Showing results for 
Show  only  | Search instead for 
Did you mean: 
Claim your free VMworld 2020 ticket now for a completely digital experience to learn about how VMware Carbon Black can protect you from sophisticated threats.



Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN - OSX.Yort



In March of 2019 Kaspersky published an article about the Lazarus APT group continued targeting of financial entities. Their report noted that this new campaign being tracked was targeting both Windows and macOS users. The campaign used both malicious powershell scripts on windows as well as macOS specific malware. Recently new versions of the previously reported macOS malware have been identified and are being distributed via a fake photo album viewing application.

Behavioral Summary

The malware dropper extracts the backdoor binary from itself and attempts to save it to the user’s home directory. It then tries to persist by installing a launch agent into the user’s ~/Library/LaunchAgents directory. Next it executes the backdoor application. After dropping and executing the backdoor payload the malware will execute a hidden binary so that the end user thinks the photo album application is running properly. You can see the process tree and TTPs for the malware dropper below:


1 - Process Tree.png

2 - Spider Graph and TTPs.png

The backdoor malware will attempts to contact a list of C2 servers over HTTPS and run perpetually waiting for commands. It can collect host information, upload and download files as well as execute arbitrary shell commands.


TID Tactic Description
T1152 Defense Evasion, Execution, Persistence Launchctl
T1159 Persistence LaunchAgent
T1005 Collection Data from Local System
T1105 Command And Control, Lateral Movement Remote File Copy
T1071 Command And Control Standard Application Layer Protocol


Indicators of Compromise (IOCs)

Indicator Type Context
735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02 SHA256 OSX.Yort Dropper Sample
6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc SHA256 OSX.Yort Sample
crabbedly[.]club DNS C2 server
craypot[.]live DNS C2 server
indagator[.]club DNS C2 server
Labels (1)
0 Kudos
Article Information
Creation Date: