متخصصان امنیت اطلاعات یک جعبه ابزار طراحی شده برای حمله به MacOS را کشف کردند

جعبه ابزار برای حملات به macOS
نوشته شده توسط کارینا ویلسون

Bitdefender discovered a set of malicious artifacts that they say are part of a complex cross-platform toolkit, including one that is targeting macOS devices.

یادآوری کنم که ما هم همین را نوشتیم Pirated Software for MacOS Comes with Malware, و همچنین آن Vulnerability in iOS and macOS Allowed Eavesdropping on Siri Conversations.

Also the media reported that the 0-day vulnerability in macOS was exploited to attack visitors of Hong Kong news sites.

The analysis of Bitdefender researchers is based on the study of several samples of malware that were uploaded to VirusTotal by an unnamed victim. The earliest example is dated April 18, 2023. It is noted that at the moment these samples are still poorly detected by security solutions andvery little information is available about any of them.

Two of the detected malware are simple backdoors written in Python and designed to attack Windows, Linux and macOS. These payloads have been collectively referred to as JokerSpy in a Bitdefender report.

The first malware is the shared.dat file, which, after being launched, checks the operating system (0 برای ویندوز, 1 for macOS, و 2 for Linux) and contacts the attackersserver for additional instructions. Among them may be: collecting information about the system, executing commands, downloading and executing files on the victim’s machine, and shutting down.

On macOS devices, base64 encoded content received from the server is written to the /Users/Shared/AppleAccount.tgz file, which is subsequently unpacked and launched as the /Users/Shared/TempUser/AppleAccountAssistant.app application.

On Linux hosts, the process is almost the same: the malware checks the distribution by accessing the /etc/os-release file, and then writes C code to a temporary tmp.c file, which is compiled into the /tmp/.ICE-unix/git file using cc commands on Fedora and gcc on Debian.

Experts write that among the samples, a “more powerful backdoor” was also foundthe sh.py file, which has an extensive set of capabilities for collecting system metadata, searching and deleting files, executing commands and files received from operators, and stealing data.

Another malware is a FAT binary calledxccwritten in Swift and intended for macOS Monterey (version 12) and newer. The file contains two Mach-O files for two x86 Intel and ARM M1 architectures.

Its main purpose is obviously to check permissions before using a potentially spyware component (probably for screen capture), but the spyware component itself is not included. This led us to believe that these files are part of a more complex attack, and that a number of files are missing from the system we are investigating.<span class="su-quote-cite">the researchers write.</span>

Experts believe that xcc is related to some sort of spyware based on the /Users/joker/Downloads/Spy/XProtectCheck/ path that was seen in the contents of the file, and because it checks permissions such as Disk Access, Screen Recording and accessibility.

It is still unclear who exactly is behind the detected malware, since even the vector of the initial infection is unknown. It is assumed that social engineering or spear phishing was most likely used here.

درباره نویسنده

کارینا ویلسون

با بیش از 10 سالها تجربه نوشتن برای رسانه های آنلاین و چاپی, من در ارائه کپی واضح و قانع کننده متخصص هستم.

من برای یک آژانس پیشرو کپی‌نویسی سئو و همچنین برای برخی از بهترین مارک‌های معروف بریتانیا نوشته‌ام., مجلات و روزنامه ها.

پیام بگذارید