Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Apple MacOS. Show all posts
North Korea cyberattack
Apple Apple MacOS Blockchain Blockchain Technology Crypto Attack crypto community cryptocurrency Cyber Attacks data security Data Theft Mac Mac Malware Malware Attack Malwares North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To safeguard against such malware, users are advised to avoid downloading software from public code repositories or unofficial websites. While the Mac App Store is considered the safest source for macOS applications, software downloaded directly from reputable developers’ websites is generally secure. Users who rely on pirated or cracked applications remain at significantly higher risk of infection. 

Cyber hygiene remains essential. Never click on suspicious links received via email, text, or social platforms, especially from unknown or unverified sources. Always verify URLs by copying and pasting them into a text editor to see their true destination before visiting. It’s also crucial to install macOS security updates promptly, as these patches address known vulnerabilities.  

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.
Read more »
Software
Apple MacOS Banshee Stealer MaaS malware Software

New Variant of Banshee Stealer Targets macOS with Enhanced Evasion Tactics

 




Cybersecurity researchers have identified a dangerous new version of Banshee Stealer, a sophisticated malware specifically targeting macOS users. This updated strain is designed to bypass antivirus defenses and steal sensitive data from millions of macOS devices.

Originally detected in August 2024, Banshee Stealer was offered as malware-as-a-service (MaaS) to cybercriminals for $3,000 per month. Its capabilities included:
  • Data Theft: Stealing browser data, cryptocurrency wallet credentials, and specific file types.
The malware's source code was leaked in late 2024, briefly halting its spread. However, security experts have now discovered ongoing campaigns distributing an updated and more powerful version.

The latest version of Banshee Stealer, uncovered in September 2024, is being spread through:
  • Phishing Websites: Fake websites impersonating legitimate services to trick users into downloading the malware.
  • Fake GitHub Repositories: Malicious repositories posing as popular software like Google Chrome, Telegram, and TradingView.
Additionally, cybercriminals are simultaneously deploying another malware called Lumma Stealer to target Windows systems, signaling a broader, cross-platform attack strategy.

Key Enhancements in the Updated Version

The new variant of Banshee Stealer features several dangerous improvements:
  1. Advanced Encryption: Incorporates sophisticated encryption methods inspired by Apple's XProtect to evade detection by security tools.
  2. Expanded Targeting: Previously restricted from targeting Russian-language systems, this limitation has been removed, broadening the malware's victim pool.
  3. Social Engineering Tactics: The malware disguises itself as software updates or legitimate applications, increasing its chances of tricking users into installing it.

Related Threats on Other Platforms

Beyond Banshee Stealer, other malware families like Nova Stealer and Hexon Stealer are exploiting social engineering techniques on platforms such as Discord. Attackers lure users with fake promises of the latest video game versions, aiming to steal Discord credentials and access linked accounts for further exploitation.

To mitigate the risk of infection, users should adopt the following cybersecurity practices:
  • Download from Trusted Sources: Always install software from official and reputable platforms.
  • Exercise Caution with Links: Avoid clicking on suspicious links or accepting unsolicited invitations, particularly on social platforms like Discord.
  • Keep Security Software Updated: Regularly update antivirus and security tools to guard against the latest threats.
The resurgence of Banshee Stealer underscores the need for continuous vigilance in cybersecurity. Cybercriminals are constantly evolving their methods, blending technical exploits with social engineering to target both human and system vulnerabilities. Staying informed and cautious remains the most effective defense against such sophisticated attacks.
Read more »
Software
Apple Apple MacOS cryptocurrency malware Software

New MacOS Malware Steals Browser Data and Cryptocurrency

 



While malware attacks on Windows and Android systems are more frequent, macOS is not immune to such dangers. Cybersecurity experts at Moonlock Lab have identified a new type of macOS malware that adeptly avoids detection and poses a serious threat to user data and cryptocurrency.


How the Malware Spreads

The infection starts when users visit websites that offer pirated software. On these sites, they might download a file called CleanMyMacCrack.dmg, thinking it’s a cracked version of the CleanMyMac utility. However, launching this DMG file triggers a Mach-O executable, which then downloads an AppleScript. This script is specifically designed to steal sensitive information from the infected Mac.


Malware Capabilities

Once the malware infiltrates a macOS system, it can carry out a range of malicious activities:

  • It captures and stores the Mac user's username.
  •  The malware sets up temporary directories to store stolen information temporarily.
  •  It retrieves browsing history, cookies, saved passwords, and other data from different web browsers.
  •  The malware identifies and accesses directories containing cryptocurrency wallets.
  •  It copies data from the macOS keychain, Apple Notes, and Safari cookies.
  •  It gathers general user information, system specifications, and metadata.
  •  All the collected data is eventually exfiltrated to the attackers.


Link to a Known Hacker

Moonlock Lab has traced this macOS malware back to a notorious Russian-speaking hacker known as Rodrigo4. This individual has been seen on the XSS underground forum, where he is actively seeking collaborators to help spread his malware through search engine optimization (SEO) manipulation and online advertisements.

