A Data Driven Look at the Mac Threat Landscape
What, we're gonna be talking about today is, a data-driven. Look, at the Mac threat landscape. So. For. Those of you who don't know my. Name is Thomas Reid I worked for malwarebytes, and a. Lot of what we're gonna be talking about today is. Has. To do with the data that, we've been collecting, for. The past six, months. On. The Mac platform so. We are, collecting, anonymized, threat. Data so. We can start. To see some interesting. Patterns in, the, kinds of things that we're detecting. What. We're seeing a lot of what we're not seeing a lot of what we're seeing none of it all, so. There are some really interesting things to learn from that data and that's, gonna be a big topic of. Discussion. For today. We. Aren't just gonna, talk about data though we will also go and look at some malware from this year, and. I'll. Give, you guys some things to look for so that you know what kinds. Of warning, signs to look for in your fleet. So. Let's start out just looking at the top Mac, malware. And, you'll notice here, the, other slides are out there okay you'll. Notice up there there, there's one that's, really, at the top of the list, you. Know an order, of magnitude higher than anything, else and that is fake. File opener. And, then everything, else below that is. You. Know as. You can see the numbers fall off kind, of fast. This, does show you that as far as actual malware, is concerned, there's. Not a huge. Amount. Being. Distributed, right now and, really. The vast majority of it is that fake file opener, so. What. Is that let's take a look. So. Fake, file opener, is actually, a detection it. Detects a number, of different, apps that we've seen, and. What. These apps do. Is they sort of try to hijack, legit. System, functionality. -, for their you, know the, purpose, is to scam the user, so. What they do is, an. Any. Application. Can in, it inside, of its info dot plist file inside the application, bundle it can register to, handle. Any number. Of file types so, a particular application, can say hey I can. Handle the, txt. Extension I, can handle any file with that extension and then that, becomes one of your options for opening a text file, so. What these apps will do is they'll. Actually have, hundreds. Of. File. Types that they register. As being. Capable of opening literally. Just about every, common, file type you find on the Mac. And. So. What happens, is. When. You try to open a file that you don't have on your system. That. App will trigger it'll, open up and it will do something, to try, to scam you now normally, if you open a file like that you see, this. Normal. System, dialog, here lets you, choose. An application to, open it with or, go. Search the app store. What, some of these apps will actually do is instead. They'll. Show you this, and as, you can see it's mimicking, the, legitimate, system, functionality. There. Are some issues there, you know as you. Guys are all mad guys so you'll spot these you know the choose.
Application, Button. Is it's, a little wonky and, it's grayed out which, it shouldn't be and. Instead. Of searching the App Store's has searched the web and what. That button will do is take you to a scam website that will tell you hey, you might be infected, and that's why you can't, open this document go, download this. So. These. Kinds, of apps they, they all sort of do this general, same thing and we detect these as malware and, this is this is the name we've given them and those are that's by, far the most prevalent, malware. We see. Next. In line is flexi, spy which. Is a. Legit. A. Piece of spyware. It's. It's marketed. For things like you know monitoring. Your children, or your employees, or something like that, but. Interestingly. We, have never, once received. Any, complaints. From somebody saying hey you detected, flexi spy by mistake. And. Yet this is our number-two malware, detection so. You. Yeah I think that speaks, for how this is actually being used if nobody's, complaining about it when, we detect it then. They're happy it's gone so. And. Then next, in line was something called PP, minor we'll, actually talk about this one a little bit more. In. A little while because this is new, this, year so, we'll talk about that when we get to 2018. Malware. But. This one is a crypto, minor and. Crypto, miners are getting to be a lot more common these days on, all platforms as, I'm. Sure you guys know. So. Next. Slide actually, we're gonna talk about the. Top detection. Of adware. And pup's or, potentially, unwanted programs, all right let me hear, what do you guys think is the top detection. All. Right for. Those watching this recording later mackeeper. Was. The answer, and, you, are correct. By. A longshot, we. Since. January. We. Are coming. Up on nearly. 4, million. Detections. Of, mackeeper, and, that, is a definite. Order of magnitude, above everything. Else we detect and, in. Fact this is actually the, largest, detection. Of everything. We detect some. Days. About. Half, of our detection czar Matt keeper. So. This, thing is really, really prevalent, so. Let's take, a look at the top three here. Top, obviously is mat keeper, the app that, all Mac, admins, love, to hate I'm, sure, you guys if. Those, of you who don't are in the room don't know what it is you, know I'm, sure someone, around you can fill you in. But, we see this a lot. We. See this involved. In a lot of these fake, virus. Pop-ups. That you see online you. Know you're visiting some web site and something, comes up and says hey you're infected, or you may be infected. And. For. Mackeeper it, often, is accompanied. By their, their little catchphrase clean. Your mac from, junk. Which. I've, always found they you. Know the, grammar they're not quite right so. So. We, see these kinds of things a lot and. Most, people who get, my keeper installed don't, really want it there we, do get some complaints though, from people who. They're. Like why are you removing this software is the are you just, removing any antivirus, software. That's, not yours and. Generally. When we point them to our blog post on mackeeper that pretty, well ends the conversation right, there they're like oh. So. Next. One in little in the line was advanced. Mac cleaner. This. Is very similar to mackeeper, it's, it pretends, to be an anti-virus, and, a cleaning tool does, a lot of the same things. This. One is kind of interesting because although mackeeper is, still the most aggressively, marketed. And nobody's. Done anything at all about it. You. Know Apple still hasn't done anything about advanced mat cleaner either but, Google has caught on and, so. If you try to go to their website today, and. Any. Browser, that uses Google Safe Browsing it. Will not let you go there, unless. You work hard to get past this. So. That's that's a very good thing and it's probably the reason that this is only number two and not, a little closer to Mac you in terms, of detections we. See this a lot in the same kinds. Of cases you know we see a lot, of these fake virus, pop-ups, that are promoting, advanced, mat cleaner instead, of mackeeper, so. A lot of the similar ways. Of transmission, and. Then. The, next, one which was you know further. Down on the list but it's still number three it's. Pop JDI. And. That's sort of a general. Grouping. Of a, number, of different programs by. A company, called JDI. And. Their, programs are in two different categories. They. Have a whole bunch of clones. Of. Backup. Software they're all basically the same. But. They're all marketed, differently, they all have different names so they're pretending, they're different pieces, of software and they don't really say this. Is from JDI it's sort of almost like they're different competing, products, but they're not. And. Zip. Cloud in particular, at one, point, about. 50%. Of the, adware, installers, we came across were, installing, zip cloud, so.
