high threat

WindShift APT Targeting Middle East with OSX.WindTail macOS Implant

The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.

The WindShift APT group is actively targeting government departments and critical infrastructure across the Middle East with a custom macOS implant known as OSX.WindTail. Discovered in 2018, the campaign uses malicious applications disguised as Microsoft Office documents to compromise macOS systems. The initial infection vector abuses custom URL schemes, allowing the attackers to remotely infect Macs. Once installed, OSX.WindTail establishes persistence via login items and decrypts embedded strings that indicate the file types of interest for espionage. Although the samples are signed with certificates that have since been revoked, the malware exhibits a low detection rate and poses a significant threat to targeted entities.

Attack Chain

  1. The attacker sends a spearphishing email containing a malicious ZIP archive (e.g., Meeting_Agenda.zip) to a target within a Middle Eastern government or critical infrastructure organization.
  2. The target opens the ZIP archive, revealing a malicious application disguised with a Microsoft Office icon (e.g., Final_Presentation.app).
  3. The target executes the malicious application, initiating the OSX.WindTail implant.
  4. The implant leverages a custom URL scheme (e.g., openurl2622007) to gain initial access, exploiting a weakness in macOS URL handling.
  5. The malware adds itself as a login item using the LSSharedFileListInsertItemURL API to ensure persistence across reboots.
  6. The implant generates a unique identifier for the compromised system by creating and writing to a file named date.txt within its application bundle (Contents/Resources/date.txt).
  7. The implant moves itself to /Users/user/Library/ and executes the persisted copy using the open command.
  8. The implant's tuffel method decrypts embedded strings listing file extensions of interest, using AES decryption with a hardcoded key, which enables targeted data exfiltration.

Impact

Successful exploitation by the WindShift APT group can lead to significant data breaches within targeted Middle Eastern government departments and critical infrastructure organizations. The exfiltration of sensitive information can compromise national security, disrupt essential services, and provide attackers with valuable intelligence for further malicious activities. The low detection rate of the OSX.WindTail implant allows the attackers to maintain a persistent presence on compromised systems, increasing the potential for long-term damage and espionage.

Recommendation

  • Deploy the Sigma rule Detect Suspicious macOS Application Bundle with Revoked Certificate to identify applications with revoked signing certificates.
  • Monitor process creation events for executions of open command launching applications from the /Users/user/Library/ directory, as seen in the attack chain.
  • Inspect network traffic for connections originating from processes related to the identified malicious applications (OSX.WindTail) or the usrnode executable.
  • Block the identified SHA-1 hashes (4613f5b1e172cb08d6a2e7f2186e2fdd875b24e5, df2a83dc0ae09c970e7318b93d95041395976da7, 6d1614617732f106d5ab01125cb8e57119f29d91, da342c4ca1b2ab31483c6f2d43cdcc195dfe481b) at the endpoint and network levels.
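The second recommendation above (executions of open launching an application bundle from a user's Library directory) as detection logic over constructed process-creation events. This is an added example, not the platform's own rule or the feed's code; the event line format pid|ppid|image_path|command_line and the sample events are assumptions, and the path match is generalised to any username rather than the literal /Users/user/ placeholder.

```python
import os
import re
import shlex

# .app bundle anywhere under any user's Library directory (trailing slash tolerated).
LIBRARY_APP = re.compile(r"^/Users/[^/]+/Library/.+\.app/?$")

# Constructed sample process-creation events (not real telemetry), one per line:
# pid|ppid|image_path|command_line
SAMPLE_EVENTS = """\
4101|1|/usr/bin/open|open /Users/alice/Library/Final_Presentation.app
4102|1|/usr/bin/open|open -a Safari https://example.invalid
4103|1|/usr/bin/open|open "/Users/bob/Library/Application Support/Final_Presentation.app"
4104|1|/bin/ls|ls /Users/alice/Library
4105|1|/usr/bin/open|open -g /Users/carol/Library/Meeting_Agenda.app/
4106|1|/usr/bin/open|open /Applications/Safari.app
"""


def parse_event(line):
    """Split one delimited event line into a dict; None for malformed lines."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    pid, ppid, image, cmdline = parts
    try:
        argv = shlex.split(cmdline)  # honours quoted paths containing spaces
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmdline.split()
    return {"pid": int(pid), "ppid": int(ppid), "image": image, "argv": argv}


def persisted_copy_target(event):
    """Return the ~/Library .app path when 'open' launches one, else None."""
    if os.path.basename(event["image"]) != "open":
        return None
    for arg in event["argv"][1:]:
        # skip open's own flags such as -a or -g, match any remaining bundle path
        if not arg.startswith("-") and LIBRARY_APP.match(arg):
            return arg
    return None


def scan(lines):
    """Return [(pid, path)] for every event matching the persisted-copy launch pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        target = persisted_copy_target(event) if event else None
        if target:
            hits.append((event["pid"], target))
    return hits
```

Events 4101, 4103 and 4105 are flagged; the Safari and /Applications launches and the ls invocation are not.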

Detection coverage (2 rules)

Detect Suspicious macOS Application Bundle with Revoked Certificate

high

Detects macOS application bundles with revoked signing certificates, potentially indicating malicious applications.

Sigma | Tactics: defense_evasion | Techniques: T1553.005 | Sources: process_creation, macos

Detect Execution of Persisted Copy via Open Command

medium

Detects the execution of a persisted copy of a malicious application from the /Users/user/Library/ directory using the open command.

Sigma | Tactics: execution, persistence | Techniques: T1547.001 | Sources: process_creation, macos
