ℹ️ The posting mentioned in his tweet, /p/408746101, provides a detailed overview of the attack. Moreover, it appears to be the first mention of this attack, and as such, should be credited with the discovery of this (widespread?) attack. Here, we build upon this posting, providing an analysis that focuses on uncovering the technical details of the attack, such as the specific method of trojanization.

As Zhi noted, the malware was hosted on the site. This malicious site appears identical to the legitimate and popular iTerm2 website ( ):

The fact that the malicious site masquerades as the legitimate one is unsurprising, as the malware's attack vector is based on simple trickery. Specifically, as noted by Zhi and in the aforementioned writeup, users who searched for 'iTerm2' on the Chinese search engine Baidu would have been presented with the sponsored link to the malware:

…and, following this link, as the malicious site was a clone, would perhaps not realize anything was amiss.

(lldb) target create "/Volumes/iTerm/iTerm.app/"
Current executable set to '/Volumes/iTerm/iTerm.app' (x86_64).
Breakpoint 1: where = libcrypto.2.dylib`+, address = 0x0000000101783040
(lldb) /Volumes/iTerm/iTerm.app/Contents/MacOS/iTerm2
* thread #1, queue = '-thread', stop reason = breakpoint 1.1
* thread #1, stop reason = breakpoint 1.1