Showing posts with label Mac Malware.

Rustbucket Malware Targeting macOS Devices Silently

Rustbucket is a recently surfaced malware family targeting macOS. It infects Macs quietly, and it has drawn the attention of security professionals because its lure masquerades as a PDF viewer. This post covers how Rustbucket stays hidden, its likely origin, and the measures users should take to protect their Macs.

Rustbucket relies on covert delivery rather than on exploits: it arrives disguised as an innocuous PDF viewer, so the victim launches it and grants it access to the system themselves. Once running it keeps a low profile, gathering sensitive information and executing further malicious actions while avoiding attention from security software and from the user.

Researchers have linked Rustbucket to North Korean state-sponsored advanced persistent threat (APT) activity. Attribution is not yet definitive, but the resemblance to previously documented North Korean APT tooling is striking. That points to espionage rather than opportunistic crime, and it argues for heightened vigilance around macOS security.

The risk to macOS users is real. Once installed, Rustbucket can stage additional malicious actions, undermine user privacy, and expose sensitive data, and because it infiltrates quietly it can sit on a system for a long time before anyone notices, growing harder to locate and remove.

Protective Measures:
  • Keep software up to date: regularly updating the operating system and applications closes the known vulnerabilities that malware exploits.
  • Exercise caution with email attachments: be wary of attachments from unknown or suspicious senders, and verify both the attachment and the sender before opening anything. A document that can only be read with a "viewer" the sender supplies is itself a red flag, and that is exactly the lure Rustbucket uses.
  • Employ robust security software: install reputable anti-malware software built for macOS, keep it updated, and scan regularly to detect and remove threats.
  • Practice safe browsing habits: be careful on unfamiliar websites and when downloading files; stick to trusted sources and think twice before installing third-party plugins or applications when prompted.
For macOS users, Rustbucket is a serious risk precisely because it infiltrates quietly while posing as a helpful PDF viewer. Its likely ties to North Korean APT activity raise the stakes from data theft to espionage. Staying watchful, keeping software current, and running strong security controls remain the best defence against Rustbucket and threats like it.




Mac Coinminer Employs a Novel Approach to Mask Its Traffic

A Mac coinminer has been found repurposing customizable open-source software for its malicious activity. The sample bundles several open-source components that the actor modified to suit their needs, and it hides its network traffic with i2pd (I2P Daemon), a C++ client for the Invisible Internet Project (I2P). I2P is an anonymous overlay network that provides end-to-end encrypted communication without revealing the participants' real IP addresses, which makes the miner's traffic hard to attribute or block at the network edge.

The main sample, detected as Coinminer.MacOS.MALXMR.H, is a Mach-O file that numerous vendors also flag because it contains XMRig-related strings that tools such as YARA can match. XMRig is a legitimate open-source Monero miner, and its ready availability is why so much malware bundles it to do the actual mining.

The primary Mach-O sample is ad hoc-signed, that is, signed without a Developer ID certificate. Gatekeeper, the built-in macOS mechanism that enforces code-signing policy for downloaded software, refuses to launch such a binary by default, so a victim has to deliberately bypass the check for it to run.

The Mach-O sample is believed to have arrived in a DMG (Apple's disk-image format, commonly used to distribute installers) posing as Adobe Photoshop CC 2019 v20.0.6. The parent DMG itself could not be located; the conclusion rests on code in one of the dropped files that tries to create a file under a /Volumes path that does not exist on the analysis system. When a DMG is double-clicked on macOS it is mounted automatically under /Volumes, so that path is where the image's contents would have been.

Several embedded Mach-O files were found inside the core sample (detected as Coinminer.MacOS.MALXMR.H). When run, it calls the macOS authorization API to elevate privileges, which prompts the user to authenticate. The sample drops the following files, all named to look like Adobe components:
  • /tmp/lauth
  • /usr/local/bin/com.adobe.acc.localhost
  • /usr/local/bin/com.adobe.acc.network
  • /usr/local/bin/com.adobe.acc.installer.v1

According to Trend Micro, the lauth file handles persistence: it is the Mach-O that writes the malware's launchd item, /Library/LaunchDaemons/com.adobe.acc.installer.v1.plist, named to match one of the dropped binaries so that it blends in with legitimate Adobe components.
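A persistence item like the one above is easy to spot once you know what to look for: a LaunchDaemon whose program lives in a temp or user-writable directory, or whose vendor-style label does not match where a genuine vendor would install. The script below is an added example of that check, not code from Trend Micro's write-up or from the malware; the plist contents are constructed to mirror the dropped file names in the post, and the "suspicious" path prefixes and helper names are my own choices rather than a published standard.

```python
"""Audit launchd property lists for the persistence pattern described above.

Added example, not code from the Trend Micro write-up or from the malware.
The plist contents below are constructed to mirror the dropped file names in
the post; the suspicious-prefix list and function names are my own choices.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Directories launchd scans for persistence items (real macOS locations).
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                "~/Library/LaunchAgents"]

# A root daemon that runs from tmp, a user-writable bin directory or a home
# directory is unusual enough to deserve a look.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                       "/usr/local/bin/", "/Users/")

# Where genuine Adobe components live; a com.adobe.* label pointing elsewhere
# is the masquerade seen in this sample.
ADOBE_PREFIXES = ("/Applications/Adobe", "/Library/Application Support/Adobe")


def program_path(plist: dict) -> Optional[str]:
    """Executable a launchd item runs: 'Program' wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_launchd_item(plist_bytes: bytes) -> List[str]:
    """Return findings for one plist; an empty list means nothing looked odd."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # InvalidFileException or XML parse errors
        return [f"unparseable plist: {exc}"]
    label = str(plist.get("Label", "<no label>"))
    path = program_path(plist)
    if path is None:
        return [f"{label}: no Program/ProgramArguments"]
    findings = []
    if path.startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"{label}: runs from writable/temp location {path}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{label}: RunAtLoad+KeepAlive, restarted if killed")
    if label.startswith("com.adobe.") and not path.startswith(ADOBE_PREFIXES):
        findings.append(f"{label}: Adobe-style label but binary at {path}")
    return findings


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Run audit_launchd_item over every .plist in one launchd directory."""
    results = {}
    for plist_file in Path(directory).expanduser().glob("*.plist"):
        findings = audit_launchd_item(plist_file.read_bytes())
        if findings:
            results[str(plist_file)] = findings
    return results


# Constructed samples (not the real file contents).
SAMPLE_MALICIOUS = plistlib.dumps({
    "Label": "com.adobe.acc.installer.v1",
    "ProgramArguments": ["/usr/local/bin/com.adobe.acc.installer.v1"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "org.example.backupd",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backupd", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_launchd_item(sample) or ["clean"])
    for directory in LAUNCHD_DIRS:  # real scan, only meaningful on a Mac
        for path, findings in audit_directory(directory).items():
            print(path, findings)
```

Run it on a Mac as an administrator to cover /Library/LaunchDaemons; on any other system only the constructed samples are evaluated. The path heuristics produce false positives for some legitimately installed tools (Homebrew services also live under /usr/local/bin), so treat a hit as a prompt to check the binary's code signature and origin, not as a verdict.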

"The file is an XMRig command-line app which has been modified. When launching the app, enter help or version in the variables to see what it's about. The help argument displays a list and overview of the parameters which can be utilized, whereas the version parameter reveals the version of the XMRig binary," according to the experts.

Keep software up to date and stay aware of current threats. Avoid downloading applications from untrustworthy sites, and in particular treat "cracked" copies of commercial software such as Photoshop as what they usually are: a delivery vehicle for exactly this kind of malware.

New Mac Malware Samples Highlight the Growing Risk

Despite Apple's best efforts, Mac malware exists, although it is worth keeping in mind that it remains far less common in the wild than Windows malware. Apple has several safeguards against it. For example, under System Preferences > Security & Privacy > General, macOS by default allows only applications from the App Store or from identified developers. Installing something from an unidentified developer triggers a warning that the user has to deliberately override.

Apple also ships its own built-in anti-malware scanner, XProtect, whose signature definitions are stored on the Mac and checked whenever a newly downloaded app is opened. It works alongside Gatekeeper, which verifies that a downloaded app is signed (and, on recent versions, notarized) by an identified developer and that it has not been modified since it was signed.

For the sixth year in a row, security researcher Patrick Wardle has compiled a list of the new Mac malware discovered during the previous year. His 2021 list:
  1. ElectroRAT, a cross-platform remote access trojan that first appeared in January.
  2. Silver Sparrow, a malware family notable for shipping a native build for Apple's M1 chip.
  3. XLoader, a cross-platform password stealer, identified as a rebuilt version of the well-known Formbook information stealer.
  4. MacMa (OSX.CDDS), a backdoor uncovered during analysis of watering-hole attacks on visitors to the Hong Kong websites of a media outlet and a pro-democracy organization. To install it, the attackers used a zero-day privilege-escalation vulnerability (CVE-2021-30869) in macOS Catalina.
  5. XcodeSpy, a data-stealing tool that spread through a trojanized Xcode project and installed a variant of the EggShell backdoor on developers' Macs.
  6. ElectrumStealer, a cryptocurrency-stealing tool that Apple's automated notarization process inadvertently approved.
  7. WildPressure, a cross-platform Python backdoor that Kaspersky found targeting industrial companies in the Middle East.
  8. ZuRu, a data-stealing tool that spread via sponsored search results on Baidu and installed Cobalt Strike on victims' machines.
Willy Leichter, CMO of LogicHub, summed up the year's most dangerous Mac threats as remote access trojans like ElectroRAT, cryptominers like OSAMiner, adware loaders like Silver Sparrow, information stealers like XLoader and MacMa, and cross-platform Trojans like WildPressure.

New Mac Malware Tricks Users by Posing as a Legitimate macOS Tool

A Chinese cybersecurity researcher has discovered a new strain of malware that spreads through "poisoned" search-engine results. The malware, dubbed OSX.ZuRu, poses as the legitimate macOS terminal emulator iTerm2. For now the attackers target only users of the Chinese search engine Baidu, but it would not be surprising if they broadened the campaign before long.

The trojanized iTerm2 is distributed from sites that mimic the real iTerm2 website. Mac users who try to install iTerm2 from the fake site are redirected to a third-party hosting service that serves a file named iTerm.dmg. On screen everything looks normal; the only visible red flag is the slightly different domain name, which most people would not notice.

Users who open the suspicious iTerm.dmg and install the app get a working copy of iTerm2. It passes the Gatekeeper check because it is signed with an Apple developer certificate, and at the time no antivirus engine flagged it as malicious. This is the caveat with code signing: a valid signature proves who signed the app, not that it is benign.

The malware's first job is to contact a remote web application and send data about the victim, principally the device's serial number. It then opens a second connection to a malicious web server, which is the dangerous part: that server can deliver a long list of payloads, and the downloads typically carry the names of legitimate apps and services, for example "Google Update".

One payload is a script that exfiltrates data from the infected system: the keychain, the hosts file, bash history, folder listings and so on. The other is a copy of the Cobalt Strike Beacon, the implant from a commercial red-team framework that attackers routinely abuse for remote control of compromised machines.

How to eliminate malware infections?

Security experts consistently recommend downloading apps only from official, verified sources, and activating and updating them only through the mechanisms the legitimate developer provides. Do not open suspicious emails, and especially not the attachments or links inside them.

It is essential to have reliable, up-to-date anti-malware software installed and to use it for regular scans. If you suspect your Mac is already infected, run a full scan with a reputable macOS anti-malware product (the original post recommends Combo Cleaner Antivirus for macOS) to remove the infection.

Apple Isn't Happy About the Amount of Mac Malware

During testimony defending Apple in its lawsuit with Fortnite developer Epic Games, a top Apple executive said that Mac malware has now surpassed the level Apple finds acceptable, and framed safety as the justification for keeping iPhones locked to the App Store. That, he argued, is why Apple must keep the iPhone, iPad and its other mobile products behind the App Store's walled garden.

Craig Federighi, Apple's head of software engineering, told a California court that the existing levels of malware were "unacceptable." "Today, we have a level of malware on the Mac that we don't find acceptable," he stated in response to questions from Apple's lawyers, as ZDNet sister site CNET reports. 

Apple is defending its practices after Epic Games sued it in the United States, following Apple's removal of Epic's Fortnite game from the App Store when Epic introduced a direct payment scheme for in-game currency that bypassed Apple's 30% commission. Epic argues that Apple is too restrictive.

The Apple-Epic trial began on May 3. Phil Schiller, the Apple Fellow who oversees the App Store, testified the day before that the App Store has always prioritized security and privacy. According to Federighi, 130 distinct types of Mac malware had been identified since the previous May, one of which infected 300,000 systems. iOS devices can install applications only from Apple's App Store, whereas Macs can install software from anywhere on the internet.

Malwarebytes, a US security company that sells Mac antivirus, has reported that Mac threats per endpoint already outpace Windows threats, while noting that the Mac threats, which are mostly adware, are less harmful than Windows malware. Federighi compared the Mac to a car, while iOS, he said, was designed with the safety of children in mind, as 9to5Mac reports.

"The Mac is a car. You can take it off-road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he stated.

Federighi also said that things would change significantly if Apple allowed iOS users to sideload applications.

Apple pushes out silent update for Mac users to remove Zoom web server

Earlier this week, US-based security researcher Jonathan Leitschuh publicly disclosed a serious vulnerability in the Zoom video-conferencing client for Apple's Mac computers: any website could force a visitor's Mac to join a Zoom call with the webcam switched on. Now, according to a report by TechCrunch, Apple has pushed a silent macOS update that removes Zoom's local web server.

As per the report, Apple confirmed that the update has been released; it installs automatically and requires no interaction from the user. Its sole purpose is to remove the local web server that the Zoom app installed, and Apple said it pushed the update to protect users from the risk posed by that exposed server.

According to Leitschuh's disclosure, even when Mac users uninstall the Zoom app, the web server persists and can reinstall Zoom without the user's permission.

In a statement to The Verge and ZDNet, Zoom said it built the local web server to spare Mac users extra clicks after Apple changed Safari so that users must confirm they want to launch Zoom every time. Zoom also said it would change the app to remember the user's and administrator's preference for whether video is on when first joining a call.

However, Apple took it upon itself to protect its users from the vulnerability. The silent update was all the more necessary because the local web server Zoom installed could reinstall the app even after the user had removed it, so uninstalling Zoom alone did not remove the exposure.
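For anyone who wants to verify the state of their own Mac rather than trust a silent update, the script below is an added example of the check and the manual fix; it is neither Apple's update nor Zoom's code. Two facts it relies on come from Leitschuh's public disclosure rather than from this post: the daemon lived in a hidden ~/.zoomus directory and listened on TCP port 19421 on localhost. The "plug" trick, leaving a zero-permission plain file where the directory was so the Zoom client cannot recreate it, was the workaround he recommended at the time.

```python
"""Check for, and neutralise, the leftover Zoom local web server on a Mac.

Added example; not Apple's silent update and not Zoom's code. The directory
name and port come from Leitschuh's disclosure, not from the post above.
"""
import os
import shutil
import socket
import stat
from pathlib import Path

ZOOM_PORT = 19421          # localhost port of the hidden web server (from the disclosure)
ZOOM_DIR_NAME = ".zoomus"  # hidden directory holding the daemon (from the disclosure)


def zoom_dir(home: str) -> Path:
    return Path(home) / ZOOM_DIR_NAME


def server_installed(home: str) -> bool:
    """True if the hidden daemon directory still exists; it survives uninstalling Zoom."""
    return zoom_dir(home).is_dir()


def server_listening(host: str = "127.0.0.1", port: int = ZOOM_PORT,
                     timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on the Zoom port, i.e. a live daemon."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def neutralise(home: str) -> str:
    """Delete ~/.zoomus and leave an unwritable plain file in its place, so the
    Zoom client cannot silently recreate the daemon directory later.
    Returns 'plugged' or 'already-plugged'."""
    target = zoom_dir(home)
    if target.is_dir():
        shutil.rmtree(target)
    elif target.exists():
        return "already-plugged"
    target.touch()
    os.chmod(target, 0)  # mode 000: nothing can be written to or executed from it
    return "plugged"


def is_plugged(home: str) -> bool:
    """The placeholder file is present and carries no permission bits."""
    target = zoom_dir(home)
    return target.is_file() and stat.S_IMODE(target.stat().st_mode) == 0


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print("daemon directory present:", server_installed(home))
    print(f"port {ZOOM_PORT} accepting connections:", server_listening())
    if server_installed(home):
        print(neutralise(home))
```

Kill the running daemon process before plugging the directory (the disclosure names it ZoomOpener), otherwise the port check will keep reporting a listener until the next reboot. On a machine that has received Apple's update, both checks should already come back negative.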

CookieMiner: Steals Passwords From Cookies, Chrome And iPhone Texts!



A new piece of Mac malware, CookieMiner, is circulating. It harvests passwords saved in Chrome, iPhone text messages backed up to the Mac, and the browser cookies that keep users logged in to cryptocurrency sites.

A global cybersecurity firm recently uncovered the malware, which gorges on saved user credentials such as usernames and passwords.

It mainly targets passwords saved in Google Chrome, credit-card details saved in Chrome, and iPhone text messages backed up to the Mac through iTunes.

Reportedly, the malware grabs the browser cookies associated with the major cryptocurrency exchanges and wallet-service websites the user has visited.

The presumed motive is to bypass multi-factor authentication on those sites.

With that main security hurdle dodged, the criminal behind the attack is free to log in to the victim's exchange account or wallet and drain the funds in it.

Web cookies are small pieces of data that a web server sets in the browser when a user signs in; the browser stores them and sends them back with every later request, so the session cookie is effectively proof that the login already happened.

Stealing those cookies therefore amounts to stealing the user's authenticated session.

Cookie theft is the easiest way to dodge login anomaly detection. If a username and password alone are used from an unfamiliar machine, alarms may go off and another authentication request may be sent.

But if the username and password are used together with the stolen cookie, the session looks entirely legitimate and no alert is raised.

Most major wallet and cryptocurrency exchange websites use multi-factor authentication.

CookieMiner simply tries combinations of the stolen credentials and cookies until one slides past the authentication process.
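The passage above describes the attack from the thief's side; the corresponding defence, for anyone running a site that holds funds, is not to treat the cookie alone as proof of identity. The following is an added example of server-side session binding; it is not CookieMiner's code and not any exchange's real logic. When a session is minted the server records the network and browser it was issued to, and a later request presenting the same cookie from a different context is forced through step-up (MFA) again instead of being waved through. Names, the /24 and /64 granularity, and the sample requests are constructed for the example.

```python
"""Server-side session binding: a defence against the cookie replay described above.

Added example; not CookieMiner's code and not any exchange's real logic.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class SessionContext:
    user: str
    network: str          # the /24 (IPv4) or /64 (IPv6) the cookie was issued to
    ua_fingerprint: str   # hash of the User-Agent seen at login
    mfa_verified: bool    # cleared whenever the context changes


def network_of(ip: str) -> str:
    """Coarsen an address so ordinary DHCP churn does not trigger step-up."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def fingerprint_ua(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]


class SessionStore:
    """In-memory store keyed by an opaque session id (a real site would use a DB)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionContext] = {}

    def create(self, user: str, ip: str, user_agent: str) -> str:
        """Called after password + MFA succeed; returns the cookie value to set."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = SessionContext(user, network_of(ip),
                                             fingerprint_ua(user_agent), True)
        return sid

    def check(self, sid: str, ip: str, user_agent: str) -> str:
        """'ok', 'step-up' (cookie is valid but its context changed) or 'invalid'."""
        ctx = self._sessions.get(sid)
        if ctx is None:
            return "invalid"
        same_net = ctx.network == network_of(ip)
        same_ua = hmac.compare_digest(ctx.ua_fingerprint, fingerprint_ua(user_agent))
        if same_net and same_ua and ctx.mfa_verified:
            return "ok"
        # Either a replayed cookie or a genuinely roaming user: either way, require
        # MFA again before anything sensitive (a withdrawal, a password change).
        ctx.mfa_verified = False
        return "step-up"

    def complete_step_up(self, sid: str, ip: str, user_agent: str) -> None:
        """After a fresh MFA success, rebind the session to the new context."""
        ctx = self._sessions[sid]
        ctx.network = network_of(ip)
        ctx.ua_fingerprint = fingerprint_ua(user_agent)
        ctx.mfa_verified = True


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (Macintosh) Safari"
    cookie = store.create("alice", "203.0.113.10", ua)   # victim logs in at home
    print(store.check(cookie, "203.0.113.55", ua))       # same /24: ok
    print(store.check(cookie, "198.51.100.7", ua))       # cookie replayed elsewhere: step-up
```

The trade-off is deliberate: a legitimate user who switches networks also gets an MFA prompt, which is a small cost next to letting a stolen cookie empty an account. Note that this only raises the bar; a stealer that also captures SMS codes, as the post says CookieMiner tries to, attacks the step-up itself, which is an argument for hardware-backed second factors on high-value accounts.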

For a criminal, an opportunity like that is a gold mine.

In addition to Google Chrome, Apple's Safari is also openly targeted; the choice of browser target evidently follows each browser's popularity.

The malware carries an extra payload as well: it also downloads a coinminer onto the affected system, which is where the name comes from.

New Mac OS X Botnet uses Reddit's Search function to get CNC servers list


Security researchers at the Russian antivirus company Dr.Web have published details of a new botnet that targets Mac OS X.

What makes this malware interesting is that it uses Reddit's search function to obtain its command-and-control (C&C) server list from comments posted in a 'Mine Craft Server Lists' subreddit.

The malware computes the MD5 hash of the current date and uses the first 8 bytes of that hash as its Reddit search query; the matching comments contain the server IPs and port numbers. Because the query is derived deterministically from the date, anyone who knows the scheme can predict what the bots will search for on any given day.
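The following is an added example that reproduces the query scheme just described and shows the defender's use of it; it is not Dr.Web's analysis code and not the bot's own. The post says the query is the first 8 bytes of the MD5 of the current date but does not give the date string format the bot hashes, so DATE_FORMAT below is an assumption, and the sample comment text is constructed to look like a server-list post.

```python
"""Reproduce the date-derived Reddit search query described for iWorm, and what
a defender can do with it.

Added example; not Dr.Web's code and not the bot's own. DATE_FORMAT is an
assumption (the page does not give it); SAMPLE_COMMENT is constructed.
"""
import hashlib
import ipaddress
import re
from datetime import date, timedelta
from typing import Dict, List, Tuple

DATE_FORMAT = "%d/%m/%Y"            # ASSUMPTION: the date string the bot hashes
SUBREDDIT = "minecraftserverlists"  # the "Mine Craft Server Lists" subreddit from the post


def daily_query(day: date, fmt: str = DATE_FORMAT) -> str:
    """First 8 bytes of MD5(date), rendered as the 16 hex characters searched for."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def upcoming_queries(start: date, days: int = 7) -> Dict[str, str]:
    """The scheme is deterministic, so defenders can pre-compute the queries for
    the coming days and watch (or sinkhole) the subreddit before the bots look."""
    return {(start + timedelta(n)).isoformat(): daily_query(start + timedelta(n))
            for n in range(days)}


_ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def parse_endpoints(comment: str) -> List[Tuple[str, int]]:
    """Pull (ip, port) pairs out of a comment, dropping invalid IPs and ports."""
    found = []
    for ip, port in _ENDPOINT.findall(comment):
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        port_num = int(port)
        if 0 < port_num < 65536:
            found.append((ip, port_num))
    return found


# Constructed comment in the style of a server-list post; IPs are documentation ranges.
SAMPLE_COMMENT = ("great pvp servers: 192.0.2.10:3001 198.51.100.20:4444 "
                  "999.1.1.1:80 203.0.113.5:70000")

if __name__ == "__main__":
    today = date.today()
    print(f"today's r/{SUBREDDIT} query:", daily_query(today))
    print("next week:", upcoming_queries(today))
    print("endpoints in sample comment:", parse_endpoints(SAMPLE_COMMENT))
```

With the date format confirmed from a sample, the same `upcoming_queries` output doubles as a detection signature: a client searching Reddit for a 16-character hex string that matches tomorrow's value is almost certainly a bot.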

The malware, dubbed 'iWorm', has reportedly infected more than 17,000 Macs, 4,610 of them in the US.

The Reddit account used by the criminals appears to have been removed. That will not stop them controlling the botnet for long, though: they can simply create a new account or switch to another online service as the dead drop.

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan horse targeting Apple Mac OS X spies on users' web traffic and attempts to steal Bitcoins. SecureMac says the malware, referred to as "OSX/CoinThief.A", has been found in the wild, and several users have reported their Bitcoins stolen.

The malware was hosted on GitHub under the name "StealthBit", disguised as an app for sending and receiving payments to Bitcoin stealth addresses. A link to the project was also posted on Reddit, encouraging users to download the app, and it was upvoted by about 100 people.

The project offered source code as well as a precompiled binary. Researchers found that the binary did not match what compiling the source produced, so anyone who installed the precompiled version is likely infected. This is the classic supply-chain lesson: a published source tree says nothing about a binary unless you build from the source yourself, or at least compare the release's hash against your own build.

One Reddit user reported that 20 Bitcoins (worth around $10,000 at the time) were stolen by the malicious app.

"I foolishly installed 'StealthBit' Anyone else find this to be a virus? The Post is still online.. I found 1 comment suggesting the possibility. https://pay.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/" The user posted in the reddit.

When the app runs for the first time, it installs browser extensions for Safari and Google Chrome and keeps a program running in the background that watches for Bitcoin wallet login credentials. The malware then exfiltrates the stolen Bitcoin credentials along with the username and a unique identifier of the infected Mac.

At the time of writing, the malicious project has been removed from GitHub.

This is not the first time Mac users have been fooled by such malicious apps. One user described being scammed by a similar app called "Bitvanity", also hosted on GitHub, which stole 20 BTC from his account.

The same user pointed out an interesting connection between the two projects: "StealthBit" was hosted by "Thomas Revor" and "Bitvanity" by "Trevorscool".

New Mac Malware 'Janicab' abuses RLO character to hide real extension

A new Mac malware spotted by F-Secure researchers can continuously take screenshots, record audio, and upload both to a remote server.

What is interesting about this Mac malware is that it abuses the Right-to-Left Override (RLO) character to hide its real extension. The method is not new on Windows, where Bredolab and other trojans have used it.

The RLO character (U+202E) exists to support languages written right to left, such as Arabic and Hebrew; any text that follows it is displayed in reverse order.

The sample analyzed by F-Secure uses the displayed name "RecentNews.ppa.pdf" for its malicious file. Judging by the visible extension you would think it is a PDF, but the name on disk is "RecentNews." followed by the RLO character and "fdp.app", so what you are actually opening is an executable .app bundle.

Because of the RLO character in the file name, OS X's usual File Quarantine prompt is rendered partly backwards as well.

[Image: the File Quarantine notification for the RLO-named file. Image credit: F-Secure]

Instead of the normal "RecentNews.fdp.app" is an application downloaded from the Internet. Are you sure you want to open it?", the dialog text comes out scrambled, reading roughly: "RecentNews. Are you sure you want to open fdp " is an application downloaded it" from Internet."
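Bidi override characters have no legitimate business in a file name, which makes this trick easy to detect mechanically. The following is an added example of that check, not F-Secure's detection logic. The sample name is constructed to match the trick described above (on disk: "RecentNews." + U+202E + "fdp.app"), and the rendering function is a deliberately minimal model of one override with no terminator, enough to show why the user sees "RecentNews.ppa.pdf"; real bidi layout follows UAX #9 and is more involved.

```python
"""Detect file names that use Unicode bidi-override characters to hide the real
extension, and show what the user would see versus what the OS will execute.

Added example; not F-Secure's code. SAMPLE_NAME is constructed; as_displayed()
is a toy model of bidi rendering (single override, no terminator).
"""
import unicodedata
from pathlib import PurePosixPath
from typing import List

# Characters that change display order or direction; none belong in a file name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
RLO = "\u202e"


def bidi_controls_in(name: str) -> List[str]:
    """Unicode names of every bidi control present (empty list = clean)."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """The extension the OS acts on, ignoring any override characters."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return PurePosixPath(cleaned).suffix.lower()


def as_displayed(name: str) -> str:
    """Toy model of what a user sees: everything after an RLO is drawn reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def verdict(name: str) -> str:
    """One-line assessment suitable for a mail gateway or download scanner log."""
    controls = bidi_controls_in(name)
    if not controls:
        return "clean"
    return (f"suspicious: {', '.join(controls)}; displays as {as_displayed(name)!r}, "
            f"real extension {true_extension(name)!r}")


# Constructed to mirror the Janicab lure described above.
SAMPLE_NAME = "RecentNews." + RLO + "fdp.app"

if __name__ == "__main__":
    print(verdict(SAMPLE_NAME))
    print(verdict("RecentNews.pdf"))
```

The practical rule that falls out of this: a scanner should strip or reject names containing any of these code points at the point of download or delivery, and should decide what a file is from its true extension and contents, never from how the name renders.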

Once launched, the malware displays a decoy document while it silently installs its malicious code on the victim's computer.

According to F-Secure's malware report, the threat is written in Python, packaged with py2app for distribution, and signed with an Apple Developer ID, which means Gatekeeper on its default setting would not have blocked it.

Python-based malware exploits Java vulnerability, targets Mac & Windows


Sophos researchers have identified new malware that targets both Mac and Windows computers by exploiting the same notorious Java vulnerability that let the Flashback botnet take over 600,000 Macs.

When a user visits a compromised web page, the Java exploit downloads the malware onto their computer with no further interaction.

Depending on the operating system, it downloads different malicious files. Sophos detects the file downloaded on Windows as Mal/Cleaman-B and the one downloaded on Mac OS X as OSX/FlsplyDp-A.

Once on the system, it fetches further malicious code: the Troj/FlsplyBD-A backdoor Trojan on Windows, and on Mac OS X a Python script called update.py that is decrypted and extracted from install_flash_player.py.

"This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge." Researcher said.


Security Tips:
  • Still running an unpatched version of Java? Update it now, before you fall victim to this infection.
  • Not only Java: keep all software up to date.
  • If you do not need Java in the browser, disable the browser plug-in altogether; a plug-in that never loads cannot be exploited by a drive-by page.
  • Install a security solution.

600,000+ Mac computers are infected with BackDoor.Flashback botnet


Research by the Russian antivirus firm Dr.Web determined that more than 600,000 Macs are infected with the BackDoor.Flashback botnet, most of them in the US and Canada.

On April 2, F-Secure spotted a new Flashback variant exploiting CVE-2012-0507, a Java vulnerability that Oracle had patched in February for the platforms it ships Java on; Apple maintained its own Java build for OS X, so Macs stayed exposed. On April 3, Apple issued a patch for the six-week-old flaw with its Java update (Java 6 update 31). Unfortunately, the malware was already spreading in the wild.

The exploit drops an executable on the victim's machine; that file then downloads the malicious payload from a remote server and launches it.

Security experts recommend that Mac users install the security update Apple released (support.apple.com/kb/HT5228) to keep their systems from being infected by BackDoor.Flashback.39.

Flashback Mac Trojan exploits Java vulnerability or uses Social Engineering Attack

Security firm Intego is warning about a new version of the Flashback Trojan that aims to steal victims' online-banking details.

This new Trojan tries to exploit one of two Java vulnerabilities to infect the Mac. If those vulnerabilities are patched and the system has an up-to-date Java, it falls back to tricking the user into accepting a fake digital certificate, a plain social-engineering attack.

To avoid detection, Flashback.G will not install if VirusBarrier X6 or a number of other security programs are present on the Mac. The malware authors evidently prefer to skip machines where they might be detected and focus on the many that are unprotected.

"Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension. "Intego wrote on its security blog.

The goal appears to be stealing usernames and passwords for high-value sites such as bank websites, PayPal and others. Intego notes that the code injected into running applications makes them unstable and often causes crashes, which for a user may be the only visible symptom of the infection.
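Intego's description gives two things a defender can look for: the hidden .so in /Users/Shared, and the injection into network-facing applications. The script below is an added example of that audit, not Intego's or Apple's tooling. One fact it relies on is not on this page: Flashback variants achieved their injection by setting DYLD_INSERT_LIBRARIES, either in a browser's Info.plist under LSEnvironment or in the per-user ~/.MacOSX/environment.plist, which is what F-Secure's published Flashback removal instructions had users check. The plist contents and the library file name below are constructed.

```python
"""Look for the two footprints of a library-injection implant of this kind on a Mac:
DYLD_INSERT_LIBRARIES set in an app's Info.plist (LSEnvironment) or in
~/.MacOSX/environment.plist, and hidden .so files in /Users/Shared.

Added example; not Intego's or Apple's tooling. The DYLD_INSERT_LIBRARIES vector
comes from F-Secure's Flashback removal guidance, not from this page. Sample plist
contents and the '.libgmalloc.so' name are constructed.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

BROWSER_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    "/Applications/Google Chrome.app/Contents/Info.plist",
]
USER_ENV_PLIST = "~/.MacOSX/environment.plist"
SHARED_DIR = "/Users/Shared"


def injected_libraries(plist_bytes: bytes) -> List[str]:
    """Library paths named by DYLD_INSERT_LIBRARIES, whether nested under
    LSEnvironment (Info.plist) or at top level (environment.plist)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return []
    env = plist.get("LSEnvironment", plist)
    value = env.get("DYLD_INSERT_LIBRARIES") if isinstance(env, dict) else None
    if not value:
        return []
    return [p for p in str(value).split(":") if p]  # dyld takes a colon-separated list


def hidden_shared_objects(shared_dir: str = SHARED_DIR) -> List[str]:
    """Hidden (dot-prefixed) .so files in /Users/Shared, as Intego describes."""
    root = Path(shared_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.iterdir()
                  if p.name.startswith(".") and p.suffix == ".so")


def audit(plist_paths=BROWSER_PLISTS + [USER_ENV_PLIST]) -> Dict[str, List[str]]:
    """Map of location -> injected library paths / hidden .so files found."""
    findings: Dict[str, List[str]] = {}
    for p in plist_paths:
        f = Path(p).expanduser()
        if f.is_file():
            libs = injected_libraries(f.read_bytes())
            if libs:
                findings[str(f)] = libs
    shared = hidden_shared_objects()
    if shared:
        findings[SHARED_DIR] = shared
    return findings


# Constructed samples, not real file contents.
SAMPLE_INFECTED_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.libgmalloc.so"},
})
SAMPLE_CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
SAMPLE_ENV_PLIST = plistlib.dumps({
    "DYLD_INSERT_LIBRARIES": "/Users/Shared/.a.so:/Users/Shared/.b.so",
})

if __name__ == "__main__":
    print("sample infected Info.plist:", injected_libraries(SAMPLE_INFECTED_INFO))
    print("sample clean Info.plist:", injected_libraries(SAMPLE_CLEAN_INFO))
    print("live audit:", audit() or "nothing found")
```

Any DYLD_INSERT_LIBRARIES entry in a browser's Info.plist is a finding on its own, because Apple does not ship Safari that way and editing the bundle also breaks its code signature; that signature break is a second, independent check worth running on the same machine.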

Security Tips:
  • Update Java to the latest version.
  • Intego says many Macs are being infected through the social-engineering trick: a bogus certificate purporting to be signed by Apple (shown in the screenshot accompanying Intego's post). If you see it, do not trust it; cancel the process.
  • Install Intego VirusBarrier X6, which detects all variants of this Trojan.