The infection begins with dropping a legit copy of Adobe Flash Player, which is also very common among macOS malware strains. Still, MapperState’s features, encryption scheme, debug symbols, and strings were all hidden, encrypted, or stripped. By digging deeper, the researchers were able to confirm that the malware had the capability to fetch more payloads and also check for installed AV tools, but not much else was discerned.
This is where the flashcard app leaks come into play, as the researchers recently used what decrypted strings they held to search on the internet, and the gods (Google) answered. Someone based in San Diego had created a flashcards app account with content matching what was found in MapperState’s code. In the published flashcards, the researchers found another macOS malware named “Hydromac,” which appears to have the same commands as in their sample.
The chain of different stages has become very complex nowadays and the analysis phase takes more time, due to the malware authors’ understanding of how reverse engineering is being done, but also countering the tools we wrote to decrypt their malware.
To close this chapter, it is worth noting that this is not the first time critical information is leaked via Flashcards apps, interestingly this week Bellingcat has reported that US Soldiers exposed Nuclear Weapons Secrets via Flashcard Apps, as they were using them for learning purposes.