Skip to main content
State-sponsored Mac malware going beyond the intended area

State-sponsored Mac malware going beyond the intended area


Take a dive into the risks of state-sponsored Mac malware being modified and used by cybercriminals to reach their nefarious objectives with little effort.

The fact that nation-states are immensely active in the realm of cyber-attacks isn’t much of a mystery. Aside from the obvious narrative regarding prevention and protection, governments hire hackers to orchestrate large-scale offensive operations whose goals range from stealing classified information from adversaries – to wreaking havoc by means of data wipers and suchlike types of destructive code. In this paradigm, no operating system is safe and Mac machines are nearly as vulnerable to this exploitation as PCs and Linux servers.

With readily available exploits and malware galore in governments’ repertoire, real-world cybercrooks might try to take a shortcut and put these existing attack tools to their very own malicious use. Patrick Wardle, an ethical hacker who used to work for the National Security Agency (NSA), has recently shown how a hypothetical malefactor can repurpose turnkey Mac malware masterminded by state-sponsored hackers. He presented his findings at the latest RSA Conference held in late February 2020.

A ton of state-sponsored Mac malware samples for crooks to choose from and repurpose

Wardle demonstrated how he managed to reconfigure several known strains of Mac malware whose existence has been previously attributed to nation-states. These include a backdoor codenamed FruitFly; a long-standing exploit documented as OSX.WindTail; and a unique Mac malware loader called AppleJeus that employs a fileless infection method. Whereas these are fully-featured samples that have been in use for years, all the researcher had to do was make a few tweaks to their code and set his test attacks in motion. In each scenario, the most notable change was about replacing the original Command & Control server address with a custom value. This way, the malware would interact with the server under Wardle’s control to submit the harvested information and receive instructions or download malware onto target Macs.

By deploying first-stage malware, which is a repurposed variant of the prototype, the analyst was able to execute additional malicious payloads on compromised Mac computers without being impeded. The backdoor access he obtained in these hosts also allowed him to capture the screen at random and surreptitiously exfiltrate other sensitive information belonging to the user.

Wardle used a trivial technique to make sure his recycled malware could easily slip below the radar of XProtect, Apple’s proprietary security feature that ships with Macs. All it took him to circumvent this system’s signature-based detection algorithm was altering a few bytes of the source code. Furthermore, according to the researcher, if the current signing certificate is revoked down the line, removing it and then signing the shady software with another certificate is a no-brainer. As a countermeasure for system alerts generated when users attempt to run unverified code downloaded off of suspicious sources, the attacker can easily eliminate the programming flags that trigger this response in the first place.

Another consideration is that remaking sophisticated Mac threats tailored by state-funded hacking groups provides seasoned cybercriminals with a substantial advantage. In case the breach is identified and the malware is thoroughly reverse-engineered, security analysts are likely to mistakenly attribute the raid to the original entity that’s known to have created the infection. All in all, while being a powerful instrument for non-commercial attacks such as espionage, malware with nation-state roots can play into seasoned cybercriminals’ hands. That’s something governments should take into account when launching their next cutting-edge Mac exploit or backdoor.





0

Was this article helpful? Please, rate this.

There are no comments yet.
Authentication required

You must log in to post a comment.

Log in