"Open Gatekeeper Friendly" Malware. Malicious Script Detection and Mitigation Script for macOS
#!/bin/bash
# Malicious Script Detection and Mitigation Script
# This script checks for traces of the malicious AppleScript payload on macOS systems and removes them if found.
# More info: https://rentry.co/ogf_malware
# Global flag: set to true by the check_* functions when an artifact,
# log entry or process is found; read by provide_summary to pick the
# final [RESULT] line.
suspicious_found=false
# Function to check and clean suspicious temporary files and directories | |
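check_and_clean_tmp() {
  # Look for the payload's known artifacts under /tmp and offer to remove them.
  #
  # Why the loops read from fd 3 + process substitution instead of `find | while`:
  #  - a pipeline runs the loop in a subshell, so `suspicious_found=true` was
  #    lost and provide_summary could never report a detection;
  #  - with stdin carrying the find output, `read -p` consumed the *next
  #    filename* as the user's answer. fd 3 carries the filenames and the
  #    prompt reads from the terminal explicitly.
  # -print0 / read -d '' keep filenames with spaces or newlines intact.
  # -H: on macOS /tmp is a symlink to /private/tmp; without -H find examines
  #     the link itself and never descends into the directory.
  # Globals: suspicious_found (written)
  echo "[+] Checking /tmp for suspicious artifacts..."
  # NOTE: the sqlite patterns are broad and also match files of legitimate
  # applications, which is why removal is confirmed per file.
  local -a suspicious_files=(
    "out.zip"
    "*.sqlite"
    "*.sqlite-wal"
    "*.sqlite-shm"
  )
  local pattern line confirm
  for pattern in "${suspicious_files[@]}"; do
    while IFS= read -r -d '' -u 3 line; do
      echo " [!] Found: $line"
      suspicious_found=true
      # Non-interactive runs have no tty: read fails, confirm stays empty and
      # the file is skipped rather than silently deleted.
      read -r -p " [?] Do you want to remove this file? (y/n): " confirm </dev/tty
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm -f -- "$line"
        alert_user "Artifact detected and removed: $line"
      else
        echo " [!] Skipped removal of: $line"
      fi
    done 3< <(find -H /tmp -name "$pattern" -print0 2>/dev/null)
  done

  # Staging directories: four-digit names directly under /tmp.
  local dir
  while IFS= read -r -d '' -u 3 dir; do
    echo " [!] Found potential staging directory: $dir"
    suspicious_found=true
    # `ls -A` is used only as an emptiness test (dotfiles included), not parsed.
    if [[ -n "$(ls -A -- "$dir" 2>/dev/null)" ]]; then
      echo " [!] Directory contains files."
      ls -la -- "$dir"
      read -r -p " [?] Do you want to remove this directory and its contents? (y/n): " confirm </dev/tty
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm -rf -- "$dir"
        alert_user "Suspicious directory detected and removed: $dir"
      else
        echo " [!] Skipped removal of: $dir"
      fi
    else
      echo " [!] Directory is empty. Removing..."
      rm -rf -- "$dir"
      alert_user "Empty suspicious directory detected and removed: $dir"
    fi
  done 3< <(find -H /tmp -maxdepth 1 -type d -name '[0-9][0-9][0-9][0-9]' -print0 2>/dev/null)
}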
# Function to check system logs for suspicious curl activity | |
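check_logs() {
  # Search the legacy system log for the payload's callback URL.
  #
  # -F: the indicator is a literal string, so the dots must not act as regex
  #     metacharacters (the original pattern also matched e.g. "81x19x135x54").
  # The loop reads from a process substitution instead of a pipeline so the
  # assignment to suspicious_found is not lost in a subshell.
  # NOTE(review): recent macOS versions send most messages to the unified log
  # (`log show`) rather than /var/log/system.log, so an empty result here does
  # not prove absence — confirm log coverage on the target OS version.
  # Globals: suspicious_found (written)
  echo "[+] Checking system logs for suspicious activity..."
  local -r indicator="http://81.19.135.54/joinsystem"
  local line
  while IFS= read -r line; do
    echo " [!] Suspicious network activity: $line"
    suspicious_found=true
    alert_user "Suspicious network activity detected: $line"
  done < <(grep -F -i -- "$indicator" /var/log/system.log 2>/dev/null)
}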
# Function to check and kill running instances of the malicious script | |
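check_and_kill_processes() {
  # Find running osascript/curl processes and offer to terminate each one.
  #
  # Matching on the process name is a coarse indicator: the user's own curl
  # downloads or unrelated automation match too, so — like the file checks —
  # termination is confirmed per process instead of `kill -9` on everything.
  # pgrep replaces `ps aux | grep | grep -v grep`; the loop reads from fd 3 +
  # process substitution so suspicious_found persists and the prompt reads
  # from the terminal rather than from the pid list.
  # Globals: suspicious_found (written)
  echo "[+] Checking running processes for osascript or curl activity..."
  local pid cmdline confirm
  while IFS= read -r -u 3 pid; do
    [[ -n "$pid" ]] || continue
    # Never target this script itself, should its own command line match.
    [[ "$pid" != "$$" ]] || continue
    # The process may have exited between pgrep and ps; nothing to report then.
    cmdline=$(ps -o command= -p "$pid" 2>/dev/null) || continue
    [[ -n "$cmdline" ]] || continue
    echo " [!] Found suspicious process: PID $pid: $cmdline"
    suspicious_found=true
    read -r -p " [?] Do you want to terminate this process? (y/n): " confirm </dev/tty
    if [[ "$confirm" =~ ^[Yy]$ ]]; then
      echo " [!] Killing process with PID: $pid"
      # TERM first lets the process exit cleanly; escalate to KILL only if it
      # is still alive shortly afterwards.
      kill -TERM "$pid" 2>/dev/null
      sleep 1
      if kill -0 "$pid" 2>/dev/null; then
        kill -KILL "$pid" 2>/dev/null
      fi
      if kill -0 "$pid" 2>/dev/null; then
        echo " [!] Could not terminate PID $pid (insufficient privileges?)"
      else
        alert_user "Suspicious process detected and killed: PID $pid: $cmdline"
      fi
    else
      echo " [!] Skipped termination of: PID $pid"
    fi
  done 3< <(pgrep -f 'osascript|curl' 2>/dev/null)
}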
# Function to alert the user when artifacts are detected | |
alert_user() {
  # Print a highlighted alert line for a detected artifact.
  # Arguments: $1 - message text
  # Outputs:   "[ALERT]: <message>" on stdout
  local -r msg=$1
  printf '[ALERT]: %s\n' "$msg"
  # Optional macOS notification; uncomment to enable.
  # osascript -e "display notification \"$msg\" with title \"Malicious Activity Detected\""
}
# Function to provide a summary of the results | |
provide_summary() {
  # Report whether any of the check_* functions flagged something.
  # Globals: suspicious_found (read; only the exact string "true" counts)
  # Outputs: one [RESULT] line on stdout, preceded by a blank line when
  #          something was found.
  case "$suspicious_found" in
    true)
      printf '\n%s\n' "[RESULT]: Suspicious activity or artifacts were detected and handled."
      ;;
    *)
      printf '%s\n' "[RESULT]: No suspicious activity or artifacts were found."
      ;;
  esac
}
# Function to provide next steps if suspicious artifacts are found | |
provide_guidance() {
  # Print the recommended follow-up steps after a cleanup.
  # Outputs: a blank line followed by the numbered guidance on stdout.
  cat <<'EOF'

[+] If suspicious artifacts or processes were detected and cleaned, take the following steps:
1. Disconnect your machine from the internet if not already done.
2. Change your passwords for potentially compromised accounts.
3. Scan your system with antivirus software.
4. Monitor your system for any unusual activity.
EOF
}
# Main script execution | |
main() {
  # Run every check, then print the guidance and the overall result.
  echo "[+] Starting detection and mitigation for malicious activity..."
  check_and_clean_tmp
  check_logs
  check_and_kill_processes
  provide_guidance
  provide_summary
  echo "[+] Detection and mitigation complete."
}
main "$@"