'malware' Articles

Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari. In a lengthy breakdown, Patrick Wardle explains how the exploit uses document handlers, which request permission to open a link or a file in another app (a PDF in Preview, for example), and URL handlers, which work similarly in that they notify macOS that they can accept certain file formats. The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, at which point the custom URL scheme is registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application. This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process; however, the popup text and available options are

Malware Discovered That Can Control a Mac's Webcam and Keyboard, But It's Old and Possibly Abandoned

Earlier this year, researchers from security firm Malwarebytes discovered a piece of Mac malware called Fruitfly that reportedly spied on computers in medical research centers for years before being detected. Apple has since updated macOS to automatically detect the malware, safeguarding users. However, a new variant of the Fruitfly malware has recently been discovered by Patrick Wardle, a researcher with security firm Synack. Wardle said the malware has been targeting Macs for at least five years, with the number of infected Macs totaling nearly 400 and possibly much higher, reports Ars Technica. The malware can supposedly capture screenshots, keystrokes, webcam images, and other info about each infected Mac. The Fruitfly variant also collects information about devices connected to the same network, according to the report. Wardle said the method of infection remains unknown, but he suspects it involves tricking users into clicking on malicious links, as opposed to exploiting vulnerabilities in apps or in macOS. He added that the primary command-and-control server used by the malware's creators has since been shut down. Many of the affected Macs have never been disinfected, however, allowing Wardle to create his own custom command-and-control server for the malware and witness the close to 400 infected machines connect to it.

After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400

New Mac Malware Discovered on Dark Web as Security Experts Remind Mac Users Not to Be 'Overconfident'

Two new pieces of malicious software aimed at Mac computers have been discovered on the Dark Web, offered through Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) portals and estimated to have been up for around the past three weeks, beginning May 25. Originally spotted by Bleeping Computer, the two portals offer software called "MacSpy" and "MacRansom" as services for potential buyers, as well as any future support that may be needed for the malware (via Motherboard). Both portals are the work of the same malware developer, but security firms Fortinet and AlienVault described the person behind the scheme as an "inexperienced coder," pointing towards issues like the lack of digitally signed files, meaning the security measures on a standard installation of macOS would still be alerted to the malware. The researchers called MacSpy the "better-coded tool," but said MacRansom was more dangerous since it "has the potential to permanently wreck user files," if users of malicious intent ever wielded it.

Dark Web portal peddling some sort of (new?) Mac malware pic.twitter.com/02obWvG4mg
- Catalin Cimpanu (@campuscodi) May 25, 2017

Thankfully, the process by which crooks would have to go about getting either MacSpy or MacRansom will likely prevent either piece of malware from spreading. Both portals are described as "closed" offerings, meaning anyone wanting to actually purchase the services off the Dark Web would have to contact the author to receive demo packages, and then directly negotiate payment. As such, "none of these two appear to be part of any

Source Code for Several Panic Apps Stolen via HandBrake Malware Attack

In early May, a mirror download server hosting popular Mac transcoder app HandBrake was hacked, and the legitimate version of HandBrake was replaced with a version infected with OSX.PROTON, a remote access trojan giving hackers root-access privileges to a Mac. In a blog post shared today, Panic Inc. developer and co-founder Steven Frank said he downloaded the infected version of HandBrake, which led to the theft of much of the source code behind Panic's apps. Panic offers several apps, including web editor Coda, FTP app Transmit, SSH client Prompt, and Firewatch, an adventure game. Hackers accessed Frank's computer through the infected HandBrake software and were able to obtain his usernames and passwords, including git credentials. Several source code repositories were cloned by the attackers, who have demanded "a large bitcoin ransom" to stop the release of the source code, a ransom Panic does not intend to pay. While Panic's source code has been stolen, the company says that a careful review of its logs indicates that the theft was the extent of the damage - the hacker did not access customer information or Panic Sync Data.

- There's no indication any customer information was obtained by the attacker.
- Furthermore, there's no indication Panic Sync data was accessed.
- Finally, our web server was not compromised. (As a reminder, we never store credit card numbers since we process them with Stripe, and all Panic Sync data is encrypted in such a way that even we can't see it.)

According to Panic, the source code for the apps could potentially be used by

Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack

The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked. The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file. The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert. To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

    launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
    rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores. The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update

Windows 'Snake' Malware Ported to Mac, Imitates Adobe Flash Player Installer

Well-known Windows backdoor malware "Snake" has been ported to the Mac for the first time, according to MalwareBytes. Described as "highly-sophisticated," Snake (also called Turla and Uroburos) has been infecting Windows systems since 2008 and was ported to Linux systems in 2014 before making its way to the Mac. The Snake malware was found earlier this week in an installer masquerading as Adobe Flash Player, buried inside a file named "Install Adobe Flash Player.app.zip." It is designed to look like a legitimate Adobe Flash installer, but is signed by an illegitimate certificate. It does, actually, install Adobe Flash Player, but it is accompanied by additional software that is malicious and designed to provide a backdoor into the Mac. The malicious files are well hidden in the /Library/Scripts/ folder and disguised as an Adobe launch process.