This. Stuff's bad news and if you're using if, any of your users are using these for, backups, they really shouldn't, be I would not trust any data to this company. The. Other side of their their software is fake antivirus, all. Of their antivirus. Products, so. Far they only have two of them. They. Require, you to purchase before, they will do anything. At all so there's no way to evaluate, them and then, if you actually do purchase them they really don't do a very good job, so. We. Detect all these programs as pop JDI. So. Let's look at another category, now. We. Talked about advanced, Mac cleaner. That's. Made, by a company called PC. Vark and here's. A list of most, of their stuff, and. How we're detecting, it and you can see here as with. Pretty much every other category, we have one big outlier. At the top that's advanced mat cleaner that's their number one product, and. Then below that there. Are a whole bunch of other things and you'll notice here. If. You look at some of the ads they're things like Mac ads cleaner. Mac adware. Cleaner. Unpolluted. Malware, crusher. Disk. Cleanup, Pro, etc. So they have a whole bunch of these different scammy. Antivirus. Slash cleaning, programs. That. Are all junk, and, they're. Really, they promote these very aggressively, these, are often found in, things. Like these fake Adobe, Flash, Player, installers. You. Know they're some, of these are pretty nasty and they have a variety of, different. Tools. They. Have you know as I said a lot of them are cleaning tools, supposedly. They, have a lot of junk apps that are found in the App Store and that. Are still found in the App Store. They. Have several apps designed, to scrub porn, from, your browser history. If. You're into that sort of thing I don't know why you wouldn't just use private, mode or then clear, the history yourself. Why do you need to trust, some. App, to. Do it I. Don't, know who would do that but some. People do, and. Like, I said these are promoted, through these you know you're infected, pop-ups and through fake Adobe Flash Player installers. Another. Category. Of things that, we see. A lot of in. Our, detection zhh are key. Loggers, now. When I'm talking about key loggers in this case I mean, so-called, legitimate, key. Loggers that you can actually go to a website and buy, these. Are not malware. That has key logging capabilities. We. Would if, it was actually malware, with key logging capabilities we. Would detect that as malware these. Are all pup key loggers and, as, you can see once again we have one clear outlier, in the, at the, very top of the list and that's reef OGG. Which, is a very popular key, lager right now I was, actually kind of surprised, that this wasn't a oboe, because that was a number, of years ago that was a very popular one but evidently. Not so much anymore. So. Reef OGG is it right now. It. Is primarily, marketed for monitoring, your children. We. Do see a large number of detections of this and, just. Like with flexi, spy which we actually detectives, malware because of a variety of different reasons. We. Have had absolutely no, complaints, about, detections, of reef on, so. You. Know once again this tells you. People. Who have this on their computers, and that, are detecting, it and having it removed it's because they didn't know it was there there. It's not that they. Were actually using it to monitor their children, and malwarebytes, removed it they're like oh okay. You. Know that's people. Would complain about that so that's, not what it's actually being used for in the wild it's. Being, used for much creepier purposes. Like monitoring. You. Know, significant. Others or you. Know who. Knows who else so. Another. Interesting one, here ransomware. Has been a big buzzword in. The windows world at least, it's. Starting, to slack off a little bit in favor of crypto miners these days but. It's. Really interesting you know we've had some ransomware, on the Mac, but. It really, hasn't been significant. And we. Really aren't detecting any. These. Days now you'll notice I say we aren't detecting any but, you'll notice that there is a bar there for key. Ranger, that. Is the first and oldest, piece. Of ransomware, for the Mac it's. Been extinct. For a while it doesn't, actually function. Properly, anymore because it can't connect to its servers. So. I do not believe that this bar actually represents. In the wild, detection. 'he's my. Theory. On that is, that this is somebody's, testing. That somebody, is doing testing. With. Malwarebytes, against. Key ranger. And. That's where these detection czar coming from and that makes, sense because the other two are fairly obscure. Whereas key ranger is, it. Was a little bit higher profile, at the time it's probably the easiest one to find, if you wanted to do some testing, so. For all practical purposes we, really.
