Sneaky Mac Malware Went Undetected By AV Providers For Four Month

Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday. Ars Technica reports: Windshift is what researchers refer to as an APT -- short for "advanced persistent threat" -- that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.

On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting_Agenda.zip, a file Karim had said installed the rare Mac malware. To Wardle's surprise, results from VirusTotal at the time showed that only two antivirus providers -- Kaspersky and ZoneAlarm -- detected the file as malicious. Wardle then used a feature that searched VirusTotal for related malicious files and found four more. Three of them weren't detected by any AV providers, while one was detected by only two providers. The reason the findings were so surprising is that Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. That meant Apple knew of the malware. In fairness, the control servers the malware contacts are no longer available on the Internet. That means any infected computers aren't in danger of being surveilled. Also in fairness, the number of detections has slowly risen in the day since Wardle published his analysis.

AV works best with...sigs

[xxxJonBoyxxx]

Newsflash: AV is pretty useless beyond detecting signatures of KNOWN malware. I've yet to see one that catches, for example, custom PS scripts.

Re:AV works best with...sigs

I've caught a grand total of 3 with heuristics in 25 years. Sasser I believe was one of those, Nod32 IIRC. Back when that was a realistic thing, heuristics lol. Now? Heuristics would just uninstall Windows 10 and say "fuck you"

Re:AV works best with...sigs

[rtb61]

Which makes this story even weirder. It's like where are the staff that are meant to be monitoring competitors and running competitors software. What the hell happened, to "hey guys, our competitors software is blocking this malware and our's isn't", and then they fix that within the next hour. Just ignore the failure of your software for four months, kinds of makes you think they were forced to ignore it because of who it belong to or well, they are just shite companies, selling a shite product and they simply do not care how shite it is, as long as they get their money, much like gaming companies.

Re:AV works best with...sigs

[williamyf]

Most Mac AV software is an aftertought, after the moneymaking server AV/security suites for Windows Servers and Linux servers (redundancy intended) and the Windows Corporate Desktop AV. All management focus and resources are on the money makers, and the Mac AV gets the scraps. Is there just for "portfolio completness" sake.

So in the mac antivirus front is more crappy versus less crappy AV, not good versus bad.

Re:AV works best with...sigs

[AHuxley]

When unexpected software tries to copy itself deep into an OS X location that change can be detected in real time.
From the linked https://objective-see.com/blog...
""First, good news, Objective-See’s tools such as BlockBlock and KnockKnock are able to both detect and block this malware with no a priori knowledge" ...

Re:AV works best with...sigs

[AHuxley]

The other weird part was the
"the signing certificate(s) of all the samples are revoked"
"... this certificateand thus surely this malware as well."
From the linked https://objective-see.com/blog...

Re:AV works best with...sigs

[auzy]

That's incorrect..

If you look at Watchguard and other advanced router vendors such these days, they send unknown samples of files to a fake windows computer in the cloud, run them and analyse them.

Whilst it won't detect everything, if everyone ran such sandbox based AV systems things would work much better.

The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.

Don't be surprised if there is a lot more OSX malware out there than people know about

Re:AV works best with...sigs

[tlhIngan]

The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.

Don't be surprised if there is a lot more OSX malware out there than people know about

There's a lot out there. Except that by default. OS X will not run unsigned applications (either signed with an Apple-provided certificate, or signed by the Mac App Store). And that's why the revoked certificate is important, because it means the malware will not run by default.

As a final check, OS X comes with a service called xProtect which is a built-in anti-malware and anti-virus scanner. It's updated daily. People who monitor the list of signatures that xProtect uses have noticed it increasing in size. While Gatekeeper apps can be bypassed, xProtect will deny execution of matching signatures, so it's a measure of last resort.

In the Apple ecosystem, the most valuable thing to steal is a developer certificate, because when Apple revokes them, it means ALL the developer's apps are disabled (usually in very short order). Apple believes developers are the general origin of malware, and not individual programs, so if you release a "bad app", well, Apple doesn't trust you and considers all your apps bad. Hence developer certificates being valuable items to steal, and developers wanting to protect them.

Re: You go home now

[Cmdln+Daco]

You can check out any time you like, but you can never leave.

-Roach Motel California.

Re:How is this possible?

[gtall]

Okay Sat-Nad, just because Windows is a virus magnet doesn't mean others need be as well.