Some time shortly after the release of High Sierra public betas last year, I started noticing a lot of user reports on Apple Support Communities that included something odd: an Apple Launch Daemon called .plist appeared, but oddly its program argument, a binary located at /macOS Install Data/Locked Files/cleanup_installer, was missing.

Being an Apple Launch Daemon, of course, the plist is owned by root:

```
-rw-r--r--  1 root  wheel  446 Oct 10 06:52 .plist
```

After discussion with a few colleagues about this oddity, I decided to see if I could catch a copy of the missing program argument. After rolling back to an earlier version first, I found that the macOS Install Data folder is created when a user runs the Upgrade installer (along with the Launch Daemon plist). A clean install with the full installer does not appear to create either the property list or the program argument.

The Locked Files folder indicated in the program argument path is hidden in the Finder, but revealed in Terminal. Inside the Locked Files folder is the cleanup_installer binary. The binary is 23 KB, and its strings section gives some indication of its purpose.

The 'LaunchOnlyOnce' and 'RunAtLoad' keys tell us the program argument will be run just once on every reboot, and because the job is a Launch Daemon, launchd will execute whatever is at the program argument path with root privileges. With the executable missing, as noted in numerous ASC reports, that leaves open the possibility that a malicious process could install its own executable at that path to aid in persistence or re-infection if the original infection were discovered or removed.

To test this hypothesis, I threw a quick script together that included a 'sudo' command.
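As an added example (not the post author's code, and not anything Apple ships), here is a small audit that parses launchd property lists and flags any job whose Program or ProgramArguments[0] does not exist on disk, which is exactly the condition described above. The sample plists, their labels and the temporary paths are all constructed for the example; the label used is a placeholder and is not the real daemon's name.

```python
"""Audit launchd plists for program paths that do not exist on disk.

A LaunchDaemon whose ProgramArguments[0] is missing is a hijack
candidate: whoever can create a file at that path gets it executed as
root by launchd at the next boot. Added illustration, not the post
author's code; the Label in the sample plist is a placeholder.
"""
import os
import plistlib
import tempfile


def program_path(job):
    """Return the executable launchd would run for this job, or None."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_plist_file(path):
    """Parse one launchd plist; return a finding if its program is missing, else None."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    prog = program_path(job)
    if prog is None or os.path.exists(prog):
        return None
    return {
        "plist": path,
        "label": job.get("Label", "?"),
        "program": prog,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "launch_only_once": bool(job.get("LaunchOnlyOnce", False)),
    }


def audit_directory(directory):
    """Return findings for every .plist in `directory` whose program path is dangling."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            finding = audit_plist_file(os.path.join(directory, name))
            if finding:
                findings.append(finding)
    return findings


def make_sample_dir():
    """Constructed sample: two plists in a temp dir.

    The first mirrors the shape described in the post (a root job whose
    program lives under "Locked Files" and is absent); the second points at
    a file that exists and must not be flagged.
    """
    d = tempfile.mkdtemp()
    missing = os.path.join(d, "macOS Install Data", "Locked Files", "cleanup_installer")
    present = os.path.join(d, "healthy_bin")
    open(present, "w").close()
    dangling = {
        "Label": "com.example.cleanupinstaller",  # placeholder, not the real daemon's label
        "ProgramArguments": [missing],
        "RunAtLoad": True,
        "LaunchOnlyOnce": True,
    }
    healthy = {
        "Label": "com.example.healthy",
        "ProgramArguments": [present, "--quiet"],
        "RunAtLoad": True,
    }
    for fname, job in (("com.example.cleanupinstaller.plist", dangling),
                       ("com.example.healthy.plist", healthy)):
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    # Against a real Mac this would be audit_directory("/Library/LaunchDaemons").
    for f in audit_directory(make_sample_dir()):
        print(f"{f['label']}: missing {f['program']} "
              f"(RunAtLoad={f['run_at_load']}, LaunchOnlyOnce={f['launch_only_once']})")
```

Run it against /Library/LaunchDaemons (as root if any plist there is not world-readable) to list dangling root jobs. A hit is only a hijack candidate if a non-root user can create the missing file, so check the ownership and permissions of the missing path's parent directory before treating it as an incident rather than leftover installer state.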