malware and security

Ric Ford

MacInTouch
A heads-up from Thomas Reed:
Malwarebytes said:
Mac malware targets cryptomining users
Last week, a security researcher named Remco Verhoef announced the discovery of a new piece of Mac malware being distributed on cryptomining chat groups. This malware was later further analyzed by Patrick Wardle, who gave it the rather appropriate moniker OSX.Dummy.

The malware was being distributed by chat users posing as admins, who posted the following shell script for users to run...
 


Ric Ford

MacInTouch
Some new Mac malware was analyzed by Thomas Reed:
Malwarebytes Labs said:
Mac malware combines EmPyre backdoor and XMRig miner
... The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to aid in the piracy of a variety of Adobe applications. In this case, however, the app was called Adobe Zii, but it was definitely not the real thing.

... This script opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac.

...Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.

... If you’re infected, it’s impossible to say what else the malware may have done besides cryptomining. It’s entirely possible it could have exfiltrated files or captured passwords.
 


Another new Mac malware technically analyzed by Patrick Wardle:
Objective-See said:
Word to Your Mac
In this blog post, we’ll detail how to analyze a Word document that we suspect contains malicious logic.

Specifically we’ll detail:
  • How to extract & analyze the malicious macros embedded in the document.
  • How to decode & analyze the embedded 1st-stage payload (downloader).
  • Retrieve & identify the 2nd-stage downloader
I don't recommend downloading the sample!
 


Ric Ford

MacInTouch
More from Thomas Reed:
Malwarebytes Labs said:
Flurry of new Mac malware drops in December
...
The similarities between all these pieces of malware, as well as the close coincidence in timing (all were first submitted to VirusTotal within about a one-month period), may mean that they were all made by the same malware developer.

However, there is no concrete evidence for that supposition at this time. The IP addresses these pieces of malware communicate with are scattered around the globe in the US, Luxembourg, Germany, and the Netherlands, and there are no obvious connections between them. The code is similar, but not identical.

At this time, we are calling each of these by a different name, but will keep investigating.

In the meantime, the best things you can do to stay safe are:
  • Don’t allow macros to run in Microsoft Office documents
  • Don’t download software from anywhere other than the developer’s official site, and especially not piracy sites
  • Don’t open anything sent to you via email unless you know the sender and were expecting it
  • If you open a newly-downloaded application and something doesn’t work as expected, check with the developer
 


Ric Ford

MacInTouch
There's news today about clever Mac malware that combines web advertising (malvertising) with steganography and the familiar "Flash Updater" trojan:
Dan Goodin/Ars Technica said:
Malvertisers target Mac users with steganographic code stashed in images
Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness: a two-day blitz triggered as many as 5 million times per day that used highly camouflaged JavaScript stashed in images to install a trojan on visitors' Macs.

The ads were served by a group security firm Confiant has dubbed VeryMal, a name that comes from veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites triggered the image as many as 5 million times a day. In an attempt to bypass increasingly effective measures available to detect malicious ads, the images used steganography—the ancient practice of hiding code, messages, or other data inside images or text—to deliver its malicious payload to Mac-using visitors.
Eliya Stein/Confiant said:
Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users
Recent months have seen an uptick in reports of JavaScript malware that hides in image files. This is often referred to as “image based malware” or “steganography malware” in more technical contexts.
This post will examine a steganography-based payload utilized by a malvertiser that Confiant have dubbed VeryMal after one of their ad-serving domains, veryield-malyst.com. Malwarebytes provided an analysis of the malicious binary that was dropped. It’s estimated, based on the scope of our coverage, that as many as 5MM visitors may have been subject to this recent malware campaign.

The result of the fully executed payload is this familiar browser hijack...
 



Ric Ford

MacInTouch
FYI:
Bleeping Computer LLC said:
New SpeakUp Backdoor Infects Linux and macOS with Miners
A malware campaign distributing a new Backdoor Trojan named SpeakUp is currently targeting servers running six different Linux distributions and macOS by exploiting a number of known security vulnerabilities, while also managing to evade all anti-malware solutions in the process.

Backdoor Trojans are malware capable of providing attackers with access to compromised machines and to help them control those infected computers using commands sent via command-and-control (C&C) servers.
 


I repair quite a few Macs - mostly hardware, but software as well. I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".

I've googled and tried the various remedies, short of using terminal commands, and been unable to reset the password. This isn't the first time.

In some instances I'm pretty sure there has not been any "untoward" malware that has led to this situation. In this case it seems the malware has "implanted" something.

Does anyone know the foolproof way to allow resetting of the homepage or are there too many variables and it is really situation/condition specific?
 


Ric Ford

MacInTouch
I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".
That sounds like classic web browser malware, and Malwarebytes for Mac should clean it up. Let us (and the Malwarebytes folks) know if it doesn't. (Here's some discussion at the Malwarebytes website: Chumsearch Problem.)
 


I've noticed recently, and I don't know if it started in Mojave or before, the difficulty and sometimes the seeming impossibility of changing the homepage in Safari. I currently have a client's iMac (2012) where the homepage has been hijacked by "chumsearch.com".
It's not unique to Mojave, but adware developers have recently been very inventive in finding new ways to making such restorations more and more difficult. Although Malwarebytes will normally clean up what caused the infection, much of the needed resetting has to be done manually and often requires a restart.

There seems to be something new almost every day. One example is the installation of a profile to lock settings. Anti-malware has not come up with an acceptable way of uninstalling them. Chrome is even worse, requiring a nuclear uninstall of all components.
 



So here is the solution that finally worked:

The computer was at macOS 10.14.0. I updated it to macOS 10.14.3. That gave me an "empty" homepage. After some "massaging", I was able to get www.google.com as the homepage.
 



One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.

I didn’t see the dialog, so I don’t know if the computer was really locked or if it was just a window displayed from his Facebook feed in Safari.

When I was able to examine it, Malwarebytes and ClamXAV found nothing, but with a day of digging and fixing throughout the OS folders, I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener, and AdGuard for Safari.

I also found a Flash dmg in his downloads. I suspected that Flash, or maybe his use of Chrome with built-in Flash support, may have led to the warning dialog.

The Mac is on the latest macOS 10.13, all the caches were cleared, new Startup Items and LaunchAgents removed, passwords changed, and the last security update applied, among other things.

After several days of working fine, he was on Facebook, then his screen showed nothing else besides asking for his username and password. I assume it was asking for his Mac credentials, and it's interesting that Facebook was the initiator again.

I don’t know if I missed something, or if a Facebook extension may have tried to install something that prompted the dialog.

I’ve considered reapplying the combo update and security update, instead of a full erase, because his offline Time Machine backup is a few months old. Since USB itself is vulnerable, I’m considering throwing away my flash drives used for fixing, in case they installed something else. I’m going to look at his Mac again and would appreciate any suggestions.
 


Ric Ford

MacInTouch
... I don’t know if I missed something, or if a Facebook extension may have tried to install something that prompted the dialog. ... I’m going to look at his Mac again and would appreciate any suggestions.
I don't know what's happening exactly, but it's nasty, and it hit a friend of our family, too - on Windows, also involving Facebook. Here's my earlier post about it.
 


One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.

I didn’t see the dialog, so I don’t know if the computer was really locked or if it was just a window displayed from his Facebook feed in Safari.

When I was able to examine it, Malwarebytes and ClamXAV found nothing, but with a day of digging and fixing throughout the OS folders, I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener, and AdGuard for Safari.
What “expert” did your client call? It doesn’t seem out of the question that the expert was benefiting from the scam beyond whatever ridiculous fee the “expert” charged. I hope your client is in a position to dispute at least some of these charges.
 



I found applications and parts from: 360 Total Security, LogMeIn, GoTo Opener . . .
Criminals have had access to and control of your client's computer. They may still have access if they tricked your client into installing and activating the LogMeIn (or another) remote access client. "GoTo Opener" is part of the LogMeIn "Go To Meeting" remote system. "360 Total Security" is, if genuine, a China-origin anti-virus. Given criminals had control of the client's system, I wouldn't trust 360, and I'd be dubious of it even if genuine.

I would consider the Mac toxic and remove it from the network and Internet. My next step would be to secure my email accounts, since they're often used by financial institutions and brokers to verify account changes. I would check the server-side email setup to be sure the criminals didn't set up an email forward that would enable them to intercept verifications, and more.

Two-factor authentication helps, but if criminals had access to the system, a keylogger or man-in-the-middle scenario may enable interception of two-factor codes as they're entered, giving persistent control of the accessed site to the criminals.

If by offline you mean your client's Time Machine wasn't connected to the Mac while the criminals controlled it, that's an advantage, even if the backup is old. Don't reconnect it to the compromised Mac until the Mac is wiped and rebuilt.

(Personal experience: I've found hidden files from old installs. The most intriguing was a "phone home" from a tiny and hidden component of the Intego Security Suite I had cancelled and removed. The component was migrated forward into several Macs by Migration Assistant. It became noticeable when it started slowing down my system and showed up in Activity Monitor. Had it lain dormant for years, or had it been phoning home for years and become noticeable when its connection to Intego broke?)
Trojan horses disguised as Flash installers are very common (if you didn't already know).
Chrome has long sandboxed its custom "Pepper" Flash. Beginning in version 56, Chrome blocks Flash and requires user approval to let it run. Beginning in 69, Chrome stopped letting non-Enterprise users (easily) grant persistent permission for Flash to run on whitelisted sites. Because "Flash" is built into Chrome, there's no separate install. If [real Adobe] Flash is installed on that Mac, it would be for a different browser.

Flash has a long and melancholy history. Yet most of Flash exploits I've read about aren't Flash itself, but, as Ric wrote, fakes users are tricked into installing, often by popups. Flash's "safer" HTML5 replacement can pop up scareware notices, just like Flash did.
Ars Technica said:
Malvertisers target Mac users with steganographic code stashed in images
Clever HTML5 coding helps a blitz of malicious ads slip past scanners.

Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness: a two-day blitz triggered as many as 5 million times per day that used highly camouflaged JavaScript stashed in images to install a trojan on visitors' Macs.
Facebook has long been a distribution vehicle for this kind of attack:
CSO said:
If the Mac were mine, I'd do a nuke and pave from an external boot. PIA it may be, but I'd change every login ID and password that was stored or accessed from that system, presuming the criminals could have copied everything out of my password wallet and Keychain. I'd probably go further, and ask banks/brokers/credit cards to issue new account numbers.
 


Kathryn, good idea about the so-called expert being complicit, but not in this case. My client is quite old, easily confused, and doesn’t have a great memory. He just trusted a friend who had a friend who meant well. Not strangers.

Besides giving the criminals his now cancelled credit card, he also gave them his bank account number. It took much explaining to convince him that it needs to be changed too.

Ric, good to remind everyone about trojans disguised as Flash installers. That may or may not have been the case here. Malwarebytes didn’t detect anything, DetectX noticed the FlashPlayerInstaller in the downloads folder but didn’t comment on it. He also had Pepper Flash Player installed. EtreCheck and Simpleum Check were useful for verifying other settings and Onyx for clearing caches. I temporarily installed Little Snitch and saw no unidentified connections for many hours.

George, I agree that criminals controlled the client’s computer. All of the programs I mentioned have been completely removed, and more. Both the expert and the client were tricked through social engineering to install those programs as part of their security service. All passwords were changed, but he did not want me to set up 2-factor authentication or a password manager, as he gets easily confused. Good tip about verifying no email forwarding exists.

This Mac running macOS 10.13 is quite old and quite slow, and having only an outdated and disconnected Time Machine backup, he did not want me to take the time for a full erase and reinstall. I’m confident in what I did, but if it were my machine, I would certainly not trust it without an erase and reinstall.

I forced him to use Firefox and UBlock Origin, warning him about the fake messages that appear on Facebook and elsewhere. In Facebook, I found no apps listed, but I did turn off the preference to “interact with apps, websites and games.” Could that setting have played a part, when it was turned on?

My takeaway lesson is to start questioning every macOS and iOS app I have. What country are they made in? Do I really need this? What is their privacy policy? I avoid apps with ads and Chinese apps. I wonder how safe apps are from Ukraine, which includes Readdle. I don’t think we can blindly accept apps as safe, regardless of their notoriety. This would be a good conversation to have, if anyone has opinions.
 



My takeaway lesson is to start questioning every macOS and iOS app I have. What country are they made in? Do I really need this? What is their privacy policy? I avoid apps with ads and Chinese apps. I wonder how safe apps are from Ukraine, which includes Readdle. I don’t think we can blindly accept apps as safe, regardless of their notoriety. This would be a good conversation to have, if anyone has opinions.
That conversation also includes the latest versions of The Unarchiver, now owned by MacPaw in the Ukraine. Version 3.11.1 was the last version before they acquired it.
 


For iOS, my favorite equivalent of UBlock Origin is Weblock. It blocks ads, scripts, pop-ups, etc., using a VPN strategy, and works on most app ads as well as in Safari. Cheap at $1.99. I'm just a happy user. Only downside: I have to remember to re-enable VPN in Settings after every reboot, Apple's fault for a non-sticky setting.
 


Ric Ford

MacInTouch
For iOS, my favorite equivalent of UBlock Origin is Weblock...
Their privacy policy includes this bit:
Weblock said:
Privacy Policy
Our app use Flurry Analytics SDK to collect basic information about the app usage. The exact information collected by Flurry and privacy policy for this information can be found here: http://www.flurry.com/legal-privacy/privacy-policy. If you wish to disallow Flurry Analytics, please enable blocking of Flurry by going to "Weblock -> Filters -> User Tracking" and enabling "Block Flurry".
I went to http://www.flurry.com/legal-privacy/privacy-policy, and it seemed to be entirely devoid of any content at all. So I went to the Flurry home page and found a Privacy link that led here:
 


That conversation also includes the latest versions of The Unarchiver, now owned by MacPaw in the Ukraine. Version 3.11.1 was the last version before they acquired it.
Interesting. For what it's worth, it looks like the pre-acquisition distributions are still available on the original developer's website. I'm still wrestling with what exactly makes a Ukrainian company intrinsically less trustworthy than a Finnish one-man show (per his GitHub profile).
 


I would like to make a pitch here for using LaunchControl to deal with any computer belonging to a novice or ingenuous person.

It lets you go through and find all the automatic-launch stuff and shut it off. It is not the world's best interface, it has an annoying number of alerts and are-you-sures, but it will do the trick, and it's much easier than doing the same thing from Finder locations. EtreCheck will reveal other stuff you may have missed.

Malware removers are good at removing some malware, but I find that a lot of stuff is “semi-legit” enough to escape. If you use LaunchControl, you can deactivate and remove things that act like malware but technically might not be.

Also get familiar with Terminal, because you will need it... (not saying that to any one person, just in general).

Instead of TheUnarchiver, you can use Keka.
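Several posts in this thread describe hunting out automatic-launch items by hand (LaunchControl, EtreCheck, removing LaunchAgents). As an added example, not code from any poster or tool mentioned here, this Python script walks the standard launchd persistence directories and flags items with traits adware persistence commonly shows. The directory list and the sample plist are my own assumptions and constructions, and the heuristics are pointers for manual review, not verdicts.

```python
import os
import plistlib
from pathlib import Path

# Standard launchd persistence locations a cleanup usually walks (assumed, user and system level).
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Prefixes vendors normally install executables under.
VENDOR_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")
# Drop locations adware and malware persistence commonly run from.
DROP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(item: dict) -> str:
    """Executable launchd will run: the Program key, else ProgramArguments[0]."""
    if item.get("Program"):
        return str(item["Program"])
    args = item.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def classify(item: dict) -> list:
    """Return reasons a launchd item deserves a manual look; an empty list means nothing notable."""
    reasons = []
    label = str(item.get("Label", ""))
    prog = program_of(item)
    if not prog:
        return ["no Program/ProgramArguments"]
    if prog.startswith(DROP_PREFIXES):
        reasons.append("runs from a temp/shared directory")
    if any(part.startswith(".") for part in Path(prog).parts):
        reasons.append("executable lives in a hidden path component")
    # Apple's own agents live under /System or /usr; a com.apple.* label elsewhere is a common disguise.
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
        reasons.append("com.apple.* label but executable outside /System or /usr")
    if item.get("RunAtLoad") and item.get("KeepAlive") and not prog.startswith(VENDOR_PREFIXES):
        reasons.append("auto-starts and restarts itself from a non-vendor path")
    return reasons


def parse_launchd_plist(data: bytes) -> dict:
    """Parse an XML or binary plist; return {} if it is not a valid dictionary plist."""
    try:
        obj = plistlib.loads(data)
    except Exception:
        return {}
    return obj if isinstance(obj, dict) else {}


def scan(dirs=LAUNCHD_DIRS) -> list:
    """Walk the launchd directories and return (path, label, program, reasons) tuples."""
    findings = []
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for p in sorted(base.glob("*.plist")):
            item = parse_launchd_plist(p.read_bytes())
            reasons = classify(item) if item else ["unparseable plist"]
            findings.append((str(p), str(item.get("Label", "?")), program_of(item), reasons))
    return findings


# Constructed sample plist (not a real indicator) in the shape adware persistence often takes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.helper.update</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/helper</string><string>-r</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print("sample:", classify(parse_launchd_plist(SAMPLE_PLIST)))
    for path, label, prog, reasons in scan():
        print(f"[{'CHECK' if reasons else 'ok'}] {label}: {prog} ({path}) {'; '.join(reasons)}")
```

Anything flagged still needs the usual follow-up: inspect the binary, check its signature, and remove the plist and its target together so the item cannot reload.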
 



One of my clients saw a dialog that said his Mac was locked and to call a number. I wasn’t available, so they brought in an expert who just called the number, let them take control and install things after registering for Official Apple Support at an xyz domain, charged him $1,600, and the expert abandoned him with a mess.
I wonder if using Parental Controls to limit what apps run on your client's Mac would be helpful?
 


Trojan horses disguised as Flash installers are very common (if you didn't already know).
Coincidentally, just a couple days before Ric posted this reminder, I selected a (very) old bookmark. It went to a page that "flashed" a notice that my Flash was not up-to-date, and immediately proceeded to download a Flash installer. I isolated the Mac, ran ClamXAV. It found some "relatively" harmless adware in the Flash installer.

It also found adware in another archive I downloaded either from the developer or MacUpdate, but had never gotten around to opening. Finally, it found adware in an app from the App Store (another I really hadn't tried yet).

I ran the Avast demo just for redundancy. It found that the App Store app had in fact, installed its payload. I also ran the Sophos demo. Lots of sudo rm followed... :-}

Ironically, the take-away for me from all this was that anti-virus software remains difficult to distinguish from the threats they are supposed to protect us from. None of them would function without being given carte blanche to phone home. In spite of preferences seemingly to the contrary, none of them would simply run when asked. They all insisted on daemons in the background. Is it unreasonable to expect these folks to be sensitive to this?
 

