Go back to previous topic
Forum nameGeneral Discussion
Topic subjectI think MalwareBytes will detect and remove it
Topic URLhttp://board.okayplayer.com/okp.php?az=show_topic&forum=4&topic_id=13424756&mesg_id=13424778
13424778, I think MalwareBytes will detect and remove it
Posted by handle, Mon Feb-22-21 03:58 AM
No clear instructions yet, but here are files that indicate you have it

https://redcanary.com/blog/clipping-silver-sparrows-wings/

In Versions 1 & 2
~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)

Other versions
~/Library/Application Support/agent_updater/agent.sh (v1 script that executes every hour)
/tmp/agent (file containing final v1 payload if distributed)
~/Library/Launchagents/agent.plist (v1 persistence mechanism)
~/Library/Launchagents/init_agent.plist (v1 persistence mechanism)