Saturday, April 29th 2023
Bad Week for macOS Security: Two New Malware Threats Identified
As the market share of Apple's ARM-based Macs has grown, so have efforts to compromise them by groups that previously showed little interest in the platform. A recent run of malware written specifically for macOS shows these groups turning their attention to the generally well-protected Mac ecosystem. The first of the two, discovered by Jamf Threat Labs and dubbed 'RustBucket,' poses as a simple third-party PDF viewer. The application does nothing overtly malicious until a specific PDF is opened; that PDF carries an encoded key that triggers a connection from the victim's Mac to the attacker's server and the download of a small malicious payload. That payload runs system reconnaissance commands to fingerprint the machine and then fetches a third-stage payload that gives the attackers broader access to the underlying operating system. Everything after the user opens the PDF runs silently in the background. The PDF viewer that starts the chain is unsigned, so launching it requires the user to manually override Gatekeeper; the obvious mitigation is to refuse that override for unsigned software and to stick to apps curated on Apple's App Store or signed and notarized by an identified developer.
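The Gatekeeper override is the one user action the whole RustBucket chain depends on, so the practical check is to ask macOS's own tools what it thinks of a freshly downloaded app before opening it. The script below is an added example, not code from the Jamf report or from this article: it parses the `com.apple.quarantine` extended attribute that Safari and other downloaders stamp on files (the `flags;hex-timestamp;agent;uuid` layout is the observed format, and the sample value is constructed), runs `codesign` and `spctl` on macOS, and refuses anything those tools reject. The `decide` policy and the `assess_app` wrapper are this example's own names, not Apple APIs.

```python
"""Added example: refuse to open a downloaded .app unless Apple's own checks pass.

parse_quarantine() and decide() are pure and run anywhere; assess_app() shells
out to codesign/spctl/xattr and therefore only works on macOS.
"""
import platform
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Quarantine:
    flags: int                 # raw hex flags field; meaning is undocumented, kept as-is
    downloaded_at: datetime    # from the hex unix timestamp field
    agent: str                 # app that created the download (e.g. Safari)
    event_id: Optional[str]    # UUID linking to the LaunchServices quarantine DB, if present


def parse_quarantine(value: str) -> Quarantine:
    """Parse a com.apple.quarantine xattr value: 'flags;hex_time;agent[;uuid]'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute layout: %r" % value)
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_id = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, parts[2], event_id)


def decide(spctl_ok: bool, codesign_ok: bool, quarantine: Optional[Quarantine]) -> str:
    """Policy: never open something Gatekeeper or codesign rejected. Signature
    validity is checked first because spctl can only reason about signed code."""
    if not codesign_ok:
        return "refuse: code signature missing or invalid"
    if not spctl_ok:
        return "refuse: Gatekeeper rejects this app (unsigned, not notarized or unknown developer)"
    if quarantine is None:
        return "allow: signed and accepted; no quarantine attribute (not a fresh download)"
    return "allow: signed and Gatekeeper-accepted; downloaded via %s on %s" % (
        quarantine.agent, quarantine.downloaded_at.strftime("%Y-%m-%d"))


def assess_app(app_path: str) -> str:
    """macOS only: run Apple's verifiers against an .app bundle and apply decide()."""
    if platform.system() != "Darwin":
        raise RuntimeError("codesign/spctl/xattr are macOS tools")
    codesign = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "-vv", app_path],
        capture_output=True, text=True)
    spctl = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", app_path],
        capture_output=True, text=True)
    xattr = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", app_path],
        capture_output=True, text=True)
    quarantine = parse_quarantine(xattr.stdout) if xattr.returncode == 0 else None
    return decide(spctl.returncode == 0, codesign.returncode == 0, quarantine)


# Constructed sample attribute, as Safari would write it for a download on 2023-04-24.
SAMPLE_QUARANTINE = "0083;6446a3e0;Safari;9C3B2A1E-0000-4000-8000-000000000001"

if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print("sample download:", q.agent, q.downloaded_at.isoformat())
    print("unsigned app would get:", decide(spctl_ok=False, codesign_ok=False, quarantine=q))
```

On a Mac, `assess_app("/Applications/Some.app")` is the call to make before right-click-opening anything; an unsigned PDF viewer like the RustBucket dropper fails the `codesign` step outright, and the script refuses it rather than offering an override.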
The second macOS malware of the week was found by Cyble Research and Intelligence Labs (CRIL) being offered for a paltry $1,000 USD per month on a Telegram channel under the name "Atomic macOS Stealer" or "AMOS." It can scrape keychain passwords, system information, files from the Desktop and Documents folders, the macOS user password, browser auto-fill data, saved passwords, cookies, wallets and stored credit card information. It is tailored to cryptocurrency wallets in particular, with Cyble citing Electrum, Binance, Exodus, Atomic and Coinomi as targets. Cyble notes that the malware is under active development, and that the sellers also offer management software and a web panel for keeping track of infected machines, with a logging system that delivers results to Telegram. The current delivery vector is a single .dmg installer (the stealer itself is a Go binary), so the victim has to download and run it; no remote exploit is involved. Once running, AMOS does its work quietly, packs everything it collected into a compressed archive and sends it off to the attacker's server.
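The capability list above is also a detection opportunity: a single process that reads the login keychain, browser cookie and password databases, wallet directories and user documents, then writes an archive and opens an outbound connection, looks like nothing a legitimate app does. The script below is an added example, not code from Cyble's report or from this article. It runs a simple per-process heuristic over endpoint file and network events; the event records and the process paths in them are constructed for the example, and the wallet and browser file locations are typical locations assumed for illustration, not a list taken from the stealer.

```python
"""Added example: hunt for stealer-like behaviour in endpoint events.

Each event is a dict with ts, pid, proc, op (open/write/connect) and path.
The sample EVENTS below are constructed; paths in SENSITIVE are assumed
typical locations, not indicators published for AMOS.
"""
import re
from collections import defaultdict

# Category -> regexes over the accessed path (assumed locations).
SENSITIVE = {
    "keychain": [r"/Library/Keychains/login\.keychain-db$"],
    "browser":  [r"/(Cookies|Login Data|Web Data)$",
                 r"/Library/Cookies/Cookies\.binarycookies$"],
    "wallet":   [r"/\.electrum/wallets/", r"/Exodus/exodus\.wallet/",
                 r"/atomic/Local Storage/leveldb/", r"/Coinomi/wallets/"],
    "userdocs": [r"/Desktop/", r"/Documents/"],
}
ARCHIVE_SUFFIXES = (".zip", ".tar", ".gz")


def classify(path):
    """Return the sensitive-data category a path falls into, or None."""
    for category, patterns in SENSITIVE.items():
        if any(re.search(p, path) for p in patterns):
            return category
    return None


def hunt(events, min_categories=2):
    """Flag any process that touched >= min_categories sensitive categories
    and then either wrote an archive or made a network connection."""
    state = defaultdict(lambda: {"proc": None, "cats": set(), "archive": False, "net": False})
    for e in events:
        s = state[e["pid"]]
        s["proc"] = e["proc"]
        if e["op"] == "open":
            category = classify(e["path"])
            if category:
                s["cats"].add(category)
        elif e["op"] == "write" and e["path"].endswith(ARCHIVE_SUFFIXES):
            s["archive"] = True
        elif e["op"] == "connect":
            s["net"] = True
    alerts = []
    for pid, s in state.items():
        if len(s["cats"]) >= min_categories and (s["archive"] or s["net"]):
            alerts.append({"pid": pid, "proc": s["proc"],
                           "categories": sorted(s["cats"]),
                           "staged_archive": s["archive"], "network": s["net"]})
    return alerts


# Constructed sample: Chrome reading its own profile (benign), then an unknown
# binary sweeping keychain, browser, wallet and Desktop data before exfiltrating.
CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
UNKNOWN = "/private/tmp/updater"   # hypothetical dropped binary
HOME = "/Users/alice"
EVENTS = [
    {"ts": "2023-04-27T09:01:02Z", "pid": 812, "proc": CHROME, "op": "open",
     "path": HOME + "/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": "2023-04-27T09:01:02Z", "pid": 812, "proc": CHROME, "op": "open",
     "path": HOME + "/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": "2023-04-27T09:01:05Z", "pid": 812, "proc": CHROME, "op": "connect",
     "path": "203.0.113.10:443"},
    {"ts": "2023-04-27T09:14:30Z", "pid": 4471, "proc": UNKNOWN, "op": "open",
     "path": HOME + "/Library/Keychains/login.keychain-db"},
    {"ts": "2023-04-27T09:14:31Z", "pid": 4471, "proc": UNKNOWN, "op": "open",
     "path": HOME + "/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": "2023-04-27T09:14:31Z", "pid": 4471, "proc": UNKNOWN, "op": "open",
     "path": HOME + "/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"ts": "2023-04-27T09:14:32Z", "pid": 4471, "proc": UNKNOWN, "op": "open",
     "path": HOME + "/Desktop/passwords.txt"},
    {"ts": "2023-04-27T09:14:33Z", "pid": 4471, "proc": UNKNOWN, "op": "write",
     "path": "/private/tmp/.out.zip"},
    {"ts": "2023-04-27T09:14:34Z", "pid": 4471, "proc": UNKNOWN, "op": "connect",
     "path": "203.0.113.5:80"},
]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

Chrome stays under the threshold because everything it reads is in one category; the unknown binary trips four categories plus an archive write and a connection. In production the same logic would run over Endpoint Security or EDR file-open events, and the category list is the part to tune per fleet.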
Sources:
jamf, Cyble
18 Comments on Bad Week for MacOS Security: Two New Malware Threats Identified
First Linux-based OS to report virii... and now this. Apple, just make your own OS without stealing from the public domain and then ruining it.
With such careless end user behavior, that is going to make security a tough act without severely hampering usability. As it is now, macOS will deny an install attempt of software from an unverified developer. Curious how both of these get around that. You can override that, but it requires multiple steps.
Look what happened to Intel with Spectre and Meltdown - that affected everything from the Core 2 Duo to 8th gen hardware, and they had plenty of variants and changes over the years. If you rely on just one primary design for everything, a flaw or vulnerability can bite you really hard.
This reminded me about InSpectre, tested on my 6700 system just now
ouch (4.4% single threaded / 11.3% multithreaded)
That and people like the NSA having tools like EternalBlue which are inevitably going to leak eventually...
Apple: uses open source OS
"NO NOT LIKE THAT :mad:"
OS software falls into two categories:
- GPLed such as Linux
- BSD/MIT license such as the BSDs and macOS
The latter is more permissive, but you still have a license.
Mac isn't really breaking any laws with what they do, but they sure love their propaganda "If we just deny the botnets exist, users will never know!"
Unix is basically the closed source version of Linux, is how I explain it - but they're often overlapping with compatibility due to the shared heritage (when they're not in a walled garden, cough cough)