052. Detecting Poseidon Stealer's Anti-Analysis Techniques
Hello everyone! We already talked about macOS stealers, but let's talk a bit more about this threat. Today we'll look at Poseidon Stealer and some of its anti-analysis techniques.
So, the first technique we'll look at is abusing pkill to terminate processes related to Terminal:
pkill Terminal
To detect it, we can search for pkill process creation events with Terminal in the command-line arguments:
event_type: processcreate
AND
proc_file_name: "pkill"
AND
cmdline: "Terminal"
The second technique is abusing AppleScript to compare the current short user name against a list of names common in analysis environments and, on a match, terminate execution:
osascript -e 'if (short user name of (system info)) is "maria" or (short user name of (system info)) is "run" or (short user name of (system info)) is "jackiemac" or (short user name of (system info)) is "bruno" then error number -1'
Here we can search for osascript process creation events with all of those user names in the script:
event_type: processcreate
AND
proc_file_name: "osascript"
AND
cmdline: ("maria" AND "run" AND "jackiemac" AND "bruno")
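Both queries above expressed as plain detection logic, run over a handful of constructed process-creation events (added example, not from the original post; the field names event_type, proc_file_name and cmdline are taken from the queries, the rule names and sample events are my own):

```python
# Constructed sample process-creation events (not real telemetry); the field
# names follow the ones used in the queries above.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "pkill",
     "cmdline": "pkill Terminal"},
    {"event_type": "processcreate", "proc_file_name": "osascript",
     "cmdline": ("osascript -e 'if (short user name of (system info)) is \"maria\" "
                 "or (short user name of (system info)) is \"run\" "
                 "or (short user name of (system info)) is \"jackiemac\" "
                 "or (short user name of (system info)) is \"bruno\" "
                 "then error number -1'")},
    # Benign look-alikes that must NOT fire:
    {"event_type": "processcreate", "proc_file_name": "pkill",
     "cmdline": "pkill -f node"},
    {"event_type": "processcreate", "proc_file_name": "osascript",
     "cmdline": "osascript -e 'display notification \"run finished\"'"},
    {"event_type": "filecreate", "proc_file_name": "pkill",
     "cmdline": "pkill Terminal"},
]

# The user names the stealer's AppleScript checks for.
ANALYSIS_USERS = ("maria", "run", "jackiemac", "bruno")


def is_pkill_terminal(event):
    """Rule 1: pkill process creation with Terminal in its arguments."""
    return (event.get("event_type") == "processcreate"
            and event.get("proc_file_name") == "pkill"
            and "Terminal" in event.get("cmdline", ""))


def is_user_name_check(event):
    """Rule 2: osascript whose script tests for all four user names.
    Names are matched as quoted AppleScript literals ("run"), so a
    command line that merely contains the word run does not fire."""
    cmdline = event.get("cmdline", "")
    return (event.get("event_type") == "processcreate"
            and event.get("proc_file_name") == "osascript"
            and all(f'"{name}"' in cmdline for name in ANALYSIS_USERS))


RULES = {"poseidon_pkill_terminal": is_pkill_terminal,
         "poseidon_user_name_check": is_user_name_check}


def detect(events):
    """Return (rule_name, cmdline) for every event matching a rule."""
    return [(name, e["cmdline"]) for e in events
            for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, cmdline in detect(SAMPLE_EVENTS):
        print(f"{name}: {cmdline}")
```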
If you want to learn more about this stealer, here's a fresh report by eSentire.
See you tomorrow!