As 2018 starts to wind down, we take a look at how the macOS security situation has unfolded throughout the year.Clean, protect and speed up your Mac with the new CleanMyMac X. We test the top contenders to identify those offering the best Mac. Despite what you may have heard, your Apple computer is not immune to malware. The Best Mac Antivirus Protection for 2021. Alertus Technologies offers a customizable array of emergency notification products, including the wall-mounted Alert Beacon, computer desktop alerting, USB panic button, LED marquee display, text-to-speech interface for public address and giant outdoor speaker systems, fire alarm interface, VoIP phone alerting, digital signage and cable television override, and mobile.
![]() Although first believed to have targetted macOS as early as January last year, WindShift appears to have picked up its activity during 2018, as this figure (courtesty of DarkMatter) shows:WindTail.A targets files on the victim’s machine having the following extensions. WindShift APTAlthough created at the end of April, the AppleJeus campaign was not discovered until August, and that month also brought news of yet another APT group targetting the Mac platform, WindShift APT. In either case, the application had a valid developer signature and so easily bypassed Apple’s built-in security technologies. A trojan downloader inserted as an updater in the CelasTradePro.app, a LaunchDaemon with the label “com.celastradepro.plist” and the payload, initially dropped at /var/zdiffsec.It’s unclear whether this malware, dubbed OSX.AppleJeus, was a supply chain attack or whether the CelasTradePro.app was specifically created to infect cryptocurrency exchanges. Attributed to North Korean-linked APT group Lazarus, the malware consists of three parts. Lazarus APTAfter two important discoveries coming right at the beginning of the year, things remained relatively quiet on the malware front until April, which saw the release of a cryptocurrency trading application named CelasTradePro. Safari users are, as a matter of general safety, always wise to uncheck the following setting in the General tab of Safari’s preferences:In July, OSX.Dummy made an appearance on a number of cryptomining chat groups. This feature means that macOS will automatically register custom URLs defined in the malicous software, which then contribute to further infection. Zip files to automatically unarchive when downloaded. It repeats this procedure every 5 seconds.Essential to the infection of this particular malware is that Safari preferences by default allow. The backdoor WindTape takes a screenshot of the current Desktop, sends it to a C2 server and deletes the local copy. The offenders included Adware Doctor, Open Any Files, Dr AntiVirus, and Dr Cleaner. Software downloaded from the Mac App Store is trusted implicitly by Apple’s Gatekeeper, so it was no surprise that users without additional defences were left completely unprotected by a spate of approved apps exfiltrating personal data without permission. September saw what many considered the most unlikely source of threat: Apple’s own App Store. In that respect, at least, it is the polar opposite of the next malware to break in 2018. The tool installs a bash script which leverages python to open a reverse shell:OSX.Dummy was so named because it took an extraordinary amount of compliance from the victim to successfully compromise a target. The scammers didn’t have to try to hard, either, as they offered the malware as an answer to a problem the victims had themselves sought help for. ![]() OSX.LamePyre, a fake version of the Discord voice and text chat app for gamers, also used a similar Automator workflow and Empyre backdoor. First came a fake cracking app for Adobe CC, OSX.DarthMiner, that leverages an Automator workflow to install a cryptominer via an Empyre backend. In addition, the program is able to capture social networking activities and website visits.The year was rounded out by a busy December, with a (relative) rash of three malware discoveries within a week of each other. It’s reasonable to assume the aim was to steal the contents of bitcoin wallets, but this macOS spyware can also steal other personal data through screenshots and keylogging. Although there’s no suggestion the developers of RealTimeSpy were involved, there is no doubt that those behind the email campaign hoped to install a version of RealTimeSpy on victims’ computers. Dr.Cleaner Notification Code And InfectLike similar Word-based attacks on Windows, this leverages a VBA macro to execute code and infect the user. The attackers appear to have weaponized a proof-of-concept first detailed back in August. Either way, we won’t be surprised to see these Automator-based trojans turning up again either before or after New Year 2019.Finally, OSX.BadWord offered up a different kind of threat by exploiting a Microsoft Word for Mac sandbox escape and delivering a Meterpreter payload. We note that the fake Discord app appears to have been localized in Russian and contains some Russian text.Of course, there’s equally no way of telling whether those clues were left deliberately as misdirection or were a result of carelessness. We expect these trends to continue as we reach into 2019, and as ever, here at SentinelOne we’ll keep you posted, and protected.Have a peaceful and secure festive season!Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post. Open-source exploitation kits like Empyre have been the tool of choice for macOS malware over the last 12 months. SummaryOverall, 2018 has seen increased targeting of the macOS platform by APT groups as well as criminals intent on either exploiting cryptomining or targeting those involved in cryptocurrency, both staff and those trading in the currency.
0 Comments
Leave a Reply. |
Details
AuthorMelvin ArchivesCategories |