Slashdot Mirror


Sneaky Mac Malware Went Undetected By AV Providers For Four Month (arstechnica.com)

Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday. Ars Technica reports: Windshift is what researchers refer to as an APT -- short for "advanced persistent threat" -- that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.

On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting_Agenda.zip, a file Karim had said installed the rare Mac malware. To Wardle's surprise, results from VirusTotal at the time showed that only two antivirus providers -- Kaspersky and ZoneAlarm -- detected the file as malicious. Wardle then used a feature that searched VirusTotal for related malicious files and found four more. Three of them weren't detected by any AV providers, while one was detected by only two providers. The reason the findings were so surprising is that Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. That meant Apple knew of the malware. In fairness, the control servers the malware contacts are no longer available on the Internet. That means any infected computers aren't in danger of being surveilled. Also in fairness, the number of detections has slowly risen in the day since Wardle published his analysis.

28 comments

  1. What does Four Month do? by Anonymous Coward · · Score: 0

    Are they some Apple spin off?

    1. Re: What does Four Month do? by Anonymous Coward · · Score: 0

      Nobody knows or is telling.

  2. What kind of malware by Anonymous Coward · · Score: 0

    Does this use an exploit, or is it just a trojan?

    You can't fix stupid. People will run shit.

  3. AV works best with...sigs by xxxJonBoyxxx · · Score: 3, Informative

    Newsflash: AV is pretty useless beyond detecting signatures of KNOWN malware. I've yet to see one that catches, for example, custom PS scripts.

    1. Re:AV works best with...sigs by Anonymous Coward · · Score: 1

      I've caught a grand total of 3 with heuristics in 25 years. Sasser I believe was one of those, Nod32 IIRC. Back when that was a realistic thing, heuristics lol. Now? Heuristics would just uninstall Windows 10 and say "fuck you"

    2. Re:AV works best with...sigs by rtb61 · · Score: 2

      Which makes this story even weirder. It's like, where are the staff that are meant to be monitoring competitors and running competitors' software? What the hell happened to "hey guys, our competitors' software is blocking this malware and ours isn't", and then they fix that within the next hour? Just ignore the failure of your software for four months; kind of makes you think they were forced to ignore it because of who it belonged to, or, well, they are just shite companies, selling a shite product, and they simply do not care how shite it is, as long as they get their money, much like gaming companies.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:AV works best with...sigs by williamyf · · Score: 1

      Most Mac AV software is an afterthought, after the moneymaking server AV/security suites for Windows Servers and Linux servers (redundancy intended) and the Windows Corporate Desktop AV. All management focus and resources are on the money makers, and the Mac AV gets the scraps. It's there just for "portfolio completeness" sake.

      So on the Mac antivirus front it's more crappy versus less crappy AV, not good versus bad.

      --
      *** Good luck to everyone and have a nice day!
    4. Re:AV works best with...sigs by Anonymous Coward · · Score: 0

      It's all virusturtle on down. Er virustotal.

    5. Re:AV works best with...sigs by Anonymous Coward · · Score: 0

      Newsflash: AV is pretty useless beyond detecting signatures of KNOWN malware. I've yet to see one that catches, for example, custom PS scripts.

      The article even mentions revoked certificates, but with a code signing system in place and your OS getting revocation list updates, that should be your blacklist. Any modified executable should stand out like a sore thumb. It just makes waaaaay more sense than a signature-based system.

    6. Re: AV works best with...sigs by Anonymous Coward · · Score: 0

      Blah blah blah. These are everywhere. This one just happens to be extra special malware - Apple is strict with certs. Just like mucking around in Jurassic Park without a cert.

    7. Re:AV works best with...sigs by AHuxley · · Score: 2

      When unexpected software tries to copy itself deep into an OS X location that change can be detected in real time.
      From the linked https://objective-see.com/blog...
      "First, good news, Objective-See's tools such as BlockBlock and KnockKnock are able to both detect and block this malware with no a priori knowledge" ...

      --
      Domestic spying is now "Benign Information Gathering"
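The comment above makes the point that persistence can be caught behaviourally, without a signature for the specific sample. As an added example (not code from this thread, from Objective-See, or from the article), here is a small audit in that spirit: it walks launchd's LaunchAgents/LaunchDaemons directories, reads each property list, and flags entries whose program lives outside a set of expected locations or that ask launchd to keep them alive. The directory list, the "trusted prefix" list, the scoring rules, and the two sample plists in `demo()` are all assumptions constructed for the example; on a real Mac you would point `audit_dirs()` at the live directories instead.

```python
"""Added example: signature-free audit of launchd persistence entries.
Not from the thread or from Objective-See; paths and rules are assumptions."""
import os
import plistlib
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories launchd reads on macOS; the default scope for a live audit.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Where an administrator would normally expect persistent programs to live
# (assumption; tune this to the fleet being audited).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


@dataclass
class Finding:
    path: str
    label: str
    program: str
    reasons: List[str]


def program_of(plist: dict) -> str:
    """launchd accepts either 'Program' or 'ProgramArguments'; return the executable path."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_plist(path: str) -> Optional[Finding]:
    """Return a Finding for a suspicious launchd item, or None if it looks ordinary."""
    with open(path, "rb") as fh:
        try:
            plist = plistlib.load(fh)
        except plistlib.InvalidFileException:
            return Finding(path, "", "", ["unparseable plist"])
    program = program_of(plist)
    trusted = program.startswith(TRUSTED_PREFIXES)
    reasons = []
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif not trusted:
        reasons.append(f"program outside trusted prefixes: {program}")
    if plist.get("RunAtLoad") and not trusted:
        reasons.append("RunAtLoad set")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive set (launchd relaunches it if killed)")
    if not reasons:
        return None
    return Finding(path, str(plist.get("Label", "")), program, reasons)


def audit_dirs(dirs: Iterable[str]) -> List[Finding]:
    """Audit every .plist in the given directories; missing directories are skipped."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                finding = audit_plist(os.path.join(d, name))
                if finding:
                    findings.append(finding)
    return findings


def demo() -> List[Finding]:
    """Constructed LaunchAgents directory: one benign item, one suspicious item."""
    tmp = tempfile.mkdtemp()
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }
    suspicious = {  # constructed: Apple-looking label, binary hidden in the user's home
        "Label": "com.apple.sync",
        "ProgramArguments": ["/Users/alice/Library/.hidden/agent", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for name, content in [("com.example.updater.plist", benign), ("com.apple.sync.plist", suspicious)]:
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(content, fh)
    return audit_dirs([tmp])


if __name__ == "__main__":
    for f in demo():
        print(f.path, f.label, f.program, "; ".join(f.reasons))
```

The benign item passes because its program sits under /Applications, even with RunAtLoad set; the constructed item is reported for its program location and its KeepAlive key. A real tool such as BlockBlock watches these directories for writes as they happen rather than scanning after the fact, but the decision logic, "is this program where we expect, and what is it asking launchd for", is the same kind of check.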
    8. Re:AV works best with...sigs by AHuxley · · Score: 1

      The other weird part was the
      "the signing certificate(s) of all the samples are revoked"
      "... this certificate and thus surely this malware as well."
      From the linked https://objective-see.com/blog...

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:AV works best with...sigs by Anonymous Coward · · Score: 0

      Now why would one allow custom URL tailoring?
      Silly me, I thought a URL was just a string, but lots of OSes think it's their mission to pass rubbish to random executables. Reading deeper, it sounds like a hole they are keeping.
      My thought is, if Apple did it, does MS have a similar feature?

    10. Re:AV works best with...sigs by auzy · · Score: 2

      That's incorrect.

      If you look at Watchguard and other advanced router vendors these days, they send unknown samples of files to a fake Windows computer in the cloud, run them and analyse them.

      Whilst it won't detect everything, if everyone ran such sandbox based AV systems things would work much better.

      The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.

      Don't be surprised if there is a lot more OSX malware out there than people know about.

    11. Re:AV works best with...sigs by tlhIngan · · Score: 1

      The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.

      Don't be surprised if there is a lot more OSX malware out there than people know about

      There's a lot out there. Except that by default, OS X will not run unsigned applications (either signed with an Apple-provided certificate, or signed by the Mac App Store). And that's why the revoked certificate is important, because it means the malware will not run by default.

      As a final check, OS X comes with a service called xProtect which is a built-in anti-malware and anti-virus scanner. It's updated daily. People who monitor the list of signatures that xProtect uses have noticed it increasing in size. While Gatekeeper apps can be bypassed, xProtect will deny execution of matching signatures, so it's a measure of last resort.

      In the Apple ecosystem, the most valuable thing to steal is a developer certificate, because when Apple revokes them, it means ALL the developer's apps are disabled (usually in very short order). Apple believes developers are the general origin of malware, and not individual programs, so if you release a "bad app", well, Apple doesn't trust you and considers all your apps bad. Hence developer certificates being valuable items to steal, and developers wanting to protect them.

  4. And in other news.. by Anonymous Coward · · Score: 0

    Grammatical error appears on slashdot's front page for more than four minutes.

  5. How is this possible? by pablo_max · · Score: 0

    According to Mac zealots, only Windows machines can get malware or viruses.

    1. Re:How is this possible? by gtall · · Score: 1

      Okay Sat-Nad, just because Windows is a virus magnet doesn't mean others need be as well.

  6. You go home now by Anonymous Coward · · Score: 0

    You been here four month!

    1. Re: You go home now by Cmdln+Daco · · Score: 1

      You can check out any time you like, but you can never leave.

      -Roach Motel California.

  7. Yeah by Anonymous Coward · · Score: 0

    You are a sorry victim of the Mainstream Media Lies.

  8. Yes, Mr Soros by Anonymous Coward · · Score: 0

      That's your "civilization" of fags, highest incarceration rate and casual rape?

    1. Re:Yes, Mr Soros by Anonymous Coward · · Score: 0

      She's just a butthurt CIA agents [sic] who hasn't gotten over SHE LOST.

      Oh, trust me, the toboggan ride is just as bumpy any other way down the hill. Make sure you keep a spare gas can. The flowers of the cannabis plant are an important herb in the treatment of radiation sickness. I can tell you from experience that they also help protect the mind from... the way the world was after N-day, when summer never came.

      unless

  9. Indeed by Anonymous Coward · · Score: 0

    Most likely all of the "malware" is just human engineering. Lots of talk, very little substance in these slides.

  10. Result by Anonymous Coward · · Score: 0

    Apple always tried to sell itself by saying that they were not having the virus problems that Windows was having. Many countered that Apple was not as popular as Windows and that was the only reason why. They also argued that Apple's days in virus hell were going to eventually arrive, and now they have.

  11. Best AV = hosts (stalls this too)... apk by Anonymous Coward · · Score: 0

    0.0.0.0 string2me.com
    0.0.0.0 flux2key.com

    * Those are either offline AWAITING to give orders (OR they are denying back ICMPEchoReply (easily settable in IP stack settings)).

    You BLOCK those, this thing won't get orders for more havoc it is doubtless out to wreak (couldn't be worse than HAVOC I wreaked on the JACKASS I destroyed here https://it.slashdot.org/commen... & here https://it.slashdot.org/commen... that had to DOWNMOD HIDE those SELF-DEFEATS of his - WHICH WHIPSLASH IN A FIT DELETED, lol!)

    SOURCE: https://objective-see.com/blog...

    APK

    P.S.=> Soon, I'll have a MacOS version of these (completing my multiplatform agenda I had all along):

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)
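The comment above proposes sinkholing the two command-and-control hostnames in a hosts file. As an added example (not APK's engine, not code from this thread or from Objective-See), here is a small parser for hosts-file blocklists plus a check of outbound DNS query logs against it, written from the defender's side: it reports queries that the hosts file would have blocked, and separately reports subdomain lookups that a hosts file does not catch, because hosts entries match exact names only. The hosts text, the DNS log format (`client=... query=...`), the log lines, and the 192.0.2.10 mapping are constructed for the example; only the two hostnames come from the comment.

```python
"""Added example: parse a hosts-file blocklist and check DNS query logs against it.
Not APK's code; hosts text, log format and log lines are constructed."""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Addresses conventionally used to sinkhole a name in a hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that legitimately map to loopback and are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> Set[str]:
    """Return the hostnames a hosts file sinkholes. Comments, blank lines,
    malformed lines, loopback aliases and real (non-sinkhole) mappings are ignored."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        if str(addr) not in SINKHOLE_ADDRS:
            continue                          # a genuine mapping, not a block
        for name in fields[1:]:               # one line may list several names
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


# Constructed DNS query log format: "<ts> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def check_queries(log_lines: Iterable[str], blocked: Set[str]
                  ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split queries into (client, name) pairs the hosts file blocks exactly,
    and pairs under a blocked domain that a hosts file would NOT block."""
    exact: List[Tuple[str, str]] = []
    missed: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        client = m.group("client")
        if qname in blocked:
            exact.append((client, qname))
        elif any(qname.endswith("." + b) for b in blocked):
            missed.append((client, qname))
    return exact, missed


# Constructed hosts file: the two names from the comment plus ordinary entries.
SAMPLE_HOSTS = """\
# blocklist (constructed for the example)
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  intranet.example   # a real mapping, not a block
0.0.0.0 string2me.com
0.0.0.0 flux2key.com   # second C2 name from the comment
this is not a hosts line
"""

# Constructed DNS query log lines.
SAMPLE_LOG = [
    "2018-12-21T10:02:11Z client=10.0.0.5 query=string2me.com. type=A",
    "2018-12-21T10:02:12Z client=10.0.0.5 query=www.example.org type=A",
    "2018-12-21T10:03:40Z client=10.0.0.7 query=FLUX2KEY.COM type=A",
    "2018-12-21T10:03:41Z client=10.0.0.7 query=api.flux2key.com type=A",
    "garbage line without the expected fields",
]


def demo() -> Tuple[Set[str], List[Tuple[str, str]], List[Tuple[str, str]]]:
    blocked = parse_hosts(SAMPLE_HOSTS)
    exact, missed = check_queries(SAMPLE_LOG, blocked)
    return blocked, exact, missed


if __name__ == "__main__":
    blocked, exact, missed = demo()
    print("blocked names:", sorted(blocked))
    print("queries the hosts file stops:", exact)
    print("queries it would let through:", missed)
```

Two things the run makes visible: the hosts file catches `string2me.com` and `flux2key.com` regardless of case or trailing dot, but `api.flux2key.com` passes straight through, which is why a hosts-file block is a stopgap rather than a substitute for resolver-level or network-level blocking of the whole domain; and the DNS log itself is the useful detection artifact, since a host that keeps asking for a sinkholed name is the one worth looking at.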