430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs.  Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools. The malware is distributed through Adobe Zii, an application supposedly helps in the piracy […]

mac malware

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application supposedly helps in the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii software that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, that appears to be a version of Adobe Zii, most likely to appear as a harmless application. 

The Python script looks for the presence of Little Snitch, a commonly-used outgoing firewall, and halt the infection process if it is present.

Then the script opens a connection to an EmPyre backend that send arbitrary commands to a compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis,

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]