New MacOS Malware Discovered: Dubbed Silver Sparrow

engine

10:59 am on Feb 21, 2021 (gmt 0)

New MacOS malware discovered, but it's not yet clear what the payload is likely to do.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

[arstechnica.com...]

iamlost

5:51 pm on Feb 21, 2021 (gmt 0)

I’ve pulled the Red Canary blog link [redcanary.com] from above linked arstechnica article for those that want to jump straight to the nitty gritty details.

We all know the decreasing ratio of scan post vs click through to linked article vs click through to linked origin...
and of course we also know the number of angels able to dance on the head of a pin is greater than the number of webdevs whose [thumbs prick | eyes dance] when [something evil | malware] this way comes...

iamlost and content to so be

Code delectable code
Shall we play a game?

lucy24

5:52 pm on Feb 21, 2021 (gmt 0)

Once an hour, infected Macs check a control server
Whose server? In what country?
:: closer study of linked article ::
Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder.
Can’t say I perfectly understand this.

weeks

7:40 pm on Feb 21, 2021 (gmt 0)

I have a subscription to Ars Technica. Since I cannot link to it (even if you had a subscription), below is what I found in the comments (Ars Technica didn't make it easy, there was some luck involved) from a poster with the name of effgee who wrote this on May 20, 2021. (Note that I have not done this and have no idea if it works or is safe. You go first and report back.)

Go and read Red Canary's blog post. [redcanary.com] Study the section "Indicators of Compromise" in depth. If you find that your system shows signs of infection, i.e. you have files with these names in the locations described in the post, proceed as follows:

To get rid of an offending file when you know the actual path (= "the file location"):

Open "Terminal.app" in "Applications/Utilities".
Type the command "rm" followed by a single space (no quotes).
Enter the complete "file path + file name", e.g. "/Users/Joe/Library/Caches/evilfile.ext" (no quotes). Here you can save time and copy & paste the file names and paths from Red Canary's blog post, e.g. "~/Library/Launchagents/init_agent.plist". (See below re: tilde character "~")
Your command line now looks like this: "rm /Users/Joe/Library/Caches/evilfile.ext".
Hit "Return" on your keyboard and the offending file will be deleted. This cannot (easily) be undone; double-check your paths and file names before hitting Return!

Do the above for all the files in the blog post that are listed with a complete file path; the tilde character "~" simply denotes your user name in macOS and will be resolved correctly in Terminal.app. Meaning it will automatically turn "~" into "/Users/Joe/", assuming your user name really is Joe.

When you're not certain where a file may be located, you've got to search for it first. In Finder, open a new search window with "Cmd-F". In the window, click in the menu labeled "Kind", click in "Other...", scroll to "System files", click that once so it is highlighted and click in "OK". Click in "aren't included" and change it to "are included". Then, in the upper right corner of that window click once in the "Search" text field and enter the file name, e.g. "evilfile.ext" (no quotes). If present, all files with that name will appear in list form inside the Finder window we just opened. (*)

Leave that Finder window with the search results open, we'll need it again in a sec.

Next, check the md5 hash that will uniquely identify the offending file, for example the file "Update.pkg" you may have downloaded inadvertently and/or moved.

Open "Terminal.app", enter the command "md5" followed by a single space (no quotes), and then drag and drop the file from the Finder search result window into the Terminal window, roughly behind the command you just typed – the file's path and name will appear in the Terminal window. Your command line will look something like: "md5 /Users/Joe/path/to/evilfile.ext". Hit "Return" on your keyboard and the hash for "evilfile.ext" will be calculated.

The result will be an insane-looking string of 32 characters like "30c9bc7d40454e501c358f77449071aa". Compare the one from your Terminal window with the ones from Red Canary's blog post. If they are identical remove the file as shown above with the Terminal command "rm". Rinse and repeat for all the files in RC's post that do not have a file path associated with them.

Voilà, two or three minutes and a reboot later your Mac will be infection-free.


(* – This is not currently needed, but future versions of this malware may very well try to obfuscate their files further by making them invisible. To make sure we find those as well as all system files, simply create an additional search criterion like so... In the Finder window, to the very right of "are included" you'll see a "–" and a "+" button. Click in the "+" once, click in the menu labeled "Name", click once in "Other...", scroll to "File invisible", click that once so it is highlighted and click in "OK". Click in "Visible Items" and change it to "Visible or Invisible" – we are now searching for files by name, including system files and regardless of whether or not they are visible in Finder.)
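The manual steps quoted above (check the listed paths, md5 anything you are unsure about, then rm) can be scripted so you are not retyping paths by hand. The script below is an added example written for this thread; it is not from the original post, from effgee's comment, or from Red Canary. It embeds no real Silver Sparrow indicators: the demo at the bottom builds constructed sample files and hashes in a temporary directory, and the two list files (one path per line, one lowercase md5 per line) are assumed to be filled in by you from the blog post's "Indicators of Compromise" section. It is dry-run by default and only deletes when REMOVE=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original post or the Red Canary write-up:
# a scriptable version of the manual Terminal steps quoted above.
#   check_paths  - does each listed path exist?            (the "rm <path>" step)
#   check_hashes - does any file under the given directories have an MD5
#                  from the list?                          (the "md5 <file>" step)
# Dry run by default; set REMOVE=1 to actually delete hits.
# No real indicators are embedded: the demo builds CONSTRUCTED sample data.

REMOVE=${REMOVE:-0}

# Portable MD5 of one file: macOS ships `md5 -q`, Linux ships `md5sum`.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Expand a leading "~" to $HOME (the post notes "~" means your home folder).
# Needed because paths read from a file are not tilde-expanded by the shell.
expand_tilde() {
    case "$1" in
        "~"|"~/"*) printf '%s%s\n' "$HOME" "${1#\~}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Path indicators: one path per line in $1. Prints "PATH HIT: <path>" per hit.
check_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        full=$(expand_tilde "$p")
        if [ -e "$full" ]; then
            echo "PATH HIT: $full"
            if [ "$REMOVE" = 1 ]; then rm -f -- "$full"; fi   # "--": path may start with "-"
        fi
    done < "$1"
}

# Hash indicators: one MD5 per line in $1; remaining args are directories to
# walk. find sees dot-files too, so the Finder "invisible items" trick in (*)
# is not needed here. -x matches whole lines, -F treats the hash literally.
check_hashes() {
    hashfile=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null | while IFS= read -r f; do
            h=$(md5_of "$f")
            if grep -qixF "$h" "$hashfile"; then
                echo "HASH HIT: $f $h"
                if [ "$REMOVE" = 1 ]; then rm -f -- "$f"; fi
            fi
        done
    done
}

# --- Demo on CONSTRUCTED data (none of these are real indicators) -----------
demo() {
    tmp=$(mktemp -d)
    printf 'not really malware\n' > "$tmp/evilfile.ext"
    printf 'harmless\n'           > "$tmp/readme.txt"
    : > "$tmp/.hidden_agent.plist"
    # The two list files you would normally fill from the blog post:
    printf '%s\n' "$tmp/.hidden_agent.plist" "$tmp/not_present.plist" > "$tmp/paths.txt"
    md5_of "$tmp/evilfile.ext" > "$tmp/hashes.txt"
    check_paths  "$tmp/paths.txt"        # expect one PATH HIT (.hidden_agent.plist)
    check_hashes "$tmp/hashes.txt" "$tmp" # expect one HASH HIT (evilfile.ext)
    rm -rf -- "$tmp"
}
demo
```

Run it once without REMOVE to see what it would touch, then again with REMOVE=1 only after you have compared the reported hashes against the blog post yourself. Keep the hash list free of trailing spaces or Windows line endings, since the match is an exact whole-line compare. Walking all of ~/Library with the hash check can take a while; point it at the specific folders named in the post rather than your whole home directory.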

iamlost

7:48 pm on Feb 21, 2021 (gmt 0)

@lucy24: one can use CDNs in various ways to both add an additional layer of obfuscation as well as increase target breadth.

One way is to leverage the pass-through aspect of a CDN: what the CDN cuts is a link, not a hosted site, so the malware site can simply upload a different URL and be back in business, a game of whack-a-mole until some authority goes far enough down the rabbit hole to identify an actual site, which may well move to another domain, rinse, repeat.
Note: many/most malware command and control are not quite this resilient but some are.

A more recent development is to leverage Cloudflare worker resolvers as C&C directly or pass through via eg ReactJS Strapi App/JSON parser to pass server arguments. Until rooted out this means blocking all Cloudflare edge IPs.

Add in Akamai CDN for another layer and here mole mole where’s the mole?