This article discusses a persistence method for macOS malware that uses the `TALAppsToRelaunchAtLogin` array in the `com.apple.loginwindow.plist` file. The technique lets a malicious application persist across user logouts and logins by leveraging a feature intended for restoring recently used applications.
Key Points:
- Persistence Mechanism:
  - The malware needs to be running in the background when the user logs out.
  - Upon logging back in, macOS restores the application as part of its "reopen last apps" functionality.
- Implementation Details:
  - A simple C program is used to create a malicious app that runs indefinitely (`while(1)`).
  - The `Info.plist` file for the app includes settings like `LSBackgroundOnly = true`, which prevents the application from appearing in the Dock.
  - An injector script (written in Python) modifies the `com.apple.loginwindow.plist` file to include the malicious app's path and bundle ID.
- Technical Steps:
  - The malicious app is moved to a shared directory (`/Users/Shared/meow.app`).
  - The app is launched manually once to ensure it appears in the session state.
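
For the detection side, the following added example (not code from the original article) audits the `TALAppsToRelaunchAtLogin` array and flags entries that match the traits listed above. It assumes each entry stores its values under `Path` and `BundleID` keys; the trusted-directory list and the sample bundle ID `com.example.meow` are constructed for illustration.

```python
import plistlib
import posixpath

# Assumed allow-list of directories where installed apps normally live.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/")

def load_info_plist(app_path):
    """Read <app>/Contents/Info.plist from disk; None if missing or unreadable."""
    try:
        with open(posixpath.join(app_path, "Contents", "Info.plist"), "rb") as fh:
            return plistlib.load(fh)
    except Exception:
        return None

def audit_relaunch_entries(plist_bytes, info_reader=load_info_plist):
    """Return [(path, bundle_id, [reasons])] for relaunch entries worth reviewing."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for entry in prefs.get("TALAppsToRelaunchAtLogin", []):
        # Normalise first so "/Applications/../Users/Shared/x.app" cannot pass the prefix check.
        path = posixpath.normpath(str(entry.get("Path", "")))
        bundle_id = str(entry.get("BundleID", ""))
        reasons = []
        if not (path + "/").startswith(TRUSTED_PREFIXES):
            reasons.append("path outside trusted application directories")
        info = info_reader(path)
        if info is None:
            reasons.append("bundle missing or Info.plist unreadable")
        else:
            # LSBackgroundOnly may be stored as a boolean or as a string.
            if str(info.get("LSBackgroundOnly", "")).lower() in ("true", "1", "yes"):
                reasons.append("LSBackgroundOnly set: no Dock icon")
            if info.get("CFBundleIdentifier") != bundle_id:
                reasons.append("BundleID does not match the bundle's Info.plist")
        if reasons:
            findings.append((path, bundle_id, reasons))
    return findings

# Constructed sample data: one ordinary entry and one shaped like the article's app.
SAMPLE = plistlib.dumps({"TALAppsToRelaunchAtLogin": [
    {"Path": "/Applications/Safari.app", "BundleID": "com.apple.Safari"},
    {"Path": "/Users/Shared/meow.app", "BundleID": "com.example.meow"},
]})
SAMPLE_INFO = {
    "/Applications/Safari.app": {"CFBundleIdentifier": "com.apple.Safari"},
    "/Users/Shared/meow.app": {"CFBundleIdentifier": "com.example.meow",
                               "LSBackgroundOnly": True},
}

if __name__ == "__main__":
    for path, bundle_id, reasons in audit_relaunch_entries(SAMPLE, SAMPLE_INFO.get):
        print(path, bundle_id, "; ".join(reasons))
```

On a live system, pass the raw bytes of the user's loginwindow preferences file and leave `info_reader` at its default so each bundle's `Info.plist` is read from disk.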
Read the full article at Malware Analysis, News and Indicators - Latest topics



