"Open Gatekeeper Friendly" malware — detection and mitigation script for macOS
#!/bin/bash
# Malicious Script Detection and Mitigation Script
# This script checks for traces of the malicious AppleScript payload on macOS systems and removes them if found.
# More info: https://rentry.co/ogf_malware
# Script-wide flag: flipped to true by the check_* functions whenever an
# artifact, log entry or process is found; read by provide_summary.
declare suspicious_found=false
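#######################################
# Look in /tmp for files and four-digit staging directories left by the
# payload and offer to remove them.
# Globals:   suspicious_found (set to true when anything is found)
# Arguments: none
# Outputs:   progress lines and y/n prompts on stdout; the answers are read
#            from the script's own stdin (the terminal when run interactively)
# Returns:   0
#######################################
check_and_clean_tmp() {
  echo "[+] Checking /tmp for suspicious artifacts..."
  # find(1) -name patterns; kept quoted so the shell never expands them itself.
  local suspicious_files=(
    "out.zip"
    "*.sqlite"
    "*.sqlite-wal"
    "*.sqlite-shm"
  )
  local pattern line confirm
  for pattern in "${suspicious_files[@]}"; do
    # Feed the loop from a process substitution instead of a pipe: the loop
    # then runs in the current shell, so suspicious_found is not lost in a
    # subshell, and the prompt below reads from stdin rather than swallowing
    # the next find(1) result. NUL delimiting copes with any filename.
    while IFS= read -r -d '' line; do
      echo " [!] Found: $line"
      suspicious_found=true
      read -r -p " [?] Do you want to remove this file? (y/n): " confirm
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm -f -- "$line"
        alert_user "Artifact detected and removed: $line"
      else
        echo " [!] Skipped removal of: $line"
      fi
    done < <(find /tmp -name "$pattern" -print0 2>/dev/null)
  done

  # Directories named with exactly four digits directly under /tmp are the
  # staging-directory pattern this payload uses (see the link in the header).
  local dir
  while IFS= read -r -d '' dir; do
    echo " [!] Found potential staging directory: $dir"
    suspicious_found=true
    # Non-empty test by globbing (dotglob so hidden files count) instead of
    # parsing ls(1) output; an unreadable directory globs to nothing, which
    # is treated as empty exactly as the ls-based check did.
    if ( shopt -s nullglob dotglob; set -- "$dir"/*; (( $# > 0 )) ); then
      echo " [!] Directory contains files."
      ls -la -- "$dir"
      read -r -p " [?] Do you want to remove this directory and its contents? (y/n): " confirm
      if [[ "$confirm" =~ ^[Yy]$ ]]; then
        # ${dir:?} aborts rather than running rm -rf on an empty path
        rm -rf -- "${dir:?}"
        alert_user "Suspicious directory detected and removed: $dir"
      else
        echo " [!] Skipped removal of: $dir"
      fi
    else
      echo " [!] Directory is empty. Removing..."
      rm -rf -- "${dir:?}"
      alert_user "Empty suspicious directory detected and removed: $dir"
    fi
  done < <(find /tmp -maxdepth 1 -type d -name '[0-9][0-9][0-9][0-9]' -print0 2>/dev/null)
}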
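#######################################
# Scan the system log for the download URL used by the payload.
# Globals:   suspicious_found (set to true on a hit)
# Arguments: none
# Outputs:   each matching log line on stdout
# Returns:   0
# NOTE(review): a missing or unreadable /var/log/system.log is silently
# treated as "no hits"; on releases that no longer write this file the
# check is a no-op — confirm against the target macOS version.
#######################################
check_logs() {
  echo "[+] Checking system logs for suspicious activity..."
  local line
  # -F matches the indicator literally (the dots would otherwise be regex
  # wildcards); -- keeps grep from reading it as an option. The process
  # substitution keeps the loop, and suspicious_found, in the current shell.
  while IFS= read -r line; do
    echo " [!] Suspicious network activity: $line"
    suspicious_found=true
    alert_user "Suspicious network activity detected: $line"
  done < <(grep -F -i -- "http://81.19.135.54/joinsystem" /var/log/system.log 2>/dev/null)
}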
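#######################################
# Find running processes whose command line mentions osascript or curl and
# terminate them.
# Globals:   suspicious_found (set to true when a process is found)
# Arguments: none
# Outputs:   the matched process lines on stdout; kill failures on stderr
# Returns:   0
# NOTE(review): the match is by name only, so a legitimate curl or osascript
# the user started is killed too; the command line is printed first so the
# operator can see what was terminated.
#######################################
check_and_kill_processes() {
  echo "[+] Checking running processes for osascript or curl activity..."
  local pid line
  # pgrep never reports itself, which replaces the "grep -v grep" hack; -f
  # matches the full command line like "ps aux | grep" did. The process
  # substitution keeps suspicious_found in the current shell.
  while IFS= read -r pid; do
    # never kill this script, whose own command line could match
    [[ "$pid" == "$$" ]] && continue
    # declaration and assignment kept separate so a failed ps (process
    # already exited) is not masked by `local`
    line=$(ps -p "$pid" -o pid=,user=,command= 2>/dev/null) || continue
    echo " [!] Found suspicious process: $line"
    suspicious_found=true
    echo " [!] Killing process with PID: $pid"
    if kill -9 "$pid"; then
      alert_user "Suspicious process detected and killed: $line"
    else
      echo " [!] Could not kill PID $pid (not permitted or already exited)" >&2
    fi
  done < <(pgrep -f 'osascript|curl' 2>/dev/null)
}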
#######################################
# Print an alert line for a detected artifact.
# Arguments: $1 - human-readable message
# Outputs:   "[ALERT]: <message>" on stdout
# Returns:   0
#######################################
alert_user() {
  local msg=$1
  printf '[ALERT]: %s\n' "$msg"
  # Optional macOS notification (uncomment if desired). The message is handed
  # to osascript as an argv item instead of being spliced into the AppleScript
  # source, so quotes or backslashes in a filename cannot change the script.
  # osascript -e 'on run argv' \
  #   -e 'display notification (item 1 of argv) with title "Malicious Activity Detected"' \
  #   -e 'end run' "$msg"
}
#######################################
# Print the one-line verdict for the run.
# Globals:   suspicious_found (read)
# Arguments: none
# Outputs:   a blank line plus the "detected" result when suspicious_found is
#            true, otherwise the "nothing found" result
# Returns:   0
#######################################
provide_summary() {
  if [[ "$suspicious_found" == true ]]; then
    printf '\n%s\n' "[RESULT]: Suspicious activity or artifacts were detected and handled."
  else
    printf '%s\n' "[RESULT]: No suspicious activity or artifacts were found."
  fi
}
#######################################
# Print the follow-up steps for the operator.
# Arguments: none
# Outputs:   a blank line followed by the four-step checklist on stdout
# Returns:   0
#######################################
provide_guidance() {
  # quoted delimiter: the text is emitted verbatim, nothing is expanded
  cat <<'EOF'

[+] If suspicious artifacts or processes were detected and cleaned, take the following steps:
1. Disconnect your machine from the internet if not already done.
2. Change your passwords for potentially compromised accounts.
3. Scan your system with antivirus software.
4. Monitor your system for any unusual activity.
EOF
}
#######################################
# Entry point: run each check in turn, then print guidance and the verdict.
# Globals:   suspicious_found (written by the checks, read by the summary)
# Arguments: ignored
# Outputs:   progress lines on stdout
# Returns:   0
#######################################
main() {
  printf '%s\n' "[+] Starting detection and mitigation for malicious activity..."
  check_and_clean_tmp
  check_logs
  check_and_kill_processes
  # guidance is printed before the verdict, as in the original ordering
  provide_guidance
  provide_summary
  printf '%s\n' "[+] Detection and mitigation complete."
}
main "$@"