https://github.com/dantex86/iremove-malware-analysis
Comprehensive analysis of iRemove malware targeting macOS systems - Security research and threat intelligence
- Host: GitHub
- URL: https://github.com/dantex86/iremove-malware-analysis
- Owner: DanteX86
- License: other
- Created: 2025-06-24T04:37:08.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-06-24T14:38:31.000Z (4 months ago)
- Last Synced: 2025-07-05T14:09:26.512Z (3 months ago)
- Topics: cybersecurity, iocs, macos, malware-analysis, network-forensics, security-research, threat-intelligence, yara-rules
- Language: HTML
- Size: 433 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
README
# iRemove.tools Surveillance Malware Analysis
**Historical Case Study & Threat Intelligence Research**
This repository contains the complete investigative analysis of the iRemove.tools surveillance malware campaign - a comprehensive 3+ year study (2022-2025) that uncovered a sophisticated global criminal enterprise operating surveillance software disguised as MDM bypass tools.
## **OVERVIEW**
This repository documents the complete investigation into iRemove.tools - what began as analysis of a suspicious MDM bypass tool uncovered a global surveillance operation with advanced evasion techniques, multi-language support, and sophisticated criminal infrastructure.
The investigation led to the development of **ARTEMIS** (now maintained separately), but this repository preserves the original research, methodologies, and findings that exposed this significant threat.
> **IMPORTANT NOTE**: The ARTEMIS malware analysis toolkit has been extracted into its own dedicated repository for ongoing development. For the latest version of the analysis tools, visit:
>
> **[ARTEMIS Malware Analysis Toolkit](https://github.com/your-username/artemis-malware-toolkit)**
>
> This repository remains focused on the historical iRemove.tools investigation and serves as a comprehensive case study in threat research methodology.
### **Investigation Highlights:**
- **3+ Year Timeline** - Complete operational analysis (2022-2025)
- **Global Scale** - 9-language international criminal enterprise
- **Advanced Evasion** - Sophisticated techniques to avoid detection
- **Commercial Operation** - Professional website, payment processing, customer support
- **Technical Analysis** - Complete malware teardown and IOC extraction
- **Threat Intelligence** - STIX 2.1 formatted indicators and YARA rules
- **Attribution Analysis** - Criminal infrastructure and operational assessment

## **ACCESSING THE RESEARCH**
```bash
# Clone the research repository
git clone
cd iremove-malware-analysis

# View threat intelligence reports
cat docs/threat-intelligence/FINAL_THREAT_INTELLIGENCE_REPORT.md
cat docs/threat-intelligence/OPERATIONAL_INTELLIGENCE_REPORT.md

# Examine IOC data
cat iocs_stix.json   # STIX 2.1 format
cat iocs_csv.csv     # CSV format for SIEM
cat src/rules/*.yar  # YARA detection rules

# For active malware analysis, see ARTEMIS toolkit:
# https://github.com/your-username/artemis-malware-toolkit
```

## **TOOLKIT COMPONENTS**
### **Core Analysis Engine:**
- **`src/scripts/auto_analysis.sh`** - Main automated analysis script
- **`src/scripts/ioc_analyzer.sh`** - IOC extraction and analysis
- **`src/scripts/network_monitor.sh`** - Network monitoring setup
- **`src/rules/*.yar`** - YARA detection rules
- **`examples/test_sample.txt`** - Test file with embedded IOCs for validation

### **Professional Threat Intelligence:**
- **`THREAT_INTELLIGENCE_PACKAGE.md`** - Comprehensive threat analysis report
- **`iocs_stix.json`** - STIX 2.1 formatted indicators
- **`iocs_csv.csv`** - CSV format for SIEM integration
- **`iremove_malware.yar`** - YARA detection rules

### **Documentation:**
- **`docs/threat-intelligence/`** - Threat intelligence reports
- **`docs/analysis-reports/`** - IOC and analysis reports
- **`docs/installation/`** - Setup and installation guides
- **`docs/guides/`** - Usage guides and examples

### **Archive:**
- **`archive/analysis-sessions/`** - Historical analysis sessions
- **`archive/legacy-docs/`** - Legacy documentation files

## **ANALYSIS CAPABILITIES**
### **Static Analysis:**
- ✅ File metadata and hashing (SHA256, MD5)
- ✅ String extraction and analysis
- ✅ IOC identification (domains, IPs, emails)
- ✅ Binary symbol extraction
- ✅ Dependency analysis
- ✅ macOS .app bundle support

### **Threat Intelligence Generation:**
- ✅ Professional markdown reports
- ✅ STIX 2.1 threat intelligence format
- ✅ YARA rule creation
- ✅ CSV IOC feeds for SIEM integration
- ✅ Network monitoring setup
- ✅ Attribution analysis

