Mac ,Linux Malwares are like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. A surge in malware targeting particular device groups reveals much about the shifting paradigm.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers came with a new variant of cryptojacking malware named Black-T, the brainchild of the TeamTNT cybercrime group, boosting its capabilities against Linux systems.
  • The added potential includes memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop)—two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunders

The IPStorm botnet has been targeting Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by September end.

  • IPStorm now boasts of newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang performs a brute-force technique against SSH services.
  • However, the Android systems are infected when the malware scans the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware’s additional capabilities included stealing emails by installing a malicious add-on to Apple Main and Thunderbird and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals unfurling tools targeting Linux and Mac devices put a dent in the broadly held opinion that those operating systems are more secure and not susceptible to malicious code, unlike others. Experts recommend checking network settings and avoiding using unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.

MacOS macros in to spotlight

Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.
Microsoft Office is no stranger to vulnerabilities and exploits.

Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but it’s possible for an attacker to take an exploit path from Microsoft Office to macOS .

The Human Error

In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.

Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. It’s the second stage payload that contains the “working” code of the attack, whether it’s skimming credentials, creating a bot, or encrypting the system’s data as part of a ransomware scheme.

Out of the (Sand)box

Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a “sandbox,” a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.

Researchers found ways to include SYLK files and XLM code that make macros execute whether or not they’re invoked or allowed. They still run within the sandbox. Wardle showed that it’s possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.

What kind of files can fit the twin bill?

A ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a file’s creation, Wardle said that there’s room for research here