Malware, tea.app (AtomicStealer)
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Fri Apr 11 21:31:13 UTC 2025
On 2025-04-11 at 11:13:09 UTC-0400 (Fri, 11 Apr 2025 11:13:09 -0400)
Bill Cole <macportsusers-20171215 at billmail.scconsult.com>
is rumored to have said:
> On 2025-04-11 at 10:38:37 UTC-0400 (Fri, 11 Apr 2025 10:38:37 -0400)
> Bill Cole <macportsusers-20171215 at billmail.scconsult.com>
> is rumored to have said:
>
> [...]
>
>> I was unable to build the port from source with MacPorts on Sonoma.
>
> I've opened a Trac ticket for the port to be updated and rebuilt.
>
> https://trac.macports.org/ticket/72329
Ryan pointed me at the solution for the build failing. I built from
source and also uploaded that to VT for analysis. The app package I
built is being tagged as malicious by *some* of the same AV scanners:
https://www.virustotal.com/gui/file/31cc5d34455850009013e936d71d27d34a685f0b9675c5f6bfa4851aaa63e47c/detection
My build shows some of the same behaviors in the VirusTotal sandbox
environment as the one downloaded from MacPorts. It does NOT show some
some of the most concerning ones with dropped (i.e. new) and modified
files.
I do not know what to make of this. I don't do much malware analysis,
but it looks like IF (BIG if) the MacPorts build was somehow
compromised, it was somewhere in the build automation and packaging, not
in the original source. However, I am leaning towards this all being a
false positive...
More information about the macports-users
mailing list