Mar 30, 2024NewsroomMalware / Cryptocurrency

Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites (“airci[.]net”) that serve the malware.

“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. “It can only be accessed through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the counterfeit website (“ArcSetup.dmg”) delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.

Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users’ keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.

Much like Atomic stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.

“These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.”

The development comes as MacPaw’s cybersecurity division Moonlock Lab disclosed that malicious DMG files (“App_v1.0.4.dmg”) are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload that’s retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.

“Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS’s Gatekeeper security feature,” security researcher Mykhailo Hrebeniuk said.

The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting of sophisticated anti-virtualization techniques by activating a self-destructing kill switch to evade detection.

In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.

Feb 16, 2024NewsroomEndpoint Security / Cryptocurrency

Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It’s distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.

“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”) – contains a basic shell script that’s responsible for fetching the implant from a website named turkishfurniture[.]blog. It’s also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.

Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.

In addition, the binaries are capable of extracting details about the disk via “diskutil list” as well as retrieving a wide list of kernel parameters and configuration values using the “sysctl -a” command.

A closer investigation of the command-and-control (C2) infrastructure has also revealed a leaky endpoint (“/client/bots”) that makes it possible to glean details about the currently infected victims, including the timestamps when the infected host was registered and the last activity was observed.

The development comes as South Korea’s National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers’ Party of North Korea’s Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.

The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that has allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for creating a single website and $3,000 per month for maintaining the website, Yonhap News Agency reported.

Feb 10, 2024NewsroommacOS Malware / Cyber Threat

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.

The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.

The exact initial access pathway used to propagate the implant is currently not known, although it’s said to be distributed as FAT binaries that contain Mach-O files.

Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.

It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.

Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.

The captured information is then exfiltrated to a command-and-control (C2) server.

The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.

“ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model,” security researcher Andrei Lapusneau said.

In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Feb 01, 2024NewsroomVulnerability / Software Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said in an advisory, adding the issue “may have been exploited against versions of iOS released before iOS 15.7.1.”

The iPhone maker said the problem was addressed with improved checks. It’s currently not known how the vulnerability is being weaponized in real-world attacks.

Interestingly, patches for the flaw were released on December 13, 2022 with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later on January 9, 2024.

It’s worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022.

“An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication,” the company said at the time. “A logic issue was addressed with improved state management.”

In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.

The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.

Jan 23, 2024NewsroomMalware / Cryptocurrency

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data.

Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware’s ability to infect Macs on both Intel and Apple silicon processor architectures.

The attack chains leverage booby-trapped disk image (DMG) files that include a program named “Activator” and a pirated version of legitimate software such as xScope.

Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app.

Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modified xScope executable.

“The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it to make the user launch Activator,” security researcher Sergey Puzan said.

The next stage entails establishing contact with a command-and-control (C2) server to fetch an encrypted script. The C2 URL, for its part, is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as a third-level domain name.

A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment that is decrypted and assembled to construct a Python script, which, in turn, establishes persistence and functions as a downloader by reaching out to “apple-health[.]org” every 30 seconds to download and execute the main payload.

“This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response message came from the DNS server,” Puzan explained, describing it as “seriously ingenious.”

The backdoor, actively maintained and updated by the threat actor, is designed to run received commands, gather system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

If found, the applications are replaced by trojanized versions downloaded from the domain “apple-analyser[.]com” that are equipped to exfiltrate the seed phrase, wallet unlock password, name, and balance to an actor-controlled server.

“The final payload was a backdoor that could run any scripts with administrator privileges, and replace Bitcoin Core and Exodus crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked,” Puzan said.

The development comes as cracked software is increasingly becoming a conduit to compromise macOS users with a variety of malware, including Trojan-Proxy and ZuRu.

Jan 19, 2024NewsroomMalware / Endpoint Security

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.

The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

The backdoor – written to the path “/tmp/.test” – is fully-featured and built atop an open-source post-exploitation toolkit called Khepri. The fact that it is located in the “/tmp” directory means it will be deleted when the system shuts down.

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

On the other hand, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.

Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.

Jan 05, 2024NewsroomEndpoint Security / Malware

Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors.

“SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control] server,” security researcher Greg Lesnewich said.

The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host.

It’s worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.

In recent months, the threat actor has been observed combining disparate pieces of these two infection chains, leveraging RustBucket droppers to deliver KANDYKORN.

The latest findings are another sign that North Korean threat actors are increasingly setting their sights on macOS to infiltrate high-value targets, particularly those within the cryptocurrency and the blockchain industries.

“TA444 keeps running fast and furious with these new macOS malware families,” Lesnewich said.

Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.

The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been built by different developers keeping the same requirements in mind.

What makes the malware stand out are its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

The disclosure comes as a total of 21 new malware families designed to target macOS systems, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, were discovered in 2023, up from 13 identified in 2022.

“With the continued growth and popularity of macOS (especially in the enterprise!), 2024 will surely bring a bevy of new macOS malware,” Wardle noted.

Dec 20, 2023NewsroomCryptocurrency / Malware

A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems.

AT&T Alien Labs, which made the discovery, said the malware is “equipped with an extensive array of commands from its command-and-control (C&C) server.”

Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools.

Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar.

In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating running processes, and downloading additional payloads.

It’s also capable of modifying the clipboard to facilitate cryptocurrency theft by substituting wallet addresses and siphoning files and data from web browsers.

“On macOS, JaskaGO employs a multi-step process to establish persistence within the system,” security researcher Ofer Caspi said, outlining its capabilities to run itself with root permissions, disable Gatekeeper protections, and create a custom launch daemon (or launch agent) to ensure it’s automatically launched during system startup.

It’s currently not known how the malware is distributed and if it entails phishing or malvertising lures. The scale of the campaign remains unclear as yet.

“JaskaGO contributes to a growing trend in malware development leveraging the Go programming language,” Caspi said.

“Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats.”