macOS is reported to be one of the most secure operating systems. As of the beginning of 2023 there are over 100 million macOS devices worldwide, and because of that popularity threat actors have recently begun targeting them.
Based on recent reports from SentinelOne, Bitdefender and Elastic, a new macOS malware is in the wild and has compromised multiple macOS devices in organisations. The number of victims is yet to be confirmed.
The malware gives an active adversary a deployment foothold and a backdoor, and it is a form of open-source reconnaissance. It is a multi-platform tool with components capable of compromising macOS.
The initial phase of compromise is still being investigated. According to current reports, initial access is linked to a trojanized QR generator, a file named QRWriter.java hidden inside an open-source QR project.
Once the host OS is detected, the malware decodes an embedded base64 blob, writes it to the temporary directory and executes it. This decoded file handles communication with the C2 (command and control) server at hxxps://git-hub[.]me/view/php.
Depending on the response from the C2 server, the malware creates a p.dat file and a prefTemp.java executable that provides the attacker with a reverse shell. It also creates two further backdoor files, shared.dat and sh.py.
According to the investigations, the following data is sent to the attacker at regular intervals.
Further analysis uncovered a component built only for macOS: a file hidden under the name “xcc” that uses the Launch Services identifier com.apple.xprotectcheck. The file runs on both Intel and Apple silicon architectures.
This file collects the following information, which is far more sophisticated than what a typical attacker gathers. The analysis shows that the attacker wants not only to infiltrate the system but also to study the victim's behavioural patterns for further exploitation. The data includes:
The file calls IOServiceMatching() for the IOHIDSystem service to query the system idle time since the last mouse, trackpad or keyboard use.
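The indicators quoted above (the file names, the spoofed com.apple.xprotectcheck identifier and the defanged C2 host) are enough to build a small triage helper for a responder. The script below is an added example, not code from the original report or from any of the cited vendors; its inputs (a list of file paths, a mapping of bundle Info.plist dictionaries and a few DNS log lines in a made-up one-line-per-query format) are constructed here for illustration, and the confidence ranking of the names is my own assumption, since p.dat, shared.dat, sh.py and QRWriter.java are generic enough to exist in benign software.

```python
"""IoC triage helper built only from the indicators named in the write-up.
Added example; sample data below is constructed, not captured."""
import re
from pathlib import PurePosixPath


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# File names the write-up attributes to the malware.
IOC_FILENAMES = {
    "QRWriter.java",   # trojanized QR generator (initial stage)
    "p.dat",           # written after C2 contact
    "prefTemp.java",   # reverse-shell component
    "shared.dat",      # additional backdoor file
    "sh.py",           # additional backdoor file
    "xcc",             # macOS-only component
}

# Assumption: these names also occur in legitimate software (QRWriter.java is
# the name of a real file in an open-source QR project), so a hit on them
# alone is a pointer to inspect the file, not a confirmed infection.
LOW_CONFIDENCE = {"QRWriter.java", "p.dat", "shared.dat", "sh.py"}

# Identifier the xcc component masquerades under.
IOC_BUNDLE_ID = "com.apple.xprotectcheck"

# C2 host, given defanged in the report as git-hub[.]me.
IOC_C2_HOST = refang("git-hub[.]me")


def scan_paths(paths):
    """Return (path, confidence) for every path whose basename is an IoC."""
    hits = []
    for p in paths:
        name = PurePosixPath(p).name
        if name in IOC_FILENAMES:
            hits.append((p, "low" if name in LOW_CONFIDENCE else "high"))
    return hits


def scan_bundle_ids(bundles):
    """bundles: mapping of bundle path -> parsed Info.plist dict.
    Flag anything claiming the spoofed Apple identifier."""
    return [path for path, plist in bundles.items()
            if plist.get("CFBundleIdentifier") == IOC_BUNDLE_ID]


# Constructed log format (assumption): "<timestamp> <client> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client) for each lookup of the C2 host or a subdomain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == IOC_C2_HOST or qname.endswith("." + IOC_C2_HOST):
            hits.append((m.group("ts"), m.group("client")))
    return hits


# --- constructed sample inputs -------------------------------------------
SAMPLE_PATHS = [
    "/private/tmp/xcc",
    "/Users/alice/Library/Application Support/prefTemp.java",
    "/Users/alice/Projects/qrlib/src/QRWriter.java",
    "/Users/alice/Projects/qrlib/README.md",
    "/opt/tool/sh.py",
]
SAMPLE_BUNDLES = {
    "/Applications/Updater.app": {"CFBundleIdentifier": "com.example.updater"},
    "/private/tmp/xcc.app": {"CFBundleIdentifier": "com.apple.xprotectcheck"},
}
SAMPLE_DNS = [
    "2023-06-01T10:00:05Z mac-alice query git-hub.me.",
    "2023-06-01T10:00:07Z mac-bob query github.com.",
    "2023-06-01T10:02:11Z mac-alice query view.git-hub.me.",
]


def triage(paths=SAMPLE_PATHS, bundles=SAMPLE_BUNDLES, dns=SAMPLE_DNS):
    """Run all three checks and return their findings together."""
    return {
        "files": scan_paths(paths),
        "bundles": scan_bundle_ids(bundles),
        "dns": scan_dns_log(dns),
    }


if __name__ == "__main__":
    for section, findings in triage().items():
        print(section, findings)
```

High-confidence file hits and any DNS lookup of the C2 host are worth alerting on directly; the low-confidence names should be corroborated with the other findings (the spoofed bundle identifier, a parent process in the temporary directory, or the periodic beaconing the report describes) before raising an incident.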