Saturday, April 29th 2023

Bad Week for MacOS Security: Two New Malware Threats Identified

As the market share of Apple's ARM-based Mac computers has increased, so too have efforts to compromise them by hacker groups that previously showed no interest. A recent string of malware written specifically for macOS shows that these groups are turning their attention toward the generally well-protected Mac ecosystem. One of these new threats, discovered by Jamf Threat Labs and dubbed 'RustBucket,' poses as a simple third-party PDF viewer. The application itself does nothing malicious until a specific PDF is opened; that PDF contains an encoded key which triggers a connection between the victim's Mac and the attacker's server and the download of a small malicious payload. This initial payload runs system reconnaissance commands to gather machine information, then downloads a third-stage payload that gives the attackers further access to the underlying operating system. Every stage after the user opens the PDF runs silently in the background. Because the PDF viewer used as the catalyst carries no code signature, installing it requires manually overriding Apple's Gatekeeper, so the obvious mitigation is to avoid third-party apps or services other than those curated on Apple's App Store.
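The Gatekeeper point above is worth turning into a habit: before overriding a block, ask Gatekeeper what it actually found. The script below is an added example, not part of the article or of Jamf's research; it assumes macOS's spctl and codesign tools, and keeps the verdict parsing in small functions so the decision is explicit and checkable.

```shell
#!/bin/sh
# Added example (not from the article): make Gatekeeper's verdict on an app
# bundle explicit before anyone considers a manual override.
# Assumes macOS's spctl and codesign; the output parsing lives in small
# functions so it can be exercised without those tools present.

# classify_spctl TEXT: map the text printed by `spctl --assess -vv` to one
# word on stdout: accepted, rejected or unknown.
classify_spctl() {
    case "$1" in
        *": accepted"*) printf 'accepted\n' ;;
        *": rejected"*) printf 'rejected\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# spctl_source TEXT: pull out the "source=" line, which names why the verdict
# was reached ("Notarized Developer ID", "no usable signature", ...).
spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# assess_app PATH: run Gatekeeper's assessment plus a strict signature check,
# print a one-line verdict, and exit non-zero unless Gatekeeper accepts the app.
assess_app() {
    app="$1"
    out=$(spctl --assess --type execute -vv "$app" 2>&1)
    verdict=$(classify_spctl "$out")
    src=$(spctl_source "$out")
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        sig="signature verifies"
    else
        sig="signature missing or broken"
    fi
    printf '%s: gatekeeper=%s source=%s (%s)\n' "$app" "$verdict" "${src:-n/a}" "$sig"
    [ "$verdict" = accepted ]
}

# Usage: sh gatekeeper_check.sh /Applications/SomeViewer.app
if [ -n "${1:-}" ]; then
    assess_app "$1"
fi
```

An unsigned viewer like the one described above comes back as "rejected" with source "no usable signature", which is the moment to stop rather than right-click and open anyway.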

The second macOS malware of the week was discovered by Cyble Research and Intelligence Labs (CRIL) being offered for a paltry $1,000 USD per month on a Telegram channel, under the name "Atomic macOS Stealer" or "AMOS." The malware can scrape keychain passwords, system information, files from the Desktop and Documents folders, the macOS user password, browser auto-fill data, passwords, cookies, wallets, and stored credit card information. It is especially adapted to go after cryptocurrency wallets, with Cyble citing Electrum, Binance, Exodus, Atomic, and Coinomi as examples. Cyble notes that the malware is under active development to improve its capabilities, and that the threat actors even offer management software and web panels for keeping track of victimized machines, all with a logging system that dumps to Telegram. The current attack vector is a simple Golang.dmg file which installs the malware, so this does appear to require direct machine access. However, once installed, "AMOS" does its handiwork without detection and sends a compressed file containing everything it collected to the attacker's server.
Sources: Jamf, Cyble

18 Comments on Bad Week for MacOS Security: Two New Malware Threats Identified

#1
Solaris17
Super Dainty Moderator
I can’t wait for the hardware stuff
Posted on Reply
#2
Scrizz
Solaris17: I can’t wait for the hardware stuff
:toast:
Posted on Reply
#3
bonehead123
Hack it, jack it, crack it.... this was bound to happen sooner or later.... although Macs may currently still be slightly more secure overall than windgrows machines, obviously that's not gonna be the case for much longer.. :fear:
Posted on Reply
#4
johnspack
Here For Good!
The most hacked Linux-based OS on earth. Keep your OS in a closed environment, with no input from the Linux or BSD community, and it gets stale and vulnerable.
First Linux-based OS to report virii... and now this. Apple, just make your own OS without stealing from the public domain and then ruining it.
Posted on Reply
#5
Darmok N Jalad
So attack one requires you to install a shady simple PDF viewer (which macOS Preview already does natively) and then open a certain PDF to activate it, and attack two requires someone having direct access to your unlocked machine to install a program (which should require your user password). Neither are “somehow I got hacked” situations, but are rather “I’m really careless and got hacked.”

With such careless end user behavior, that is going to make security a tough act without severely hampering usability. As it is now, macOS will deny an install attempt of software from an unverified developer. Curious how both of these get around that. You can override that, but it requires multiple steps.
Posted on Reply
#6
Easo
johnspack: The most hacked Linux-based OS on earth. Keep your OS in a closed environment, with no input from the Linux or BSD community, and it gets stale and vulnerable.
First Linux-based OS to report virii... and now this. Apple, just make your own OS without stealing from the public domain and then ruining it.
Pretty sure it cannot be called Linux-based, as its roots are in Unix. There is a relation, but they are "siblings", as opposed to descendants.
Posted on Reply
#7
Denver
Many years have passed, and regardless of the operating system, the main vulnerability that a computer can have is the part that sits in front of the monitor. :p
Posted on Reply
#8
Minus Infinity
Easo: Pretty sure it cannot be called Linux-based, as its roots are in Unix. There is a relation, but they are "siblings", as opposed to descendants.
Shares a lot of code with FreeBSD and is based on the BSD kernel called Darwin. This occurred in the early 2000s; before that, macOS wasn't Unix-based. Linux was a personal project by Torvalds in the early 90s and was a clone of the Unix kernel.
Posted on Reply
#9
Easo
Minus Infinity: Shares a lot of code with FreeBSD and is based on the BSD kernel called Darwin. This occurred in the early 2000s; before that, macOS wasn't Unix-based. Linux was a personal project by Torvalds in the early 90s and was a clone of the Unix kernel.
So... it is not Linux. :)
Posted on Reply
#10
sephiroth117
Solaris17: I can’t wait for the hardware stuff
Hardware stuff or not, in the end it’s a game of cats and mice. Security is relative, and relative to other OSes and CPUs, Apple is in the upper bracket when it comes to security, but no one is invincible, especially consumer-grade computers.
Posted on Reply
#11
Mussels
Freshwater Moderator
The biggest problem of having your entire ecosystem based on one single SoC is that any hardware flaws will wipe out entire product stacks.

Look what happened to Intel with Spectre and Meltdown - that affected everything from the Core 2 Duo to 8th gen hardware, and they had plenty of variants and changes over the years. If you rely on just one primary design for everything, a flaw or vulnerability can bite you really hard.

This reminded me about InSpectre; tested on my 6700 system just now.
Ouch (4.4% single threaded / 11.3% multithreaded).
Posted on Reply
#12
mb194dc
Denver: Many years have passed, and regardless of the operating system, the main vulnerability that a computer can have is the part that sits in front of the monitor. :p
The human element is always the biggest weakness.

That, and people like the NSA having tools like EternalBlue which are inevitably going to leak eventually...
Posted on Reply
#13
eidairaman1
The Exiled Airman
Mac secure? Lmao they are the worst
Posted on Reply
#14
TheinsanegamerN
johnspack: The most hacked Linux-based OS on earth. Keep your OS in a closed environment, with no input from the Linux or BSD community, and it gets stale and vulnerable.
First Linux-based OS to report virii... and now this. Apple, just make your own OS without stealing from the public domain and then ruining it.
"Guys, let's make an open source OS that people can use for free with no licensing!"

Apple: uses open source OS

"NO NOT LIKE THAT :mad:"
Posted on Reply
#15
unwind-protect
TheinsanegamerN: "Guys, let's make an open source OS that people can use for free with no licensing!"

Apple: uses open source OS

"NO NOT LIKE THAT :mad:"
There is very little open source software that has no license.

OS software falls into two categories:
- GPLed such as Linux
- BSD/MIT license such as the BSDs and macOS

The latter is more permissive, but you still have a license.
Posted on Reply
#16
Mussels
Freshwater Moderator
TheinsanegamerN: "Guys, let's make an open source OS that people can use for free with no licensing!"

Apple: uses open source OS

"NO NOT LIKE THAT :mad:"
Open source has licences; to use them you must meet their requirements.

Mac isn't really breaking any laws with what they do, but they sure love their propaganda "If we just deny the botnets exist, users will never know!"
Posted on Reply
#17
R-T-B
johnspack: The most hacked Linux-based OS on earth. Keep your OS in a closed environment, with no input from the Linux or BSD community, and it gets stale and vulnerable.
First Linux-based OS to report virii... and now this. Apple, just make your own OS without stealing from the public domain and then ruining it.
It's not Linux-based, more commercial Unix heritage.
Posted on Reply
#18
Mussels
Freshwater Moderator
R-T-B: It's not Linux-based, more commercial Unix heritage.
People do tend to slip up and think Unix and Linux are the same - I've done it a few times.

Unix is basically the closed-source version of Linux, is how I explain it - but they're often overlapping with compatibility due to the shared heritage (when they're not in a walled garden, cough cough).
Posted on Reply