OSX/WireLurker [Threat Name]

OSX/WireLurker.A [Threat Variant Name]

Category trojan
Aliases Trojan.OSX.WireLurker.a (Kaspersky)
  OSX.Wirelurker (Symantec)
  MacOS:WireLurker-K (Avast)
Short description

OSX/WireLurker.A is a trojan that installs the iOS/WireLurker.A malware on a mobile device running the Apple iOS operating system.

When executed, the trojan may create the following files:

  • /Users/Shared/run.sh
  • /Users/Shared/start.sh
  • /Users/Shared/FontMap1.cfg
  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /usr/bin/globalupdate
  • /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /tmp/machook.log
  • %malwarefilepath%2

The trojan may create the following folders:

  • /usr/local/machook

OSX/WireLurker.A attempts to gain administrative privileges on the system.

The trojan extracts the contents of the /Users/shared/FontMap1.cfg archive into the following folder:

  • /usr/local/machook

The trojan may execute the following commands:

  • /bin/launchctl load -wF /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /bin/launchctl load -wF /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /bin/launchctl load /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /bin/launchctl load /Library/LaunchDaemons/com.apple.globalupdate.plist

The following files are deleted:

  • /Users/shared/FontMap1.cfg
  • /Users/shared/start.sh
  • %malwarefilepath%2

The trojan may execute the following commands:

  • chflags hidden "%malwarefilepath%"
  • chflags hidden "%malwarefilepath%_"
  • chmod +x /Users/Shared/run.sh;/Users/Shared/run.sh&
  • /usr/local/machook/watch.sh
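
As an added example that is not part of this ESET description, a POSIX shell check for the persistence artifacts listed above (the two LaunchDaemons plists, /usr/bin/globalupdate, the machook folder and the staging files). The ROOT argument is an assumption so the same check can run against a mounted image or a test tree rather than only the live system.

```shell
#!/bin/sh
# Added example (not from the original page): look for the OSX/WireLurker.A
# persistence artifacts named in the description above. ROOT is an assumption:
# it defaults to "/" (live system) but can point at a mounted image or test tree.

# Artifact paths exactly as given in the description above.
wirelurker_artifacts() {
  cat <<'EOF'
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/usr/bin/globalupdate
/usr/local/machook
/Users/Shared/run.sh
/Users/Shared/start.sh
/Users/Shared/FontMap1.cfg
/tmp/machook.log
EOF
}

# Report every listed artifact present under ROOT on stderr and print the
# number found on stdout, so callers can branch on the count.
scan_wirelurker() {
  root="${1:-/}"
  root="${root%/}"          # strip a trailing slash so "$root$p" joins cleanly
  found=0
  for p in $(wirelurker_artifacts); do
    if [ -e "$root$p" ]; then
      echo "FOUND: $root$p" >&2
      found=$((found + 1))
    fi
  done
  echo "$found"
}

# On a live Mac, also check whether the two launchd jobs are loaded. Apple's own
# daemons live under /System/Library/LaunchDaemons, so a com.apple.* label loaded
# from /Library/LaunchDaemons is itself worth investigating.
loaded_wirelurker_jobs() {
  command -v launchctl >/dev/null 2>&1 || return 0
  launchctl list 2>/dev/null | grep -E 'com\.apple\.(machook_damon|globalupdate)$' || true
}

count=$(scan_wirelurker "${1:-/}")
echo "WireLurker artifacts found: $count"
loaded_wirelurker_jobs
```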

The trojan tries to copy the following files onto the connected mobile device:

  • /usr/local/machook/sfbase.dylib (iOS/WireLurker.A, 296288B)

Information stealing

The trojan collects the following information about the connected mobile device:

  • name, type and version of the device
  • operating system version
  • telephone number
  • iTunes account data
  • the list of installed software

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • install and execute applications located on mobile device
  • send gathered information
