Slashdot Mirror


Sneaky Mac Malware Went Undetected By AV Providers For Four Months (arstechnica.com)

Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday. Ars Technica reports: Windshift is what researchers refer to as an APT -- short for "advanced persistent threat" -- that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.

On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting_Agenda.zip, a file Karim had said installed the rare Mac malware. To Wardle's surprise, results from VirusTotal at the time showed that only two antivirus providers -- Kaspersky and ZoneAlarm -- detected the file as malicious. Wardle then used a feature that searched VirusTotal for related malicious files and found four more. Three of them weren't detected by any AV providers, while one was detected by only two providers. The reason the findings were so surprising is that Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. That meant Apple knew of the malware. In fairness, the control servers the malware contacts are no longer available on the Internet. That means any infected computers aren't in danger of being surveilled. Also in fairness, the number of detections has slowly risen in the day since Wardle published his analysis.

4 of 28 comments

  1. AV works best with...sigs by xxxJonBoyxxx · · Score: 3, Informative

    Newsflash: AV is pretty useless beyond detecting signatures of KNOWN malware. I've yet to see one that catches, for example, custom PS scripts.

    1. Re:AV works best with...sigs by rtb61 · · Score: 2

      Which makes this story even weirder. It's like, where are the staff that are meant to be monitoring competitors and running competitors' software? What the hell happened to "hey guys, our competitors' software is blocking this malware and ours isn't", and then they fix that within the next hour? Just ignoring the failure of your software for four months kind of makes you think they were forced to ignore it because of who it belonged to, or, well, they are just shite companies, selling a shite product, and they simply do not care how shite it is as long as they get their money, much like gaming companies.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:AV works best with...sigs by AHuxley · · Score: 2

      When unexpected software tries to copy itself deep into an OS X location that change can be detected in real time.
      From the linked https://objective-see.com/blog...
      "First, good news, Objective-See’s tools such as BlockBlock and KnockKnock are able to both detect and block this malware with no a priori knowledge" ...

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:AV works best with...sigs by auzy · · Score: 2

      That's incorrect..

      If you look at Watchguard and other such advanced router vendors these days, they send unknown samples of files to a fake Windows computer in the cloud, run them and analyse them.

      Whilst it won't detect everything, if everyone ran such sandbox based AV systems things would work much better.

      The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.

      Don't be surprised if there is a lot more OSX malware out there than people know about.
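The real-time detection AHuxley points to above (a persistence monitor such as BlockBlock watching for unexpected writes to launchd locations) can be approximated after the fact by triaging the launchd plists already on disk. The script below is an added example for this thread, not Objective-See's code or anything from the Ars Technica article; the directory list assumes the default macOS launchd layout, the "unusual location" patterns are constructed heuristics rather than any vendor's rule set, and the two sample plists are constructed here so the triage runs offline.

```python
"""Triage launchd persistence plists (added example; not BlockBlock/Objective-See code)."""
import os
import plistlib
import re
from typing import Dict, List, Optional

# Standard launchd persistence directories (assumption: default macOS layout).
PERSISTENCE_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Constructed heuristics: paths a vendor-installed agent rarely executes from.
UNUSUAL_PROGRAM_PATTERNS = (
    r"^/(private/)?tmp/",
    r"^/Users/Shared/",
    r"^/var/folders/",
    r"/\.[^/]+/",  # a hidden directory anywhere in the path
)


def program_of(plist: dict) -> Optional[str]:
    """Return the executable a launchd item runs, if the plist names one."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def triage_launchd_plist(raw: bytes, path: str) -> Dict[str, object]:
    """Parse one launchd plist and report what a persistence monitor would flag."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    findings: List[str] = []

    if program is None:
        findings.append("high: no Program/ProgramArguments (malformed or evasive)")
    elif any(re.search(p, program) for p in UNUSUAL_PROGRAM_PATTERNS):
        findings.append(f"high: executes from unusual location {program}")

    # By convention com.vendor.name lives in com.vendor.name.plist; a mismatch
    # is a common trait of a hand-dropped item rather than an installer's.
    if label and os.path.basename(path) != f"{label}.plist":
        findings.append(f"medium: label {label!r} does not match filename")

    if plist.get("RunAtLoad"):
        findings.append("info: RunAtLoad (starts at login/boot)")
    if plist.get("KeepAlive"):
        findings.append("info: KeepAlive (relaunched if killed)")

    suspicious = any(f.startswith(("high:", "medium:")) for f in findings)
    return {"path": path, "label": label, "program": program,
            "findings": findings, "suspicious": suspicious}


def scan_persistence_dirs(dirs=PERSISTENCE_DIRS) -> List[Dict[str, object]]:
    """Triage every .plist in the given directories; missing directories are skipped."""
    results: List[Dict[str, object]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    results.append(triage_launchd_plist(fh.read(), full))
            except (OSError, plistlib.InvalidFileException) as exc:
                results.append({"path": full, "label": "", "program": None,
                                "findings": [f"high: unparsable ({exc})"], "suspicious": True})
    return results


# Constructed samples (not real malware artifacts) so the triage can run offline.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.constructed.agent",
    "ProgramArguments": ["/Users/Shared/.cache/agent", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    samples = [(BENIGN_PLIST, "/Library/LaunchAgents/com.example.updater.plist"),
               (SUSPICIOUS_PLIST, "/Users/victim/Library/LaunchAgents/com.example.helper.plist")]
    for raw, path in samples:
        r = triage_launchd_plist(raw, path)
        print(path, "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
    for r in scan_persistence_dirs():  # real directories, if run on a Mac
        print(r["path"], "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

Run on a Mac it walks the real launchd directories; the "info" findings are deliberately not scored, because RunAtLoad is normal for legitimate agents, so only the location and naming heuristics decide whether an item is worth a closer look.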