Don't See any real. Ransomware, out there. We. Do see a lot of coin miners though as in, the windows world. So. We, have on our list. Six, different categories that are crypto miners you'll notice that the. Top one there is actually, not we, don't consider that one malware. We're, calling that one app up. So. Let's take, a look at what that actually, is. The, pop dot, crypto, minor is. Sort. Of a general category for, any kind of applications. That are doing crypto, mining in kind of a sneaky, way but they're not outright, malicious. So. Some things that will get, them detected, are if. They're doing crypto mining but they have not informed. The user and in a clear way that, they're doing crypto, mining you know maybe it's hidden in some fine print somewhere. But. Not anywhere, the user can see it or. If. They don't give the user an opt-out. You. Know so you're you're having. The crypto mining going on but there's no way that you can stop it if you wanted to, you. Know so for example some ads some apps or, websites might, actually say, hey. You know you can you can choose to either have ads or crypto, mining which would you like and, you, know if, the user chooses, crypto, mining that's. Fine you know we don't have a problem with that just, as long as they know what what's happening, the, other thing that we don't like is when. And this, is even if they're, doing everything else right if they're using all, of your processor. Time for the mining, you know literally, there's no way to dial it down then. That's, a problem and a, lot, of times what we see is that when the user sees, this. Process, using. All their processor, time, they don't actually know, what it is they don't know why it's using that processor, time, so. Even if the app is saying hey we're doing mining, and. We know users don't like to read. They just say yeah yeah where's the ok button click. So. And, then later they find out why, is my machine so slow you know I don't, know what's going on there and they don't remember about this program they installed, so that's a that's a problem, so one. Example of. An. App that was doing it wrong, and. It this was actually in the news, not. Very long ago it was the calendar, - app that, was in the App Store. And. It was doing, basically. All of these things wrong it, really didn't, tell the user and it was using tall the processor, power. And. So, we. Detect that, fortunately. They did remove all the crypto mining code from that app at this point so it is no. Longer doing, this which, is good, what's. Interesting is that Apple has subsequently, banned, all crypto. Mining from the App Store and we believe this app is probably the reason why. Speaking. Of the App Store. We. See a lot, of pups. In the, App Store. And, you can see you, know these are some of the top detections, here, a lot. Of these actually, are, from. PC, vark but not all of them by any means so. PC vark is highly represented, but there. Are many many other companies making, pups. There. Are generally, two categories. Of, pups. In the Mac App Store, and. Those are fake. Or. Ineffective. Antivirus. Or anti. Programs. If you, go on the Mac up store right now and search for adware. You'll find a bunch of these. And. Basically what these do a. Lot. Of the anti. Adware, programs, all they will do is basically. Delete. All of your browser extensions. Regardless, of whether they're good or bad and then. Just blast your browser settings back, to Ground. Zero so. It's. Basically, a nuke and pave and, look your problem, went away and, you know in users. Fall for it they're like yeah my problem did go away now. Why, is my homepage changed. And where did my 1password, extension. Go and, you, know they. Don't associate. Those two things they just know they're adware problem, that got solved, or, maybe it didn't because not all had, where problems have a, browser. Extension as, the root cause so. And. Then as far as antivirus most, of these really don't do a very good job what. A lot of them are doing to get around. Any. Kind of technicalities. Or is there in integrating. The clamavi, engine, and, this. Is not clam, xav, which, is a legitimate, Mac. Antivirus, you know the guy that that manages, that I know him he's a good guy he does good work and it.
Does Have Mac signatures, the clam AV, engine does not have Mac signatures. At least not and not many, to speak of so. If your Mac antivirus, and all you're doing is incorporating, them clamavi. Engine you're really not back antivirus. And. Some. Of these apps have, been removed so when we find these things we report, them to Apple we. Report them to security, and Apple and. Some. Of them have been removed in some, cases it. Often, will take a long, time some. Some times as long as six months. There. Was one particular antivirus. App that was really, really bad, and. It took Apple six months to remove it unfortunately. That's not the worst news six, months sounds bad but some. Of these things that we report, to Apple have never, been, removed there. Is one particular app, by, a very, prominent. Major. Antivirus. Company, I'm not going to name them because we, don't have legal clearance do so yet. But. There is an app by them in the App Store that is currently, taking. Your, browser history for, Chrome, Firefox, and, Safari and. For, the App Store itself. Putting. It in a zip file and, sending. That up to a server that that, is from, the it's, definitely on. That. Antivirus. Company's domain so, it's not something, that's from somebody else that's pretending, to be from, that antivirus, company it's, actually going to their domain. So, and, we reported this to Apple, and, so. Far nothing has happened so. We're. Still trying to figure out what. The right way is to report. This to Apple because, it's really not clear there's no easy, clear. Method. For doing so and. That in itself is a big problem so. And until, Apple gets there. Their. Procedures. Together for this this, is gonna be a continuing, problem in the App Store really, is not trustworthy. Alright, so that's a. Interesting. Look at some of the different categories of things were detecting, I, know you guys probably want to find out what. Malware. Is is. In. The wild in 2018. What's new and how do you see, it how do you spot it you identify. It so. Let's, take a look at. What. Some of this stuff is and what some of the IOC s are or if, you're not in, familiar. With security, lingo IOC, s are indicators, of compromise, or things you can look for to, identify. That, a particular, system has been compromised. So. The. First one found. In, 2018. Was mommy. This. One was actually. First. Reported. By a user on the malwarebytes, forums. But. Patrick, Wartell beat us to getting finding, the sample, so. Patrick Wordle had he's got a really good blog post on, this thing he he did the analysis, on it initially. It. Is still currently, unknown, how it got installed we were never actually able to get an answer from that about. That from the user on our forums, he. Did not know how it got there but. However, it gets on the system, that. There are a few things that it does, the, first thing is that it installs, a launched. Daemon, with a fairly. Lengthy script, now it's not like huge. But, it's definitely unusual. For, a launch agent, or launch daemon. And, what. That script does is it downloads and, executes. A malicious, file. And. That. File. Actually changes. The DNS server settings, to use a malicious. DNS, server so. That opens up all kinds of problems you, know it, can do. Phishing, or any. Other kind of attacks where it's redirecting you to a malicious domain. And. You think you're on the real thing. It, also had some general purpose backdoor. Code. Patrick. Did say, that he could not, manage. To make that code get, called he couldn't figure out how to make that code active, but, it is there so. You. Know it's. Entirely possible during. His analysis, he was not actually passing, the right parameters somehow.
