Tag Archive for: MacOS

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

/in


Feb 16, 2024NewsroomEndpoint Security / Cryptocurrency

Cryptocurrency Firms

Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It’s distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.

Cybersecurity

“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”) – contains a basic shell script that’s responsible for fetching the implant from a website named turkishfurniture[.]blog. It’s also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.

Fake Job Offers

Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.

In addition, the binaries are capable of extracting details about the disk via “diskutil list” as well…

Source…

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

/in


macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

Pierluigi Paganini
February 10, 2024

Bitdefender Researchers linked a new macOS backdoor, named RustDoor, to the Black Basta and Alphv/BlackCat ransomware operations.

Researchers from Bitdefender discovered a new macOS backdoor, dubbed RustDoor, which appears to be linked to ransomware operations Black Basta and Alphv/BlackCat.

RustDoor is written in Rust language and supports multiple features. The malware impersonates a Visual Studio update and was designed to support Intel and Arm architectures.

The malware has been active since at least November 2023, but it was fist spotted on February 2nd 2024.

Researchers identified multiple RustDoor variants, and most of the samples share the same core functionalities with minor variations. The experts grouped these variants into Variant 1, 2 and Zero.

All the variants support commands that allow operators to gather and upload files, and gather information about the machine.

The first variant of the backdoor that was detected in November 2023 was likely a test version that did not support a persistence mechanism. The researchers noticed that the backdoor contained a plist file named ‘test’.

The second variant was spotted at the end of November, it contained a complex JSON configuration as well as an embedded Apple script used for exfiltration.

“We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.” reads the report published by Bitdefender. “The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as the notes of the user, stored in SQLITE format”

RustDoor
RustDoor

The configuration files included a list of applications for impersonation, the backdoor used this trick to spoof the administrator password presenting dialog.

“Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to  exclude” Bitdefender continues.

The “Variant Zero,” first spotted on 02.11.2023, is less…

Source…

Latest Edition of Mitre Cybersecurity Evaluation Program to Tackle Ransomware, Threats to macOS

/in


Common behaviors associated with ransomware campaigns will be tackled in the sixth round of MITRE Engenuity‘s ATT&CK Evaluations, a program that seeks to assess the capabilities and performance of enterprise cybersecurity solutions.

MITRE said Tuesday that applications are already being accepted for the latest round of ATT&CK Evals, whose focus on ransomware stems from the malware type’s persistence as “one of the most significant cybercriminal threats across industry verticals,” according to Amy Robertson, the program’s principal cyber threat intelligence analyst.

Due to the Democratic People’s Republic of Korea targeting macOS, the latest Evals round will also tackle Apple‘s laptop and desktop operating system.

“The DPRK has emerged as a formidable cyber threat, and they have progressively been expanding their focus to macOS as they work to evade international sanctions,” Robertson noted.

For his part, ATT&CK Evals General Manager William Booth said he and his organization were thrilled to expand the scope of the program to include macOS, a move that underscores a “commitment to comprehensive, platform-diverse assessments.”

Results of the evaluations will be released in the fourth quarter of 2024. Those interested in undergoing assessment have until April 30 to apply.

Source…

This new macOS backdoor lets hackers take over your Mac remotely — how to stay safe

/in


Hackers are beefing up their efforts to go after the best MacBooks as security researchers have discovered a brand new macOS backdoor which appears to have ties to another recently identified Mac malware strain.

As reported by SecurityWeek, this new Mac malware has been dubbed SpectralBlur and although it was uploaded to VirusTotal back in August of last year, it remained undetected by the best antivirus software until it recently caught the attention of Proofpoint’s Greg Lesnewich.

In a blog post, Lesnewich explained that SpectralBlur has similar capabilities to other backdoors as it can upload and download files, delete files and hibernate or sleep when given commands from a hacker-controlled command-and-control (C2) server. What is surprising about this new Mac malware strain though is that it shares similarities to the KandyKorn macOS backdoor which was created by the infamous North Korean hacking group Lazarus.

Just like SpectralBlur, KandyKorn is designed to evade detection while providing the hackers behind it with the ability to monitor and control infected Macs. Although different, these two Mac malware strains appear to be built based on the same requirements.

Once installed on a vulnerable Mac, SpectralBlur executes a function that allows it to decrypt and encrypt network traffic to help it avoid being detected. However, it can also erase files after opening them and then overwrite the data they contain with zeros.

Mac malware is on the rise

If you thought your Mac was safe from hackers and malware, I’ve got bad news for you. Cybercriminals may have preferred Windows machines in the past but now that Apple’s computers have seen a surge in popularity over the past few years, they’ve become a much more valuable target.

According to a blog post from the non-profit Objective-See (via The Hacker News), 21 new malware strains designed to target macOS were discovered in 2023 alone. This is a significant increase compared to the previous year when only 13 Mac malware strains were identified.

As such, expect to see even more Mac malware this year as hackers and other cybercriminals have seen firsthand just how valuable it can be targeting Apple’s computers over the best…

Source…