It seems a new trojan is going around and affecting @Apple #iOS builds. I don't know the original method of infection, but I'm starting to see some public repos on GitHub being affected
github.com/search?fbclid=…
github.com/search?fbclid=…
If you care to de-obfuscate the HEX, it downloads and executes a script from sidelink.xyz/a (a server in Moscow) which in turn downloads a binary from the same site...
Do I know someone besides @k8em0 and @Fox0x01 that could spread a couple of words in the right places?
Do I know someone besides @k8em0 and @Fox0x01 that could spread a couple of words in the right places?
Kudos to our team @OetkerDigital for first finding this out, and thanks @acquavascia for spreading the word!
Some other variants download from icloudserv DOT com (pointing to the same IP as sidelink DOT xyz)... Still going through some of the variants 😀
Another one found: nodelink DOT xyz
So far, I found the following:
• linebrand DOT xyz
• mantrucks DOT xyz
• linebrand DOT xyz
• sidelink DOT xyz
• monotel DOT xyz
• nodeline DOT xyz
• icloudserv DOT com
All pointing to 194.87.186.66
• linebrand DOT xyz
• mantrucks DOT xyz
• linebrand DOT xyz
• sidelink DOT xyz
• monotel DOT xyz
• nodeline DOT xyz
• icloudserv DOT com
All pointing to 194.87.186.66
Maybe this can be relevant for @GitHubSecurity
The AppleScript payload is interesting!
gist.github.com/pfumagalli/a45…
I love the comments "DO NOT REMOVE THIS BLOCK (ask Cheng why??)"
Or the breadcrumbs "if userName contains "ritvik" or serialNumber is equal to "C02CH2XSMD6R" then"
Who is "ritvik" with this 16" 2019 MBP? 😱
gist.github.com/pfumagalli/a45…
I love the comments "DO NOT REMOVE THIS BLOCK (ask Cheng why??)"
Or the breadcrumbs "if userName contains "ritvik" or serialNumber is equal to "C02CH2XSMD6R" then"
Who is "ritvik" with this 16" 2019 MBP? 😱
• • •
Missing some Tweet in this thread? You can try to
force a refresh
