ProcessHub stealer is a relatively new finding attributed to China, and is designed to collect user files including bash history, zsh history, GitHub configuration, SSH information, and the Keychain. It completes these actions in a multi-stage process including the downloading of a script from its command and control server, the collection of user files, and the uploading of these files.
Symptoms
You might observe the following artifacts associated with this threat:
- Unfamiliar applications or processes.
- Download and execution of arbitrary scripts.
- Unusual network activity or data usage.
Technical Breakdown
ProcessHub stealer's main goal is to download additional files from the command and control server and execute them. It is modular, since it is able to execute arbitrary scripts that it downloads. One script that it executes was made public and has the capability of collecting, zipping, and uploading user files to its command and control server.
Some of ProcessHub Stealer's capabilities include:
- Downloading and executing arbitrary scripts.
- Collecting system information.
- Exfiltrating Keychain passwords.
- Exfiltrating GitHub configuration files.
- Exfiltrating user Terminal command history.
- Exfiltrating user SSH related data.
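The behaviour described above (a process reading shell history, the Git configuration, SSH material and the Keychain, then uploading them) can be turned into a simple detection. The following is an added example, not Kandji code and not derived from the stealer's script: it correlates, per process, reads of those sensitive locations with a later outbound connection over constructed telemetry lines. The log format (timestamp|event|pid|process|detail), the pids, the user name and the 203.0.113.10 destination are invented for the example, and the two-category threshold is an assumption chosen so that a normal git push (one category, then network) is not flagged.

```python
"""Added example: correlate sensitive-file reads with outbound connections
per process, over constructed endpoint telemetry. Not Kandji code."""
import re
from collections import defaultdict

# File locations the page lists as ProcessHub's collection targets.
# The regexes accept any macOS user home directory.
SENSITIVE_PATTERNS = {
    "shell_history": re.compile(r"^/Users/[^/]+/\.(bash|zsh)_history$"),
    "git_config": re.compile(r"^/Users/[^/]+/\.gitconfig$"),
    "ssh": re.compile(r"^/Users/[^/]+/\.ssh/"),
    "keychain": re.compile(r"^/Users/[^/]+/Library/Keychains/"),
}

# Constructed telemetry: timestamp|event|pid|process|detail. The format,
# the pids, the user and the IP are invented here, not real EDR output.
SAMPLE_LOG = """\
2024-05-01T10:00:01|exec|4101|zsh|/bin/zsh
2024-05-01T10:00:02|open|4101|zsh|/Users/alice/.zsh_history
2024-05-01T10:00:05|exec|4102|git|/usr/bin/git
2024-05-01T10:00:05|open|4102|git|/Users/alice/.gitconfig
2024-05-01T10:00:06|net|4102|git|github.com:443
2024-05-01T10:01:00|exec|4200|bash|/private/tmp/update.sh
2024-05-01T10:01:01|open|4200|bash|/Users/alice/.bash_history
2024-05-01T10:01:01|open|4200|bash|/Users/alice/.zsh_history
2024-05-01T10:01:02|open|4200|bash|/Users/alice/.gitconfig
2024-05-01T10:01:02|open|4200|bash|/Users/alice/.ssh/id_ed25519
2024-05-01T10:01:03|open|4200|bash|/Users/alice/Library/Keychains/login.keychain-db
2024-05-01T10:01:05|net|4200|bash|203.0.113.10:8080
"""


def parse_events(text):
    """Turn the pipe-delimited lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, proc, detail = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "pid": int(pid),
                       "proc": proc, "detail": detail})
    return events


def classify_path(path):
    """Return the sensitive-data category for a path, or None."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def detect(events, threshold=2):
    """Flag a process that reads at least `threshold` categories of
    sensitive data and afterwards opens an outbound connection. Order
    matters: reads that happen after the connection are not counted."""
    touched = defaultdict(set)  # pid -> categories read so far
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["kind"] == "open":
            cat = classify_path(ev["detail"])
            if cat:
                touched[pid].add(cat)
        elif ev["kind"] == "net" and len(touched[pid]) >= threshold:
            findings.append({
                "pid": pid,
                "proc": ev["proc"],
                "categories": sorted(touched[pid]),
                "destination": ev["detail"],
                "ts": ev["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT pid={f['pid']} {f['proc']} read {f['categories']} "
              f"then connected to {f['destination']} at {f['ts']}")
```

On the sample telemetry only pid 4200 is flagged: it reads all four categories and then connects to an unfamiliar host, while the git process reads a single category before its connection to github.com. The exec of a script from a temporary directory (the `/private/tmp/update.sh` line) is the other symptom the page lists and could be added as a second, lower-confidence signal on the same event stream.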
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.
In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.