
Pirated Software Puts Mac Users at Risk as Proxy Malware Emerges

Malware is being aimed at Mac users who download pirated versions of popular apps from warez websites. Several reports state that cybercriminals are infecting macOS devices with proxy trojans and turning them into relay terminals used to spread the malware and to run phishing and hacking campaigns.

An ongoing campaign, first discovered in April of this year, was recently reported by Kaspersky. According to the report, the campaign sells proxy access of the kind that feeds botnets such as Qakbot, which was recently dismantled by the Federal Bureau of Investigation and removed from around 700,000 machines.

According to Kaspersky's report, the campaign targets users who are unwilling to pay for premium versions of apps or to upgrade their current apps. The cybersecurity firm's research found that the trojan was injected into pirated versions of 35 popular apps that edit images, compress and edit videos, recover lost data, scan networks, and recover passwords.

The latest attack spreads a new proxy trojan through pirated copies of popular paid macOS software found on warez websites. Once a computer is infected, it is turned into an automated traffic-forwarding terminal used to facilitate malicious or illegal activity such as phishing and hacking.

Cybercriminals exploit the allure of obtaining premium applications without paying. In the campaign uncovered by Kaspersky, 35 popular applications, including image editors, video compressors and editors, data recovery programs, and network scanning tools, were found to contain the proxy trojan.

The trojanized software is distributed as a PKG file, which poses a higher risk than an ordinary disk image: PKG installers can run scripts as part of the installation process, and those scripts execute with administrator rights. That grants them the ability to perform dangerous actions such as modifying files and executing commands.

After installation, the trojan's embedded scripts disguise it as a system process named "WindowServer" so that it blends into normal system activity. To further evade detection, the trojan's launch configuration is stored in a file named GoogleHelperUpdater.plist.

No specific command or command sequence executed by the trojan has been confirmed, but analysis indicates that it can create TCP or UDP connections on its own to provide proxying, and that it communicates with its command-and-control server using DNS-over-HTTPS. The same C2 infrastructure hosts the macOS proxy trojan payloads alongside similar payloads for Android and Windows, indicating that these cybercriminals are targeting a wide range of devices.

By using the name "WindowServer", the trojan masquerades as the legitimate macOS process that manages the user interface. It is launched by a file called GoogleHelperUpdater.plist, another legitimate-sounding name borrowed from Chrome, which makes the trojan harder to spot.
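The two disguises described above (a system-process name in a non-system location, and a vendor-like launch item name) are exactly what a LaunchAgent triage pass can flag. The script below is an added example, not code from the article or from Kaspersky; the system-path prefixes, the vendor names and the sample plist are constructed assumptions for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Assumption: where genuine macOS system binaries live (illustrative list).
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")
# Process name the article says the trojan imitates.
IMPERSONATED_PROCESSES = {"WindowServer"}
# Vendor names that a launch item may borrow to look legitimate (assumption).
VENDOR_NAMES = ("google", "apple", "microsoft", "adobe")


def triage_launch_item(plist_bytes: bytes, plist_name: str) -> list[str]:
    """Return heuristic findings for one LaunchAgent/LaunchDaemon plist."""
    item = plistlib.loads(plist_bytes)
    program = item.get("Program") or (item.get("ProgramArguments") or [None])[0]
    if not program:
        return ["no Program/ProgramArguments key"]
    findings = []
    binary = PurePosixPath(program).name
    in_system_path = program.startswith(SYSTEM_PREFIXES)
    # Finding 1: a system-process name launched from outside system paths.
    if binary in IMPERSONATED_PROCESSES and not in_system_path:
        findings.append(f"system process name '{binary}' outside system paths: {program}")
    # Finding 2: the plist borrows a vendor name but the binary does not live
    # under a directory carrying that vendor's name (e.g. ~/Library/Google/).
    for vendor in VENDOR_NAMES:
        if vendor in plist_name.lower() and vendor not in program.lower():
            findings.append(f"'{plist_name}' names {vendor} but launches {program}")
    # Finding 3: persistence at login/boot for a non-system binary.
    if item.get("RunAtLoad") and not in_system_path:
        findings.append(f"RunAtLoad persistence for non-system binary {program}")
    return findings


# Constructed sample modelled on the article's description (not a real IoC).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>GoogleHelperUpdater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/WindowServer</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in triage_launch_item(SAMPLE_PLIST, "GoogleHelperUpdater.plist"):
        print("FINDING:", finding)
```

On a live system, feed the function each file under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents; legitimate items under vendor-named directories produce no findings.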

Kaspersky's study suggests that the trojan affects both macOS and Android devices. Although Kaspersky's researchers could not observe which commands the malware executes, it appears to use TCP and UDP to act as a proxy for other applications. The researchers believe that the threat actor behind this campaign is also targeting other operating systems, using a different installer.

Mac Users Under Attack: Malvertising Campaign Distributing Atomic Stealer Malware

An updated version of the macOS stealer malware Atomic Stealer (also known as AMOS) is being distributed through a new malvertising campaign. Its authors appear to be actively maintaining and updating the malware.

When the creators of AMOS began advertising the tool for $1,000 per month in the spring of 2023, they claimed it could steal a wide range of data. Not long afterwards, new variants armed with many additional spying features appeared in the wild, targeting gamers and cryptocurrency investors.

According to its authors, the malware can steal keychain passwords, browser data, cryptocurrency wallets, and other files from a compromised device. Malwarebytes recently observed that although AMOS was originally distributed through cracked software downloads, it is now also being delivered through a malvertising campaign.

An unknown entity in Belarus appears to have hijacked a Google advertiser account and used it to promote a fake website impersonating TradingView, a real financial market tracking app. Cybercriminals are reportedly deploying data-stealing malware against Apple computers more and more often in order to steal confidential information.

Cybersecurity company SentinelOne reported on Wednesday that it had spotted a new version of the macOS infostealer Atomic Stealer. It is the third version of the malware to target macOS.

According to SentinelOne, the latest version is clearly going after gaming and cryptocurrency users, with a particular focus on that kind of data, something not described in detail before. The infostealer, also known as AMOS for short, was first described as macOS malware focused on cryptocurrencies, passwords, and important encrypted files.

Over its evolution, it has become capable of grabbing more information and targeting a wider range of operating systems. An advertisement of this kind directs the user to a site offering download options for several operating systems; both the Windows and Linux links deliver an MSIX installer that installs the NetSupport RAT.

According to a Malwarebytes report, clicking the macOS download link downloads Atomic Stealer, which then attempts to exfiltrate data stored in iCloud Keychain, browsers, and user files. Several security experts note that the new infostealer can evade Gatekeeper protections, and this comes amid a growing number of infostealer attacks targeting Mac OS X.

The criminals who buy the toolkit distribute it mainly through cracked software downloads, but they also impersonate legitimate websites and buy advertising on search engines such as Google to lure their victims. The attack attempts to bypass the Gatekeeper security mechanism in macOS so that the stolen data can be exfiltrated to a server under the attacker's control.

As Mac OS becomes an increasingly popular target for malware, a number of new data-stealing apps aimed at it have appeared for sale on crimeware forums over the past couple of months, taking advantage of the wide availability of Apple systems in organizations. When looking to download a new program, users are likely to turn to Google and search for the specific program they require.

Threat actors therefore buy ads matching well-known brands and trick victims into visiting their site under the false impression that it is the brand's official website. The downloaded file includes instructions on how to open it in a way that bypasses Gatekeeper, Apple's built-in security check.

Further, according to the researchers, the malware is embedded in ad-hoc signed applications, which means the signing certificates cannot be revoked because they are not Apple-issued certificates. The moment the victim runs the program, it sends the stolen data to the attacker's C2 servers.

Passwords, user information, wallets, cookies, keychains, and browser auto-fill data are among the things Atomic Stealer steals. As a precaution, Malwarebytes recommends that users verify that any program they run on an endpoint is properly signed before running it.

A further step is to scrutinize the website from which the program was downloaded, since the address may contain a subtle typo and the content of the site may itself reveal a scam.
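The "is it properly signed" check recommended above distinguishes an ad-hoc signature (which the article notes cannot be revoked) from a Developer ID signature with a team identifier. The script below is an added example, not code from Malwarebytes or the article; it assumes the field layout of `codesign -dvv` output (Signature=adhoc, Authority=..., TeamIdentifier=...) and uses constructed sample output.

```python
import subprocess
from typing import Dict, List


def classify_signature(codesign_output: str, exit_status: int) -> Dict[str, object]:
    """Classify `codesign -dvv` output (assumed field layout) for one app.

    status is one of: unsigned, adhoc, developer-id, other-signed.
    """
    if exit_status != 0 or "not signed at all" in codesign_output:
        return {"status": "unsigned", "team_id": None, "authorities": []}
    fields: Dict[str, str] = {}
    authorities: List[str] = []
    for line in codesign_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # informational lines without key=value
        if key == "Authority":
            authorities.append(value)  # certificate chain, leaf first
        else:
            fields[key] = value
    team_id = fields.get("TeamIdentifier")
    if team_id in (None, "not set"):
        team_id = None
    # Ad-hoc signatures carry no certificate chain; codesign reports
    # "Signature=adhoc" and sets the adhoc flag on the CodeDirectory.
    if fields.get("Signature") == "adhoc" or "(adhoc)" in fields.get("CodeDirectory", ""):
        status = "adhoc"
    elif team_id and any(a.startswith("Developer ID Application:") for a in authorities):
        status = "developer-id"
    else:
        status = "other-signed"
    return {"status": status, "team_id": team_id, "authorities": authorities}


def check_app(path: str) -> Dict[str, object]:
    """Run codesign on a macOS host and classify the result (codesign writes to stderr)."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return classify_signature(proc.stderr + proc.stdout, proc.returncode)


# Constructed sample output for an ad-hoc signed app (not real codesign output).
ADHOC_SAMPLE = """Executable=/Users/Shared/Example.app/Contents/MacOS/Example
Identifier=Example
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+3 location=embedded
Signature=adhoc
Info.plist entries=12
TeamIdentifier=not set
"""
```

A result of "adhoc" or "unsigned" for a download that claims to be a commercial product is the signal to stop and verify the source before opening it.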

There is increasing evidence that Google Ads are being used to push rogue installers at victims searching for popular software, whether legitimate or cracked. The bogus Google Ads are shown to users searching for software who are not necessarily obtaining it from legitimate sources.

A campaign targeting TradingView users was launched recently, featuring a fraudulent web page with a prominently displayed button for downloading the software for Windows, macOS, and Linux.

Aon's Stroz Friedberg Incident Response Services said last month that new versions of DarkGate have been used in attacks by threat actors employing tactics similar to those of the Scattered Spider cybercriminal group.