Malware, tea.app (AtomicStealer)

Bill Cole macportsusers-20171215 at billmail.scconsult.com
Fri Apr 11 21:31:13 UTC 2025


On 2025-04-11 at 11:13:09 UTC-0400 (Fri, 11 Apr 2025 11:13:09 -0400)
Bill Cole <macportsusers-20171215 at billmail.scconsult.com>
is rumored to have said:

> On 2025-04-11 at 10:38:37 UTC-0400 (Fri, 11 Apr 2025 10:38:37 -0400)
> Bill Cole <macportsusers-20171215 at billmail.scconsult.com>
> is rumored to have said:
>
> [...]
>
>> I was unable to build the port from source with MacPorts on Sonoma.
>
> I've opened a Trac ticket for the port to be updated and rebuilt.
>
> https://trac.macports.org/ticket/72329

Ryan pointed me at the solution for the build failing. I built from 
source and also uploaded that to VT for analysis. The app package I 
built is being tagged as malicious by *some* of the same AV scanners: 
https://www.virustotal.com/gui/file/31cc5d34455850009013e936d71d27d34a685f0b9675c5f6bfa4851aaa63e47c/detection

My build shows some of the same behaviors in the VirusTotal sandbox 
environment as the one downloaded from MacPorts. It does NOT show some 
of the most concerning ones with dropped (i.e. new) and modified 
files.

I do not know what to make of this. I don't do much malware analysis, 
but it looks like IF (BIG if) the MacPorts build was somehow 
compromised, it was somewhere in the build automation and packaging, not 
in the original source. However, I am leaning towards this all being a 
false positive...
