macOS Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/macos/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 06 Jul 2023 14:25:42 +0000

RustBucket Malware Attacks MacOS More Effectively https://gridinsoft.com/blogs/rustbucket-malware-attacks-macos/ Thu, 06 Jul 2023 14:01:24 +0000
New update of RustBucket Malware introduced several changes. Now the malware is more securely fixed in the systems of its victims and evades detection by security software. Though the most concerning feature there is its enhanced ability to attack macOS.

Consider having a look at our articles on similar topics: the first ever ransomware for macOS, and the attacks of North Korean hackers on macOS users impersonating Crypto[.]com.

What is RustBucket malware?

Researchers from Jamf Threat Lab discovered RustBucket in the spring of 2023. They described it as an AppleScript-based backdoor capable of extracting the second stage payload from a remote server. This malware is associated with North Korean hackers from the BlueNoroff group (REF9135 in the Elastic Security Labs classification). They are reportedly related to a larger threat cluster called Lazarus.

The second-stage malware, compiled in Swift, arrives from the C2 server. It is a binary file based on Rust and Objective-C. This malware has extensive data collection capabilities and is also capable of extracting and running additional Mach-O files or shell scripts on a compromised system. Interestingly, this was the first BlueNoroff malware specifically designed to attack macOS users, although a .NET version of RustBucket has since appeared with a similar feature set.

RustBucket malware attacks macOS

Typically, such attacks start with phishing emails; the hackers also use fictitious identities created specially for this purpose on social networks (for example, LinkedIn). Their campaigns tend to target financial institutions in Asia, Europe and the United States, suggesting that the group’s activities are aimed at generating illicit income and evading sanctions. In general, the attacks are based on a macOS installer that installs a hidden but functional PDF reader. An important aspect of these attacks is that the malicious activity only starts after a specific PDF file is opened in the malicious reader.

The version of RustBucket discovered by Elastic Security Labs is most notable for its unusual persistence mechanism, its use of dynamic DNS (docsend.linkpc[.]net), and a number of measures aimed at hiding the hackers’ activity.

What then?

RustBucket malware appears to be just another malicious tool in the hands of politically motivated hackers. Lazarus, the most notorious North Korean hacking group, significantly expanded its activity in 2023, so this is not a hollow threat. To be confident in your protection against such dangers, I can advise you to follow these tips.

  • Check every email message you are going to interact with. Email spam has long been a prevalent way of spreading malware, and Lazarus actors in particular prefer it to other distribution methods. A strange subject, dubious attachments, an unusual sender address – all such things should raise suspicion. By staying vigilant, you can cut out almost half of possible malware infections.
  • Use reliable anti-malware software. Vigilance is important, but you can never be sure you are right. Hackers invent new methods of malware delivery every day, and you cannot predict them all. For that reason, a proactive solution is simply essential. There are solutions for individuals, small companies and large organizations, so you have a wide range of options.

LockBit Releases World’s First macOS Ransomware https://gridinsoft.com/blogs/lockbit-releases-macos-ransomware/ Mon, 17 Apr 2023 10:05:48 +0000
LockBit, an infamous ransomware gang that became a major threat actor over the last two years, released the variant of its ransomware for macOS. Previously, this system was considered safe from ransomware, as no known samples were targeting it specifically. Currently, LockBit’s product is considered the first ransomware that breaks that rule.

What is the LockBit gang?

The LockBit group is currently the leading gang of threat actors spreading the eponymous ransomware, active since 2019. Throughout its lifetime, the group has constantly updated its malware, making it more resistant to countermeasures. The group is also notable for its media personality – its members are never shy of giving interviews and discussing things on forums. After the Conti group dissolved in 2022, LockBit became the market leader, at some point accounting for over 40% of all attacks. This number fluctuates, but the title of most successful cybercrime gang remains.

LockBit leak site
Onion site with leaked information, hosted by the LockBit group. Hundreds of companies are listed there.

The key thing behind LockBit’s success is its ransomware and the auxiliary software used in its attacks. Together, these programs provide a safe, fast and reliable way to encrypt and exfiltrate files. From the very beginning, their ransomware and data exfiltration tools were already the fastest, and with time and updates the hackers made them even faster. In fact, no widely used ransomware family comes close, and only one known sample – Rorschach ransomware – can boast faster encryption. Updates bring not only faster encryption and exfiltration, but also upgrades to the network infrastructure and bug bounty programs.

LockBit’s First-in-Kind macOS Ransomware

For a long time, macOS was considered safe from malware. Sure, there were minor things like adware or browser hijackers that lived in browsers – but those do not rely on the operating system. “Serious” malware, like spyware, backdoors and ransomware, was non-existent. Theoretically, some malware samples aimed at *NIX systems could run on macOS (as it is compatible), but they were not specifically designed to attack it. But on April 16, 2023, news of a macOS-targeted variant of LockBit appeared.

The fact that the previously invincible system had descended from the pantheon to live among mortals set off a storm of discussion. Over the weekend when it happened, people went wild with expectations, producing more and more theories about what it is capable of and how it works. LockBit themselves, however, only confirmed having a newly developed macOS variant of their ransomware.

What actually happens?

Behind the huge media reaction, a lot of interesting details slipped away. They generally become available during the analysis of the sample. The sample appears to be completely undetected by the vendors listed on VirusTotal, and it targets ARM systems. Within a day, at least some of the vendors corrected this. However, further analysis shows that LockBit managed to compile it for several other platforms – PowerPC, ARMv5/v6/v7, Linux, FreeBSD and even SPARC. So the entire lineup of Apple products is at risk now – from computers to tablets and cell phones. Even legacy PowerPC-based systems are not safe.

Samples LockBit
Samples available for different non-x86 architectures

The sample refuses to run in the normal way, as it lacks a valid Apple Developer ID signature. To make it run, hackers most probably use a specific console command that allows them to circumvent the restriction. The sample is XOR-encrypted and features a couple of anti-analysis tricks; in particular, it stops running if it detects a debugging environment. Still, after deep analysis, analysts noticed a lot of flaws in this LockBit version. The malware is prone to buffer overflow errors, and most of its anti-analysis measures can easily be blocked.

Is LockBit ransomware for macOS dangerous?

For sure, it is. Despite being less than ideal in its current iteration, it will become so in future – I have no doubt about that. The LockBit gang never overestimates its malware’s capabilities and will do its best to fix everything analysts have found so far. Moreover, other gangs may take this case as an example and release their own ports. It is a fairly small threat to macOS at the moment, but it may end up ushering in a completely new paradigm.

macOS-based malware is threatening not only because of the novelty of such threats, but also because of the absence of countermeasures. Actually, they are not totally absent – there are several anti-malware solutions for macOS. Yet their coverage is low, so they pose little obstacle to malware. Additionally, these solutions have limited capability against advanced threats like LockBit ransomware, making protection even less effective. The only advice for now is to implement proactive countermeasures – ones that prevent malware from reaching the system at all.

How to protect yourself?

Fortunately, countermeasures against LockBit ransomware are cross-platform. LockBit hackers commonly exploit network vulnerabilities to get into a network and infect it. You can rely on firewalls or other restrictive measures, but the crooks have found ways to circumvent them. Advanced solutions like Network Detection and Response fit this case best. They do not always require a client installed on each system, relying instead on monitoring overall network traffic. Detection systems and extensive logging make it much easier to stop the threat and prepare for possible intrusions in future.

Lazarus Hackers Attack MacOS Users by impersonating Crypto[.]com https://gridinsoft.com/blogs/lazarus-attack-macos-users/ Thu, 29 Sep 2022 09:17:38 +0000
Sentinel One has discovered that the North Korean hacker group Lazarus is targeting macOS users selectively. Attackers are using fake Crypto[.]com jobs to hack developers and digital artists in the cryptocurrency community. It is assumed that in the long term, attackers aim to steal the digital assets and cryptocurrencies of their victims.

By the way, we previously reported that the North Korean Group Lazarus Attacks Energy Companies.

Let me also remind you that Crypto.com is one of the world’s leading cryptocurrency exchange platforms. The company gained mainstream attention in 2021 when it acquired the Los Angeles Staples Center and renamed it the Crypto.com Arena, followed by a series of television commercials.

Sentinel One analysts write that the campaign, which targets people working in the cryptocurrency industry, has been carried out by hackers since 2020. Recently, it was noticed that the attackers exploit the brand of another well-known cryptocurrency exchange, Coinbase, in their attacks, and now they have switched to Crypto.com and are attacking macOS users.

Typically, Lazarus will reach out to their targets via LinkedIn, sending them direct messages informing them of an interesting and high-paying job that Crypto.com is allegedly offering them.

Lazarus attack macOS users

As with previous campaigns targeting macOS, the hackers send victims a binary file disguised as a PDF that contains a 26-page PDF file named Crypto.com_Job_Opportunities_2022_confidential.pdf and information about jobs on Crypto.com.

In the background, this Mach-O binary creates a folder (WifiPreference) in the Library directory and deploys the second- and third-stage files. The second stage is WifiAnalyticsServ.app, which persists on the system as wifanalyticsagent and eventually connects to the control server at market.contradecapital[.]com, from which it receives the final WiFiCloudWidget payload.

Because the attackers’ binaries are signed, they can bypass Apple’s Gatekeeper checks and run as trusted software.

Unfortunately, the researchers were unable to study the group’s final payload, as the hackers’ C&C server was already down at the time of the investigation. However, they note that there are some indications that this operation is short-lived, which is quite typical of Lazarus phishing campaigns.

“The hackers made no effort to encrypt or obfuscate the binaries, which likely indicates that this campaign is short-lived or that there is no fear of being detected,” the analysts said.

CloudMensis Malware Attacks MacOS Users https://gridinsoft.com/blogs/cloudmensis-malware-for-macos/ Wed, 20 Jul 2022 10:33:14 +0000
ESET experts have discovered the CloudMensis malware, which is used to create backdoors on devices running macOS and subsequently steal information.

The malware received its name due to the fact that it uses pCloud, Dropbox and Yandex.Disk cloud storages as control servers.

Let me remind you that we also wrote that Vulnerability in macOS Leads to Data Leakage, and also that Microsoft Releases PoC Exploit to Escape MacOS Sandbox.

The capabilities of CloudMensis indicate that the main goal of its operators is to collect confidential information from infected machines. For example, the malware is capable of taking screenshots, stealing documents, intercepting keystrokes, and compiling lists of emails, attachments, and files stored on removable media.

CloudMensis supports dozens of different commands, which allows its operators to perform a variety of actions on infected machines:

  1. change the malware configuration: the cloud storage provider and authentication tokens, file extensions of interest, the cloud storage polling frequency, and so on;
  2. list running processes;
  3. capture the screen;
  4. list emails and attachments;
  5. list files on removable media;
  6. run shell commands and upload the result to the cloud storage;
  7. download and execute arbitrary files.

According to ESET analysis, attackers infected the first Mac as early as February 4, 2022. Since then, they have only occasionally used the backdoor to compromise other machines, hinting at the targeted nature of this campaign.

CloudMensis Malware for macOS

Interestingly, once deployed, CloudMensis is able to bypass the Transparency, Consent, and Control (TCC) system, which asks users whether to grant an app permission to take screenshots or monitor keystrokes. The TCC mechanism is designed to block access to sensitive user data, allowing macOS users to customize privacy settings for various applications and devices (including microphones and cameras).

Rules created by the user are stored in a database protected by System Integrity Protection (SIP), which ensures that only the TCC daemon can modify them. Thus, if a user has disabled SIP on the system, CloudMensis will grant itself the necessary permissions by simply adding new rules to TCC.db.

However, even if SIP is enabled and any version of macOS Catalina prior to 10.15.6 is installed on the machine, CloudMensis can still gain the necessary rights by exploiting a vulnerability in CoreFoundation, which has the identifier CVE-2020-9934 and which Apple fixed two years ago. This bug forces the TCC daemon (tccd) to load a database that CloudMensis can write to.

The vector of infection, as well as the goals of the hackers, are still unknown, but the researchers write that, judging by the way the attackers handle Objective-C, they are practically unfamiliar with macOS. At the same time, experts admit that CloudMensis is still a powerful spy tool that can pose a serious threat to potential victims.

“The use of vulnerabilities to bypass defense mechanisms indicates that malware operators are actively trying to maximize the success of their spying operations. At the same time, our study did not find any 0-days used by this group,” the experts say.

Privacy Access Tokens to Replace CAPTCHA Real Soon https://gridinsoft.com/blogs/privacy-access-tokens-to-replace-captcha-real-soon/ Mon, 27 Jun 2022 09:27:34 +0000
CAPTCHA, a well-known test for website visitors to prove they are humans, not robots, rapidly grows obsolete. There are ways to break or bypass CAPTCHA, and there are obvious inconveniences these tests bring to clients when deployed on websites. Luckily, the progress won’t cease, and the replacement is coming. We’re talking about Privacy Pass – a browser extension that does the job of filtering bots on the client’s side and automatically.

Prove to Machines That You Are Not a Machine Via Cryptographic Token

Privacy Pass is a browser extension initially designed for Chrome and Firefox, with its first version released back in 2018. This plugin verifies that you are not a bot automatically and awards you with a cryptographic token (Privacy Access Token – PAT) that serves as a pass on CAPTCHA-protected websites. The extension analyzes your behavior while you browse, so there is no need to stop to solve CAPTCHA puzzles. It turns out that there are plenty of ways to figure out that there is a human being behind the browser by analyzing what and how the client does.

Cloudflare CAPTCHA pages accept PATs, and it seems reasonable to believe that manual CAPTCHA will be driven out from use very soon. What is even more promising is that Apple gives Privacy Pass a huge recognition boost by including it in the upcoming operating systems, iOS 16 and macOS Ventura.

Standard CAPTCHAs for manual solving will probably linger for some time, though, to welcome users who either haven’t yet earned an access token during their browsing session or clients whose behavior seems suspicious.

What’s wrong with CAPTCHA?

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is fine; it’s just old. Its purpose is to make automated attacks such as DDoS (and other bot activity on websites) impossible. But it turns out that there are ways to provide smooth and seamless verification that users are human without forcing them to solve puzzles. Checkpoints, where you have to stop and perform actions, are real trouble for marketing – users just hate them.

A click farm interior
Click farm. Image: Diggit Magazine.

Moreover, back in 2013, a CAPTCHA-beating neural network showed up. It solved test jigsaws with 99.8% accuracy, which is a better-than-human result. After nine years, machine learning algorithms only improved.

Another phenomenon is connected to CAPTCHA bypassing. There are entire click farms – offices where specially trained people do nothing else but solve CAPTCHA puzzles to let bots enter protected websites. The bots deliver the tasks they face on websites to human clickers and then receive them back solved via a special API.

So, CAPTCHA is getting closer and closer to obsolete. It is beatable and annoying. Why not replace it with something high-end like Privacy Pass?

Apple paid $100,000 for macOS camera and microphone hack https://gridinsoft.com/blogs/apple-paid-for-macos-camera-and-microphone-hack/ Mon, 31 Jan 2022 23:17:07 +0000
Information security researcher Ryan Pickren told how he received a large reward from Apple for hacking the camera and microphone in macOS. He also discovered vulnerabilities in Safari and macOS that could be used to hack into a user’s online accounts.

Back in 2020, Ryan Pickren received a $75,000 bug bounty from Apple because he found several vulnerabilities in Safari at once that could be used to access someone else’s camera and microphone (on devices running iOS and macOS). To exploit those bugs, it was necessary to trick the user into visiting a malicious site.

After receiving the award, the expert continued his research in this area and last year identified another chain of exploits related to iCloud Sharing and Safari 15, the use of which could have even more nasty consequences. As Pickren now reveals on his blog, the new attack combines four vulnerabilities, two of which have been given CVE IDs: CVE-2021-30861 and CVE-2021-30975. Two more bugs were recognized as “design” flaws, and not full-fledged vulnerabilities.

To exploit the new chain of bugs, it was necessary to lure the victim to a malicious site and force them to click on the “Open” button there. If the exploit was successful, the attacker gained access not only to the victim’s webcam and microphone, but also to all accounts on all sites that the victim had ever visited using Safari (including, for example, Gmail, iCloud, Facebook and PayPal).

macOS camera and microphone

The exploit chain included a UXSS vulnerability in Safari, abuse of iCloud’s default sharing feature (ShareBear), and bypassing Gatekeeper.

“Essentially, through ShareBear, the victim allows an attacker to inject a file into his system, which can be later executed without user interaction. And even if the original file was not malicious, then the attacker can change its content and extension,” Ryan Pickren says.

The fact is that when ShareBear is used to share files, the user needs to click on the “Open” button only once. Such a file can then be run remotely at any time without re-permissions.

The researcher writes that the problems were found in the summer of 2021, but Apple managed to finally eliminate them only recently, in January 2022. As a result, Pickren “earned” $100,500 from these bugs, receiving a large reward as part of the bug bounty program.

Let me remind you that recently we also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook.

Critical vulnerability in Office fixed, but macOS update is delayed https://gridinsoft.com/blogs/critical-vulnerability-in-office/ Wed, 12 Jan 2022 23:25:48 +0000
As part of the January Patch Tuesday, Microsoft engineers fixed a critical vulnerability in Office that could allow attackers to remotely run malicious code on vulnerable systems.

The RCE vulnerability identified as CVE-2022-21840 can be exploited on target devices with even the lowest privileges and in simple attacks that require user interaction. Basically, the user has to open a special Office document received from the attacker via mail or messenger. Fortunately, it is reported that the Outlook Preview Pane cannot be used as an attack vector.

“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to a user and persuading the victim to open it. If we are talking about an attack scenario over the Internet, then an attacker can create a site (or use a compromised site that accepts or hosts user-generated content) containing a specially prepared file designed to exploit the vulnerability,” explains Microsoft.

Alas, renowned cybersecurity expert and CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. That is, exploitation of the problem is still possible without direct user interaction and opening a malicious Office file. Instead, it is enough to select such a file in the explorer window with the preview pane turned on.

The irony of this situation is that Microsoft has already prepared patches for Microsoft 365 Apps for Enterprise and the Windows versions of Microsoft Office, but is still working on fixes for the vulnerability in macOS. Thus, Mac users running Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will have to wait – there are no fixes for them yet, and the exact release dates have not been reported.

Bleeping Computer notes that in November 2021, Microsoft was also unable to promptly provide Apple users with patches for the actively exploited 0-day vulnerability in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms and launch an attack that did not require user interaction.

Let me remind you that recently we also wrote that Vulnerability in macOS Leads to Data Leakage, as well as that Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities.

Vulnerability in macOS Leads to Data Leakage https://gridinsoft.com/blogs/vulnerability-in-macos-leads-to-data-leakage/ Tue, 11 Jan 2022 22:08:46 +0000
Microsoft said that attackers could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology and gain access to protected user data.

Back in the summer of 2021, a research group informed Apple developers about a vulnerability dubbed powerdir (CVE-2021-30970). The bug is related to the TCC technology, which is designed to block applications from accessing sensitive user data. This allows macOS users to customize privacy settings for apps and devices connected to their Macs, including cameras and microphones.

While Apple has restricted access to TCC (only apps with full disk access can reach it) and configured features to automatically block unauthorized code execution, Microsoft researchers found that attackers could inject a second, custom-built TCC database into the system, allowing them to gain access to protected information.

The point is that TCC supports two types of databases: one for permissions that apply to a specific user profile, and another for permissions that apply globally, system-wide; the latter is protected by System Integrity Protection (SIP) and available only to applications with full disk access.

“We found that it was possible to programmatically change the target user’s home directory and inject a fake TCC database that stores the history of consent for application requests. If this vulnerability is exploited, an attacker, in theory, can launch an attack based on the user’s protected personal data. For example, an attacker can hack an application installed on a device (or install his own malicious application), gaining access to a microphone to record private conversations or take screenshots of sensitive information displayed on the screen,” say the experts.

In fact, a user with full disk access can find the TCC.db file, which is an SQLite database, view it, and even edit it. Thus, an attacker with full access to the TCC databases can grant arbitrary permissions to his malicious applications, and the user will not even know about it.
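An audit helper for the two conditions the article describes, an unexpected grant sitting in TCC.db and a user home directory redirected away from /Users, as an added example that is not part of the article or of Microsoft’s research. The `access` table columns, the kTCCService* names and the meaning of `auth_value` are assumptions about macOS 11 and later; the dscl output and database rows are constructed for offline testing.

```python
import sqlite3

# Assumed (not from the article): the `access` table layout of TCC.db on macOS 11+
# and auth_value semantics (0 = denied, 2 = allowed). Verify on your own system.
SENSITIVE = {"kTCCServiceMicrophone", "kTCCServiceCamera",
             "kTCCServiceScreenCapture", "kTCCServiceSystemPolicyAllFiles"}
ALLOWED = 2


def open_tcc_db(path):
    """Open a real TCC.db read-only (reading it on a Mac needs Full Disk Access)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sensitive_grants(conn):
    """Return (service, client) pairs holding an active grant for a sensitive service."""
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ? ORDER BY service, client",
        (ALLOWED,))
    return [(service, client) for service, client in rows if service in SENSITIVE]


def home_dir_mismatch(dscl_output, username):
    """Flag the powerdir precondition: NFSHomeDirectory pointing outside /Users/<name>.

    dscl_output is the text of `dscl . -read /Users/<name> NFSHomeDirectory`.
    """
    for line in dscl_output.splitlines():
        if line.startswith("NFSHomeDirectory:"):
            home = line.split(":", 1)[1].strip()
            return home != f"/Users/{username}"
    return True  # a user record with no home directory at all is also suspicious


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (not real data, assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, auth_reason INTEGER, auth_version INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceMicrophone", "com.example.conferencing", 0, 2, 2, 1),  # expected
        ("kTCCServiceScreenCapture", "com.example.unknown", 0, 2, 2, 1),  # worth a look
        ("kTCCServiceCamera", "com.example.unknown", 0, 0, 2, 1),  # denied: not reported
        ("kTCCServiceAddressBook", "com.apple.Terminal", 0, 2, 2, 1),  # not sensitive here
    ])
    return conn


if __name__ == "__main__":
    for service, client in sensitive_grants(build_sample_db()):
        print(f"{service:32} granted to {client}")
    print("home redirected:", home_dir_mismatch("NFSHomeDirectory: /tmp/fake\n", "alice"))
```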

Apple fixed this issue in December 2021 with the release of macOS 11.6 and 12.1.

CVE-2021-30970 is the third TCC bypass issue. Earlier in 2021, Apple fixed bugs CVE-2020-9934 and CVE-2020-27937, as well as the zero-day vulnerability CVE-2021-30713, which also allowed an attacker to gain full access to the disk, record data from the screen, and perform other actions without explicit user consent.

Let me remind you that we wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that Spy method NoReboot allows simulating iPhone shutdown and prying through the camera.

Attackers again deceived Apple’s notarization process https://gridinsoft.com/blogs/attackers-again-deceived-apples-notarization-process/ Mon, 26 Oct 2020 23:28:51 +0000

The post Attackers again deceived Apple’s notarization process appeared first on Gridinsoft Blog.

In September 2020, I talked about how the Shlayer malware successfully passed the notarization process and was able to run on any Mac running macOS Catalina and newer. Now there is information that the attackers again deceived the notarization process.

Apple introduced the “notarization process” security mechanism in February of this year: any Mac software distributed outside the App Store must undergo a notarization procedure so that it can run on macOS Catalina and above.

“Basically, any Mac software now has to go through an automated scan at Apple for malware and code signing issues. If the checks are passed, the application is whitelisted and Gatekeeper allows launching and installing it on the system without any problems”, – explain Apple developers.

Unfortunately, just like Bouncer (the automated security system that scans Android apps before they are published on the Google Play Store), Apple’s app notarization process isn’t perfect either. In total, more than 40 notarized applications infected with the Shlayer Trojan and Bundlore adware have been detected.

“Most often, Trojans of the Shlayer family download and install various adware applications on the user’s device. In addition, their functionality theoretically allows downloading programs that not only flood users with advertisements, but also spontaneously open advertising pages in browsers and replace search results in order to download even more advertising messages”, – say information security experts.

Now, researcher Joshua Long of Intego says that he has identified six more malicious applications that have successfully passed the notarization process.

All six found “products” pretended to be Flash installers, but in fact downloaded OSX/MacOffers adware onto victims’ machines, which, in particular, interferes with the operation of the search engine in the user’s browser.

Attackers deceived the notarization process

The expert writes that Apple revoked the developer’s certificate for this malware before Intego specialists had time to finish their investigation. It is unclear how Apple discovered these applications: perhaps the company received a warning from another cybersecurity researcher, or one of the affected Mac users notified the company of what was happening.

As Adobe, along with other companies, plans to permanently phase out Flash support in late 2020, Long has once again urged users to stop downloading Flash installers, which are usually malicious.

Shlayer malware bypassed Apple security checks https://gridinsoft.com/blogs/shlayer-malware-bypassed-apple-security-checks/ Tue, 01 Sep 2020 16:08:38 +0000

The post Shlayer malware bypassed Apple security checks appeared first on Gridinsoft Blog.

Security expert Peter Dantini discovered that the Shlayer malware bypassed Apple’s checks: it successfully passed the software notarization process and could run on any Mac running macOS Catalina and newer.

In February of this year, Apple introduced a new security mechanism: any Mac software distributed outside the App Store must go through a notarization process in order to run on macOS Catalina and above.

“Basically, any software for the Mac now has to go through an automated scan at Apple for malware and code signing issues. If the checks are passed, the Gatekeeper allows the application to run on the system”, – explained Apple experts.

On Twitter, Peter Dantini writes that Apple’s automated checks do not seem to be very reliable. The researcher discovered that Shlayer malware installers were distributed through the malicious site Homebrew and had passed notarization (disguised, as usual, as Adobe Flash Player updates). Therefore, they could be run even on the latest macOS 11.0 Big Sur.

Dantini’s find was confirmed by another well-known expert, Patrick Wardle, who writes in his blog that he immediately notified Apple of the notarized malware, and the company revoked Shlayer’s certificates on the same day, August 28, 2020. This means that Gatekeeper will now automatically block them.

Shlayer bypassed Apple checks

However, over the last August weekend, the researcher found that the Shlayer campaign was still gaining momentum, offering users new notarized payloads on the same day Apple revoked the original certificates. Wardle writes that the old and new payloads are almost identical: they contain OSX.Shlayer as well as Bundlore adware.

“It is obvious that in the endless game of cat and mouse between malefactors and Apple, malefactors are still winning”, — concludes the expert.

According to Kaspersky Lab, Shlayer has been the most widespread threat for macOS for two years now: in 2019, every tenth user of the company’s security solutions encountered this malware at least once, and its share in relation to all detections on this OS is almost 30%.

The first samples of the Shlayer family fell into the hands of researchers back in February 2018. By the beginning of 2020, almost 32,000 different malicious samples of the Trojan had been collected, and 143 C&C domains had been identified.

Most often, Trojans of the Shlayer family download and install various adware applications on the user’s device. In addition, their functionality theoretically allows downloading programs that not only flood users with advertisements, but also spontaneously open advertising pages in browsers and replace search results in order to download even more advertising messages.

Let me also remind you that recently Google experts talked about vulnerabilities in Apple operating systems.
