Opened a zip file in a spam email which created a folder in the /net folder
I accidentally opened a zip file from a spam email. There is a text file in the zip file which I have also clicked to view. Later, I checked that this file has the following content:
/net/us.e-fax.org/nfs/Documents
This has created an Archived.app in the root folder /net/us.e-fax.org/nfs/Documents which I can access from my browser. Now I am a little bit scared that it might be some sort of spyware/keylogger or something which can read my files etc. I have tried to remove the folder us.e-fax.org in the /net folder but I was only able to remove it by unmounting the /net folder. How can I clean my system from this pest?
This sounds like someone's trying to use the same security bypass as OSX/Linker (Intego, ZDNet). It's a bug in Gatekeeper originally discovered by Filippo Cavallarin. The way it works is that if you access /net/<someservername>/<somepath>
, macOS will automatically mount that server via NFS and give you direct access to files stored there. Unlike most forms of network download, any files you get this way are not considered quarantined, and thus don't have the usual security checks macOS applies to downloaded files.
First step: delete the zip file and whatever it expanded into.
Second step: unmount the remote volume with sudo umount /net/us.e-fax.org/nfs/Documents
. It sounds like you've already unmounted the entire /net` directory though, which should take care of this (and shouldn't cause any other trouble).
Third step: I checked Archived.app, and it's currently just an empty shell. But its modification time is just a couple of hours ago, so it could easily have had malicious contents earlier, and the trickery the zip file used to mount it might also have been used to launch it. So... we have no idea what (if anything) it might've done to your computer.
So, you need to scan your Mac for any malware it might've installed. You can get Intego VirusBarrier Scanner from the Mac App Store, and Malwarebytes scanner here. Since I have no idea what (if anything) it did, I can't make specific recommendations.
Fourth step (optional, see the "Potential mitigations" part of the Intego article): you can disable the automount mechanism that made this bypass possible by editing the file /etc/auto_master in a text editor (I recommend BBEdit -- it's great for this sort of thing even in free/demo mode), and adding "#" at the beginning of the line that starts with "/net". You can do this from Terminal with the command:
sudo sed -i.orig 's@^/net@#/net@' /etc/auto_master
Be sure to copy this command exactly; any typos (including even just the wrong kind of quotation marks) could cause trouble. Note that it'll prompt you for your admin password, but the password will not show as you type it.