That The. Dropper, would have done and so though. That code wasn't active. Now. As, far, as Andrew indicators. Have compromised, the two DNS servers. Are. Listed, here and by, the way you don't, have to actually take notes here, I will. Give you a link at the end of the presentation, for these slides so you can download it yes. What. Oh. Yes. I am yes, Sam. There. We go DNS. Servers. So, anyway. You will be able to get these slides and get all this data out of the slides so. So. The DNS servers are listed there. The. Payload, itself would. Be downloaded, from a variety of different servers, these are the ones that we know of. And. It would also interestingly. Add, a. Trusted. Root certificate. From cloud garden. Me and that. Also needs to be removed that should not be in there and. What that would allow is that would help with, any phishing. Attempt, so if they're directing, you away, from. You. Know say say you're trying to go to Bank of America comm, and instead. They direct you to a phishing, site pretending, to be Bank of America calm but maybe they don't have a good certificate. For that well. If they can get this certificate, put, in as a trusted, root certificate, on your system, then suddenly they can make it look legit and that. Makes their phishing attack look even better. So. You want to look out for all of these things if you see any of this kind of stuff you know any of those network connections, on your network, or see, any. Of your machines with this particular, certificate you. Know you've got an infection. The, other thing to look for are. The launch demons. Now unfortunately. You can't look for these by name, they. It did use random, names. So. What. You have to look for is the content. Of the launch daemon and. This. Is sort of an excerpt, I did sniff, out some of the stuff so. You'll, notice there it's lists, two different fallback. URLs. Those, are the two URLs, that it will try, to download, them out the malicious, executable. From and, the. Part that I sniffed out there was a very lengthy bit, of data, encoded. Data that. Not. Sure exactly what was, in coated in that data but, it was passed to the URL it probably, had. Some kind of parameters, about the, machine itself, that it was being, installed on. And. So, you can see here what it would do is it would you know, make this list of these two URLs. And then it would try to it. Would use curl, to try to download a, file, from there. And. Then. It would execute it, and. So. That way every, time you restart your computer this, is actually, going out and grabbing, a new copy of this malware an updated, copy and pulling. It back down on your hard drive. So. If you see an unusually. Large. Launch. Demons. Or. If you see any of this content inside. Of the launch daemon you know you've got an infection on that machine. And. We. Have seen, only. 72. Cases, of this malware since, its discovery, in January.
So. It's, not, hugely, prevalent, it is out there but it's not hugely prevalent. The, next one this, was the second one discovered, in. 2013. 2014. Government. But I'm, always a little bit iffy, about trusting. Attributions. Like that a lot, of malware authors these days or are laying down false, trails. It's. The. The thing that makes me more you know believe, this is a why. Would you lay down a false trail to the Lebanese government the popular, target, today is either, China or Russia if you're making malware, and you want to throw. Off the investigation you. Make it look like it's coming from China or Russia and then everybody's like oh look at this new Russian malware and. You're like. So. Minoo. But, this was analyzed, by lookout they called it dark Caracol the whole class of government, malware and, cross. Rat was just a part of it and this was the only part, that was able, to actually. Infect, a Mac the, reason it was able to infect, a Mac is that it used Java. Which. Is lame, I mean. How. Many of you guys have Java, on, any. Of the machines in your fleets Oh. Interesting. That. Is not what I would have expected. Yeah. That's. That's a good question, probably, not happy about that. Yeah. But a lot of consumers. Don't. Have Java Macs have not had Java installed by default in, many years, there. Aren't very many websites. Out there that use Java so. You. Know barring, things like internal, tools which I'm guessing that's probably one reason you guys all have that. Stuff. Like that you know SPSS. So. Barring stuff like that you're not gonna see Java on. Macs. Very much these days. And. Another. Interesting thing about this is that it was a version. 0.1. So. It. Was very. Early in development and, a lot of its functionality, really, wasn't, there, yet, we, don't know if this is continuing. To be developed, or not it's. Entirely possible that, could say oh it was spotted. It you know it was spotted by somebody, we're gonna drop. This and start, working on something new that, nobody knows about so. We don't know. If. You. Have been infected, with this it's. Actually quite, easy to spot, you. Will have this launch agent, and this Java executable the. Names don't change the, content, doesn't change it's it's. Very, very easy to spot. So. If you have either one of these things present, you're. Infected, with cross ramp, now. That's. Fortunately. Very. Very unlikely. Because we've only seen 13. Cases of this. Ever. Since, it was since, it was first discovered. So. This is pretty uncommon it's not likely any of you guys have this in your fleets. The, next one is, actually. Crypto, minor this. Was the first new crypto, minor this, year and it's, called creative, update. This. One was actually discovered, by a guy. A former, indigo, employee, he. Was up until recently, working for Sentinel one name. Is our node Abbate, if, I'm saying that right I don't know I've never met him face to face, that. He's discovered, actually quite a few crypto, miners on the Mac. This. One was kind of interesting because it, was distributed via a hack, of Mac update. So. What happened is that somebody managed. To get in to Mac update, and they, replaced, several. Different, applications, so, instead, of go when you tried to download from, Mac. Update, it would actually redirect, you to a. Download. From a different site and you. Wouldn't, know because all you got was just the download it looked like it was downloading, the right thing from Mac, update, and.
