Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts found components of a complex toolkit employed in macOS attacks

Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems. Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems. The investigation is still ongoing, the […]

macOS toolkit

Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems.

Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems.

The investigation is still ongoing, the experts pointed out that the samples are still largely undetected.

macOS toolkit

The researchers analyzed a total of four samples that were uploaded to VirusTotal, with the earliest sample that was uploaded by an anonymous actor to the platform on April 18, 2023. The remaining ones have been uploaded by the victim.

Two of the three samples uploaded by a victim are generic Python backdoors that target Windows, Linux, and macOS systems.

The first file identified by the experts is “shared.dat”, once executed it generates a unique device identifier UID and uses a routine to check the OS running on the target machine.

The files connect to the C2 server to receive additional commands to execute.

The malware can be instructed to extract systems information, run specific commands

This includes gathering system information, running encoded as base64 commands, downloading and executing routines, and killing itself.

The DownExec routine works differently, based on the victim’s operating system.

“For MacOS devices, the function writes a file to /Users/Shared/AppleAccount.tgz. The content that is written to the archive is also encoded as base64 when received from server. It unpacks the archive to the /Users/Shared folder, then opens the /Users/Shared/TempUser/AppleAccountAssistant.app application.” reads the report published by Bitdefender. “On Linux systems, the malware calls a dist_name function that checks the /etc/os-release to validate whether the victim distro is Debian, Fedora or anything else. The function writes some C code received from the C2 to a temporary file named tmp.c, that is later compiled to a file named /tmp/.ICE-unix/git using the cc command on Fedora and gcc on Debian. After compilation, the file is executed in background with two parameters, also received from C2.”

Bitdefender also discovered a powerful backdoor, a file labeled “sh.py,” among the samples they analyzed. The malicious code supports multiple capabilities, such as gathering system data, files listing, deleting files, executing commands, and exfiltrate base64 encoded data in batches.

The researchers also analyzed another component called FAT binary, which is written in Swift, and targets macOS Monterey (version 12) and newer.

The FAT binary contains Mach-O files for 2 architectures (x86 Intel and ARM M1), the experts believe it is used to check permissions before using a potential spyware component (likely to capture the screen) but does not include the spyware component itself. For this reason, experts believe that the discovered files are part of a more sophisticated attack. At this time, several files belonging to the attack chain are yet to be analyzed.

The C2 is hardcoded in the share.dat file and the first reference to the C2 domain dates back to February 10 2023,

Bitdefender tracked the Python components as JokerSpy.

The report includes indicators of compromise (IoCs) for the analyzed artifacts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)