TAU Threat Intelligence Notification: LamePyre (OSX)

Share and earn Cybytes
Facebook Twitter LinkedIn Email


MalwareBytes researcher Adam Thomas recently discovered a malicious MacOS application masquerading as the chat app Discord that they have named “LamePyre.”  Although it is made to look like a typical application installer, it does not attempt to appear legitimate by running a decoy installer program. When executed, an Automator script is launched and no other indication is made to the user that anything is running other than the standard animated gear icon of Automator in the menu bar.  

Screen Shot 2018-12-21 at 3.38.22 PM.png

Figure 1: LamePyre icon

When DiscordApp is executed, it starts the payload “Application Stub” which launches an Automator workflow named document.wflow which Base64 decodes a python script that performs the following actions:

  • Base64 decodes and runs another python script that checks to see if the firewall program Little Snitch is running and attempts to kill it if so
  • Attempts to read data from hxxp://37[.]1.221.204:8080/index.asp, decode the returned data, and execute it (unfortunately this data was unable to be retrieved; however, this code reportedly sets up an EmPyre backdoor)
  • Retrieves the UUID of the infected machine from the SPHardwareDataType
  • Saves a screenshot of the machine to /tmp/alloy.png
  • Sends screenshot to hxxp://37[.]1.221.204/handler.php?uid=$VUID via curl where $VUID represents the UUID obtained previously
  • Creates the hidden directory ~/.system with two hidden scripts
    • .helper – performs screen capture
    • .systemkeeper – checks for Little Snitch and sets up EmPyre backdoor
  • Entrenches ~/.system/.systemkeeper in ~/Library/LaunchAgents/com.apple.systemkeeper.plist

Screen Shot 2018-12-21 at 4.23.01 PM.png

Figure 2: Decoded Python Script

If you are a Carbon Black customer and looking for more information on how CB products defend against this attack, click here. 

The post TAU Threat Intelligence Notification: LamePyre (OSX) appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?