TNT

Summary
Gatekeeper-overriding Bash script distributed through torrents
Class
Potentially Unwanted Program (PUP)
Class Summary
PUPs are not inherently malicious, but they can negatively affect the user experience. Examples include unwanted browser toolbars, system optimizers, and ad injectors. They often come bundled with legitimate software downloads or arrive through deceptive advertising techniques. If you detect a PUP, review your installed applications list and uninstall any unrecognized or unnecessary software. Be cautious with future software installations, and always opt for the 'custom' installation process to deselect any bundled software. PUPs can often be removed by looking for odd LaunchAgents, LaunchDaemons, and unexpected third-party browser extensions.
Description

TNT is a Bash script distributed through torrent sites that overrides macOS's built-in Gatekeeper security. It is dropped by a trojanized pirated software installer called "Open Gatekeeper Friendly". When executed, TNT moves the application to /tmp and uses xattr to recursively remove the quarantine bit. This allows the software to bypass future Gatekeeper checks. While TNT itself is not malware, its presence alongside pirated software and its purpose of subverting security controls warrant blocking its execution.
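
A detection sketch for the behaviour described above, added here as an example and not taken from TNT or from any vendor's rule: it flags process command lines where xattr recursively strips com.apple.quarantine from a path under /tmp. It assumes one command line per event, uses constructed sample events, and goes slightly beyond the description by also treating a recursive `xattr -c` (clear all attributes) as a quarantine strip.

```python
import os
import shlex

QUARANTINE_ATTR = "com.apple.quarantine"
# /tmp is a symlink to /private/tmp on macOS, so logs may show either form.
TMP_PREFIXES = ("/tmp/", "/private/tmp/")


def quarantine_strip_targets(cmdline):
    """Return the paths an xattr command recursively strips quarantine from."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quote in a truncated log line
        return []
    if not argv or os.path.basename(argv[0]) != "xattr":
        return []
    flags, operands = set(), []
    for arg in argv[1:]:
        if arg.startswith("-") and len(arg) > 1:
            flags.update(arg[1:])  # handles bundled short flags such as -rd
        else:
            operands.append(arg)
    if "r" not in flags:
        return []
    if "c" in flags:  # -c clears every attribute, quarantine included
        return operands
    if "d" in flags and operands[:1] == [QUARANTINE_ATTR]:
        return operands[1:]
    return []


def is_tnt_like(cmdline):
    """True when the recursive strip targets something staged under /tmp."""
    return any(p.startswith(TMP_PREFIXES) for p in quarantine_strip_targets(cmdline))


# Constructed process-execution command lines, not captured from a real host.
SAMPLE_EVENTS = [
    "/usr/bin/xattr -r -d com.apple.quarantine '/tmp/Example App.app'",
    "xattr -rc /private/tmp/Example.app",
    "xattr -l /Applications/Safari.app",
    "xattr -d com.apple.quarantine ~/Downloads/tool.dmg",
    "/bin/mv /Volumes/Installer/Example.app /tmp/",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("ALERT" if is_tnt_like(event) else "ok   ", event)
```

Recursive quarantine removal also has legitimate administrative uses, so the /tmp path condition is what keeps this check tied to the staging behaviour described here.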

Example Hashes
  • 9e9a5f8d86356796162cee881c843cde9eaedfb3