The. Three apps that we know were affected, with Firefox. Onyx. And something, called deeper, that I had never heard of before this, I. Don't. Know why those apps were chosen I mean Firefox, is obvious, but I don't know about the other two we. Don't actually know, if there might have been other, apps, affected. You. Know I don't know that I necessarily really. Trust, Mac. Update, these days they've had some problems for. Example at one point in the past they. Were. Distributing. Adware. Installers. They. Actually, wrapped our software. In their installer, at one point which we had to ask them to stop, doing, and. They. Were a little resistant, so, I don't. Necessarily trust, them so I'm, not a, hundred. Percent certain, that these are the only three apps, were affected. But. These. Apps were infected what would happen when you downloaded, them is they would look and act perfectly, normal, but they would also install, this malware on your system, and, that's, it's. Become, a fairly common thing to happen you. Know that happened with key ranger hand, brake was. Compromised. And the hand brake app would deliver. Key, ranger, there. Have been a number of other pieces, of malware that have done the same thing so, these kinds of supply chain attacks are, definitely. Increasing, in in. Cominis. These days. Interestingly. When. We look back we did. A what's. Called a retro, hunt in virustotal, which is where you can go back in virustotal look through samples. Older. Samples, and see if anything matches the, criteria you're giving and we. Found a whole bunch of samples, that went all the way back to October of last year, so. This has been around for a while it didn't just appear this year it was just this particular delivery, mechanism. Was. New. And. Interestingly all of these were all, downloading. Their updates from public, Adobe, CC comm, which is a legitimate Adobe, site so they were you. Abusing. An Adobe, site, for. Delivering, their updates. If. You. Were infected if you had any machines, that were infected by any variant, of this. That. There are a variety of, different launch. Agents. That, could be created, and different executable, files that would be in your library. And. This. Is a comprehensive. List of every, single one that we found from every different variant, most of them used the same. The. Same ones but some branched. Out a little and interestingly. There. Were some kind of you know there there was some sneakiness, here, so for example m.d. worker. If. You, if you. Go. Out online on and, look for stuff relating. To m.d. worker you're gonna find a lot of spotlight. Related, issues. So, if the user sees, this using, a lot of processor, power they're. Gonna go looking and they're gonna find a lot of solutions relating, to spotlight, and. All. These, solutions are gonna be things like you know rebuild. Your spotlight, indices, and, you, know things like that and the. You know makes. It look like it's a legitimate, real problem. Not malware, on your system so that was kind of sneaky it was a very, good naming convention that these folks came up with. So. How is this being, detected we've. Seen a hundred and eighty-seven cases, of this since, it was first discovered. So. Not a huge number but, it's, definitely higher, than anything else we've talked about so far. In. The malware space, at least. So. Let's see what. Else we've seen. Cold, root was, the next one discovered. This. One was, a general-purpose. Rat. Or. Backdoor, whatever you want to call it. And. This, one was one. Of these is disguised, as a document, so you know you get this thing it looks like a Word document you, double-click it to open it and it turns out it's actually an application there. Are a lot of safeguards, built into Mac OS to prevent, that sort of thing, but. There are also ways, around some of those safeguards, so we don't know exactly how this was distributed, but there are ways that it could have gotten onto your system and you. Double-click it and you would not see, the. Typical Mac, OS you're, opening an application. Downloaded, from the internet prompt. It. Would just pop, open. Everything. Would look normal you get no gatekeeper, notifications. No X protect, no nothing. And. The, malware is running. So. It, just depends on how this was delivered how it got onto the user's system.
Now, Interestingly this, one was a, little. Less. Dangerous, because it won't run on some versions, of Mac OS, for. A variety of reasons, some. Involving, bugs, and. It. Will also attempt, to modify that. Ccdb. Database. This is the database that, controls. Accessibility. Rights for, applications, so. If. If, an application, wants to control, some aspect, of your computer. Then. It has to actually get user approval, for, that these, days. In, some, versions of Mac OS you, were able, to actually manually, change. This database and, add, your application. In, there, so. You didn't actually have to alert the user you could just sort of steal the, rights, that. Database. Has actually been protected, by sip, system. Integrity protection for a while now so this didn't work either unless you're on an older version of Mac OS. If. You. Did have an older version of Mac OS and you had, this, infection. It's. Really easy to spot you. Just have, one. Launch daemon, by a. Static. Name, and one executable, also by a static name. And. This. Uses a pretty. Common. Technique. Of making this look like it's coming from Apple, using, this compal. Naming convention. But. You. Guys are probably pretty familiar with with, what, Apple. Launch, agents, and Damons should be present, so for. Some folks like you guys it's, easy to spot for an average user not so much. So. Since, detect, since this was first spotted. In the wild, we. Have only seen seven. Cases. So. Really. Hasn't hasn't. Affected very many people. And. I find it interesting. That. It's. Really infected any, at all. You know it's it, really had. A lot of very significant. Limitations, so I. Kind. Of would expect, this to be a low detection way. The. Next one is actually, ocean, Lotus, D. And. That dot D means this is by. Somebody's, naming, convention, the. Fourth variant. Of ocean Lotus ocean, Lotus, was actually first discovered, the, first variant of it back in. 2014. Or 15, I believe. So. It's been around for a while at one point we thought it was extinct, and then of course on a new variant popped up and it. Has typically, been used to attack. Chinese. Targets, so. We don't typically see it very much in this country. But. This particular variant. Was, dropped, by. Macros. In a Word document. So, you open up the word document and, if you enable, macros, and, allow, them to run then, it. Will drop some, files on your hard drive now. There's, a lot of user interaction, required. There, the user has to do that you know enable. That but. In addition.
Modern. Versions, of office they, actually sandbox, all macros so if, you run this macro, in a modern version of Office it. Actually won't allow, the creation, of those files on your hard drive, so. If, you're using the latest version of Office you're. Totally safe from this it cannot, infect you even, if the user does the dumbest thing possible, and goes through all the steps needed to, run the macros, the macros, can't drop the payload. So. There's a narrow range of versions of office that, have. Macros. But. Haven't, been sandboxed, yet and in that narrow range you could get infected. Interestingly. There. Were. Alternate. Route, and non route, payloads, now I'd no. Idea how, you would get the route. Payload. I don't know how you would get root access with, this particular, delivery mechanism. We. Couldn't duplicate, that so, but. I know the malware had. A capability. To drop, root payload. So. Here's what it actually dropped so if you're looking at. Root. Access. However. It might have gotten it I don't know maybe the user was, running. As route had, been able the root user and with opening word documents, in the root user I don't know. It. Would drop a launch Damon. Calm down Apple, again you'll notice so. Good. To trick the, average user with and the, executable, is buried. Way down in, this obscure. Folder. This. Folder actually. Does exist. Up, to a certain point this, path does exist up to a certain point so it's this, again looks kind of normal. If, you did not have root permissions which. Is going to be the more normal. Scenario. Then. It would drop a user launch agent, calm, down Apple, dot spell, dot agent. And. It, would also drop this spell. Agent, D file. Into the spelling, folder. Again. That spelling folder, exists. In the user library already so, that's, perfectly. Legit. Spell. Agent, D does not but. They used a good naming, convention there. You know apples processes, all end in D so, if you're malware, you make some we you know real. Sounding, thing and put a D at the end of it. And. We. Have only seen two detection, zuv this which is as I would expect since, the method of delivery has. So many limitations, attached to it if, you look at our overall, ocean, Lotus detections, we've, seen one hundred and fifty one since.
