[johnisgood]

So I downloaded this file... Apparently it is:

  $ file -b grecaptcha 
  Mach-O universal binary with 2 architectures: [x86_64:\012- Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>] [\012- arm64:\012- Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]

I cannot perform a dynamic analysis as I do not have macOS. :(

May anyone do it for me? Use "otool", "dtruss", and "tcpdump" or something. :D Be careful!

The executable is available here: https://www.amanagencies.com/assets/js/grecaptcha as per decoded base64.

[05]

No need - it's detectable as Trojan:MacOS/Amos by VirusTotal, just Google the description. Spoiler: it's a stealer. Here [0] is a writeup

> AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders.

[0] https://www.trendmicro.com/en_us/research/25/i/an-mdr-analys...

[johnisgood]

Thank you! Nothing too interesting. :(

Got anything better? :D Something that may be worth getting macOS for!

Edit: I have some ideas to make this one better, for example, or to make a new one from scratch. I really want to see how mine would fare against security researchers (or anyone interested). Any ideas where to start? I would like to give them a binary to analyze and figure out what it does. :D I have a couple of friends who are bounty hunters and work in opsec, but I wonder if there is a place (e.g. IRC or Matrix channel) for like-minded, curious individuals. :)

[nijave]

You can spin up an ssh server on GitHub Actions macOS runner or most cloud providers you can rent a box

[nerdsniper]

https://dogbolt.org/?id=42fd4600-5141-427c-88af-77b5d9a94ea3...

The binary itself appears to be a remote-access trojan and data exfiltration malware for MacOS. I posted a bit more analysis here: https://news.ycombinator.com/item?id=45650144

[johnisgood]

Ooh, first time I am hearing of https://dogbolt.org. Thanks for that! :)