
Apple isn't Happy About the Amount of Mac Malware


During testimony defending Apple in its lawsuit with Fortnite developer Epic Games, a top Apple executive said that the amount of Mac malware has now surpassed Apple's tolerance level, and framed safety as the justification for keeping iPhone, iPad, and other mobile products behind the App Store's walled garden.

Craig Federighi, Apple's head of software engineering, told a California court that the existing levels of malware were "unacceptable." "Today, we have a level of malware on the Mac that we don't find acceptable," he stated in response to questions from Apple's lawyers, as ZDNet sister site CNET reports. 

Apple is defending its practices after Epic Games sued it in the United States; Apple had removed Epic's Fortnite game from the App Store after Epic implemented a direct payment scheme for in-game currency, bypassing Apple's 30% developer fee. Apple, according to Epic, is too restrictive.

The Apple-Epic case began on May 03. Phil Schiller, the CEO of the App Store, stated yesterday that the App Store has always prioritized protection and privacy. According to Federighi, 130 different forms of Mac malware have been discovered since May, with one variant infecting 300,000 systems. iOS devices can only install applications from Apple's App Store, while Macs can install software from anywhere on the internet.

Mac malware is already outpacing Windows malware, according to Malwarebytes, a US security company that offers Mac antivirus. However, the company pointed out that the threats to Macs, which mainly consist of adware, are not as harmful as malware for Windows. Federighi compared the Mac to a car, while iOS, he said, was designed with children's safety in mind, according to 9to5Mac.

"The Mac is a car. You can take it off-road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he stated.

Federighi also said that things would change significantly if Apple allowed iOS users to sideload applications.

Apple pushes out silent update for Mac users to remove Zoom web server

Earlier this week, a US-based security researcher named Jonathan Leitschuh publicly disclosed a major vulnerability in the Zoom video conferencing software for Apple’s Mac computers which could let any website start a video-enabled call, hijacking the system's webcam. Now, according to a report by TechCrunch, Apple has silently pushed out a macOS update which removes the Zoom web server.

As per the report, the US-based technology giant has confirmed that the update has been released, that it is installed automatically, and that it requires no interaction from the user. The sole purpose of the update is to remove the local web server installed by the Zoom app. The company said that it pushed the update to protect its users from the risks posed by the exposed web server.

According to Leitschuh’s disclosure earlier this week, even if Mac users uninstall the Zoom app from their system, the web server persists and can reinstall Zoom without the user’s permission.

In a statement to The Verge and ZDNet, Zoom had said that it developed the local web server to save Mac users from too many clicks, after Apple changed their Safari browser in a way that requires Zoom users to confirm that they want to launch Zoom every single time. Zoom also said that it will tweak the app such that it will save the user’s and administrator’s preferences for whether the video will be turned on, or not, when they first join a call.

However, it seems Apple took it upon itself to protect its users from the security vulnerability posed by the Zoom app. The silent update was all the more necessary because the local web server installed by Zoom could reinstall the app even after the user had uninstalled it.

CookieMiner: Steals Passwords From Cookies, Chrome And iPhone Texts!

A new piece of malware, CookieMiner, is circulating; it harvests saved passwords from Chrome, iPhone text messages, and Mac-tethered iTunes backups.

A worldwide cyber-security firm recently uncovered this malware, which feeds on saved user credentials such as usernames and passwords.

It has mainly been targeting passwords saved in Google Chrome, credit card details saved in Chrome, and iPhone text messages backed up to the Mac.

Reportedly, the malware also collects the browser cookies associated with mainstream crypto-currency exchanges and wallet-provider websites the user has visited.

The apparent motive behind the miner's activity is to bypass the multi-factor authentication on the sites in question.

Having dodged the main security control, the attacker would be free to access the victim’s exchange account or wallet and drain the funds in it.

Web cookies are pieces of information set by the web server the moment a user signs in, which the browser then presents back on later requests.

Hence, stealing those cookies means, indirectly, taking over the user's session.

Cookie theft is the easiest way to dodge login anomaly detection: if a stolen username and password are used clumsily, alarms may go off and an additional authentication request may be sent.

Whereas if the username and password are used along with the cookie, the entire session is treated as legitimate and no alert is issued at all.

Most of the fancy wallet and crypto-currency exchange websites have multi-factor authentication.

What CookieMiner does is assemble combinations of stolen cookies and credentials and try them in order to slip past the authentication process.
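The passage above explains why a replayed cookie sails past login anomaly detection: the session is already authenticated. One defensive answer is to bind each session cookie to the context it was issued in and demand step-up authentication when that context changes. The following is an added illustration, not code from the original post or from any real exchange; the session store, the /24 tolerance and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    ip: str          # client address seen at login
    user_agent: str  # browser User-Agent seen at login
    flags: list = field(default_factory=list)  # recorded context mismatches

SESSIONS: dict[str, Session] = {}  # constructed in-memory session store

def login(token: str, user: str, ip: str, user_agent: str) -> None:
    """Bind a freshly issued session cookie to the context it was issued in."""
    SESSIONS[token] = Session(user, ip, user_agent)

def check_request(token: str, ip: str, user_agent: str) -> str:
    """Classify a request that carries a session cookie.
    'ok'      - cookie presented from the context it was issued in
    'reauth'  - cookie valid but presented from another client: require step-up auth
    'unknown' - no such session"""
    sess = SESSIONS.get(token)
    if sess is None:
        return "unknown"
    mismatches = []
    # Tolerate a change in the last octet (same /24) so ordinary DHCP churn
    # does not trigger re-authentication; anything else is a mismatch.
    if ip.rsplit(".", 1)[0] != sess.ip.rsplit(".", 1)[0]:
        mismatches.append("ip")
    if user_agent != sess.user_agent:
        mismatches.append("user_agent")
    if mismatches:
        sess.flags.append(mismatches)  # keep evidence for the SOC
        return "reauth"
    return "ok"

def demo() -> list[str]:
    """Constructed scenario: a victim logs in, then the same cookie is replayed elsewhere."""
    ua = "Mozilla/5.0 (Macintosh) Safari"
    login("c0ffee", "alice", "203.0.113.10", ua)
    return [
        check_request("c0ffee", "203.0.113.10", ua),    # original client
        check_request("c0ffee", "203.0.113.12", ua),    # same /24, same browser
        check_request("c0ffee", "198.51.100.7", "curl/7.79"),  # replayed from elsewhere
        check_request("deadbeef", "198.51.100.7", "curl/7.79"), # never issued
    ]

if __name__ == "__main__":
    print(demo())
```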

An attacker could treat such an opportunity like a gold mine and profit handsomely from it.

In addition to Google’s Chrome, Apple’s Safari is also targeted. The choice of browser appears to depend on its popularity.

The malware has a further malicious component: it also downloads a “CoinMiner” onto the affected system.

New Mac OS X Botnet uses Reddit's Search function to get CNC servers list

Security researchers at the Russian antivirus company Dr.Web have published details of a new botnet that targets Mac OS X.

What is particularly interesting is that this malware uses Reddit's search function to acquire its command-and-control (C&C) server list from comments posted in a 'Mine Craft Server Lists' subreddit.

The malware calculates the MD5 hash of the current date and uses the first 8 bytes of the hash as a search term on Reddit. The results contain the server IPs with port numbers.

The malware, dubbed 'iWorm', has reportedly infected more than 17,000 Mac computers, 4,610 of them in the US.

The Reddit account used by the cyber criminals appears to have been removed. However, that will not stop the operators from controlling their botnet: they can simply create a new account or use some other online service.

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan horse targeting Apple Mac OS X spies on users' web traffic and attempts to steal Bitcoins. SecureMac says the malware, referred to as "OSX/CoinThief.A", has been found in the wild. Several users have reported that their Bitcoins were stolen.

The malware was hosted on GitHub under the name "StealthBit", disguised as an app for sending and receiving payments to Bitcoin Stealth Addresses. A link to the project had also been posted on Reddit, enticing users to download the app, and was upvoted by 100 people.

The project included source code as well as a pre-compiled binary. Researchers say the binary did not match the one built from the source code. Those who installed the pre-compiled version of the app are likely to have been infected by this malware.

One Reddit user reported that 20 of his Bitcoins (currently worth around $10k) were stolen by this malware app.

"I foolishly installed 'StealthBit'. Anyone else find this to be a virus? The post is still online.. I found 1 comment suggesting the possibility." the user posted on Reddit.

Upon running the app for the first time, it installs browser extensions for Safari and Google Chrome and continually runs a background program that looks for Bitcoin wallet login credentials. The malware then steals the Bitcoin login credentials, the username, and the unique identifier of the infected Mac.

At the time of writing, the malicious project has been removed from GitHub.

It appears this is not the first time Mac users have been fooled by this kind of malicious app. One user shared his experience of being scammed by a similar app called "Bitvanity", also hosted on GitHub, which stole 20 BTC from his account.

The user also pointed out an interesting connection between the two projects: "StealthBit" was hosted by "Thomas Revor" and "Bitvanity" by "Trevorscool".

New Mac Malware 'Janicab' abuses RLO character to hide real extension

F-Secure researchers have spotted a new Mac malware capable of continuously taking screenshots, recording audio, and uploading them to a remote server.

What's interesting about this Mac malware is that it abuses the Right-to-Left Override (RLO) character to hide its real extension. The method is not new, however: Windows malware such as Bredolab and other trojans have used it before.

The RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew.

The malware analyzed by F-Secure uses "Recent New.ppa.pdf" as the file name of the malicious file. Judging by the displayed extension, one would think it is just a PDF, but in reality opening it launches an executable .APP bundle.

Because of the RLO character in the malicious file name, the usual file quarantine notification from OS X is rendered backwards.

[Image: file quarantine notification. Image credits: F-Secure]

The notification actually reads: "RecentNews. Are you sure you want to open fdp " is an application downloaded it" from Internet."
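The reversed quarantine prompt is a symptom of the same trick the file name relies on: everything after U+202E is drawn right-to-left. A defender can detect it without rendering anything, by scanning file names for bidi control characters and comparing the real extension with the one a user would see. This is an added example, not F-Secure's or the malware's code; the sample name is constructed from the "RecentNews" / "fdp.app" form described above.

```python
import os

# Unicode bidirectional control characters that can reorder how a file name is
# displayed: U+202A..U+202E (embeddings/overrides) and U+2066..U+2069 (isolates).
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
RLO = "\u202e"

def displayed_name(name: str) -> str:
    """Approximate how a bidi-naive viewer shows the name: text after an
    RLO override is drawn reversed until the end of the string."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]

def inspect_filename(name: str) -> dict:
    """Report bidi controls present, the real extension (what the OS opens)
    and the displayed extension (what the user believes they are opening)."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # Flag when a control character makes the visible extension lie.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }

# Constructed sample: the on-disk name is "RecentNews" + RLO + "fdp.app",
# which a bidi-aware viewer renders as "RecentNewsppa.pdf".
SAMPLE = "RecentNews" + RLO + "fdp.app"

if __name__ == "__main__":
    print(inspect_filename(SAMPLE))
```

On a real system the same check can be run over the names of quarantined downloads (or of files inside a mail or web proxy) before a user ever sees a prompt.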

Once launched, the malware displays a decoy document while it silently installs malicious code on the victim's computer.

According to the F-Secure malware report, the threat is written in Python, uses py2app for distribution, and is signed with an Apple Developer ID.

Python-based malware exploits Java vulnerability, targets Mac & Windows

Sophos security researchers have identified a new malware that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.

When a user visits a compromised webpage, it downloads the malicious software onto their computer by exploiting the Java vulnerability.

Depending on the operating system, it downloads different malicious files. Sophos detects the file downloaded on Windows as Mal/Cleaman-B and the file downloaded on Mac OS X as OSX/FlsplyDp-A.

Once it infects the system, it downloads further malicious code: the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and, on Mac OS X, it decrypts a Python script called (extracted from .

"This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, upload code to the computer, steal files and run commands without the user's knowledge," a researcher said.

Security Tips:
  • Are you still using an unpatched version of Java? It is time to update it. Do it quickly, before you fall victim to this infection.
  • Not only Java: update all software.
  • Install a security solution.

600,000+ Mac computers are infected with BackDoor.Flashback botnet

Research conducted by Dr.Web, a Russian anti-virus firm, determined that more than 600,000 Mac computers are infected with the BackDoor.Flashback botnet; most of the infected systems are located in the U.S. and Canada.

On April 2, F-Secure spotted a new Flashback variant exploiting CVE-2012-0507 (a Java vulnerability; Oracle released an update that patched it back in February… for Windows). On April 3, Apple issued a patch for the six-week-old flaw with Java 6 update 31. Unfortunately, the malware was already spreading in the wild.

The exploit downloads an exe file onto the victim's system; that file is used to download the malicious payload from a remote server and launch it.

Security experts recommend that Mac users download and install the security update released by Apple from to prevent infection of their systems by BackDoor.Flashback.39.

Flashback Mac Trojan exploits Java vulnerability or uses Social Engineering Attack

Security firm Intego is warning about a new version of Flashback Trojan that aims to steal victim's online banking details.

This new Trojan tries to exploit one of two Java vulnerabilities in order to infect the Mac user's system. If these vulnerabilities are patched and the system has an updated version of Java, it instead tries to trick users into accepting a fake digital certificate (a social engineering attack).

In order to avoid detection, Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

"Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension," Intego wrote on its security blog.

The goal of this malware appears to be to steal usernames and passwords for high-value sites such as bank websites, PayPal and others. Intego said the malicious code injected into running applications causes them to become unstable and often crash.

Security Tips:
  • Update your Java to the latest version.
  • Intego says many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in the screenshot above. If you see this, don’t trust it, and cancel the process.
  • Install Intego VirusBarrier X6 (detects all other variants of this Trojan).