January. When we started collecting data, so. Only. Two out of one hundred and fifty one this, really is not a prevalent, variant. Then. The next one is. PP. Minor. This, one is, a crypto, minor this one was actually one. It, was. Brought. Up on Apple's, forums, and we spotted, it we found it. Analyzed. It etc. The. The reason that it was spotted, is the, user, actually. It was several users, noticed. This process, called MS, helper, that was using a law of. Processor. Power on their machines and they were trying to figure out what it was, and. Obviously that sounds like something associated with Microsoft, Office. So. It sounded, kind of legit they were you know approaching. This not from a perspective, of, you know hey I think I'm infected but hey what's wrong here. And. This. Is a very simplistic, crypto, minor. All. Of the crypto miners and incidentally. That we've seen, lately all mine Manero rather than something else like Bitcoin. That's. That's, a very common one so. We. Do not know how this was, distributed. We. Just know what ends up on the user's machine so. We, don't know how it got there. Interestingly, the, malware itself was compiled, with golang. Which. There's. Huge, overhead, there and the. Malware itself is very very simple so this. Is most likely some, script kiddie who figured out how to you. Know wrap some crypto minor up in golang, and compile, it and you. Know so, it's it's not very sophisticated. And. The basic chain here is there's a launch daemon, that, loads a launcher, which, in turn loads the miner. So. Let's. Take a look here the launch, daemon. Is, actually. Called calmed pp, launcher, app he lists again not very sophisticated this. Is not a name that sounds, legitimate. You. Know they didn't use calm, down Apple they didn't they, were using MS helper why didn't they call it calm down Microsoft, you. Know it that, would have sounded more real. So, this is kind, of an unsophisticated name. It's not really trying to hide that heart. And, what that would do is it. Would launch, the. Launcher, which was called pipi launcher. Hidden. Away an application, support again, not very well hidden you know it wasn't in a, hidden, folder, it, wasn't named anything sneaky, you, know so it's it's not very well hidden and. Pipi. Launcher, which was the component, that was built with. Golang. Its, sole, purpose was. To launch, ms, helper with the proper. Arguments. Ms. Helper, it, was actually built from a legitimate, open source mining. Tool, so. It in and of itself is not necessarily. Malicious, it's not malware. But. Installed, in this location, you know it's associated, with that malware so. If. You see this ms helper. That's, that's. Your sign of trouble. Now. As far as how we've detected, this one. This. One it's. Definitely. The most. Highly. Detected. Piece of malware from this year eight, hundred and sixty-three cases. So. Probably. More than that by now because, this data is probably about a week old the. Last. One, that we'll talk about today, is. Dummy. And there. Are some good reasons for this name too. So. This. Was one it was again another one is discovered, by patrick Wartell our, act i'm sorry it wasn't actually discovered, by patrick well it was discovered by somebody. Else and then, subsequently, analyzed, further, by, patrick, Wordle the original, discoverer didn't give it a name he just said hey here's this thing and here's what it's doing so patrick. Wartell was the one who gave it the name dummy. This. One actually was, being spread via. A shell, script that, was, pasted. Into crypto. Mining forums, on. Slack, and. Kord. So. Basically. People that were posing as admins. We're. Hosting. This script and saying hey copy, this and paste it into the terminal, and see, if this solves the problem, you're having with your minor. You. Can see here there's an example. That. Was actually posted in, discord.
And This was this was how. They, were, convincing. The user to do, this so, this script, basically. It. Changed, does CD temp so it changes to the temporary, directory it. Does curl from. A malicious. URL, which is blacked out here, and. Then. Chain. Gives it. Executable. Permissions, and then. Runs it. And. I. Mean why. Would you run this why would you why would you do this and yet, people will will actually talk about that in a minute and. So. What this malware does is very simple. All it does is provides, reverse, shell, so. Basically, the. Person behind it can, get into that machine at any time via SSH. And. Once. You're in with SSH, you've got, total. Control over the machine you can do whatever you want you can upload any files execute, any files exfiltrating. Files whatever, you want to do. Now. One interesting thing that, it does it actually leaves, a, couple. Files on the hard drive with the user's password in it and. How does that happen. The. Script, file that gets downloaded and executed. Actually. Imitates. Sudo. So, even though this pasted. Script doesn't have sudo in there anywhere, after. You execute the script it will say password just. Like sudo would and you. Type your password and nothing appears on the screen just like sudo, would. So. The users type in their password the. Malware logs, it in plaintext into, a couple different files so that it has it for later and then. Proceeds to it's dirty work. And. That's. Got some big implications. To that we'll talk about in just a minute so. If you see an infection. This. Is what you're gonna see so the script itself that gets downloaded by that that shell. Script it's. In temp dot temp. Slash script. And that's. A big file it's like a 34, megabyte, file. This was, JavaScript. Code that was, wrapped in Google. V8. So. It. Was yeah, like why. Why. Why, not just make it an Apple script applet, or something like that you know this is script kiddie stuff. Then. The, launch daemon. Again, if this is not very sneaky calm, down startup not plist, I mean come. On guys use calm down Apple or some something that makes it look legitimate. And, then. That. Launched. Daemon, will. Launch, the persisted, shell script which is put in slash. Var slash, slash. Script, SH, and that script was very short, and, basically. All it did was open up a reverse shell. If. You want to actually see what that script looks, like Patrick wordles, analysis, is very good and it's. Got the full script listed, there. Also. I think I included, that script in our analysis. Too on our, blog. And. Then. The two files that contain the user's password in, clear-text, are.
