{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/macos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["WINDSHIFT APT"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["macos","url-scheme","apt"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe WINDSHIFT APT group is utilizing a novel infection mechanism to compromise macOS systems, observed as early as 2018. This method involves exploiting custom URL schemes, allowing for remote exploitation with limited user interaction. By crafting a malicious application that registers a custom URL scheme, attackers can trigger its execution when a user interacts with a specially crafted link (e.g., via a web page or email). This initial access can then be leveraged for further exploitation, such as bypassing System Integrity Protection (SIP) or dumping the keychain. This technique has been successfully used against government targets in the Middle East.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious application designed to register a custom URL scheme (e.g., \u003ccode\u003ewindshift://\u003c/code\u003e). This is done by modifying the application\u0026rsquo;s \u003ccode\u003eInfo.plist\u003c/code\u003e file to include the \u003ccode\u003eCFBundleURLTypes\u003c/code\u003e key with the custom URL scheme.\u003c/li\u003e\n\u003cli\u003eThe victim downloads or saves the malicious application to their file system.\u003c/li\u003e\n\u003cli\u003emacOS automatically registers the custom URL scheme when the application is saved to disk. This triggers an XPC message to the \u003ccode\u003elaunchservicesd\u003c/code\u003e daemon.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elaunchservicesd\u003c/code\u003e daemon parses the application\u0026rsquo;s \u003ccode\u003eInfo.plist\u003c/code\u003e file, extracts the custom URL scheme, and registers it in its database.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers a crafted link (e.g., via email or a web page) using the registered custom URL scheme (e.g., \u003ccode\u003e\u0026lt;a href=\u0026quot;windshift://payload\u0026quot;\u0026gt;Click here\u0026lt;/a\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious link.\u003c/li\u003e\n\u003cli\u003eThe operating system consults its registered URL schemes and launches the malicious application.\u003c/li\u003e\n\u003cli\u003eThe malicious application executes arbitrary code, potentially downloading and installing further payloads, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain initial access to a macOS system. This can lead to the execution of arbitrary code, data exfiltration, and the installation of persistent backdoors. The WINDSHIFT APT group has successfully used this technique against government targets in the Middle East. If successful, this attack could result in the compromise of sensitive information, disruption of services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for applications launched via custom URL schemes. Implement the \u003ccode\u003eDetect Suspicious Custom URL Scheme Execution\u003c/code\u003e Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInspect application \u003ccode\u003eInfo.plist\u003c/code\u003e files for suspicious or unexpected \u003ccode\u003eCFBundleURLTypes\u003c/code\u003e entries, especially during software installation or updates.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks associated with clicking on untrusted links, even if they appear to be benign.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and auditing to capture details about process execution and file system changes.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unsigned or untrusted applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T07:33:40Z","date_published":"2026-05-07T07:33:40Z","id":"/briefs/2024-01-windshift-mac-url-scheme/","summary":"The WINDSHIFT APT group is infecting Macs by abusing custom URL schemes, where advertising support for a custom URL scheme in an application's Info.plist causes the application to be automatically launched when a URL with that scheme is opened, allowing attackers to remotely compromise systems with minimal user interaction and creating an initial access vector.","title":"WINDSHIFT APT Abuses Custom URL Schemes for macOS Infection","url":"https://feed.craftedsignal.io/briefs/2024-01-windshift-mac-url-scheme/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2019-8565"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","iOS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","macos","xpc","race-condition"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe vulnerability, CVE-2019-8565, resides in macOS versions prior to 10.14.4 and iOS versions prior to 12.2. It involves a race condition in the privileged XPC service \u003ccode\u003ecom.apple.appleseed.fbahelperd\u003c/code\u003e, used by the Feedback Assistant application. This service incorrectly validates incoming XPC messages based on process IDs (PIDs) instead of more secure methods like audit tokens. An unprivileged or sandboxed process can exploit this by rapidly spawning processes to reuse PIDs, tricking the privileged service into accepting malicious requests. This allows attackers to bypass security checks and execute privileged operations, ultimately leading to privilege escalation to root. The original research was published in April 2019, highlighting the risks associated with PID-based security checks in inter-process communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged process sends multiple XPC messages to \u003ccode\u003ecom.apple.appleseed.fbahelperd\u003c/code\u003e to fill the message queue.