    umbuzo  Kuyathakazelisa ukuthi ngenkathi i-Meme-Token-Hunter-Bot isinezinyanga eziyi-10 ikhona, iqale ukufaka ikhodi enonya ngo-Agasti 2024, lapho i-base_helper.py—ifayela elibhekele ukulanda isigebengu se-Stage-2 Python—lethulwa okokuqala. Isibuyekezo sakamuva saleli fayela senziwe ngoSepthemba 28, 2024. Ngakolunye uhlangothi, amakhosombe engeziwe ayi-11 athole izibuyekezo zawo ezinonya cishe ezinyangeni ezimbili ezedlule, lapho i-base_helper.py yengezwa. Lesi sikhathi esihlanganisiwe siphakamisa ukuthi lezi zindawo zokugcina zahlelelwa ukusabalalisa uhlelo olungayilungele ikhompuyutha, kwakhiwa empumelelweni yokuqala nezindlela ezibonwa ku-Meme-Token-Hunter-Bot.  Siphinde sathola imiyalelo yokudlula i-Gatekeeper kwamanye ala makhosombe, aklanyelwe ukuqondisa abasebenzisi ngokudlula izexwayiso zokuphepha ze-macOS. Imiyalo yethulwe ngefomethi ebonakalayo yesinyathelo nesinyathelo, ekhuthaza abasebenzisi ukuthi bachofoze kwesokudla uhlelo lokusebenza, bakhethe "Vula," futhi badlule isixwayiso soMgcini-sango.   Ukwengeza, phakathi kwezindawo zokugcina ezingu-10 ezengeziwe ezikhonjiwe, okuhlukile okubizwa ngokuthi "i-Solana-Bot" kwagqama. Nakuba ilandela ukugeleza okunonya okufanayo njenge-Meme-Token-Hunter-Bot, sibone izinguquko ezincane, ikakhulukazi emagameni wefayela nasekusetshenzisweni komsebenzi. Ukuhlaziywa kwe-diff side by side kwefayela lika-Solana-Bot's base_helper.py kanye nele-Meme-Token-Hunter-Bot kugqamisa lo mehluko.  Umehluko oyinhloko phakathi kwe-Solana-Bot ne-Meme-Token-Hunter-Bot ihlanganisa izinguquko ze-URL.   "aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2VjLw==" + "UENTQm90LnB5" = "https://coinsw.app/basec/PCSBot.py" <-- Solana-Bot "aHR0cHM6Ly9jb2luc3cuYXBwL2Jhc2VjLw==" + "TUhUQm90LnB5" = "https://coinsw.app/basec/MHTBot.py"   Isiphetho  Lolu phenyo lwe-Meme-Token-Hunter-Bot nokuhluka kwalo okuhlobene luveza umkhankaso ohlelwe ngokucophelela oqondiswe kubasebenzisi be-macOS. Iqale yavezwa yi-Checkmarx, leli phakethe lokweba ekuqaleni elafihlwa njengethuluzi le-crypto selikhule laba usongo olubanzi. Ukuhlaziya kwethu kwembule amakhosombe engeziwe angu-11, ngalinye liqukethe ukuhluka okuncane kwekhodi yokuqala. Abahlaseli babonakala besebenzise okuzenzakalelayo ukukhiqiza ngokushesha lawa makhosombe, besebenzisa ukuguqulwa okuncane emagameni, amalebula e-UI, kanye nokusebenza ukuze bagweme ukutholwa nokuqinisekisa ukutholakala okuqhubekayo.  Noma kunjalo, siphinde sabona amaqhinga ajwayelekile wobunjiniyela bezenhlalo aqondiswe kubasebenzisi be-macOS, ikakhulukazi imiyalelo yokudlula i-Gatekeeper. Lokhu kubonisa ukuthi abalingisi abasabisayo basathembele kakhulu ekuxhaphazeni ukwethenjwa komsebenzisi. Ngaphandle kwamasu athuthukile abonwa kulo mkhankaso, lokhu kuncika kuma-bypasses asizwa ngabasebenzisi kugcizelela isidingo sokuqhubeka kwemfundo yabasebenzisi.  Ukuqwashisa kuyisivikelo esingcono kakhulu. Izinsiza ezifana ne-Moonlock blog  hlinzeka abasebenzisi be-macOS ngemininingwane ewusizo ezinsongweni zamanje nezindlela zokuthuthukisa ukuphepha kwabo.   moonlock.com/blog  Ama-IoC ayatholakala eqoqweni:   https://www.virustotal.com/gui/collection/68e7bff75a6ceb5d3d4faabfdb0e106b6527382a2b29a17c59ec3ce7d8f4233b/iocs

This story contains new, firsthand information uncovered by the writer.

Join Moonlock's Newsletter

Lo msindo ukhiqizwa ngolimi lokuqala lwendaba!

Kude kakhulu; Uzofunda

Download free Tech Leaders Productivity Report!

Ithuluzi le-Crypto noma Isela Ledatha? Indlela i-Meme-Token-Hunter-Bot nama-Clones ayo antshontsha ngayo kubasebenzisi be-macOS

About Author

IMIBONO

HANG TAGS

LESI SIHLOKO SETHULWE NGAPHAKATHI

Related Stories

Zulu Network: Moving The Bitcoin Economy Forward With a Two-Tiered Bitcoin Layer 2 Architecture

The Billionaires F*cked Up

Zulu Network: Moving The Bitcoin Economy Forward With a Two-Tiered Bitcoin Layer 2 Architecture

The Billionaires F*cked Up

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps