Infection starts by manually running a .sh script from the USB stick. The script acts as an installer: it creates a folder on the Mac's hard drive so the logger survives after the USB stick is removed, then copies two files into it: SystemUpdate, which contains the code for the actual logger, and relay_bot.py, which acts as the sender that relays the logs to a Discord webhook URL. Finally it drops a .plist file into the Mac's LaunchAgents folder so that launchd starts the program every time the user logs in.
Every 20 seconds relay_bot.py wakes up, encrypts everything SystemUpdate has collected with a Fernet key (Fernet is symmetric, so the same key has to sit in relay_bot.py on the infected Mac and in the receiving bot), packages the ciphertext as text and posts it to the Discord webhook URL. Once Discord confirms the message was accepted, it clears the local log. A Discord bot then decrypts the message received through the webhook and posts the plaintext to a different channel in the server.
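The two pieces described above, a LaunchAgent that runs a script out of a home directory at login and a relay script holding a Discord webhook URL, are exactly what a defender would look for on a Mac. The following triage script is an added example written for this page, not code from the project: it parses a LaunchAgent plist with the standard library's plistlib and flags the persistence pattern, then greps the launched script for a webhook URL. The sample plist, the label com.apple.SystemUpdate, the path /Users/victim/.SystemUpdate/, the webhook URL and the benign comparison plist are all constructed for the example, not taken from the project.

```python
import plistlib
import re
from pathlib import PurePosixPath, Path

# Shape of a Discord webhook URL: https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "perl", "ruby"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed LaunchAgent mimicking the pattern in the write-up (not the project's real file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.SystemUpdate</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/Users/victim/.SystemUpdate/relay_bot.py</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed stand-in for the relay script's source; the webhook id/token are made up.
SAMPLE_RELAY_SCRIPT = """import time, requests
from cryptography.fernet import Fernet
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz"
"""

# Constructed benign agent for comparison: vendor-owned path, no login trigger.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.cleanup</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Application Support/Example/cleanup</string></array>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""


def triage_launch_agent(plist_bytes: bytes, program_text: str = "") -> list:
    """Return human-readable findings for one LaunchAgent plist.

    plist_bytes:  raw contents of the .plist file
    program_text: contents of the script the agent launches, if available, so the
                  exfil channel (a Discord webhook URL) can be spotted as well
    """
    findings = []
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = list(agent.get("ProgramArguments") or [])
    if not args and agent.get("Program"):
        args = [agent["Program"]]

    # 1. Code launched from a user-writable location. Real system agents live under
    #    /System/Library or /Library, not in a home directory or /tmp.
    user_paths = [a for a in args if a.startswith(USER_WRITABLE_PREFIXES)]
    if user_paths:
        findings.append(f"program in user-writable path: {user_paths[0]}")

    # 2. Hidden (dot) directory in the path, a cheap way to stay out of Finder.
    if any(part.startswith(".") for a in args for part in PurePosixPath(a).parts):
        findings.append("program path contains a hidden (dot) directory")

    # 3. Interpreter plus script: the agent is an unsigned script, not a signed binary.
    if len(args) > 1 and PurePosixPath(args[0]).name in INTERPRETERS:
        findings.append(f"interpreter {PurePosixPath(args[0]).name} launches script {args[1]}")

    # 4. Label borrowing Apple's namespace while the code is user-owned.
    if label.startswith("com.apple.") and user_paths:
        findings.append(f"label {label!r} impersonates Apple but runs user-owned code")

    # 5. Persistence flags: start at login, restart if killed.
    if agent.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at every login")
    if agent.get("KeepAlive"):
        findings.append("KeepAlive: launchd restarts it if it exits")

    # 6. Exfil channel hard-coded in the launched script.
    match = WEBHOOK_RE.search(program_text)
    if match:
        findings.append(f"Discord webhook URL in program: {match.group(0)[:45]}...")
    return findings


def scan_launch_agents(directory: Path) -> dict:
    """Triage every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            data = plist_path.read_bytes()
            args = plistlib.loads(data).get("ProgramArguments") or []
        except Exception as exc:  # an unreadable or malformed plist is itself worth noting
            results[plist_path.name] = [f"could not parse: {exc}"]
            continue
        program_text = ""
        if len(args) > 1:  # read the script an interpreter launches, for the webhook check
            try:
                program_text = Path(args[1]).read_text(errors="replace")
            except OSError:
                pass
        findings = triage_launch_agent(data, program_text)
        if findings:
            results[plist_path.name] = findings
    return results


if __name__ == "__main__":
    for finding in triage_launch_agent(SAMPLE_PLIST, SAMPLE_RELAY_SCRIPT):
        print("-", finding)
    home_agents = Path.home() / "Library" / "LaunchAgents"
    if home_agents.is_dir():
        for name, findings in scan_launch_agents(home_agents).items():
            print(name, findings)
```

Run as-is it triages the constructed sample, then any real agents in your own ~/Library/LaunchAgents. None of the individual checks is conclusive on its own (plenty of legitimate tools install a Python-based LaunchAgent under the home directory), which is why the function returns the full list of findings rather than a verdict; an agent that trips the Apple-namespace label, a hidden home-directory path and a webhook URL together is the combination worth pulling for a closer look.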