\u003c/li\u003e\n\u003cli\u003eThe unprivileged process spawns a new process (using \u003ccode\u003eposix_spawn\u003c/code\u003e or \u003ccode\u003eNSTask\u003c/code\u003e) to reuse the PID while keeping the new process suspended.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFBAPrivilegedDaemon\u003c/code\u003e validates the XPC message based on the reused PID, incorrectly associating it with the trusted Feedback Assistant application.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003ecopyLogFiles:\u003c/code\u003e method to copy arbitrary files by bypassing path constraints using path traversal (e.g., \u0026ldquo;../../../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eFiles are copied to attacker-controlled locations, bypassing intended permission restrictions.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages \u003ccode\u003erunMobilityReportWithDestination:\u003c/code\u003e to trigger execution of \u003ccode\u003e/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/get-mobility-info\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget-mobility-info\u003c/code\u003e script checks for \u003ccode\u003e/usr/local/bin/netdiagnose\u003c/code\u003e and executes it with root privileges if found.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges by executing a custom \u003ccode\u003enetdiagnose\u003c/code\u003e binary in \u003ccode\u003e/usr/local/bin\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-8565 allows a local attacker to gain root privileges on vulnerable macOS systems. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. The vulnerability impacts systems running macOS 10.14.3 and earlier, as well as iOS 12.2 and earlier. In CTF scenarios, it was used to directly read flag files. If an attacker can plant a binary in a location like /usr/local/bin, they can achieve instant root access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to macOS 10.14.4 or later to patch CVE-2019-8565.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Copy via FBAPrivilegedDaemon\u0026rdquo; to detect exploitation attempts targeting the \u003ccode\u003ecopyLogFiles:\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Execution of netdiagnose from get-mobility-info\u0026rdquo; to detect attempts to exploit the \u003ccode\u003erunMobilityReportWithDestination:\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for suspicious binaries executing from \u003ccode\u003e/usr/local/bin\u003c/code\u003e as described in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-rootpipe-reborn/","summary":"A race condition vulnerability (CVE-2019-8565) exists in macOS where a privileged XPC service, com.apple.appleseed.fbahelperd, improperly validates XPC messages based on process ID, allowing an unprivileged process to escalate privileges to root.","title":"macOS Privilege Escalation via Feedback Assistant Race Condition (CVE-2019-8565)","url":"https://feed.craftedsignal.io/briefs/2024-01-rootpipe-reborn/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firefox","macOS","OSX.Mokes"],"_cs_severities":["high"],"_cs_tags":["malware","backdoor","osx.mokes","macos","firefox"],"_cs_type":"threat","_cs_vendors":["Mozilla","Apple","Kaspersky"],"content_html":"\u003cp\u003eIn June 2019, a Firefox 0-day exploit was leveraged to target employees at various cryptocurrency exchanges, deploying a previously unknown variant of the OSX.Mokes backdoor. This new variant, dubbed OSX.Mokes.B, shares significant code overlap and capabilities with the original OSX.Mokes discovered by Kaspersky in 2016. The malware, a 13MB 64-bit Mach-O binary, was initially undetected by VirusTotal engines. It installs itself under various names (quicklookd, storeaccountd), persists via launch agents, and communicates with a command and control server. The malware possesses capabilities including screen capture, audio recording, and the ability to discover and exfiltrate documents. The binaries are often very large due to statically linked libraries like OpenSSL. This campaign highlights the continued relevance of older malware families adapted for modern exploits and the importance of behavior-based detection to supplement signature-based AV.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: A Firefox 0-day exploit is used to compromise a macOS system.\u003c/li\u003e\n\u003cli\u003eMalware Dropper: The exploit drops a Mach-O executable (mac) to the /Users/\u003cuser\u003e/Desktop/ directory.\u003c/li\u003e\n\u003cli\u003eInstallation: The malware copies itself to a location in the user\u0026rsquo;s Library directory, such as ~/Library/Dropbox/quicklookd or ~/Library/App Store/storeaccountd.