{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flash-player/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flash Player","Word","macOS"],"_cs_severities":["high"],"_cs_tags":["macos","malware","backdoor","exfiltration","persistence"],"_cs_type":"advisory","_cs_vendors":["Adobe","Objective-See","Microsoft"],"content_html":"\u003cp\u003eThis threat brief summarizes the Mac malware that emerged in 2017, based on a compilation by Objective-See. The analysis covers the infection vectors, persistence mechanisms, features, and goals of each family, giving defenders a picture of the macOS threat landscape that year. The families discussed include FruitFly (discovered in January 2017), a backdoor designed to spy on users; MacDownloader, also known as iKitten (February 2017), an Iranian exfiltration agent; and Proton, XAgent, FileCoder, Dok, Snake, MacSpy, MacRansom, Pwnet, and CpuMeaner. The report aims to give defenders a comprehensive overview that supports detection and remediation. The initial discovery of FruitFly received significant media attention because of its longevity and invasive capabilities. MacDownloader has been linked to Iranian offensive cyber operations targeting the defense industrial base and human rights advocates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThe chain below interleaves steps observed in two of the families, MacDownloader and FruitFly; each step names the family it applies to.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Infection (MacDownloader):\u003c/strong\u003e A phishing email directs the user to a fake Adobe Flash Player download site.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The user downloads and runs the fake Flash Player installer (addone flashplayer.app). Because the application is unsigned, Gatekeeper blocks it under default settings unless the user disables Gatekeeper or explicitly allows the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (FruitFly):\u003c/strong\u003e The malware creates a launch agent (a plist file) in ~/Library/LaunchAgents/ (com.client.client.plist for FruitFly variant \u0026lsquo;A\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (MacDownloader):\u003c/strong\u003e The malware contains code to modify /etc/rc.common so that /etc/.checkdev runs at startup, but the implementation appears incomplete, so this persistence may not actually take effect.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection (MacDownloader):\u003c/strong\u003e The malware harvests information from the infected system, including active Keychains, running processes, and installed applications, and attempts to capture the user's username and password through a fake System Preferences dialog.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (FruitFly):\u003c/strong\u003e The malware connects to a command and control (C2) server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (MacDownloader):\u003c/strong\u003e The stolen data, including keychain contents and system information, is sent to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Access (FruitFly):\u003c/strong\u003e The attacker gains remote access to the file system, can execute system commands, and can access the webcam, capture the screen, and simulate mouse and keyboard events.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe malware detailed in this report can lead to significant compromise of macOS systems. FruitFly allows attackers to spy on users through their webcams, access files, and control the system remotely. MacDownloader (iKitten) targets sensitive data, including keychain credentials, potentially enabling attackers to access protected accounts and services. Successful infections can result in data theft, espionage, and loss of control over the compromised system. Specific victim counts are not provided, but the families covered targeted a wide range of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch agents in ~/Library/LaunchAgents/, in particular plists with unfamiliar labels or whose program runs from a user-writable or hidden path, to detect persistence such as FruitFly's com.client.client.plist. A tool such as KnockKnock, which enumerates persistently installed items, aids detection (Attack Chain - Step 3).\u003c/li\u003e\n\u003cli\u003eAlert on any modification of /etc/rc.common, which MacDownloader attempts to use for persistence. The file is rarely edited legitimately, so a change is worth investigating even though the malware's implementation may be incomplete (Attack Chain - Step 4).\u003c/li\u003e\n\u003cli\u003eDeploy a detection rule (for example a Sigma rule) for execution of unsigned applications; MacDownloader is unsigned and relies on tricking the user into bypassing Gatekeeper (Attack Chain - Step 2).\u003c/li\u003e\n\u003cli\u003eEnable network monitoring to identify connections to command and control servers used by malware such as FruitFly, and correlate process execution with outbound connections to external IP addresses so that the connecting process can be identified (Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing emails and the importance of verifying the authenticity of software downloads, to prevent initial infection by malware like MacDownloader (Attack Chain - Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-mac-malware-2017/","summary":"A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.","title":"Comprehensive Analysis of Mac Malware in 2017","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2017/"}],"language":"en","title":"CraftedSignal Threat Feed — Flash Player","version":"https://jsonfeed.org/version/1.1"}
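Added example, not part of the feed item above and not code from Objective-See's report: a small Python audit that implements the first two recommendations of the brief. It flags LaunchAgent plists whose label is the FruitFly variant 'A' label named in the brief (com.client.client), whose program runs from outside a set of trusted application paths, or whose program is a hidden dotfile, and it flags lines in an /etc/rc.common body that launch a hidden executable such as /etc/.checkdev (the MacDownloader persistence attempt). The trusted-path prefixes are an assumed policy, the sample plists and rc.common text are constructed, the program path /Users/victim/.client in the FruitFly-style sample is invented for illustration, and the function names are the example's own.

```python
"""Audit the two macOS persistence locations named in the brief.

Added example, not code from the feed item or from Objective-See's report.
Assumed policy: programs under TRUSTED_PREFIXES are expected; the sample
plists and rc.common text below are constructed for illustration.
"""
import plistlib
import re
from pathlib import Path

# Launch agent label named in the brief (FruitFly variant 'A').
KNOWN_BAD_LABELS = {"com.client.client"}

# Assumed policy: anything launched from outside these prefixes is reported.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")

# An absolute path whose final component starts with '.', e.g. /etc/.checkdev.
# The lookbehind stops it matching inside a longer token such as foo/.bar.
HIDDEN_EXEC = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*\.[\w.-]+")


def program_path(plist):
    """Return the executable a LaunchAgent plist would run, or None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_agent(plist_bytes, filename="<memory>"):
    """Return findings for one LaunchAgent plist; an empty list means clean."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content is itself worth a look
        return [f"{filename}: unparseable plist ({exc.__class__.__name__})"]
    findings = []
    label = plist.get("Label", "")
    if label in KNOWN_BAD_LABELS:
        findings.append(f"{filename}: label {label!r} matches known FruitFly persistence")
    prog = program_path(plist)
    if prog is None:
        findings.append(f"{filename}: no Program or ProgramArguments")
        return findings
    if not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"{filename}: program outside trusted paths: {prog}")
    if Path(prog).name.startswith("."):
        findings.append(f"{filename}: hidden executable: {prog}")
    return findings


def scan_launch_agents(directory=None):
    """Audit every plist in a LaunchAgents directory (default: the current user's)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    findings = []
    for path in sorted(directory.glob("*.plist")):
        findings.extend(audit_launch_agent(path.read_bytes(), str(path)))
    return findings


def check_rc_common(text):
    """Return (line_no, line) pairs in an rc.common body that run a hidden executable."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HIDDEN_EXEC.search(stripped):
            hits.append((number, stripped))
    return hits


# Constructed sample: FruitFly-style agent. The label is from the brief; the
# program path is invented for illustration.
SAMPLE_FRUITFLY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.client.client</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample: a benign vendor updater that should produce no findings.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample: an rc.common body with a MacDownloader-style line appended.
SAMPLE_RC_COMMON = """\
#!/bin/sh
# Constructed sample, not a real /etc/rc.common.
StartService() { ConsoleMessage "Starting $1"; }
RunService "$1"
/etc/.checkdev &
"""

if __name__ == "__main__":
    for finding in audit_launch_agent(SAMPLE_FRUITFLY_PLIST, "com.client.client.plist"):
        print("LaunchAgent:", finding)
    for number, line in check_rc_common(SAMPLE_RC_COMMON):
        print(f"rc.common:{number}: {line}")
    # On a live Mac, also run scan_launch_agents() and
    # check_rc_common(Path("/etc/rc.common").read_text()).
```

On a live host, run `scan_launch_agents()` against each user's ~/Library/LaunchAgents/ (and /Library/LaunchAgents/ and /Library/LaunchDaemons/ for system-wide items) and feed the real /etc/rc.common to `check_rc_common`; the path policy is deliberately strict, so expect to whitelist legitimate user-installed agents rather than loosen the prefixes.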