Colin CowieDay 1️⃣0️⃣ of #100DaysOfYara: MacOS Browser Hijacker Scripts🍎
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/010/010.md
Background on these MacOS malware scripts used by #ChromeLoader aka #ChoziosiLoader:
📖 https://redcanary.com/blog/chromeloader/
📖 https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
📖 https://www.th3protocol.com/2022/Choziosi-Loader
Todays rule did a nice job of detecting the historical ChromeLoader scripts. A more generic yara rule for identifying .command script abuse would potentially be pretty interesting!