Located. Here one in users shared, and one in temp. And. Then finally, the, reverse shell is going through a remote host here there's the IP. Address, and the. Port, port. 1 3 3 7. More. Script Kitty stuff right. So. There, as you, can see you, know the the password, files they're called dump, dummy so. Yet, another reason, to call this dummy but that's only one of many reasons, to call this dummy. So. The name is very, appropriate, now. Before. I talk further, about this. Number. Of detection since, discovery. Zero. We, have not seen, this in the wild at all and that does not surprise me at all. Although, if, we had seen a few that also would not surprise me for for. One big reason, so. It when when I said that you know people. Put, a script out on for forum, and said, hey copy. This and paste it in to the terminal, everybody, laughed right, but. People, do. That all the time, so. I'm gonna give you an example, I. Used. To be very very, active on Apple's forums you, know I haven't, had time to be active there lately but I used, to be really really active, there I've been on Apple's forums for more, than ten years now. There. Was this guy. He. Was also a very, very active on Apple's forums, and. He. Would go around and he would tell people hey. Run. This script, and. Then. Post the output here. You. Know his, his actual post was much longer than that very. Long but that, that was the gist of it and what. You would see is you would see this one line but. You could see there was a scrollbar under, it and if you scroll you could keep scrolling and, scrolling and. Scrolling and, scrolling this. Thing was, tens. Of thousands. Of characters, long if. You download it and put it into a text editor you would not be able to read it because it was highly. Obfuscated. Bash script. I. Am. NOT, like a. Bash. Guru. But, I know how to read a bash script and I. Had no, idea what. This thing was doing. And. Thousands. Upon thousands. Of people on apple's forums, have, copied. That script. Pasted. It into the terminal run, it and then, posted, the output on to the forum's. So. People do this as stupid, as it is people. Do this and they do this all the time. So. This. Is probably the, the big takeaway, from this malware for, you guys is. User. Education, this. Is critical. You've. Got to make sure your users do, not do, this kind of stupid stuff if. They see a shell script on a website they absolutely you, should make sure that they all know do not paste, this in. You. Know sometimes. It's. Really a helpful user who's trying to do good trying, to help you with something but. They don't know that so. The, only scripts, that should be run should. Come from you guys not, from, some. Random website some, stranger, somewhere. The. Other thing, that, is. Interesting, about, this malware is that, dump dummy, file. This. Is not actually, the first malware. That has left behind a plain text password, there, has been other malware in the past that, has fished, the, password, from the user and left, it behind somewhere, on the hard drive. But. If, I were a malware creator. And. I. Tend to be a little, sneakier. Than a lot of the malware creators, that we actually see like the actual malware in the wild I always. Think you know I could do better but. If. I were doing this I, would. Go looking for those dumped dummy files I'd say hey this, person might, have been infected by malware before, if they're if they're running my malware they, might have run somebody else's before, so. I'd go look for that dump dummy file or, one. Of the files created, by any number of other pieces of malware in the past these, are known, files, they've. Been mentioned, in analysis. Before. Their. Locations. And names are known the. Contents. Are known so. If. Your malware, why don't you go and look for these files and then you don't have to bother fishing, a password. From the user you, don't have to worry about trying to find some you, know route escalation. Vulnerability. You've. Got plain text passwords, just go find them and use them and. I haven't figured out why no malware, has done that yet but. It is very very important, that you guys look for these files on your endpoints, and make sure that they are gone so.
If Somebody has been infected, with this malware in the past get rid of these files and the. Problem, is most Dayna by our software will, not look for something, like this it, will look for the executable. File and it'll. Remove that and then the malware is dead, right. But, the launch agent, or daemon is probably still present, which. In. It itself it's, not really a danger, but it's kind of clutter, but. More, importantly, those. Password. Files aren't being detected because they're not contained they don't contain any malicious code, so. You got to make sure you get those you got to make sure that for any malware like this you go back and you look for those password, files and get rid of them. Fortunately. Malwarebytes, if you're running it it will look for these files and get rid of them. Not. Meaning, to be a plug for malwarebytes, you know it's, I'm. Sure that there are other programs out there that will do the same thing I'm just saying that you know use. Something, or look, for it yourself use something like OS query to go looking for these files. Because. You definitely don't want plaintext, passwords. Your hard drives. And. That. Is it. We're. Ready for questions if you want to copy the slides you. Can get them from there I am, NOT rickrolling, you like has been done in a previous presentation. If, I'm gonna rickroll you is gonna be a little sneakier, you'll have to work for it so. This, is a legitimate. URL. It will go to my Dropbox, link. For. This file. But. Yeah any questions now, yeah. I can't. I can't hear I don't think is that on or. Sorry. No. I. Hear. Never Stroud there we go. Have, you noticed any similarities, with the with, a lot of these samples. That you're getting from machines between like machine types or locations, maybe. The type of person, that's downloading, them or or any of those things other than well. We had you know 50, 80 samples, this year so far we. Don't really. Collect. Specific. Data, about. The machine you, know not very significantly. So. So we're not tracking that sort of sort, of stuff, it. Would be very interesting, to see but, you, know, we try to make sure that this data is anonymized, and we don't we don't want to track it back to the user we don't you, know so. We're, not seeing, that sort of those sort of trends right now but, if. We can make sure that we can get that data anonymously in, the future then maybe. For. First. Tom thank you so much for this this is wonderful, excellent. Work second, I'm pleased that my user base has helped populate, your antivirus. Database so. Third. More seriously. Regarding. The all the PPS there in the App Store yeah, um do you recommend, or do you think it would help if more. Of us reported, this to Apple absolutely. The problem, is I don't really know how, I've been reporting, to product, security but. I have the feeling that the chain between product, security, and the. Guys who are in charge of the App Store is not a straight, and short. One. So. I'm still trying to figure out what the right way of doing. This is if you, have an, se, or somebody like that. Definitely. Let them know if you see C weird stuff on the App Store. Anybody. At Apple that you know. Know about this stuff because the more people, we tell an Apple the more chance, there is that, something will, be done about it and it, really is an epidemic problem, like right now in certain categories of software, you, can really barely trust anything. So. Sorry. I know there'd be some, security. Issues with this but I was wondering if anyone's. Ever tried to. Find. A way to actually. Scan for, a clear text password, you. Know if you could do a non-reversible, hash, and a. String, yeah, that's. So. To even see if someone's keeping, it in a text file yeah that. That's actually a very interesting idea. You. Would probably. If you wanted to do something like that you would probably want your users, to be involved. Because. You. Guys don't want to know your users passwords, that puts, a lot of responsibility on. You if you have those passwords somewhere, in clear-text and, then, that puts a lot of responsibility on, you. On. The other hand. Giving. Your users an app that's gonna say hey what's your password is. Another. Problem. There. Might be a good way to do, it with, enough user education, about. But I don't know it, would definitely be interesting.