\u003c/li\u003e\n\u003cli\u003ePersistence: A launch agent plist file (e.g., quicklookd.plist or storeaccountd.plist) is created in ~/Library/LaunchAgents/ to ensure persistence across reboots. The plist file sets the \u0026ldquo;RunAtLoad\u0026rdquo; key to 1.\u003c/li\u003e\n\u003cli\u003eExecution: The malware executes the copied binary from its new location using execve.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The malware initiates an outbound TCP connection to the C2 server at 185.49.69.210 over HTTP.\u003c/li\u003e\n\u003cli\u003eData Collection: The malware leverages AVFoundation frameworks to capture screen and audio recordings.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The malware searches for and exfiltrates documents with extensions like *.doc, *.docx, *.xls, and *.xlsx.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection leads to persistent remote access, allowing the attacker to capture sensitive information, including screen recordings, audio, and documents. This can result in financial loss, intellectual property theft, and reputational damage. While the specific number of victims is unknown, the targeting of cryptocurrency exchanges suggests a focus on high-value targets. The malware\u0026rsquo;s capabilities align with those of a fully-featured backdoor, providing extensive control over compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for executables running from non-standard directories like ~/Library/Dropbox/ or ~/Library/App Store/ using the \u0026ldquo;Process Created from User Library Directory\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;OSX.Mokes C2 Communication\u0026rdquo; Sigma rule to detect network connections to the identified C2 server IP address (185.49.69.210).\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of LaunchAgent plists that execute binaries from atypical installation paths, especially those masquerading as common system processes or applications based on the persistence steps described above.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for connections to 185.49.69.210 on port 80, and analyze the HTTP traffic for command and control patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-firefox-0day-mokes/","summary":"A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.","title":"Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-29-firefox-0day-mokes/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["sandbox-escape","privacy","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA vulnerability exists in macOS Mojave that allows sandboxed applications to bypass intended restrictions on distributed notifications. Apple\u0026rsquo;s macOS sandbox aims to prevent malicious applications from spying on users. However, a flaw exists where sandboxed applications can register to receive distributed notifications by name, such as \u0026ldquo;com.apple.DownloadFileFinished\u0026rdquo;, effectively circumventing the intended restrictions. This vulnerability, disclosed in November 2018, allows a sandboxed application to monitor user activities, such as file downloads, which would normally be prohibited. This affects fully patched macOS Mojave systems and likely other versions of macOS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious application is created and sandboxed on macOS.\u003c/li\u003e\n\u003cli\u003eThe application registers to receive specific distributed notifications by name (e.g., \u003ccode\u003ecom.apple.DownloadFileFinished\u003c/code\u003e) using \u003ccode\u003eCFNotificationCenterAddObserver\u003c/code\u003e or \u003ccode\u003eNSDistributedNotificationCenter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe sandboxed application monitors system events by receiving distributed notifications.\u003c/li\u003e\n\u003cli\u003eThe application captures user activities, such as file downloads, screen lock/unlock events, screen saver start/stop, and bluetooth activity.\u003c/li\u003e\n\u003cli\u003eCollected information is stored within the application\u0026rsquo;s sandbox.\u003c/li\u003e\n\u003cli\u003eThe application may then exfiltrate the collected data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to user activity data, violating user privacy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows sandboxed applications to bypass intended privacy protections and monitor user activities, such as file downloads and system events. This can lead to unauthorized access to sensitive information and a violation of user privacy. While the exact number of victims is unknown, this vulnerability affects any user running a vulnerable version of macOS with a sandboxed application exploiting this flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for sandboxed applications using \u003ccode\u003eCFNotificationCenterAddObserver\u003c/code\u003e or \u003ccode\u003eNSDistributedNotificationCenter\u003c/code\u003e registering for distributed notifications by name (e.g., \u003ccode\u003ecom.apple.DownloadFileFinished\u003c/code\u003e). Deploy the Sigma rule \u003ccode\u003eDetect Sandboxed Application Registering for Distributed Notifications by Name\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eInvestigate any sandboxed applications that are observed to be receiving distributed notifications using the event names listed in the overview.