052. Detecting Poseidon Stealer's Anti-Analysis Techniques

Hello everyone! We already talked about macOS stealers, but let's talk a bit more about this threat. Today we'll look at Poseidon Stealer and some of its anti-analysis techniques.


So, the first technique we'll look at is abusing pkill to terminate processes related to Terminal:

pkill Terminal

To detect it, we can search for pkill process creation events with Terminal in the arguments:

event_type: processcreate
AND proc_file_name: "pkill"
AND cmdline: "Terminal"

The second technique is abusing AppleScript to check for common analyst user names, so the stealer can identify an analysis environment and terminate execution:

osascript -e 'if (short user name of (system info)) is "maria" or (short user name of (system info)) is "run" or (short user name of (system info)) is "jackiemac" or (short user name of (system info)) is "bruno" then error number -1'

Here we can search for osascript process creation events with those user names in the script:

event_type: processcreate
AND proc_file_name: "osascript"
AND cmdline: ("maria" AND "run" AND "jackiemac" AND "bruno")
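To see how both rules behave on actual events, here is an added Python example (not from the original post or from any vendor product) that applies the two checks to a handful of constructed process-creation records; the field names follow the queries above and the sample events are made up for the demonstration.

```python
# Constructed sample process-creation events (not real telemetry) mirroring
# the two Poseidon Stealer behaviours described in the post, plus benign
# look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "pkill",
     "cmdline": "pkill Terminal"},
    {"event_type": "processcreate", "proc_file_name": "osascript",
     "cmdline": ("osascript -e 'if (short user name of (system info)) is \"maria\" "
                 "or (short user name of (system info)) is \"run\" "
                 "or (short user name of (system info)) is \"jackiemac\" "
                 "or (short user name of (system info)) is \"bruno\" "
                 "then error number -1'")},
    {"event_type": "processcreate", "proc_file_name": "pkill",
     "cmdline": "pkill -f myapp"},                        # benign: no Terminal
    {"event_type": "processcreate", "proc_file_name": "osascript",
     "cmdline": "osascript -e 'display dialog \"hi\"'"},  # benign: no user names
    {"event_type": "filecreate", "proc_file_name": "pkill",
     "cmdline": "pkill Terminal"},                        # wrong event type
]

# User names the stealer checks for; all four must be present so that a common
# word like "run" on its own does not trigger the rule.
ANALYST_USER_NAMES = ("maria", "run", "jackiemac", "bruno")


def match_pkill_terminal(event):
    """Rule 1: pkill process creation with Terminal in the arguments."""
    return (event.get("event_type") == "processcreate"
            and event.get("proc_file_name") == "pkill"
            and "Terminal" in event.get("cmdline", ""))


def match_osascript_user_check(event):
    """Rule 2: osascript process creation whose script names all four user names."""
    cmdline = event.get("cmdline", "")
    return (event.get("event_type") == "processcreate"
            and event.get("proc_file_name") == "osascript"
            and all(name in cmdline for name in ANALYST_USER_NAMES))


def run_rules(events):
    """Return (rule_name, cmdline) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if match_pkill_terminal(ev):
            hits.append(("pkill_terminal", ev["cmdline"]))
        if match_osascript_user_check(ev):
            hits.append(("osascript_user_check", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: {cmdline}")
```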

If you want to learn more about this stealer, here's a fresh report by eSentire.

See you tomorrow!
