Tag Archive for: undetectable

Critical macOS Bug Could Allow Threat Actors to Install Undetectable Malware on Apple Devices


KEY POINTS

  • A new flaw was discovered within macOS SIP
  • Microsoft security experts reported it to Apple
  • Apple rolled out a patch to fix the vulnerability

Macs running macOS carried a vulnerability that, left unpatched, could be exploited by attackers to install a malicious kernel driver (a rootkit).

The bug, uncovered by Microsoft, lies in macOS System Integrity Protection (SIP), the mechanism that stops even root from modifying protected system locations. An attacker who bypasses SIP can install a rootkit, overwrite protected system files, and plant malware that is hard to detect.

“We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process,” the Microsoft researchers said in a blog post.


“Security technology like SIP in macOS devices serves both as the device’s built-in baseline protection and the last line of defense against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons. They can take complete control of the device and run any files or processes they wish without getting detected by traditional security solutions,” explained Jonathan Bar-Or, of the Microsoft 365 Defender Research team.

“This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit,” Bar-Or noted. “As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases.”

Apple has patched the flaw, tracked as CVE-2021-30892, in macOS Monterey and in the updates for Big Sur and Catalina. Because SIP itself is the control being bypassed, there is no configuration workaround; applying the update is the remediation. The Cupertino-based company fixed several other critical bugs in the same round of macOS Monterey updates.

The Microsoft 365 Defender Research team also…

Source…

DirtyMoe Botnet Returns With Undetectable Threat Profile


The malware botnet known as DirtyMoe has been around since at least 2016, but its newest version makes some major changes that put it back in the spotlight. Take a look at how the new version works, what is different about it and how to defend against it.

Back in 2016, NuggetPhantom appeared as its first iteration. NuggetPhantom and several of the threat’s other early samples did not work well, however: they tended to be unstable and produced the symptoms one would expect from a compromise.

Fast forward five years, and DirtyMoe is a different malware. Avast analyzed its most recent variants and found that they match contemporary threats in anti-forensic, anti-debugging and anti-tracking capability. On top of this, the DirtyMoe botnet pairs a modular structure with a profile built to resist detection and tracking.

How the DirtyMoe Botnet Works

DirtyMoe’s attack chain begins with the attackers attempting to gain admin privileges on a target’s Windows machine.

One of their preferred techniques is the PurpleFox exploit kit, which uses EternalBlue, the exploit for the Windows SMBv1 vulnerability patched by MS17-010. In spring 2019, researchers discovered a campaign in which attackers leveraged the same flaw to distribute cryptomining malware.

DirtyMoe’s authors also used infected files and phishing emails. These carried URLs that exploited Internet Explorer flaws as a means of gaining higher privileges. Once they had admin rights, the attackers used the Windows MSI installer to deploy DirtyMoe. They used the Windows Session Manager (smss.exe) to overwrite ‘sens.dll’, the system DLL that implements the System Event Notification Service (SENS). Because SENS runs as a Windows service, that overwrite let the main DirtyMoe botnet service run with SYSTEM privileges.

Loading that service started a rootkit driver that concealed DirtyMoe’s services, files and registry entries. When it was first discovered, the malware authors used their creation mostly for cryptojacking. Other researchers found that the threat could conduct distributed denial-of-service (DDoS) attacks as well.
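The sens.dll overwrite described above is the kind of event an endpoint detector can alert on. The following is an added example, not Avast’s code or DirtyMoe’s: it runs two rules over constructed, simplified Sysmon-style events (not real telemetry). Rule one flags any process other than an assumed allowlist of Windows servicing binaries writing sens.dll directly; rule two flags a staged replacement through the Session Manager’s PendingFileRenameOperations value, the registry value smss.exe processes at boot to move or delete files (its layout is alternating source and destination entries, with an empty destination meaning delete). The event layout, process names and allowlist are assumptions for the example.

```python
import ntpath
import re

# The file DirtyMoe is described as overwriting, and the Session Manager value
# through which smss.exe performs deferred file replacements at boot.
PROTECTED_FILES = {r"c:\windows\system32\sens.dll"}
PENDING_RENAME_KEY = (r"hklm\system\currentcontrolset\control\session manager"
                      r"\pendingfilerenameoperations")
# Heuristic allowlist (an assumption): processes that legitimately replace
# protected system files. A real detector would also verify the Authenticode
# signature of the resulting file rather than trust a process name.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe"}

# Constructed, simplified Sysmon-style events (not real telemetry).
# id 11 = file create/overwrite, id 13 = registry value set. For the registry
# event, "details" mirrors the value's real layout: alternating source, dest.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\sens.dll"},
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\Temp\sens.dll"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations",
     "details": [r"\??\C:\Windows\Temp\sens.dll", r"\??\C:\Windows\System32\sens.dll"]},
    {"id": 11, "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\alice\notes.txt"},
    {"id": 11, "image": r"C:\Windows\Temp\dropper.exe",
     "target": r"C:\Windows\System32\sens.dll"},
]


def _norm(path):
    """Case-insensitive, backslash-only form for comparison."""
    return path.replace("/", "\\").lower()


def _strip_nt_prefix(path):
    # Session Manager entries use NT object paths such as \??\C:\...
    return re.sub(r"^\\\?\?\\", "", path)


def detect(events):
    """Return (event_index, rule, offending_path) for each suspicious event."""
    alerts = []
    for idx, ev in enumerate(events):
        writer = ntpath.basename(_norm(ev["image"]))
        target = _norm(ev["target"])
        if ev["id"] == 11 and target in PROTECTED_FILES and writer not in TRUSTED_WRITERS:
            alerts.append((idx, "direct_overwrite", ev["image"]))
        elif ev["id"] == 13 and target == PENDING_RENAME_KEY:
            entries = ev.get("details", [])
            # Walk the (source, destination) pairs; a delete has an empty dest.
            for src, dst in zip(entries[0::2], entries[1::2]):
                if _norm(_strip_nt_prefix(dst)) in PROTECTED_FILES:
                    alerts.append((idx, "staged_overwrite_via_session_manager",
                                   _strip_nt_prefix(src)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample events the TrustedInstaller write passes, the copy into Temp is ignored, the staged rename of Temp\sens.dll over System32\sens.dll fires rule two, and the direct write by dropper.exe fires rule one. In production the allowlist should be replaced or backed by a signature check on the file that ends up in System32 (for example Get-AuthenticodeSignature in PowerShell), since a dropper can name itself anything.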

All the while, attackers used VMProtect and the malware’s own encryption algorithm to hide what they were doing. They also employed…

Source…

74% of Q1 Malware Was Undetectable Via …


Attackers have improved on tweaking old malware to continue sneaking it past traditional threat detection controls, researchers report.

Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.

WatchGuard Technologies recently analyzed threat data collected from customer networks during the first quarter of 2021 and found that 74% of the threats detected were zero-day malware, meaning no anti-virus signature existed at the time the malware was released. As a result, the malware was capable of bypassing signature-based threat detection tools and breaching enterprise systems.

The level of zero-day malware detections in the first quarter was the highest WatchGuard has ever observed in a single quarter and completely eclipsed the volume of traditional threats, the security vendor said in a report this week.

“The main takeaway is enterprises — and organizations of all sizes really — need to get serious about proactive malware detection,” says Corey Nachreiner, chief security officer at WatchGuard. Attackers have consistently gotten better at repackaging old malware in ways that keep its binary profile from matching the fingerprints and patterns previously used to detect it. In the past, such “packing and crypting” required skilled criminals. These days, tools are readily available in underground markets that make it easy for attackers to keep digitally altering the same malware so it can bypass signature-based systems, he says.

A few years ago, such zero-day malware represented about 30% of all detected malware samples. More recently, that number has hovered around the 50% range and occasionally hit 60%. Seeing that number reach 74% in the first quarter was a bit surprising, Nachreiner says. “Pattern-based malware detection is no longer sufficient with the volumes of new malware that we see today,” he says. “Traditional antivirus products alone will miss many threats.”
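The repackaging Nachreiner describes is easy to see in miniature. The following is an added example, not WatchGuard’s code or any real malware: a constructed byte string stands in for an old sample, a toy XOR “crypter” repacks it under a fresh key per variant, and the analysis shows why an exact hash or byte pattern misses every variant while two things survive repacking: the entropy of the bytes on disk (the 6.5 bits/byte threshold is an assumed tuning value) and the original pattern once the payload is unpacked, which is what emulation or sandboxing exposes.

```python
import hashlib
import math
import random

# Constructed stand-in for an old malware sample (not a real binary): a header,
# padding and one distinctive string a pattern-based scanner keys on.
ORIGINAL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
                   + b"cmd.exe /c powershell -enc " + b"A" * 40
                   + b"\x00" * 100)
SIGNATURE = b"powershell -enc"      # the "fingerprint" a pattern scanner stores
ENTROPY_ALERT_THRESHOLD = 6.5       # bits/byte; assumed tuning value for the example


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def shannon_entropy(blob):
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def xor_pack(blob, key):
    """Toy crypter: XOR the payload with a key as long as the payload.
    A real packer prepends a stub that reverses this at run time, so behaviour
    is unchanged while every byte on disk differs. Applying it twice with the
    same key restores the original, which is also how the stub unpacks."""
    return bytes(b ^ k for b, k in zip(blob, key))


def make_variant(seed):
    """Repack the same payload under a fresh key; every seed yields a new hash."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(len(ORIGINAL_SAMPLE)))
    return xor_pack(ORIGINAL_SAMPLE, key), key


def analyze(blob):
    """What a scanner sees on disk: exact hash, pattern hit, and an entropy heuristic."""
    entropy = shannon_entropy(blob)
    return {
        "sha256": sha256(blob),
        "signature_hit": SIGNATURE in blob,
        "entropy": round(entropy, 2),
        "packed_heuristic": entropy > ENTROPY_ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    print("original:", analyze(ORIGINAL_SAMPLE))
    for seed in (1, 2):
        packed, key = make_variant(seed)
        print(f"variant {seed}:", analyze(packed))
        # An emulator or sandbox that lets the stub run sees the original again.
        print("  signature hit after unpacking:", SIGNATURE in xor_pack(packed, key))
```

Each seed gives a different SHA-256 and no signature hit, so a hash or pattern feed updated for variant 1 still misses variant 2; the entropy heuristic flags both, and unpacking restores the pattern. Entropy alone is a weak signal (legitimately compressed or encrypted files trip it too), which is why it is used to route samples to deeper analysis rather than to convict on its own.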

Exacerbating the issue is the continued use of fileless or living-off-the-land (LotL) techniques that are explicitly designed to evade traditional detection tools,…

Source…

New Linux Malware Mines Crypto While Remaining Undetectable – Cointelegraph


Two threat analysts recently stumbled upon new Linux malware that keeps its cryptocurrency mining operations hidden. On Sept. 16, Augusto Remillano II and …