\u003c/li\u003e\n\u003cli\u003eConsider monitoring network connections made by sandboxed applications to detect potential data exfiltration attempts after gathering notification data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:10:00Z","date_published":"2024-01-26T18:10:00Z","id":"/briefs/2024-01-macos-sandbox-leak/","summary":"A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.","title":"macOS Mojave Sandbox Distributed Notification Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-sandbox-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2017-7170"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","macos","cve-2017-7170"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eCVE-2017-7170 is a now-patched, but historically significant, local privilege escalation vulnerability affecting macOS. The vulnerability resides in the insecure implementation of the \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e API. This API, intended for executing binaries with elevated privileges after user authentication, lacks proper validation of the binary path.  An unprivileged attacker could potentially manipulate the binary executed via \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e, or more subtly, sniff the externalized authorization reference passed to \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e and reuse it to perform actions as root. The issue was disclosed in March 2020, although the CVE was assigned earlier. While this vulnerability has been patched, understanding its exploitation provides valuable insight into macOS security mechanisms and potential attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user executes a legitimate application (e.g., an installer) that utilizes the \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e function externalizes the authorization reference via \u003ccode\u003eAuthorizationMakeExternalForm\u003c/code\u003e creating an \u003ccode\u003eAuthorizationExternalForm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application invokes \u003ccode\u003eAuthorizationExecuteWithPrivilegesExternalForm\u003c/code\u003e, passing the externalized authorization reference.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eAuthorizationExecuteWithPrivilegesExternalForm\u003c/code\u003e executes the setuid binary \u003ccode\u003e/usr/libexec/security_authtrampoline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e process invokes \u003ccode\u003eAuthorizationCopyRights\u003c/code\u003e, generating an XPC message to \u003ccode\u003eauthd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system prompts the user for authentication via the Security Agent.\u003c/li\u003e\n\u003cli\u003eAn attacker sniffs the externalized authorization reference passed to the \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker re-uses the captured authorization reference to execute arbitrary commands with root privileges, bypassing intended security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2017-7170 allows a local, unprivileged attacker to gain complete control of the affected macOS system. This could lead to arbitrary code execution as root, installation of malware, data theft, or denial of service. While the vulnerability has been patched, systems that have not been updated remain vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Execution of Security Authtrampoline\u0026rdquo; to identify potential exploitation attempts even on patched systems by monitoring for unusual invocations of \u003ccode\u003e/usr/libexec/security_authtrampoline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to facilitate the detection of suspicious activity related to privilege escalation (reference the logsource in the Sigma rules).\u003c/li\u003e\n\u003cli\u003eWhile a direct fix isn\u0026rsquo;t possible given the patch status, monitor for applications using deprecated APIs such as \u003ccode\u003eAuthorizationExecuteWithPrivileges\u003c/code\u003e within your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-26-macos-privesc-cve-2017-7170/","summary":"CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.","title":"macOS Local Privilege Escalation via CVE-2017-7170","url":"https://feed.craftedsignal.io/briefs/2024-01-26-macos-privesc-cve-2017-7170/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2017-7150"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["critical"],"_cs_tags":["macos","synthetic events","privilege escalation","defense evasion"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThis brief discusses a class of vulnerabilities on macOS that can be exploited through the programmatic generation of synthetic mouse events. These vulnerabilities allow attackers to bypass security mechanisms designed to protect user privacy and system integrity. The report references historic malware examples abusing synthetic events like OSX.FruitFly and OSX.DevilRobber, discusses CVE-2017-7150, and highlights unpatched 0-day vulnerabilities as of 2018. Attackers can manipulate UI prompts, including security alerts, privacy requests, and the \u0026ldquo;User Assisted Kernel Loading\u0026rdquo; interface, enabling malicious activities such as keychain theft, geolocation tracking, and unauthorized kernel extension loading. The core issue lies in the OS trusting synthetic events originating from internal processes or specific input methods like \u0026ldquo;Mouse Keys\u0026rdquo;. This creates a significant attack surface, particularly on older macOS versions, where protections against synthetic events are incomplete.