![]() ![]() It’s actually fascinating seeing threat actors adopt principles of good technical communication, albeit for the wrong reasons! It just shows how professional these operations are. It’s also interesting how recent malware has started using shell scripts instead of Apple application bundles, and now just brazenly encourages users to override Gatekeeper with simple, effective infographics. Apple do revoke these signatures when they catch them, and to their credit they’ve got much more proactive about this over the last 12 months or so, but they still have to find them first. Then they avoid further checks on second and third stage payloads by sidestepping both Gatekeeper and XProtect (Apple’s built-in AV scanner) by downloading payloads using CURL, which doesn’t trigger either the new Notarization checks or Gatekeeper scrutiny. Malware authors will always adapt to the challenges of their environment, so when Apple introduced things like Gatekeeper to control third-party applications, actors simply signed up for Apple developer accounts and signed their installers. What’s particularly interesting is how easily threats get around the built-in security controls that Apple have included. This new breed of bad actors is finding ways to bypass the native protections in macOS - and Apple is struggling to stop them. ![]() But also worrying are the ways in which malicious actors seem able to adapt to and overcome Apple’s own security initiatives. With increasingly capable actors entering the picture, evasion and persistence techniques are growing more advanced. APT groups building tools to infect macOS users is something we never really saw just a few years back. Cryptominers have also been targeting macOS users recently, and these also use stealth techniques such as going to sleep when the user opens the Activity Monitor and hiding payloads in locations most users don’t even know exist.Īs for more serious malware and threat actors, there are a number of RAT trojans around that can be used against macOS, like EvilEgg and Empyre, and we’ve also seen increased attention from so-called “nation-state actors” like the North Korean Lazarus Group and WindTail. On top of that, we’ve seen many of these same actors increasingly adopt malware-like behaviour in the sense of using multiple persistence methods, more obfuscation and anti-analysis techniques, and dropping malware like Shlayer. These days, the landscape has changed in the sense that we’ve seen a consolidation and in some ways a cooperation between many of those actors, so that we now have “bundle installers” dropping adware on unsuspecting users on the one hand, and on the other the same adware redirecting users to download more bundle installers it’s a vicious circle such that if a user gets infected by one, they’ll very quickly end up with multiple infections. If a user gets infected by one, they’ll very quickly end up with multiple infections. Of course, there were occasional cases of more serious stuff, FruitFly, KeRanger and Flashback stand out … but relatively speaking, Mac users were rarely troubled by security issues. ![]() When I first started looking at threats on macOS it was almost entirely a mixture of simple adware and browser hijackers on the one hand and “Potentially Unwanted Software” and scareware like MacKeeper and MacBooster on the other. It’s also becoming more diverse - and more sophisticated. ![]() New research suggests that Mac malware is increasing exponentially - and even beginning to outpace Windows malware in terms of total threats per endpoint.īut while these findings were reported as shocking developments by the media, they come as less of a surprise to the Mac security professionals who have been watching the threat landscape evolve over the past several years.Īs security researcher Phil Stokes sees it, Mac malware isn’t just increasing in prevalence. We spoke with Phil about the state of Mac malware today - and why Apple is going to need all the help it can get. In March, he will present his research at the Objective by the Sea 3.0 macOS security conference. He is also an independent app developer who has created several macOS troubleshooting tools. Phil Stokes is a malware researcher and technical writer for SentinelOne, an emerging powerhouse in the world of enterprise cybersecurity. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |