New Mac Malware

There’s new malware affecting macOS. It even affects the new M1. The file names are:

~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)

If you’re interested in checking whether your Mac is affected, the locations are:

/tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh
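
One way to run that check, as an added example that is not from the original post or from Red Canary: a shell function that looks for the file paths listed above in a temp directory and in every home directory passed to it. The function name `scan_paths` and the `--scan` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: look for the file paths listed in this post.
# Usage: scan_paths TMP_DIR HOME_DIR [HOME_DIR...]
# Prints one "FOUND <path>" line per hit.
# Returns 0 when nothing is found, 1 when at least one listed path exists.
scan_paths() {
    tmp_dir=$1
    shift
    hits=0

    # Files the post lists under /tmp.
    for name in agent.sh version.json version.plist; do
        if [ -e "$tmp_dir/$name" ]; then
            echo "FOUND $tmp_dir/$name"
            hits=$((hits + 1))
        fi
    done

    # Per-user files: "~" differs per account, so check each home directory.
    for home in "$@"; do
        for rel in "Library/._insu" \
                   "Library/Application Support/verx_updater/verx.sh"; do
            if [ -e "$home/$rel" ]; then
                echo "FOUND $home/$rel"
                hits=$((hits + 1))
            fi
        done
    done

    [ "$hits" -eq 0 ]
}

# Scan the live system only when asked to: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    if scan_paths /tmp /Users/*; then
        echo "None of the listed paths are present."
    else
        echo "At least one listed path is present; investigate this machine."
    fi
fi
```

Run it as an administrator so other users' Library folders are readable. A clean result only means these specific files are absent at the time of the scan.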

It’s pretty crazy because it doesn’t really do anything yet. It does check an outside server or delivery network, presumably for new commands or instructions. It also has a self-destruct. That it already affects M1 means that the creator is ahead of the curve. Most developers are still recoding their apps for M1.

This infection is on over 30,000 machines. Red Canary was the first to discover this malware.
