THE DROPPER (DabushcavicGames) Mac OS
OSX/Keydnap is a Mac OS X Trojan horse that steals the contents of the infected machine's keychain (including iCloud Keychain items) and uses a dropper to establish a persistent backdoor. It does not exploit a vulnerability: the dropper abuses the file naming convention, shipping an executable disguised with a document-like extension so that the user runs it, and then dumps the keychain. It was first detected in early July 2016 by ESET researchers, who also found it being distributed through a.

Dropover, which is unrelated to the malware above, is a utility that makes Drag & Drop easier. Use it to stash, gather or move any draggable content without having to open side-by-side windows. It provides an easy-to-access storage shelf for your Mac that lets you stash any draggable content.

The Genieo adware sample discussed here was built on a Mac running OS X 10.8 Mountain Lion back in 2013. Somewhat surprisingly, the embedded URL for InstallGenieo.dmg inside this 7-year-old sample is alive and well, and still delivers two variants of the Genieo malware (one sneakily embedded in the Genieo uninstaller): OSX.Genieo.A and OSX.Genieo.E.

In Minecraft, when an item is placed into a hopper by a dropper block, the hopper does not change the state of any comparator attached to it. To reproduce this: place a dropper anywhere, place a hopper facing the output side of the dropper, place a comparator for the redstone output of the hopper, put any item of any amount in the dropper, and power the dropper.
Computer users, especially Mac users, should be on the lookout for a dangerous Mac OS X Trojan disguised as a PDF file that tricks users into installing malware, which in turn leaves their system open to remote attack.
Even though it is rare, Mac malware continues to be a burden for unfortunate Mac OS X users who run their systems without any type of anti-malware or anti-virus protection. Recent waves of malware attacks on Macs have resulted in the installation of fake security applications, much like what PCs face on a day-to-day basis. The latest threat against Macs uses a social engineering technique, one of the first we have seen affect a Mac system: it takes advantage of a trusted and recognizable file type, a PDF file in this case, and uses it to install a backdoor on the Mac.
The two pieces involved, Trojan-Dropper:OSX/Revir.A and Backdoor:OSX/Imuler.A, are the culprits behind the recent fake-PDF attack on Macs. Revir.A is the dropper: it is an executable that poses as a PDF, displays a decoy document when run, and installs the backdoor. Imuler.A is the backdoor, which connects to a remote command-and-control server over the Internet. Backdoors carry a heavy payload in the sense that, once that remote connection is established, an attacker can infiltrate the system and gain unrestricted access to files, personal data and stored passwords. In other words, this attack can turn into a bad case of 'you no longer exist', or what we refer to as identity theft.
Security researchers have found that the decoy PDF shown by this malware contains Chinese-language text. We commonly see malware written in a language other than English, which is sometimes a hint about its creator's origin. Where the malicious file actually comes from has yet to be revealed.
The Mac OS X fake-PDF Trojan is currently a low-risk threat: it does not take advantage of any vulnerability, and the "PDF" is simply an executable that installs the backdoor once the user runs it. Moreover, some security researchers believe that a properly configured Mac would be able to block the backdoor installer launched by the malicious file. Clearly, the crosshairs are still sharply focused on Windows systems, and Mac computers are just bonus points for relentless attackers who conjure up new malware every day.
Do you ever think or fear that Mac computers will one day face the wrath that PCs have faced when it comes to malware? If so, what factors other than a growing population of Macs would contribute to their being targeted?
The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.
A lot of researchers and security companies have been interested in OSX/Flashback. Many have published observations and partial results, generating a lot of buzz. ESET has been actively investigating the OSX/Flashback botnet. ESET was one of the first companies to implement a sinkhole to monitor the botnet. We can confirm the magnitude of the infection spread reported by other companies: we have seen more than 491,793 unique IDs coming from over 749,113 unique IP addresses connecting to our sinkhole. We are actively collaborating with the security community, sharing the results of our reverse engineering efforts and sinkhole data.
The OSX/Flashback malware can infect computers by multiple means. In the last couple of months, we have seen it spread as a fake Adobe Flash player (hence its name) and through exploits. The bulk of the infections happened recently when a group of websites started distributing the malware through drive-by download, exploiting the CVE-2012-0507 vulnerability in Java.
The first-stage component of OSX/Flashback is a dropper; its only function is to contact a command-and-control server, download additional components and run them. Some of the dropper variants we have seen also install a library. Once installed, the library is loaded into every application on the system. It hooks the system functions responsible for network communication and is therefore in a position to alter web pages and spy on users' Internet activity and behaviour. It is still unclear to us whether this spying is used to display unsolicited advertisements in the browser of infected computers or to steal information.
When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.
When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.
Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.
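The counting problem described above can be seen with a small amount of code. The following Python is an added example, not ESET's sinkhole tooling; it assumes a constructed log format of "timestamp client_ip bot_uuid" per line (the log lines below are made up for the example) and flags UUIDs that report from many distinct IP addresses, which is the signature of a cloned hardware UUID. For such UUIDs it counts each source IP as a separate host, giving an estimate that sits between the two naive counts (unique IDs and unique IPs).

```python
import re
from collections import defaultdict

# Constructed sinkhole log lines for the example (not real data).
# Assumed format: "<timestamp> <client_ip> <bot_uuid>"
SINKHOLE_LOG = """\
2012-04-10T10:01:02Z 203.0.113.5 1A2B3C4D-1111-2222-3333-444455556666
2012-04-10T10:01:09Z 203.0.113.5 1A2B3C4D-1111-2222-3333-444455556666
2012-04-10T10:02:15Z 198.51.100.7 7E7E7E7E-AAAA-BBBB-CCCC-DDDDEEEEFFFF
2012-04-10T10:03:44Z 203.0.113.9 XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-10T10:05:01Z 198.51.100.20 XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-10T10:07:13Z 192.0.2.33 XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-10T10:09:50Z 192.0.2.34 XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-10T11:00:00Z 192.0.2.35 0F0F0F0F-1234-5678-9ABC-DEF012345678
2012-04-10T11:00:00Z 192.0.2.35 0F0F0F0F-1234-5678-9ABC-DEF012345678
2012-04-10T11:30:00Z 198.51.100.7 0F0F0F0F-1234-5678-9ABC-DEF012345678
"""

# Hardware UUID shape; 'X' is allowed because the article redacts one block.
UUID_RE = re.compile(r"^[0-9A-FX]{8}-[0-9A-FX]{4}-[0-9A-FX]{4}-[0-9A-FX]{4}-[0-9A-FX]{12}$")


def parse_sinkhole(text):
    """Parse log text into (timestamp, ip, uuid) tuples, dropping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, uuid = parts
        uuid = uuid.upper()
        if not UUID_RE.match(uuid):
            continue
        records.append((ts, ip, uuid))
    return records


def summarize(records, duplicate_threshold=3):
    """Count unique IDs and IPs, flag cloned UUIDs, and estimate the host count.

    A UUID seen from at least `duplicate_threshold` distinct IPs is treated as
    shared by several machines (e.g. a Hackintosh distribution), and each of
    its source IPs is counted as one host. All other UUIDs count once.
    """
    ips_by_uuid = defaultdict(set)
    uuids_by_ip = defaultdict(set)
    for _, ip, uuid in records:
        ips_by_uuid[uuid].add(ip)
        uuids_by_ip[ip].add(uuid)

    suspect = {u: sorted(ips) for u, ips in ips_by_uuid.items()
               if len(ips) >= duplicate_threshold}
    host_estimate = sum(len(ips) if u in suspect else 1
                        for u, ips in ips_by_uuid.items())
    return {
        "unique_ids": len(ips_by_uuid),
        "unique_ips": len(uuids_by_ip),
        "suspect_uuids": suspect,
        "host_estimate": host_estimate,
    }


if __name__ == "__main__":
    summary = summarize(parse_sinkhole(SINKHOLE_LOG))
    print(f"unique IDs: {summary['unique_ids']}, unique IPs: {summary['unique_ips']}")
    for uuid, ips in summary["suspect_uuids"].items():
        print(f"cloned UUID {uuid} seen from {len(ips)} IPs: {', '.join(ips)}")
    print(f"host estimate: {summary['host_estimate']}")
```

The threshold is a judgement call: DHCP churn and mobile users legitimately move a genuine UUID across a handful of addresses over weeks, so in practice the window should be short (a day) and the threshold set from the distribution of IPs-per-UUID seen in the data rather than a fixed constant.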
Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to fetch an executable file from those websites. The latest variants of the dropper and the library encrypt their important strings with a key derived from the Mac's hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they do not also have access to that machine's UUID.
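The practical consequence of UUID-keyed strings for an analyst is shown below. This is an added example and not Flashback's code: the page does not say which cipher Flashback used, so RC4 keyed directly with the ASCII UUID is assumed for illustration, and the sample strings are made up. The only real system detail is the `ioreg -rd1 -c IOPlatformExpertDevice` command, which is how the hardware UUID (IOPlatformUUID) is read on macOS; the helper returns None on other systems so the example still runs offline.

```python
import re
import subprocess


def read_platform_uuid():
    """Return this Mac's hardware UUID via ioreg, or None when not on macOS."""
    try:
        out = subprocess.run(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
                             capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, OSError):
        return None
    m = re.search(r'"IOPlatformUUID" = "([0-9A-F-]+)"', out)
    return m.group(1) if m else None


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_strings(strings, uuid):
    """Encrypt each string under the UUID-derived key (assumed scheme)."""
    key = uuid.encode("ascii")
    return [rc4(key, s.encode("utf-8")) for s in strings]


def decrypt_strings(blobs, uuid):
    """Decrypt each blob with the UUID; wrong UUID yields garbage, not an error."""
    key = uuid.encode("ascii")
    return [rc4(key, blob).decode("utf-8", errors="replace") for blob in blobs]


def looks_decrypted(text):
    """Analyst's sanity check: a correctly keyed string is printable ASCII."""
    return len(text) > 0 and all(32 <= ord(c) < 127 for c in text)


# Constructed sample: the redacted Hackintosh UUID from the article and two
# made-up configuration strings of the kind a dropper would protect.
SAMPLE_UUID = "XXXXXXXX-C304-556B-A442-960AB835CB5D"
SAMPLE_STRINGS = ["/usr/bin/curl -s", "update.example.invalid/stage2"]

if __name__ == "__main__":
    blobs = encrypt_strings(SAMPLE_STRINGS, SAMPLE_UUID)
    print("with the victim's UUID:", decrypt_strings(blobs, SAMPLE_UUID))
    wrong = decrypt_strings(blobs, "00000000-0000-0000-0000-000000000000")
    print("with an analyst's UUID:", wrong, [looks_decrypted(s) for s in wrong])
    print("this machine's UUID:", read_platform_uuid())
```

Because a stream cipher keyed by the UUID gives no error on a wrong key, the `looks_decrypted` check is what tells an analyst they have the right UUID; without the victim's UUID the strings (C&C hosts, paths, the DGA seed) simply cannot be recovered from the sample alone, which is exactly why the article asks for it alongside the binary.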
The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it generates a new Twitter hashtag and searches for any tweet containing that hashtag. A new C&C address can be handed to infected systems this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and is working on remediations to make sure the botnet operator cannot regain control of the botnet through Twitter.
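Both fallback channels, the five daily domains and the daily hashtag, are instances of date-seeded indicator generation, and the defender's job is the mirror image: reproduce the generator and pre-register or sinkhole what it will produce. The Python below is an added example, not Flashback's algorithm: the seed construction, the salt, the TLD list and the hashtag length are all assumptions chosen for illustration, and the tweets are constructed. What it shows is the shape of the scheme, the C&C-address extraction from a matching tweet, and the pre-computation a defender runs once the real generator has been reverse engineered.

```python
import hashlib
import re
import string
from datetime import date, timedelta

# Assumed parameters for the illustrative generator (not Flashback's values).
TLDS = ["com", "net", "org", "info", "in"]
SALT = b"example-dga-salt"
DOMAINS_PER_DAY = 5


def daily_seed(day: date) -> bytes:
    """Seed that changes once per calendar day: SHA-256(date || salt)."""
    return hashlib.sha256(day.isoformat().encode("ascii") + SALT).digest()


def _letters(digest_hex: str, length: int) -> str:
    """Map hex digest bytes onto lowercase letters (simple modulo, slightly biased)."""
    return "".join(string.ascii_lowercase[int(digest_hex[2 * k:2 * k + 2], 16) % 26]
                   for k in range(length))


def generate_domains(day: date, count: int = DOMAINS_PER_DAY):
    """The day's candidate C&C domains, deterministic for a given date."""
    seed = daily_seed(day)
    domains = []
    for n in range(count):
        digest = hashlib.sha256(seed + bytes([n])).hexdigest()
        domains.append(f"{_letters(digest, 12)}.{TLDS[n % len(TLDS)]}")
    return domains


def generate_hashtag(day: date) -> str:
    """The day's rendezvous hashtag for the Twitter fallback channel."""
    digest = hashlib.sha256(b"hashtag" + daily_seed(day)).hexdigest()
    return "#" + _letters(digest, 8)


# IPv4 with optional port; a real bot would also accept hostnames.
C2_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def extract_c2_from_tweets(tweets, hashtag):
    """Bot side: first address found in a tweet carrying today's hashtag, else None."""
    for text in tweets:
        if hashtag.lower() in text.lower():
            m = C2_RE.search(text)
            if m:
                return m.group(0)
    return None


def indicators_for_range(start: date, days: int):
    """Defender side: pre-compute domains and hashtags to block or sinkhole."""
    return {
        start + timedelta(days=d): {
            "domains": generate_domains(start + timedelta(days=d)),
            "hashtag": generate_hashtag(start + timedelta(days=d)),
        }
        for d in range(days)
    }


if __name__ == "__main__":
    today = date(2012, 4, 12)
    tag = generate_hashtag(today)
    # Constructed tweets: noise, plus one carrying the day's hashtag and an address.
    tweets = ["nice weather today", f"moved {tag} 198.51.100.23:8080 ok"]
    print("domains:", generate_domains(today))
    print("hashtag:", tag, "-> C&C:", extract_c2_from_tweets(tweets, tag))
    for day, ind in indicators_for_range(today, 3).items():
        print(day, ind["hashtag"], ind["domains"][0], "...")
```

Two properties matter operationally and both hold here: the output depends only on the date (so a sinkhole operator who knows the generator can register tomorrow's names today), and the hashtag channel needs no infrastructure the operator controls, which is why Twitter had to be notified rather than the domains simply seized.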
To protect your Mac OS X computers we highly recommend applying the latest update from Apple. In addition, users can also download a (free) trial version of ESET Cybersecurity for Mac to scan their computer for infection and clean any threat that might be found on the system.
Thanks to Marc-Etienne Léveillé and Alexis Dorais-Joncas for their contribution to this research.
Pierre-Marc Bureau
Security Intelligence Program Manager