## **SAMPLE OUTPUT**
```bash
$ ./auto_analysis.sh "/Applications/1Password.app"

Starting Automated Malware Analysis
Target: /Applications/1Password.app/Contents/MacOS/1Password
Analysis Directory: malware_analysis_20250624_013624

PHASE 1: Basic File Information ✅
PHASE 2: String Analysis ✅
PHASE 3: Binary Analysis ✅
PHASE 4: Network Monitoring Setup ✅
PHASE 5: Generating Analysis Report ✅

Quick Summary:
File: /Applications/1Password.app/Contents/MacOS/1Password
SHA256: b5e29be38a8ee1bde467edf46a0aceda924904b017165a1cdbb1eb41c620cc27
Strings: 3077 extracted
Potential domains: 151 identified
Analysis files: 6 generated
```

## **REAL-WORLD CASE STUDY**
ARTEMIS was developed during the analysis of a sophisticated surveillance campaign:
- **Target**: iRemove.tools MDM bypass malware
- **Duration**: 3+ year surveillance operation (2022-2025)
- **Scope**: Global criminal enterprise with 9-language support
- **Impact**: Professional threat intelligence package generated
- **Outcome**: Complete operational disruption analysis

[View Complete Case Study →](FINAL_THREAT_INTELLIGENCE_REPORT.md)
## **SYSTEM REQUIREMENTS**
### **Operating System:**
- macOS 10.15 or later (tested on macOS Sonoma)
- ARM64 or Intel architecture

### **Dependencies:**
Built-in macOS tools (no additional installation required):
- `file`, `strings`, `shasum`, `md5`
- `nm`, `otool` (Xcode Command Line Tools)
- `grep`, `find`, `sort`, `wc`

Optional enhancements:
- `class-dump` (for detailed Objective-C analysis)
- `tcpdump` (for network monitoring)

## **USAGE EXAMPLES**
### **Basic Analysis:**
```bash
# Analyze system binary
./src/scripts/auto_analysis.sh /usr/bin/ssh

# Analyze downloaded application
./src/scripts/auto_analysis.sh ~/Downloads/suspicious.app

# Analyze with test sample
./src/scripts/auto_analysis.sh examples/test_sample.txt
```

### **Professional Workflow:**
```bash
# 1. Run analysis
./src/scripts/auto_analysis.sh suspicious_file

# 2. Review generated reports
cd malware_analysis_YYYYMMDD_HHMMSS/
cat analysis_report.md

# 3. Check IOCs
cat potential_iocs.txt

# 4. Set up monitoring (if needed)
sudo ./src/scripts/network_monitor.sh
```

## **PROFESSIONAL APPLICATIONS**
### **Cybersecurity Career Development:**
- **Resume Enhancement**: "Developed automated malware analysis toolkit"
- **Portfolio Projects**: Working security tools with professional output
- **Interview Preparation**: Concrete examples of technical capabilities
- **Certification Support**: Practical experience for GCIH, GCFA, GCTI

### **Security Operations:**
- **Incident Response**: Rapid analysis of suspicious files
- **Threat Hunting**: IOC extraction and intelligence generation
- **Forensic Analysis**: Professional documentation and reporting
- **Security Research**: Methodology template for threat investigation

## **DOCUMENTATION**
- [Usage Guide](docs/guides/USAGE_GUIDE.md)
- [Lab Setup Instructions](docs/installation/LAB_SETUP_GUIDE.md)
- [Threat Intelligence Reports](docs/threat-intelligence/)
- [Analysis Reports](docs/analysis-reports/)
- [Contributing Guidelines](CONTRIBUTING.md)
- [Security Policy](SECURITY.md)

## **CONTRIBUTING**
ARTEMIS was developed through real-world malware investigation. Contributions are welcome:
1. **Fork the repository**
2. **Create feature branch** (`git checkout -b feature/enhancement`)
3. **Commit changes** (`git commit -am 'Add new feature'`)
4. **Push to branch** (`git push origin feature/enhancement`)
5. **Create Pull Request**

## **LICENSE**
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## **ACKNOWLEDGMENTS**
- **iRemove.tools Investigation**: Real-world case study that drove development
- **Cybersecurity Community**: Threat intelligence sharing and methodology
- **macOS Security Research**: Apple platform analysis techniques

## **CONTACT**
For questions, collaboration, or professional inquiries:
- **GitHub Issues**: For bug reports and feature requests
- **Security Research**: For threat intelligence collaboration
- **Professional Development**: For career and certification discussions

---
## **VALIDATION TESTING**
ARTEMIS has been successfully tested on multiple platforms:
### **Test Results:**
- ✅ Custom Test Sample: 4 domains, 1 IP, 1 email extracted
- ✅ System Binary (/usr/bin/curl): 2441 strings, 27 domains
- ✅ macOS Application (1Password): 3077 strings, 151 domains
- ✅ Binary Analysis: Symbols, dependencies, class dumps
- ✅ Report Generation: Professional markdown with timestamps

### **Production Readiness:**
- ✅ **Error Handling**: Comprehensive file validation and helpful messages
- ✅ **macOS Integration**: Native .app bundle support with automatic executable detection
- ✅ **Professional Output**: Industry-standard analysis reports and IOC formats
- ✅ **Real-world Validation**: Successfully analyzed legitimate applications

---
**ARTEMIS - From Surveillance Detection to Security Excellence**