Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/28/2017
11:00 AM
Thomas Reed
Thomas Reed
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Mac Malware Reaches New Highs

Two new malware threats in a week this past month, plus others in January, brings the 2017 Mac malware count up to 6 - and growing.

On Valentine's Day, Mac users got a special "treat" in the form of new malware. That same week, there were signs of yet another piece of malware looming. These threats were overshadowed a bit by the discovery last week of the second ransomware app to ever appear on the Mac, but they're still worthy of consideration.

The first malware, named XAgent, was analyzed by Palo Alto Networks. XAgent, it turns out, is related to the Komplex malware discovered by Palo Alto last year, as can be seen by comparing some of the strings to those found in Komplex.

Source: Malwarebyte Labs
Source: Malwarebyte Labs

At that time, Palo Alto tied Komplex to the Sofacy Group - aka Fancy Bear and APT28, among others – which is a Russian hacking organization that has since been linked to attacks including the hack of the Democratic National Convention.

XAgent is a backdoor that provides a number of powerful remote access features, including keylogging, screenshots, remote shell access, and file exfiltration. Of particular interest is a command that provides the hacker with information about iOS backups stored on the infected Mac. iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data.

Interestingly, Patrick Wardle, director of research at Synack, had another interesting revelation about this malware. He shows quite convincingly in a blog post that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)

Hacking Team was itself the victim of a hack in 2015, and all their source code was made public. Wardle was able to demonstrate key similarities, such as identical bugs, in the decompiled XAgent code and the leaked Hacking Team code. It appears that Sofacy used Hacking Team code in their malware, most likely obtained from the Hacking Team breach.

According to a whitepaper released by Bitdefender, the malware installs itself into the following folder, where it is given one of a set of hard-coded names:

~/Library/Assistants/.local/

At the time of its discovery, the XAgent command & control servers were down, meaning that this variant of the malware is no longer a threat.

On the heels of the XAgent discovery came an intriguing glance at another piece of Mac malware, a sample of which has not yet been found. Three days after Palo Alto released its analysis of XAgent, Apple released an update to XProtect - the built-in anti-malware software in macOS - that added detection of XAgent.

However, that update also included a signature for something Apple called OSX.Proton.A, which ignited a storm of questions in the security community, which had never heard of any such malware for the Mac.

A little digging by Arnaud Abbati, a researcher at Ninja, Inc., turned up a page from the Sixgill website with a terse description of a remote access tool (RAT) called Proton. The page has been taken down, but can still be found in Google's cache here.

Apparently, the malware is being sold on a Russian cybercrime forum, among other places. Sixgill also provided a link to a YouTube video from December, apparently made to promote the malware by demonstrating its capabilities. Another YouTube video, posted on February 8, showed additional capabilities.

Unfortunately, thus far, no samples of the malware have been found. It does not appear to be in the VirusTotal database, and neither of the two sites that appear to be associated with Proton (ptn[dot]is or protonsolutions[dot]net) are responding. Even Sixgill's analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware. For now, this is a completely unknown threat with rather frightening apparent capabilities.

Two new malware threats in a week, added to the others previously seen this year (Quimitchin/Fruitfly, MacDownloader, a new class of Microsoft Office macro malware and the Findzip ransomware), brings the Mac malware count for 2017 up to 6, and February isn't even over yet.

If things continue at this rate, 2017 could see a spike in Mac malware that could rival or exceed the previous high point in 2012, when the infamous Flashback, and a number of other pieces of malware taking advantage of Java vulnerabilities, terrorized the Mac community.

Click to discover more breaking news at Malwarebytes Labs

Thomas Reed is a self-trained developer and Apple security expert, and is director of Mac offerings at Malwarebytes. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarjorJ597
50%
50%
MarjorJ597,
User Rank: Apprentice
2/28/2018 | 2:45:09 AM
Solved Malware Or Virus Issues:
Malware or viruses get on to your computer or another device in a handful of ways, as listed below-
  • Malicious software
  • list itemFake files
  • list itemMalware-loaded legitimate files
  • list itemFake updates or system tools

If your Mac is infected with malware or a virus? You can try these steps:
  • No more passwords
  • Activity Monitor
  • Shut down and restore               

 Apple TV Customer Service Number
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Malwarebytes protects businesses against malicious threats that escape detection by traditional antivirus solutions. Malwarebytes Anti-Malware, the companys flagship product, has a highly advanced heuristic detection engine that has removed more than five billion malicious threats from computers worldwide. SMBs and enterprise businesses worldwide trust Malwarebytes to protect their data. Founded in 2008, the company is headquartered in California with offices in Europe, and a global team of researchers and experts. For more information, please visit us at www.malwarebytes.com/business.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8030
PUBLISHED: 2018-06-20
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 a...
CVE-2018-1117
PUBLISHED: 2018-06-20
ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this cou...
CVE-2018-11701
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11702
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11703
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.