iThreats

Installation: What happens when you ‘double click’ it?  You’ll notice that it requires root privilege.

In this stage, it is already too late because even if you decide to discard or cancel the authorization, the tricky ‘StarfieldInstall.app’ has already installed itself as follows:

1)  It creates a ‘Starfield’ folder in the Application directory.  In this folder, you’ll find a copy of itself and an update component.

/Application/Starfield/StarfieldInstall.app

/Application/Starfield/starfieldupdate.app

2) It is set to run at login by adding ‘starfieldupdate’ in the Login Items.

3) It is always running in the background.

So, when you thought it’s gone, it’s not because ‘StarfieldInstall’ sleeps and activates again to request your password. It will continue to annoy you with repeated request until it gets authorized.

• OS version and CPU Type
• Local user
• Previous installation
• Starfield installation component versions

And performs the following:

• Checks user privilege on the system by checking if user is admin or if the user can be elevated to admin.
• StarfieldInstall launches ‘starfieldupdate.app’ which is kept in the background.
• ‘starfieldupdate.app’ is responsible for initial installation (first run) and updates.
• The initial installation path of Starfield would be:

• Dumps data log of its activity especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder.

Payload:

The payload is mainly handled by ‘StarfieldInstall.app’. When the user inputs the password, the installation continues by sending a HTTP request to the server as follows:

‘Moduleinfo’ is a JSON text which ‘StarfieldInstall.app’ parses and evaluating the content of a JSON string. For example, it reads and evaluate which package appropriate to the user: Windows or Mac.


{ "win" :

…

, "mac" :

It also evaluates the installation requirement, example:

‘StarfieldInstall’ compares this requirement defined by JSON file ‘moduleinfo’ before it downloads, extracts and run the latest package resulting to installation of the following:

starfieldinstall.zip

starfieldupdate.zip

fileedittool64.plugin.zip

fileedittool.zip

WBETools14.plugin

wbetools64.zip

copypaste.xpi

zoomext.xpi

offdavhelper_mac4.zip

offdavhelper_mac.zip

offsettings.bundle.zip

wbesettings.bundle.zip

drivemapreconnect.zip

backupstatus.zip

offsync_mac.zip

desktoptools.zip

wbedesktopnotifier.zip

So far we have 17 files here and 4 of these files do not require root password. It is important to take note that  ’StarfieldUpdate.app’ is always running in the background and launch ‘StarfieldInstall.app’ to perform the following:

- Evaluating JSON text ‘moduleinfo’ for update

- Download and installation of latest versions

- Discovery of products installed

- Running privileged shell command

It installs two Firefox extensions and plugins, which is persistent. It means that you can’t just click ‘uninstall’ to remove it . In Firefox, click Tools and Addons to view the installed Extensions and Plugins as shown below:

Another notable process created is ‘OffSyncService’ which is always running in the background .

In conclusion, this is a nasty and abusive application that performs remote activities and installation of unwanted plugins and application without user consent. It is a bloatware and a backdoor.