What is "Community Finds"

We are a voice for the community and want to feature your research.

Whether it's a small finding or a major breakthrough, we want to hear from you. Submit your discoveries and let us help amplify your work!

finds@ozsecurity.org

macOS Infostealer

Credit: Alex Karkins - https://www.linkedin.com/in/alex-karkins-8208b710/

macOS: Not Invincible to Infostealers

Many users believe macOS to be unbreachable, but recent discoveries paint a different picture: threat actors are actively targeting macOS with information-stealing malware (infostealers).

The Threat Landscape

Infostealers can infiltrate your system through deceptive means, like:

  • Malicious Ads: Clicking on a harmful ad can unknowingly download malware.
  • Pirated Software: Downloading software from untrusted sources is a high-risk practice.

These infection vectors mirror the ones commonly seen on Windows.

A Case Study: The Amos/Atomic Stealer

This specific info stealer is a prime example:

  • Leverages osascript: Much as Windows malware abuses PowerShell or wscript, the Amos/Atomic stealer misuses osascript, macOS's command-line runner for AppleScript and other OSA scripts, to carry out its malicious logic.

Here's a breakdown of the stealer's steps (technical details omitted for brevity):

  1. Hides its activity: The malware operates in stealth mode by hiding its application window.
  2. Gathers system information: It collects details about your macOS version, hardware, and displays.
  3. Attempts to steal credentials: It displays a fake "System Preferences" prompt, tricking you into entering your password.
  4. Scans for installed applications: It creates a list of all the programs on your device.
  5. Grabs specific files: It targets files like browser cookies, notes, and documents of specific formats (text files, Word documents, etc.) under a certain size limit.
  6. Compresses and removes evidence: The malware creates an archive of the stolen data and then deletes the temporary folder and archive itself to avoid detection.
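As an added example (not from the original write-up and not the stealer's own code), the Python below scores constructed process-execution events for the behaviours listed above: the osascript password prompt, the system inventory, and an archive of a temporary staging path followed shortly by its deletion. The event format, regexes, weights and threshold are assumptions to tune against your own endpoint telemetry.

```python
"""Score process events for Amos/Atomic-style stealer behaviour."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: float      # seconds since epoch
    name: str      # image name of the executed program
    cmdline: str   # full command line as recorded by the endpoint sensor

# Indicators mirroring the stealer steps listed above (assumed patterns)
FAKE_PROMPT = re.compile(r"display dialog.*(hidden answer|System Preferences)", re.I)
SYSINFO = re.compile(r"\b(system_profiler|sw_vers)\b")
ARCHIVE = re.compile(r"^(?:\S*/)?(zip|ditto|tar)\b")
REMOVE = re.compile(r"^(?:\S*/)?rm\b.*\s-\w*r")
TMP_PATH = re.compile(r"(?:/tmp|/var/folders)/\S+")
WEIGHTS = {"osascript credential prompt": 3, "system inventory": 1,
           "archive then delete staging path": 2}
ALERT_THRESHOLD = 4  # assumption: tune against your own fleet's baseline

def score_events(events, window=300.0):
    """Return (score, sorted reasons) for the events of one process tree."""
    reasons, staged = set(), {}  # staged: tmp path -> time it was archived
    for e in sorted(events, key=lambda x: x.ts):
        if e.name == "osascript" and FAKE_PROMPT.search(e.cmdline):
            reasons.add("osascript credential prompt")
        if SYSINFO.search(e.cmdline):
            reasons.add("system inventory")
        if ARCHIVE.match(e.cmdline):
            for p in TMP_PATH.findall(e.cmdline):
                staged[p] = e.ts
        elif REMOVE.match(e.cmdline):
            # A delete only counts if it removes a path archived within `window` s
            if any(p in staged and 0 <= e.ts - staged[p] <= window
                   for p in TMP_PATH.findall(e.cmdline)):
                reasons.add("archive then delete staging path")
    reasons = sorted(reasons)
    return sum(WEIGHTS[r] for r in reasons), reasons

# Constructed sample telemetry (not real captures)
STEALER_TREE = [
    ProcEvent(100.0, "osascript", 'osascript -e \'display dialog "System Preferences wants to make changes" default answer "" with hidden answer\''),
    ProcEvent(101.0, "system_profiler", "system_profiler SPHardwareDataType SPDisplaysDataType"),
    ProcEvent(130.0, "ditto", "ditto -c -k /tmp/staging /tmp/out.zip"),
    ProcEvent(131.0, "rm", "rm -rf /tmp/staging /tmp/out.zip"),
]
BENIGN_TREE = [
    ProcEvent(200.0, "osascript", "osascript -e 'tell application \"Finder\" to activate'"),
    ProcEvent(201.0, "ditto", "ditto -c -k /tmp/build /tmp/build.zip"),
    ProcEvent(900.0, "rm", "rm -rf /tmp/build"),  # long after archiving: ignored
]
```

A tree scoring at or above ALERT_THRESHOLD is worth a closer look; the reasons list tells the analyst which of the steps above were observed.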

New Tactics: Signed Installers

While the Amos/Atomic stealer relied on deceptive methods, newer threats are emerging:

  • Signed Installers: Some malware can appear as legitimate, signed installers, making them even more deceptive.

Identifying Mac Malware

Here's how you can be vigilant against these threats:

  • Be cautious with online interactions: Avoid clicking on suspicious ads and downloading software from untrusted sources.
  • Look for red flags: Be wary of unexpected prompts asking for your password, especially those disguised as system settings.
  • Consider security software: Security software with real-time monitoring can help detect suspicious activity.

Conclusion

While macOS offers a robust security foundation, it's not foolproof. Staying informed about evolving threats and practicing safe online habits are crucial for protecting your Mac.

Happy and Secure Hunting!



Evil Empire

Credit: Alex Karkins - https://www.linkedin.com/in/alex-karkins-8208b710/

Why hide it if you know you are evil?

  • 185[.]172[.]128[.]0
  • inetnum: 185.172.128.0 - 185.172.128.255
  • org: ORG-TL874-RIPE
  • netname: EVILEMPIRE-MNT