Saturday, June 29, 2019

In-the-wild Mac malware kept busy in June—here’s a rundown

Newly disclosed OSX/CrescentCore is 1 of 6 Mac threats to come to light this month.

June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS.

The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that's available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe’s Flash media player, but it's in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.

“The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites,” Intego’s Joshua Long wrote of two separate versions of the malware his company has found. “Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.”

Security evasions

Long said that the CrescentCore versions he observed were signed with certificates belonging to an Apple-trusted developer. That would allow the malware to bypass Gatekeeper, a macOS protection that’s designed to thwart malware by allowing only digitally signed applications to be installed. Both recovered versions of CrescentCore are signed by certificates assigned to a developer using the name Sanela Lovic using certificate fingerprints 5UA7HW48Y7 and D4AYX8GHJS.

Long said he reported the certificate abuse to Apple, but as of early Friday afternoon, a tool called WhatsYourSign, developed by Mac security expert Patrick Wardle, showed both signing certificates remained valid. On Friday evening, the tool showed one certificate had been revoked and the other remained valid.

CrescentCore uses other techniques to avoid detection and analysis. After targets click on the fake Flash installer/updater, it first checks to see if it’s about to be installed inside a virtual machine or on a Mac that’s running AV software. If either of those possibilities turns out to be true, the trojan will simply exit and not do anything more. Security researchers almost always test suspected malware inside VMs to prevent accidentally infecting trusted work computers.

Mac users who want to check for infections should look for files with the name Player.dmg (or Player #.dmg or Player (#).dmg where # is a numeral such as 1 or 2) downloaded to the Downloads folder. Infected Macs may also contain folders or files with the following names:

  • /Library/
  • /Library/Application Support/
  • /Library/LaunchAgents/
  • com.player.lights.extensions.appex
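
The manual check above can be scripted. The following is an added example, not code from Intego or the article: it looks for the Player.dmg name variants in a Downloads folder and for the com.player.lights.extensions.appex name anywhere under a Library tree. The paths are parameters (and the script name in the comment is a placeholder) so the same functions can be pointed at a test directory or a live Mac.

```sh
#!/bin/sh
# Added example (not Intego's or the article's code): defender-side check
# for the CrescentCore indicators the article lists. The Downloads folder
# and the Library tree are passed in as arguments.

# List regular files directly inside $1 named Player.dmg, "Player #.dmg"
# or "Player (#).dmg", where # starts with a digit.
find_player_dmg() {
    find "$1" -maxdepth 1 -type f \
        \( -name 'Player.dmg' \
           -o -name 'Player [0-9]*.dmg' \
           -o -name 'Player ([0-9]*).dmg' \) 2>/dev/null | sort
}

# List any file or folder below $1 (e.g. /Library or ~/Library) named
# com.player.lights.extensions.appex, the bundle name Intego cites.
find_appex() {
    find "$1" -name 'com.player.lights.extensions.appex' 2>/dev/null | sort
}

# Run both checks: return 0 when nothing matched, 1 (and print the paths)
# when indicators were found.
check_mac() {
    downloads=$1
    library=$2
    found=$( { find_player_dmg "$downloads"; find_appex "$library"; } )
    if [ -n "$found" ]; then
        echo "CrescentCore indicators found:"
        echo "$found"
        return 1
    fi
    echo "no CrescentCore indicators in $downloads or $library"
    return 0
}

# Stand-alone use on a Mac (script name is a placeholder):
#   sh check_crescentcore.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mac "$HOME/Downloads" "$HOME/Library"
    check_mac "$HOME/Downloads" /Library
fi
```
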

Friday’s Intego post lists one of at least six macOS threats that have come to light this month. Others include:

  • OSX/Linker, a Mac malware family that exploits a zero-day vulnerability in Gatekeeper so that it can install unsigned malware. The exploit technique, which was disclosed by researcher Filippo Cavallarin last month, works by loading installers from a network-shared disk, which is off limits to Gatekeeper.
  • A cryptocurrency miner dubbed LoudMiner by ESET and Bird Miner by Malwarebytes, the two firms that independently discovered it. The miners, found in a cracked installer for the high-end music production software Ableton Live, work by emulating Linux.
  • Malware dubbed OSX/Newtab, which tries to inject tabs into the Safari browser. Some of the file names disguise themselves as government forms or recipe apps. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE).
  • Backdoors dubbed NetWire and Mokes that were installed in in-the-wild attacks exploiting a pair of potent Firefox zero-days to target people involved with cryptocurrencies. Both backdoors were able to bypass Gatekeeper and were undetected by antivirus engines at the time the attacks went live.

The recent activity is an indication that more and more malware developers are finding it worth their time to create malicious wares for macOS, a platform they largely shunned a decade ago.

As is the case with Windows computers, the best way to protect Macs against malware is to ensure the OS, browsers, and browser extensions are updated as soon as possible after security patches are released. Another key safeguard is to never run a stand-alone version of Flash (the one built into Chrome is generally OK).

Friday, July 13, 2018

New iOS security feature can be defeated by a $39 adapter… sold by Apple


Yesterday Apple released a brace of updates for its software – fixing bugs and patching security holes in the likes of MacOS, watchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows, and iOS for iPhones and iPads.

The update for iOS, bringing it to version 11.4.1, is particularly interesting as it includes a new feature – “USB Restricted Mode.”

USB Restricted Mode is designed to disable an iPhone or iPad’s Lightning port, preventing it from transferring data, one hour after the device was last locked.

You can still charge your device after its Lightning port has been disabled, but you need to enter the device’s passcode if you wish to use the port to transfer data to and from the device.

A support advisory from Apple shares more details:

“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked.”

“If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

Which sounds, of course, like bad news for law enforcement and intelligence agencies who may want to crack into a locked iPhone using tools like GrayKey. GrayKey, and similar tools, use the Lightning port to help anyone with physical access crack their way into a locked device – without having to manually guess the passcode.

Unfortunately for Apple, and customers who like to believe that their phone is private, a workaround has been discovered whereby police could prevent an iPhone or iPad entering USB Restricted Mode if they act quickly enough.

Researchers at Elcomsoft discovered that the one-hour countdown timer can be reset simply by connecting the iPhone to an untrusted USB accessory:

“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”

And where might you find such a compatible USB accessory that can prevent USB Restricted Mode from kicking in?

Look no further than Apple’s own online store, where the company will happily sell you a Lightning to USB 3 Camera Adapter for a mere $39. Chances are that there are even cheaper accessories which will do the job just as well.

Apple has successfully made the window of opportunity smaller for anyone (whether they be a member of law enforcement or not) to crack into an iPhone, but this discovery means that they have not closed it completely.

Apple will need to continue to strengthen the security and privacy of its mobile devices if it wishes to maintain its edge over many Android smartphones. Nice try with iOS 11.4.1 Apple, but we need you to do more.

Sunday, January 14, 2018

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users


A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers, reportedly the first macOS malware of 2018.
Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.
DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.
The malware first appeared on the Malwarebytes forum, where a user posted a query about unknown malware that had infected a friend's computer and silently changed the DNS settings of the infected Mac to the and addresses.
After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a 'DNS Hijacker,' which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.
"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Patrick said.
"By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)" or to insert cryptocurrency mining scripts into web pages.
Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes the following abilities, most of which are not currently activated in its version 1.1.0:
  • Take screenshots
  • Generate simulated mouse events
  • Perhaps persist as a launch item
  • Download and upload files
  • Execute commands
The motive, author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.
To check whether your Mac is infected with MaMi malware, inspect your DNS settings (from the Terminal or in the System Preferences app), looking in particular for the and addresses.
According to VirusTotal, a multi-engine antivirus scanner, none of the 59 antivirus engines it uses detects this malware at this moment, so you are advised to use a third-party tool, such as a firewall, that can detect and block outgoing traffic.
You can also install a free open-source firewall for macOS named 'LuLu,' created by Patrick and available on GitHub, which blocks suspicious traffic and prevents OSX/MaMi from stealing your data.

Wednesday, December 27, 2017

First Lawsuits Filed Against Apple for Slowing iPhones

Over the years, iPhone owners have often wondered aloud if Apple was doing something to slow down older devices. Now, we know that yes, it does do that. Just a few days after admitting that it has been quietly throttling older iPhones with degraded batteries, a pair of lawsuits have been filed against Apple alleging fraud and deceptive practices.

It became clear during the last few iOS version updates that Apple had opted to apply performance throttling to older devices. It wasn’t until Geekbench ran comparisons with various iOS versions that iPhone owners had any proof. Apple was forced to issue a statement in which it admitted to slowing down iPhones. In some ways, its position makes sense, but the way it handled the situation is terrible.

The situation has to do with how lithium-ion batteries age. We’re all familiar with batteries losing capacity as they get old, but they also have less voltage. It turns out Apple didn’t include enough headroom for the battery, and its voltage can fall below what is needed to power the custom A-series system-on-a-chip. Without enough voltage, the phone can just shut down without warning. Apple’s solution to this was to add performance throttling to iOS based on battery voltage. So, if your battery is degrading, your phone gets slow.

The first class-action lawsuit, filed in Illinois, accuses Apple of violating the Illinois Consumer Fraud and Deceptive Business Practices Act. Specifically, the filers point to Apple’s decision not to notify users that it was going to throttle their phones. As has been pointed out, very few would suspect a battery issue as the root cause of sluggish performance. That could lead consumers simply to buy a new phone, which is to Apple’s advantage.

Another suit filed in Los Angeles claims Apple’s phone throttling plan “was never requested or agreed upon.” This suit also suggests Apple is hoping to get consumers to upgrade by slowing down their phones rather than simply reporting that the hardware might need service.

It looks like Apple’s decision to introduce this “feature” secretly is the main issue here. Even if Apple’s intentions were pure (which is certainly up for debate), making these performance changes in secret looks very suspicious. For a company that claims to care about the user experience, this whole fiasco makes Apple look quite disconnected from the concerns of its customers. Class actions like these are notoriously slow to litigate, so iPhone owners might end up with a small settlement in a couple years.

Monday, December 18, 2017

New MacOS malware steals bank log-in details and intellectual property

Security researchers have discovered a new, invasive OSX.Pirrit adware variant targeting Mac OS X that enables cyber-criminals to take full control of a user's Mac computer.
The malware has already infected thousands of Mac computers around the world. According to a blog post by Amit Serper, principal security researcher at Cybereason, while usual adware campaigns enable the attackers to flood a person's computer with ads, this malware not only bombards Macs with adware, it spies on users and runs with the highest user privileges, enabling hackers to leverage this adware to capture personal information on the users, including bank account logins and intellectual property of businesses.

“To my surprise, it's very active. Not only is it still infecting people's Macs, OSX.Pirrit's authors learned from one of their mistakes (They obviously read at least one of our earlier reports),” said Serper.

He added that unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy server on the victim's machine to hijack the browser, this incarnation uses AppleScript, Apple's scripting/automation language.

“And, like its predecessors, this variant is nasty. In addition to bombarding people with ads, it spies on them and runs under root privileges,” he said.

Serper said that the malware uses AppleScript to inject JavaScript code directly into the browser. He added that the code is “a great example of how an adtech company is borrowing nefarious tactics found in malware to make it hard for antivirus software and other security products to detect them.”

“There is no difference between traditional malware that steals data from its victims and adware that spies on people's Web browsing and target them with ads, especially when those ads are for either fake antivirus programs or Apple support scams,” he said.

“As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random names for itself on each install. Plus, there are no removal instructions and some of its components mask themselves to appear like they're legitimate and from Apple.”

He said that a company called TargetingEdge created OSX.Pirrit and his research hasn't gone unnoticed by it.

“Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge's legal counsel. The letters demand that we stop referring to TargetingEdge's software as malware and refrain from publishing this report,” he said.

Serper said around 28 other antivirus engines on Virus Total also classify it as such. “The authors of this software went through great lengths to mask themselves and distance themselves from it,” he added. TargetingEdge claimed that it develops and operates a “legitimate and legal installer product for MAC users,” and is not malware and doesn't include any features of malware.

Kelvin Murray, threat research analyst at Webroot, told SC Media UK that users need to report any changes to the search or browser settings of their device to the admin. Users need to be aware that these changes can just be one visible part of a much bigger problem. He adds, “In addition, admins need to take the usual security measures including software updates, AV, and user education. Both the admin and users need to see this as yet another sign that Macs are not “virus proof” as is so commonly assumed and often ignored. There is a need of a stronger focus put onto OSX as security vulnerabilities are becoming more apparent, especially taking into account the event of the MacOS High Sierra.”

Sunday, December 17, 2017

Apple refunds Chinese woman after colleague unlocks her iPhone X using Face ID


The unique selling point of Apple’s 10th-anniversary premium smartphone, the iPhone X, is its Face ID technology, which, according to the tech giant, provides high security and cannot be tricked.

However, this Face ID technology failed when a colleague of a Chinese woman from Nanjing was able to unlock not one but two of her iPhone X handsets, reported the South China Morning Post.

The woman identified only by her surname Yan, from Nanjing, China told the Jiangsu Broadcasting Corporation that her co-worker was able to unlock both her iPhone X – original as well as the new one Apple gave her as a replacement – on every single attempt.

The first time it happened, Yan called the Apple hotline but the support team apparently refused to believe her. In order to demonstrate the facial recognition problem, Yan went to the nearest Apple Store along with her colleague to show the staff what happened.

Apple staff at the store said the camera might be faulty and gave Yan a refund, which she used to buy a new iPhone X, reported the South China Morning Post. However, she faced the same problem with the replaced iPhone X prompting the store to offer a second refund, said the report.

It’s still not clear whether Yan has bought a third iPhone X with the refund money. Apple has yet to comment on the issue.

Sunday, December 3, 2017

Number of malware attacks on Macs increased by more than 70%


70% more malware against Macs

In the first three quarters of 2017, the number of malware attacks on Macs increased by more than 70% and PUA (potentially unwanted applications such as adware) by 50% over the previous year (source: F-Secure Labs). The number of threats is growing rapidly as attackers are clearly shifting their efforts towards the often-unprotected Macs.

On October 17, Reuters reported a security breach of Microsoft's vulnerability tracking system, a breach that occurred more than four years ago, in 2013. And what was the attack vector in this breach? Macs. Our security adviser Sean Sullivan suspected from the start that Macs were involved.

Back in February 2013, he had correctly deduced that Apple Macs were involved in a related hack on Twitter. Given the serious potential damage such hacks could have caused, Sean wrote:

"People who use their Mac for work should not have the same sense of security as home users. It's obvious that work-based Macs are more of a goal, and security expectations should be scaled according to the threat level."

Nothing about the current Mac threat landscape has led Sean to question his earlier assessment. If you're using a Mac for business, Sean says, "You need to take the time to rethink your security profile."

The latest analysis from F-Secure Labs shows that the new malware is predominantly in the spyware category and that over a third of the attacks are targeted attacks. That may not surprise anyone: Macs need protection. However, there are huge differences in how companies have handled the safety of their various endpoints. A quick way to solve this is to opt for all-round cyber security protection, such as Protection Service for Business. The new version includes the advanced XFENCE technology, which provides the next level of Mac security.