- #Macos malware runonly avoid detection for software#
- #Macos malware runonly avoid detection for code#
- #Macos malware runonly avoid detection for mac#
When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncryptovip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. Given the theme of cryptocurrency in the file and domain names-and North Korean hackers’ preoccupation with stealing digital coin-it’s a decent bet the follow-on infection is used to access wallets or similar assets. Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).” “As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image.
#Macos malware runonly avoid detection for mac#
The infected Mac begins contacting a server at hxxps://unioncryptovip/update to check for a second-stage payload.
It is around this point in the infection chain that the fileless execution starts.
As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars' worth of cryptocurrencies from exchanges in an attempt to fund the country's nuclear weapons development programs. Another piece of Mac malware, dubbed AppleJeus, did the same thing.Īnother trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. The result is a malicious binary named unioncryptoupdated that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly. execute this binary ( /Library/UnionCrypto/unioncryptoupdater).unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/ create a /Library/UnionCrypto directory.) from the application’s Resources directory into /Library/LaunchDaemons
#Macos malware runonly avoid detection for software#
Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following: On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. It has become increasingly common since then. By 2017, more advanced financially motivated hackers had adopted the technique. In-memory infections were once the sole province of state-sponsored attackers. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.
#Macos malware runonly avoid detection for code#
Instead, it loads malicious code directly into memory and executes it from there.
In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
0 kommentar(er)
