Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label MacOS Malware. Show all posts

Cryptocurrency Engineers Targeted by New macOS Malware 'KandyKorn'

 

A newly identified macOS malware called 'KandyKorn' has been discovered in a cyber campaign linked to the North Korean hacking group Lazarus. The targets of this attack are blockchain engineers associated with a cryptocurrency exchange platform.

The attackers are using Discord channels to pose as members of the cryptocurrency community and distribute Python-based modules. These modules initiate a complex KandyKorn infection process.

Elastic Security, the organization that uncovered the attack, has linked it to Lazarus based on similarities with their previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom detection methods for Lazarus activity. 

The attack starts with social engineering on Discord, where victims are tricked into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip.' This archive contains a Python script ('Main.py') that imports 13 modules, triggering the first payload, 'Watcher.py.' 

Watcher.py downloads and executes another Python script called 'testSpeed.py' and a file named 'FinderTools' from a Google Drive URL. FinderTools then fetches and runs an obfuscated binary named 'SugarLoader,' which appears as both .sld and .log Mach-O executables.

SugarLoader establishes a connection with a command and control server to load the final payload, KandyKorn, into memory.

In the final stage, a loader known as HLoader is used. It impersonates Discord and employs macOS binary code-signing techniques seen in previous Lazarus campaigns. HLoader ensures persistence for SugarLoader by manipulating the real Discord app on the compromised system.

KandyKorn serves as the advanced final-stage payload, allowing Lazarus to access and steal data from the infected computer. It operates discreetly in the background, awaiting commands from the command and control server, and takes steps to minimize its trace on the system.

KandyKorn supports a range of commands, including terminating processes, gathering system information, listing directory contents, uploading and exfiltrating files, securely deleting files, and executing system commands, among others.

The Lazarus group primarily targets the cryptocurrency sector for financial gain, rather than engaging in espionage. The presence of KandyKorn highlights that macOS systems are also vulnerable to Lazarus' attacks, showcasing the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

Russian Antivirus Company Dr.Web Found New Malware Targeting MacOS


Specialists of the Russian company Dr Web found malicious software that threatens the MacOS operating system, which allows attackers to download and execute any Python code on the user's device. In addition, sites distributing this malware also infected Windows users with a dangerous spyware Trojan.

According to the employees of the company Dr Web, a new threat was discovered by their experts on April 29. This malware is called Mac.BackDoor.Siggen.20 and it's BackDoor that allows you to download malicious code from a remote server and execute it.

According to experts, the attackers will be able to gain unauthorized remote access to the computer system. They explained that it runs in the background and is hidden from the user. It is said that it is difficult to detect this malware.

Mac.BackDoor.Siggen.20 gets to devices through sites owned by its developers. One such resource is designed as a business card site with a portfolio of a non-existent person, and the second is disguised as a page with the WhatsApp application.

The Press Service of the company said that BackDoor or Trojan is loaded on the device depending on the operating system. If a visitor uses Mac OS, his device is infected with Mac.BackDoor.Siggen.20, and BackDoor.Wirenet.517 (NetWire) is loaded on Windows devices. NetWire is a long-known RAT Trojan by which hackers can remotely control the victim's computer, including the use of a camera and microphone on the device. In addition, the distributed RAT Trojan has a valid digital signature.

According to web specialists, about 300 visitors with unique IP addresses opened the site distributing Mac.BackDoor.Siggen.20 under the guise of Whatsapp application. The dangerous resource works since April 29 and has not yet been used by hackers in large-scale campaigns. Nevertheless, programmers recommend updating the antivirus in time, not to open suspicious business cards and distributing.