Rodrigo4's method involves manipulating search engine results and placing ads to lure unsuspecting users into downloading the malicious software. By making the malware appear as a popular utility, he increases the chances of users downloading and installing it, unknowingly compromising their systems.


How to Protect Yourself

To prevent this malware from infecting your Mac, Moonlock Lab recommends several precautions:

1. Only download software from reputable and trusted sources.

2. Regularly update your operating system and all installed applications.

3. Use reliable security software to detect and block malware.

The crucial point is users should be cautious about downloading software from unverified websites and avoid using pirated software, as these are common vectors for malware distribution. Staying informed about the latest cybersecurity threats and adopting good digital hygiene practices can also drastically reduce the risk of infection.




Read more »
User Data
Apple MacOS Apple Security Cyber Security Data Privacy data security Gatekeeper Malware Threat Personal Data Russian User Data

New macOS Malware Threat: What Apple Users Need to Know

 

Recently, the Moonlock Lab cybersecurity team discovered a macOS malware strain that can easily evade detection, posing a significant threat to users' data privacy and security. The infection chain for this malware begins when a Mac user visits a website in search of pirated software. 

On such sites, users might encounter a file titled CleanMyMacCrack.dmg, believing it to be a cracked version of the popular Mac cleaning software, CleanMyMac. When this DMG file is launched on the computer, it executes a Mach-O file, which subsequently downloads an AppleScript designed to steal sensitive information from the infected Mac. Once the malware infects a macOS computer, it can perform a variety of malicious actions. It collects and stores the Mac owner's username and sets up temporary directories to hold stolen data before exfiltration. The malware extracts browsing history, cookies, saved passwords, and other sensitive data from web browsers. It also identifies and accesses directories that commonly contain cryptocurrency wallets. 

Additionally, it copies macOS keychain data, Apple Notes data, and cookies from Safari, gathers general user information, system details, and metadata, and then exfiltrates all this stolen data to threat actors. Moonlock Lab has linked this macOS malware to a well-known Russian-speaking threat actor, Rodrigo4. This hacker has been active on the XSS underground forum, where he has been seen recruiting other hackers to help distribute his malware using SEO manipulation and online ads. This discovery underscores the growing threat of sophisticated malware targeting macOS users, a group often perceived as being less vulnerable to such attacks. 

Despite Apple's strong security measures, this incident highlights that no system is entirely immune to threats, especially when users are lured into downloading malicious software from untrustworthy sources. To protect yourself from such threats, it is essential to take several precautions. First and foremost, avoid downloading pirated software and ensure that you only use trusted and official sources for your applications. Pirated software often hides malware that can compromise your system's security. Installing reputable antivirus software and keeping it updated can help detect and block malware on macOS. Regularly updating your macOS and all installed applications is crucial to patch any security vulnerabilities that may be exploited by attackers. 

Additionally, exercise caution with downloads from unfamiliar websites or sources. Always verify the legitimacy of the website and the software before downloading and installing it. Enabling macOS’s built-in security features, such as Gatekeeper and XProtect, can also provide an additional layer of protection against malicious software. Gatekeeper helps ensure that only trusted software runs on your Mac, while XProtect provides continuous background monitoring for known malware. The Moonlock Lab's findings highlight the need for greater awareness and proactive measures to safeguard personal data and privacy. Users should remain vigilant and informed about the latest security threats and best practices for protecting their devices. 

By staying informed and cautious, Apple users can better protect their devices from malware and other cybersecurity threats. Awareness of the potential risks and implementing the recommended security practices can significantly reduce the likelihood of falling victim to such malicious activities. As cyber threats continue to evolve, maintaining robust security measures and staying updated on the latest threats will be crucial in ensuring the safety and integrity of personal data on macOS devices.
Read more »
User Security
Apple MacOS Data Privacy Info Stealer malware Spyware User Security

New Cuckoo Malware Targeting macOS Users to Steal Sensitive Data

 

Cybersecurity experts have identified a new information stealer targeting Apple macOS computers that is intended to establish persistence on compromised hosts and function as spyware.

Kandji's malware, dubbed Cuckoo, is a universal Mach-O binary that can execute on both Intel and Arm Macs. The exact distribution vector is currently unknown, but there are indications that the binary is hosted on sites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to provide free and paid versions of applications for ripping music from streaming services and converting it to MP3 format. 

The disk image file downloaded from the websites is responsible for spawning a bash shell to collect host data and ensuring that infected machines are not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine.

The malicious binary is executed only if the locale check is successful. It also achieves persistence through the use of a LaunchAgent, a strategy previously employed by other malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that bears similarities with ZuRu.

Cuckoo, like the MacStealer macOS stealer malware, uses osascript to create a fake password prompt, luring users into entering their system passwords for privilege escalation. "This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," researchers Adam Kohler and Christopher Lopez stated. 

It can execute a sequence of commands to gather hardware data, capture currently running processes, search for installed apps, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram. 

"Each malicious application contains another application bundle within the resource directory," the researchers added. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).” 