In all, this is one of the sneakier bits of Mac malware lately. Although it's still "just a Trojan," it's a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.

Apple already revoked the certificate that the Snake malware was using to infect Mac machines, but another iteration could pop up, so Mac users should be aware of the possibility. Those infected by Snake are vulnerable to having data stolen, including login information, passwords, and unencrypted files. To avoid malicious software, Apple recommends downloading content only from the Mac App Store or from trusted

Malware Attacks on Macs Up 744% in 2016, Mostly Due to Adware

Malware attacks on Macs were up 744 percent in 2016, according to the latest Threat Report shared by McAfee Labs [PDF]. Mac users don't need to be overly alarmed, though, because much of that huge jump can be attributed to adware bundling. macOS malware samples jumped up 245 percent in the fourth quarter of 2016 alone just from adware. Adware, while irritating, is less alarming than true malware attacks that can hijack a machine or render it unusable. McAfee says it discovered 460,000 malware samples on Mac machines, a huge increase over 2015 numbers, but still just a small portion of overall malware out in the wild. According to McAfee, there were more than 630 million total instances of malware last year. While most of the surge in Mac malware was adware, we've still heard about some alarming Mac-based attacks over the course of the last year, including ransomware distributed via trusted BitTorrent client Transmission, Backdoor.MAC.Eleanor, Xagent, which could steal passwords and iPhone backups, and more. Mac users who want to avoid malware and adware should only download software from trusted developers and directly from the Mac App Store, which should keep Mac machines relatively

BitTorrent Client Transmission Again Victimized by OS X Malware

Just five months after Transmission was infected with the first "ransomware" ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X. The researchers said they notified the Transmission team about the malware, and within minutes they removed the malicious file from their web server and launched an investigation. The researchers believe the infected Transmission app was signed on August 28 and distributed only on August 29, and thus recommend anyone who downloaded version 2.92 of the app between those dates to verify if their system is compromised by checking for the presence of any of the following files or directories:

    /Applications/Transmission.app/Contents/Resources/License.rtf
    /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
    $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
    $HOME/Library/Application

What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly converting files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory as the original file.

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store. The app was created with Platypus, a developer tool used to build native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious

'AceDeceiver' iOS Trojan Spotted in China, Bypasses Apple's DRM Mechanism

A new iOS trojan has been found in the wild that's able to infect non-jailbroken iOS devices through PCs without the need to exploit an enterprise certificate. Named "AceDeceiver," the malware was discovered by Palo Alto Networks and is currently affecting iOS users in China. AceDeceiver infects an iOS device by taking advantage of flaws in FairPlay, Apple's digital rights management (DRM) system. According to Palo Alto Networks, it uses a technique called "FairPlay Man-in-the-Middle," which has been used to spread pirated iOS apps in the past by using fake iTunes software and spoofed authorization codes to get the apps on iOS devices. The same technique is now being used to spread the AceDeceiver malware.

Apple allows users to purchase and download iOS apps from the App Store through the iTunes client running on their computer. They can then use the computer to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code. They then developed PC software that simulates the iTunes client's behavior and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user's knowledge.

From July of 2015 to February of 2016, three AceDeceiver iOS apps were uploaded to the official iOS App Store, posing as wallpaper apps

Apple Responds to YiSpecter Malware, Says Fix Was Implemented in iOS 8.4

Over the weekend, security site Palo Alto Networks detailed a new iOS malware that's able to infect non-jailbroken Apple devices using enterprise certificates and private APIs. It originated in Taiwan and China and was installed through several methods, including hijacking traffic from ISPs, an SNS worm on Windows, and offline app installation. Called YiSpecter, the malware is able to download, install, and launch apps, doing things like replacing existing apps, displaying advertisements in legitimate apps, changing Safari's default engine, and uploading user information to remote servers.

[Image: A popup ad that was able to install YiSpecter on iOS devices]

In response to the detailing of YiSpecter, Apple has released an official statement to The Loop explaining that YiSpecter is only able to target iOS users who are running an older version of iOS and have also downloaded content from untrusted sources.

"This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."

Apple implemented fixes for YiSpecter in iOS 8.4, so iOS 8.4.1 and iOS 9 are immune to the malware. Users who want to avoid being targeted by YiSpecter should make sure to upgrade to the latest version of iOS