iWebUpdate

Summary
Malware that executes arbitrary payloads from a remote server
Class
Trojan
Class Summary
A Trojan is malware that masquerades as a legitimate program. Once executed, it can perform harmful activities such as creating backdoors for unauthorized access, modifying or deleting files, or downloading additional malware. Trojans commonly spread through software downloads or through social engineering, typically malicious email attachments. They are often built for espionage rather than direct monetary gain, though the two overlap depending on the operator's objectives. A single Trojan frequently bundles several capabilities, such as a remote shell, a keylogger and an information stealer.
Description

iWebUpdate is a persistent macOS downloader designed to fetch and execute arbitrary payloads from a remote server. It maintains persistence through a user launch agent named iwebupdate.plist (user launch agents live in ~/Library/LaunchAgents and are started by launchd at login). Upon activation it performs reconnaissance by running system_profiler to collect the OS version, which it sends to its command and control server. Payloads are downloaded to a temporary file at /tmp/iwup.tmp, unzipped, and then executed. The malware checks back with the server every hour for additional tasking. For responders, the launch agent file, the /tmp/iwup.tmp staging path, a system_profiler child of an unexpected parent, and the hourly outbound check-in are the practical indicators.
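The following is an added hunting example, not code from the page or from the malware itself. It turns the behaviour described above into three checks: inspecting a LaunchAgent plist for the traits the entry describes, attributing the recon/stage/unpack/execute chain to a single parent process in a process and file event log, and checking a host for the on-disk indicators and the known sample hash. The plist, the event log lines and their format, the 3600-second StartInterval and every file path other than iwebupdate.plist and /tmp/iwup.tmp are constructed assumptions for the demo.

```python
"""Hunt for the iWebUpdate downloader behaviour: added example, not the page's code."""
import hashlib
import plistlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

LAUNCH_AGENT_NAME = "iwebupdate.plist"  # from the entry
STAGING_PATH = "/tmp/iwup.tmp"          # from the entry
HOURLY_SECONDS = 3600                   # "every hour"; the exact StartInterval is an assumption
KNOWN_SHA1 = {"f33373701e5e2fc5451b05f935cd465662679a2b"}  # from the entry's example hashes


def inspect_launch_agent(plist_bytes: bytes, filename: str) -> list:
    """Return the suspicious traits of one LaunchAgent plist (empty list = nothing found)."""
    findings = []
    if filename.lower() == LAUNCH_AGENT_NAME:
        findings.append("filename is iwebupdate.plist")
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return findings + ["plist does not parse"]
    if "iwebupdate" in str(data.get("Label", "")).lower():
        findings.append("Label references iwebupdate")
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if program.startswith(("/tmp/", "/private/tmp/", "/var/folders/")):
        findings.append(f"program {program!r} runs from a temp directory")
    if data.get("StartInterval") == HOURLY_SECONDS:
        findings.append("StartInterval of 3600 s matches the hourly check-in")
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login")
    return findings


# Constructed event-log format (assumption): "<ts> <exec|file_write> pid=N ppid=N <detail>"
EVENT_RE = re.compile(r"^(\S+) (exec|file_write) pid=(\d+) ppid=(\d+) (.+)$")

# Stages of the chain in the entry. An exec stage is attributed to the parent that
# spawned the child; a file write is attributed to the writing process.
STAGES = [
    ("recon",   "exec",       re.compile(r"(^|/)system_profiler\b")),
    ("stage",   "file_write", re.compile(re.escape(STAGING_PATH) + r"$")),
    ("unpack",  "exec",       re.compile(r"(^|/)unzip\b.*" + re.escape(STAGING_PATH))),
    ("execute", "exec",       re.compile(r"^(/private)?/tmp/\S+")),
]


def scan_events(lines, min_stages: int = 3) -> dict:
    """Map each process to the chain stages seen under it; keep those with >= min_stages.

    Requiring several stages keeps a lone, legitimate system_profiler run from firing.
    """
    seen = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # other log formats are ignored
        _ts, kind, pid, ppid, detail = m.groups()
        for name, wanted_kind, pattern in STAGES:
            if kind == wanted_kind and pattern.search(detail):
                seen[int(ppid) if kind == "exec" else int(pid)].add(name)
    return {p: s for p, s in seen.items() if len(s) >= min_stages}


def hunt_host(home, staging=STAGING_PATH) -> list:
    """List on-disk indicators present: the launch agent, the staging file, a known hash."""
    hits = []
    agent = Path(home) / "Library" / "LaunchAgents" / LAUNCH_AGENT_NAME
    if agent.is_file():
        hits.append(f"launch agent present: {agent}")
        hits += [f"  {f}" for f in inspect_launch_agent(agent.read_bytes(), agent.name)]
    staging = Path(staging)
    if staging.is_file():
        digest = hashlib.sha1(staging.read_bytes()).hexdigest()
        hits.append(f"staging file present: {staging} sha1={digest}")
        if digest in KNOWN_SHA1:
            hits.append("  sha1 matches a known iWebUpdate sample")
    return hits


# --- constructed sample input, not a real capture ---
SAMPLE_PLIST = plistlib.dumps({
    "Label": "iwebupdate",
    "ProgramArguments": ["/tmp/iwup/agent"],  # hypothetical path
    "StartInterval": HOURLY_SECONDS,
    "RunAtLoad": True,
})
CLEAN_PLIST = plistlib.dumps({"Label": "com.example.clean", "ProgramArguments": ["/usr/bin/true"]})
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z exec pid=700 ppid=412 /Users/alice/Library/Application Support/Updater/agent",
    "2024-05-01T10:00:01Z exec pid=701 ppid=700 /usr/sbin/system_profiler SPSoftwareDataType",
    "2024-05-01T10:00:03Z file_write pid=700 ppid=412 /tmp/iwup.tmp",
    "2024-05-01T10:00:04Z exec pid=702 ppid=700 /usr/bin/unzip -o /tmp/iwup.tmp -d /tmp/iwup",
    "2024-05-01T10:00:05Z exec pid=703 ppid=700 /tmp/iwup/payload",
    "2024-05-01T10:05:00Z exec pid=900 ppid=1 /usr/sbin/system_profiler SPHardwareDataType",  # benign
]


def build_demo_home() -> Path:
    """Create a throwaway home directory carrying the constructed launch agent."""
    home = Path(tempfile.mkdtemp())
    (home / "Library" / "LaunchAgents").mkdir(parents=True)
    (home / "Library" / "LaunchAgents" / LAUNCH_AGENT_NAME).write_bytes(SAMPLE_PLIST)
    return home


if __name__ == "__main__":
    for f in inspect_launch_agent(SAMPLE_PLIST, "iwebupdate.plist"):
        print("plist:", f)
    for pid, stages in scan_events(SAMPLE_EVENTS).items():
        print(f"pid {pid} shows chain stages {sorted(stages)}")
    for hit in hunt_host(build_demo_home()):
        print(hit)
```

On a real host, call `hunt_host(Path.home())` with the default staging path; the demo uses a throwaway home so it runs anywhere. The event scan deliberately needs three of the four stages under one parent, because system_profiler alone is common in legitimate inventory tooling.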

Example Hashes
  • f33373701e5e2fc5451b05f935cd465662679a2b