If You, could have some kind of a script that your. Users knew was legitimate. And they. Could, use it to check and see if their password. Was stored somewhere on their hard drive in clear-text it's. Just the, logistics, of figuring out how to do that on scale. Are. Kind of difficult. So. You had mentioned. Mac. Update and, installing. Extra. Adware, along with the installers, you, know there's a couple of other sites that will. Do. Similar things and, I think, Softpedia, and a. Few others is there a good, list of places, that are known to do this so that we can have maybe, block them yeah. The problem with the list is that it does change like, Mac updates, not doing it anymore they used to do it. And. Before, they started doing it then they weren't doing it you know so it's it, this does change quite a bit. My. General, advice is, avoid. All, of. These. Aggregation. Sites so download, comm. Softpedia. Softonic. Mac, update, any of these kinds of sites that. Are offering, you you. Know the stew the ability to search apps. And. Then download, them right from their site avoid. It or if, you want to use it because. Sometimes it will be honest the reviews, can be useful, sometimes. And, sometimes, it's just sort of a nice place to go to get you know to look at a lot of different apps but. Once you've looked and once you've made a choice and you say okay I want to download this app don't. Get it from there, go. Find the developer's website and. Get. It directly from the developer that's, not a guarantee. Because. There have been cases in the past numerous. Times where the developers, website has, gotten hacked but. That's pretty rare so, it's it's not a huge. Danger, it's. Always safer to get it straight from the developer, than from. One. Of these software, aggregation. Sites. Just. One. Other little question when, you were saying, we. Found so many instances, of this. Malware, yeah. Did. You mean like individual, computers. Institutions. Or, what's. These yeah that's that's actual, devices so, that's, the number of computers, that we found any, trace. Of one. Of these things on, even. If it was just like, a launch daemon, or a launch agent, or something, so. Any any trace would trigger you know on on. A particular, machine I would count as one. Machine. One device that was detected. Wow. Yeah. No. Your product better than I do, users have the option to opt, out of that reporting, if they do, you. Have any idea, what. The appropriate, level of inflation. Would be to get an actual number of it I actually. Don't, know, we, we are not tracking, currently. How many people, have opted out and I, don't know if we ever will because I mean. Tracking. The, OP ow. You. Know I, don't know so, we don't we don't really know but we do know that it's there, is definitely. Some inflation, in the numbers, you. Know that the, real numbers, these numbers are actually a little lower than what would be if, we, didn't do opt out. So. For, education. Probably, a lot of people who are in education use, certain discount. Websites. That provide. For that I found that mat keeper was sold. In our. University, supported. Discount. Education site right alongside Adobe. Products and Microsoft products and I just, came upon you know happened to come upon that and immediately, we, were able to get it pulled but you may you may want to check that if you. Have these discount websites or, discount software, websites that. Look. As if the university, is endorsing that yeah, that's. That's an excellent we printed out a big nice big thing and our helpdesk and say with, the nice logo the robot on there and said do, not install, this crap yeah, that.
That's A really good point and I if, you, see that. I would. Definitely and, get as many people as possible to report, that to that particular. Site and say hey this is not good software. You, know and if. You're, interested, in that I can refer you any number of sources, that. You can send them to give them more information about, how bad my keeper, is. This. Case of, legitimate. Grabbing. Maybe. It could be interesting if you can publish. Some all the name of them yeah, because, basically now, in Europe we have, how. Kind. Of legal tools to chase, them and really. Beat them out yeah, so if, it's a legit, company while doing such a bad thing maybe. Publishing, the name could. Help us to. Correctly. Go against them yeah we. When. It when it comes to that that company that I mentioned, that is exfiltrating. User data from the AppStore work. We're. Giving them a chance to respond. But. We're, hoping to be able to blog about that maybe sometime, next week. It. Depends, though it depends on you know the. Lawyers are all over that so, it's, you know we're, being very careful about it because. They. Are a, big. Company. They, are a competitor. We don't want to be, you. Know we don't want to get sued for one obviously. But. We also you know we don't want to come off like we're, you know being. Like these, guys because, they're a competitor you know we so. We're being very careful about that so if we're able to blog about it I'm hoping, we can do so soon. I probably. Shouldn't. Say I don't want to get I don't want to get myself, or anybody else that they come for the interval so I. Might. If I knew Morse code. Do. You see like differences. In infections, based. On geography uh. You. Know we're not really. Correlating. The data that way, and. You know again we're trying to keep a lot of this anonymous. But. I'm sure that there is and I know that, there is because some of these threats like ocean Lotus for example, are. Primarily. Targeting. Particular regions, so ocean Lotus is primarily, a Chinese. Threat. We. Don't really see that much in this country. So. Yeah. We don't we don't have the data to show to say, hey this is found predominantly here. Or there it's just sort of what we know. About the malware. In. General. Anybody. Else. All. Right well thank you guys for attending.
2018-07-29 00:09