The news comes nearly a month after Apple's device management company revealed another stealer spyware called CloudChat, which masquerades as a privacy-oriented messaging programme and can compromise macOS users whose IP addresses do not geolocate to China. The spyware harvests cryptocurrency private keys transferred to the clipboard as well as data linked with wallet extensions installed in Google Chrome.
Read more »
Keysteal
Apple MacOS Atomic Stealer Cyber Security Cyberattacks CyberCrime Cyberhackers Keysteal

Apple Faces New Security Dilemma as Infostealers Execute Stealthy Attacks

 


There is an increase in the sophistication of info thieves targeting macOS, allowing them to evade Apple's malware protection built into the operating system as these attackers have become better at cracking static signature-detection engines like the platform's proprietary XProtect, which makes it harder to detect malicious programs. 

Currently, there are three active stealers, KeySteal, Atomic Infostealer, and CherryPie that can evade detection engines and have been able to get around multiple detection engines. XProtect's XProtect is currently evading a variant of the first two stealers, SentinelOne researchers revealed in a blog post earlier this week. 

In macOS, XProtect is a built-in antivirus program that searches downloaded files and apps for malware signatures and then removes any that contain malware. Information stealers targeting the macOS operating system have increased since the beginning of 2023, with many threat actors actively targeting Apple devices. 

There have been a great deal of versions of Atomic Stealer, macOS meta-stealer, RealStealer, and many others that have been discovered in the past year. In macOS, Apple updated its built-in antivirus signature database called XProtect, which indicates that Apple has taken the necessary steps to prevent these info thieves from getting their hands dirty. 

The threat actors, on the other hand, have been continuously evolving and evading known signatures of malware. Although Apple continuously updates the tool's malware database, SentinelOne says it passes through it almost instantly due to the fast response of the malware authors over Apple's constant updates. 

Many info thieves bypass it in a matter of seconds and can identify endpoints that are hidden in downloaded files and apps. It is important to note that SentinelOne's report cites KeySteal as the first malware example, which has evolved significantly since the malware was first reported in 2021. 

The software is currently available via an Xcode-built Mach-O binary, named either 'UnixProject' or 'ChatGPT,' and it attempts to establish persistence and steal keychain data, as well as stealing credentials and private keys, which are stored securely in Keychain. 

Using Keychain, users can securely store credentials, private keys, certificates, and notes securely. A SentinelOne report states that KeySteal has been improved to ensure persistence and Keychain data theft since its emergence in 2021, even though Apple updated its signature last February in an attempt to prevent it from being detected by XProtect and other antivirus engines. 

A researcher claims that KeySteal operators could also use a rotation mechanism to circumvent problems related to the application's hard-coded command-and-control addresses, as a way of subverting those issues. There is some good news in all this, as Apple updated its XProtect signatures for CherryPie in early December 2023, which is a good sign that it has worked well for new versions of the OS as well. 

However, malware detection has not always worked as well on Virus Total as it does on other security products. As is evident from the above, there is an ongoing development of malware programs intended to evade detection and so, on the one hand, this game of whack-a-mole is becoming a much more complex and dangerous one for both users and operating system vendors.

Having only static detection as a means of securing your systems would be inadequate, and potentially dangerous. Antivirus software equipped with heuristic or dynamic analysis capabilities should be incorporated into a comprehensive approach to achieve a more robust result. As part of a comprehensive cybersecurity strategy, it is also essential to monitor network activity vigilantly, implement firewalls, and consistently keep up with the latest security updates, which are fundamental to ensuring security.
Read more »
User Privacy
Android Apple Apple MacOS Communication Encryption Cross App Tracking Cyber Security iMessage iPhone User Privacy

Apple Adopts Universal Texting Standard

Apple has made a significant move away from the iMessage exclusivity that has dominated its environment for more than ten years and toward the adoption of a universal texting standard. This action is anticipated to close the messaging gap between Android and iPhone users, representing a big step toward seamless cross-platform communication.

For years, iPhone users have enjoyed the benefits of iMessage, an exclusive messaging platform that offers enhanced features, including read receipts, high-quality media sharing, and end-to-end encryption. However, the downside was the notorious "green bubble" dilemma, where Android users received messages in a different format, devoid of the enhanced functionalities available on iMessage. This created a sense of division in the messaging experience.

Apple's decision to embrace a universal texting standard is a welcome change, as it signals a departure from the walled-garden approach that has defined the company's messaging strategy. The move is expected to eliminate the disparities between iPhone and Android users, creating a more inclusive and integrated messaging environment.

Adopting a universal texting standard is not only a boon for users but also a strategic move by Apple to stay relevant in a rapidly evolving tech landscape. With increasing users relying on cross-platform communication, the demand for interoperability has never been higher. Apple's decision to collaborate with Android in this endeavour is a testament to the company's commitment to user-centric innovation.

While the specifics of the universal texting standard are yet to be fully revealed, the potential benefits are already generating excitement among tech enthusiasts. Interoperability between iOS and Android devices will enhance the overall user experience and foster a sense of unity in the digital communication space.

The IT community is excited about the beneficial effects of Apple's revolutionary decision to remove the boundaries that have long divided iPhone and Android users in the area of texting. In terms of encouraging open communication, the development of a global texting standard is a big step forward, paving the way for a more connected and cooperative digital future.
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
Subscribe to: Posts (Atom)