On 2025-04-10 at 15:17:36 UTC-0400 (Thu, 10 Apr 2025 14:17:36 -0500)
Ryan Carsten Schmidt <ryandes...@macports.org>
is rumored to have said:

> On Apr 10, 2025, at 13:21, Forrest Aldrich wrote:
>
>> My malware checker has identified potential malware (AtomicStealer) distributed from MacPorts. I'd like to confirm with the community what else is known:
>>
>> /Applications/MacPorts/tea.app
>> ➜  /Applications cd MacPorts

> I know that tea is a text editor.
>
> https://ports.macports.org/port/tea
>
> I am not aware of it containing malware.

I uploaded the executable from the MacPorts binary package (x86/Sonoma) here:

https://www.virustotal.com/gui/file/114b5c6106adcc581253cac07343157b9e6ff4a477d294df977190517b27ab7b/detection

9 of the 63 AV tools used there mark it as malicious, including Microsoft, Symantec, and Avast, which are usually pretty good with FPs.

The behavior in the VT sandbox is not definitively suspect, but it does try some network connections which could be problematic. I don't see why a text editor does all that on its own.

I was unable to build the port from source with MacPorts on Sonoma. It emits this in config stage, while executing qmake (ewww.)


Project WARNING: Qt has only been tested with version 13 of the platform SDK, you're using 14.
Project WARNING: This is an unsupported configuration. You may experience build issues, and by using
Project WARNING: the 14.5 SDK you are opting in to new features that Qt has not been prepared for.
Project WARNING: Please downgrade the SDK you use to build your app to version 13, or configure
Project WARNING: with CONFIG+=sdk_no_version_check when running qmake to silence this warning.

It then proceeds to crash out on missing includes (from the c++ tree?) in qt5 header files. It is not clear how the binary package got built with this problem. This raises the possibility of a compromise in the MacPorts build system.

> As far as I know, Atomic Stealer is distributed by tricking a user into downloading and installing what looks like a browser update or a cracked commercial application. It seems unlikely that it would appear in an esoteric open source text editor so my initial assumption is that this is a false positive from your malware checker.

That would be my first guess too, but the 9 hits in VT make me nervous.

Atomic Stealer is a trojan that has seen multiple variants, as it is designed to hide in or as other apps.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
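Before trusting any verdict from the VirusTotal page, a defender wants to know that the file actually installed on the affected machine is the same artifact that was uploaded. The following shell snippet is an added example, not code from the thread or from MacPorts: it hashes a local file and compares the digest against the SHA-256 taken from the VirusTotal link above. The path to the executable inside the app bundle is an assumption (the thread only names the .app directory), so adjust it to the Mach-O binary you installed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a locally installed binary
# is byte-for-byte the same artifact as the sample analysed on VirusTotal.

# SHA-256 copied from the VirusTotal URL in the thread.
VT_SHA256="114b5c6106adcc581253cac07343157b9e6ff4a477d294df977190517b27ab7b"

# Print the SHA-256 of a file, using whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected digest, 1 otherwise.
# A mismatch means the VT report describes a different file than the one
# on disk, so its verdict (good or bad) does not transfer to your install.
verify_sha256() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        echo "MATCH  $1  $actual"
        return 0
    fi
    echo "DIFFER $1  got $actual  expected $2"
    return 1
}

# Usage (path inside the bundle is an assumption; adjust to your install):
# verify_sha256 /Applications/MacPorts/tea.app/Contents/MacOS/tea "$VT_SHA256"
```

If the digests differ, the installed file was not what VirusTotal scanned, and the 9/63 detection count says nothing about it; hash the installed binary itself and look that digest up instead.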
