Question: Safari downloads random ZIP file

Jun 5, 2019
So, I've been experiencing something weird.

Safari has downloaded a random ZIP file twice so far. The download was made while browsing Facebook and WhatsApp respectively. The ZIP file is called 2018-2019.zip and contains an alias. I did not open the alias file, however, the properties window says the original file is in /net/nfsdelivery.duckdns.org/nfs/2018-2019. I tried to find information on the web about this but found nothing.

I have only one extension installed, Adguard, which I've been using for years now without a single problem.
I'm running macOS High Sierra 10.13.6 on a MBP late 2012.

I just don't get it. Maybe I got infected with Malware or spyware somehow?

Thanks in advance.
 

dlouzan
Great
Jun 6, 2019
I haven't experienced it anymore (doesn't mean it won't happen again). I couldn't find any other people complaining about this, so after a couple of days I don't think this is a general issue.

I had also made a report to Safari the day this happened, but if more people complain they might give it a look :)
 
Jun 10, 2019
Hey there,

This just happened to me as well.

The "2018-2019.zip" file information shows it was downloaded while visiting dle.rae.es (a Spanish dictionary), but it originally comes from a different URL. I surf the Internet with Chrome on a MacBook Pro, OS version 10.11.6.
Code:
https://github-production-release-asset-2e65be.s3.amazonaws.com/190018063/a77f2600-898e-11e9-9605-02bbb997091f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190610%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190610T081213Z&X-Amz-Expires=300&X-Amz-Signature=8a64c832f70507dfecfc8eb723e3e378a5add79e481c6a43e675ed8e4403860d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3D2018-2019.zip&response-content-type=application%2Foctet-stream,
https://dle.rae.es/?id=M5vXGGX

I uncompressed the .zip file and found that "2018-2019" link in there, as well as a large "..." file.
Code:
albamig:2018-2019 albamig$ ls -lisa
total 3048
43950401    0 drwxr-xr-x@   4 albamig  staff      136 10 jun 11:57 .
  425809    0 drwx------+ 169 albamig  staff     5746 10 jun 10:40 ..
43950403 3040 -rw-r--r--@   1 albamig  staff  1554944  3 jun 15:49 ...
43950404    8 lrwxr-xr-x@   1 albamig  staff       39 10 jun 10:40 2018-2019 -> /net/de802d35.duckdns.org/nfs/2018-2019

Plus, this "..." file's creation date first struck me as somewhat weird, but opening the .zip file with vim revealed it was already there. Thus, I think a remote download can be discarded.
Code:
albamig:2018-2019 albamig$ vi ../2018-2019.zip

  1 " zip.vim version v23
  2 " Browsing zipfile /Users/albamig/Downloads/2018-2019.zip
  3 " Select a file with cursor and press ENTER
  4
  5 2018-2019/
  6 2018-2019/2018-2019
  7 2018-2019/...
If I try to see what is in that remote file system I get no response.
Code:
albamig:2018-2019 albamig$ ls -lisa /net/de802d35.duckdns.org/nfs/2018-2019
ls: /net/de802d35.duckdns.org/nfs/2018-2019: Operation timed out
 

dlouzan
Great
Jun 6, 2019
Have you tried uploading the zip file to one of the online scanners, such as virustotal?

Additionally, I find it funny that you found this on a Spanish website; I'm also a Spaniard and visit that website quite often. Are you all by chance based in Spain? Maybe in the Telefónica network? Might be a country-targeted issue.
 

dlouzan
Great
Jun 6, 2019
Found it! It is actually 100% malware; it looks like a combination of the issue linked below plus another issue the attackers found, some way to trigger auto-download of the zip files without user intervention:

I'm still reading the technical details, so I'm not sure how worried we should be.
 
Jun 10, 2019
I'm based in Germany, so that cannot be the problem. VirusTotal does not report any issue either.

I am reading that link you just posted. Let's see...
 

dlouzan
Great
Jun 6, 2019
> I'm based in Germany, so that cannot be the problem. VirusTotal does not report any issue either.
>
> I am reading that link you just posted. Let's see...

Not surprised VirusTotal did not find anything: the vulnerability is based on auto-mounting remote locations and the implicit trust Gatekeeper puts in those locations. The file does not actually contain any binary, just the tailored zip content to mount a remote resource.

That's why I was seeing the duckdns NFS directory in the /net directory.

As long as you didn't access the mounted directory with Finder and execute anything contained in there, I think you should be safe.
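The post above describes the archive's trick: no binary at all, just a symlink whose target lives under the macOS automount path (/net/<host>/nfs/...), so opening the extracted folder in Finder makes the system mount an attacker-chosen NFS share, which Gatekeeper then treats as trusted. The following script is an added example for checking a downloaded archive before opening it; it is not code from the thread or from any of the posters. It reads the Unix mode bits that zip tools store in the central directory, reports symlink entries pointing under an automount prefix, and also flags dot-only filenames like the "..." file the listing in this thread showed. The prefix list and the dot-only heuristic are this example's own assumptions, and the sample archive it builds for self-testing is constructed here with a placeholder host, not the one seen in the thread.

```python
# Added example (not from the thread): inspect a zip archive for entries that would
# make macOS automount a remote share once the extracted folder is browsed.
import io
import stat
import sys
import zipfile
from typing import Dict, List

# Assumed prefixes under which the macOS automounter (autofs) mounts remote shares on
# first access; the thread's archive pointed at /net/<host>/nfs/<share>.
AUTOMOUNT_PREFIXES = ("/net/", "/Network/", "/Volumes/")


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Unix mode bits; Unix zip tools store them in the high 16 bits of external_attr."""
    return info.external_attr >> 16


def scan_zip_for_automount_links(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry in the archive bytes.

    Two patterns described in the thread are flagged:
      * a symlink whose target lives under an automount prefix, so that merely
        browsing the extracted folder triggers a mount of a remote NFS share;
      * a regular file whose name consists only of dots ("..."), which hides
        among "." and ".." in a directory listing.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = entry_mode(info)
            basename = info.filename.rstrip("/").rsplit("/", 1)[-1]
            if stat.S_ISLNK(mode):
                # For a symlink entry the stored "file contents" are the link target.
                target = zf.read(info).decode("utf-8", "replace")
                if target.startswith(AUTOMOUNT_PREFIXES):
                    findings.append({"name": info.filename,
                                     "kind": "automount-symlink",
                                     "detail": target})
            elif basename and set(basename) == {"."} and not info.is_dir():
                findings.append({"name": info.filename,
                                 "kind": "dot-only-filename",
                                 "detail": f"{info.file_size} bytes"})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the layout reported in the thread (placeholder host)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, mode: int, payload: bytes) -> None:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16
            zi.create_system = 3  # 3 = Unix, so other tools honour the mode bits
            zf.writestr(zi, payload)

        # Symlink into the automount tree; host is a placeholder, not the real one.
        add("2018-2019/2018-2019", stat.S_IFLNK | 0o755,
            b"/net/placeholder-host.invalid/nfs/2018-2019")
        # Padding file with a dots-only name, like the 1.5 MB "..." in the thread.
        add("2018-2019/...", stat.S_IFREG | 0o644, b"\0" * 1024)
        # A benign entry that must not be reported.
        add("2018-2019/notes.txt", stat.S_IFREG | 0o644, b"benign content\n")
    return buf.getvalue()


def main(argv: List[str]) -> int:
    """Scan the archive given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_zip()
    findings = scan_zip_for_automount_links(data)
    for f in findings:
        print(f"{f['kind']:18} {f['name']}  ->  {f['detail']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_zip.py ~/Downloads/2018-2019.zip`; a non-zero exit status means at least one entry was flagged. The check works on the archive itself, so it is useful precisely where VirusTotal was not: there is no executable to match a signature against, only a link that points somewhere it should not.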
 
Jun 10, 2019
> Have you tried uploading the zip file to one of the online scanners, such as virustotal?
>
> Additionally, I find it funny that you found this on a Spanish website; I'm also a Spaniard and visit that website quite often. Are you all by chance based in Spain? Maybe in the Telefónica network? Might be a country-targeted issue.

Also, in the zip information you should be able to find, besides the AWS server your download was triggered from, the webpage which launched the file request or accepted it (who knows how that happened...). If it reports the RAE webpage as well, there is definitely an issue there that we must report.
 

dlouzan
Great
Jun 6, 2019
> Also, in the zip information you should be able to find, besides the AWS server your download was triggered from, the webpage which launched the file request or accepted it (who knows how that happened...). If it reports the RAE webpage as well, there is definitely an issue there that we must report.

Unfortunately I don't know how. I had the Safari setting for auto-uncompressing zip files enabled (bad idea), so what ended up in my Downloads folder was the uncompressed folder. The original zip file, I guess, was somewhere in Safari's temporary files, but I have restarted since then, so I can't see it anymore.

If you have a way to get the original file, I'm all ears :)
 
Jun 10, 2019
> Found it! It is actually 100% malware; it looks like a combination of the issue linked below plus another issue the attackers found, some way to trigger auto-download of the zip files without user intervention

That definitely seems to be the whole thing. Nice catch. Somebody in the Apple forum reported something concerning a PDF app, which is exactly the PoC given by Filippo Cavallarin at https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass. It has been embellished with other features, though - I cannot download the zip file anymore and the original machine is hidden behind a DNS/AWS S3 server -

> That's why I was seeing the duckdns NFS directory in the /net directory.
>
> As long as you didn't access the mounted directory with Finder and execute anything contained in there, I think you should be safe.

To the best of my knowledge, I do not think your security has been compromised if you have not run any piece of software from that NFS server, even if you have mounted it.
Thank God I could not even mount it...

> If you have a way to get the original file, I'm all ears :)

The one thing I can think of is to recover all files marked as deleted from your hard disk, but it would take a lot of time and effort at your end.

Anyway, thank you for all the information you have brought to light!
 
Jun 6, 2019
Well, now that you mention RAE, I recall using it a few seconds before that dubious download downloaded itself. Besides, for some strange reason said search did not appear in my history. Could it be related to that particular webpage (which Chrome always dubs unsafe)?
 

dlouzan
Great
Jun 6, 2019
> Well, now that you mention RAE, I recall using it a few seconds before that dubious download downloaded itself. Besides, for some strange reason said search did not appear in my history. Could it be related to that particular webpage (which Chrome always dubs unsafe)?

Well, the main page seems to have HTTPS disabled, but the dictionary itself is available via HTTPS. The attackers might have found a way to inject JS code into the main (unprotected) page and that triggered the download. Not sure.
 

dlouzan
Great
Jun 6, 2019
> Same problem here. I posted a thread at Apple Support Communities — https://discussions.apple.com/thread/250417600.
>
> The network volume was mounted, but I didn't open any file from there. Should I take any measure? Pretty scared about this.

From the information we could gather until now, it should be OK as long as you didn't execute anything inside the mounted NFS. The zip file itself seems not to contain any malware. I myself also had it uncompressed automatically (my Safari had that damned setting to auto-open "safe" files turned on). Analysis programs didn't find anything bad in my system either.

By the way, I find it interesting that you are also a Spaniard by your name? Might be a country-specific target, who knows.

In any case it would be nice to get a proper answer from Apple...
 
Jun 5, 2019
I find it interesting that you lot were browsing Spanish websites. I am not a Spaniard myself, but I live in a Spanish-speaking country. I don't recall having the RAE website open when the shady download occurred, but I do check that site quite often.
 
Jun 13, 2019
> From the information we could gather until now, it should be OK as long as you didn't execute anything inside the mounted NFS. The zip file itself seems not to contain any malware. I myself also had it uncompressed automatically (my Safari had that damned setting to auto-open "safe" files turned on). Analysis programs didn't find anything bad in my system either.
>
> By the way, I find it interesting that you are also a Spaniard by your name? Might be a country-specific target, who knows.
>
> In any case it would be nice to get a proper answer from Apple...

Yep, I'm also from Spain. A bit weird that most of us are Spaniards. I haven't noticed anything unusual on my laptop and haven't run any file from the network volume. Thank you for your reply. 💪

The malicious file has been downloaded to my Mac a few more times—from the Spanish newspaper 20minutos and, like others, also from the RAE dictionary. It also happened while browsing with Firefox. It may be some code injection in an ad server or something.
 