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eGain initial access to the macOS system through an unspecified method (e.g., exploiting a separate vulnerability, social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker programmatically enables \u0026ldquo;Mouse Keys\u0026rdquo; via AppleScript, using \u003ccode\u003eSystem Preferences\u003c/code\u003e to reveal the \u003ccode\u003ecom.apple.preference.universalaccess\u003c/code\u003e pane and then sending synthetic mouse clicks to enable the feature.\u003c/li\u003e\n\u003cli\u003eThe attacker moves the mouse cursor to a target UI element (e.g., an \u0026ldquo;Allow\u0026rdquo; button on a security prompt) using \u003ccode\u003eCGEventCreateMouseEvent\u003c/code\u003e to create a mouse move event.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u0026ldquo;synthetic\u0026rdquo; keyboard event with keycode 87 (numberpad 5) via AppleScript, triggering a mouse click due to \u0026ldquo;Mouse Keys\u0026rdquo; being enabled.\u003c/li\u003e\n\u003cli\u003eThe OS converts the keyboard event into a trusted mouse click, bypassing protections on the target UI component.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the bypassed UI prompt to perform unauthorized actions, such as dismissing privacy alerts related to geolocation access.\u003c/li\u003e\n\u003cli\u003eThe attacker programmatically accesses sensitive data (e.g., geolocation information) that would normally require user consent.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data or uses the elevated privileges to further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass macOS security mechanisms, potentially impacting a large number of users. Attackers can steal sensitive information like keychain data, access private user data (geolocation, contacts, calendar), and load malicious kernel extensions without user consent. This can lead to complete system compromise, data theft, and persistent malware infections. The report highlights that privacy-related alerts can be trivially bypassed, raising serious concerns about user data protection. The ease of exploitation, especially with \u0026ldquo;Mouse Keys,\u0026rdquo; makes this a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for processes enabling \u0026ldquo;Mouse Keys\u0026rdquo; via AppleScript or command-line tools; create a Sigma rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e events targeting \u003ccode\u003eosascript\u003c/code\u003e executing commands related to \u003ccode\u003ecom.apple.preference.universalaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDetect the use of \u003ccode\u003eCGPostMouseEvent\u003c/code\u003e or \u003ccode\u003eCGEventCreateMouseEvent\u003c/code\u003e API calls, especially when combined with AppleScript execution, to identify potential synthetic event generation.\u003c/li\u003e\n\u003cli\u003eAudit and monitor processes accessing sensitive user data (geolocation, contacts, calendar) after the execution of AppleScript or CoreGraphics functions, to identify potential exploitation of synthetic event vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of AppleScript commands that simulate key presses (e.g., \u003ccode\u003ekey code 87\u003c/code\u003e) especially following mouse movement events, as this may indicate abuse of the Mouse Keys feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-synthetic-reality/","summary":"macOS is vulnerable to synthetic mouse event attacks, allowing threat actors to bypass security mechanisms and interact with protected UI components to perform unauthorized actions like dumping keychains and loading kernel extensions.","title":"macOS Synthetic Mouse Event Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-24-synthetic-reality/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["rat","macos","persistence","coldroot"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Coldroot RAT is a cross-platform backdoor that targets macOS systems. This RAT masquerades as a legitimate Apple audio driver to avoid detection. Discovered in early January 2018, the malware persists on infected systems by installing a launch daemon, ensuring it is automatically restarted after each reboot. The malware beacons out to a command and control (C2) server for tasking, and also functions as a keylogger. It attempts to modify the TCC.db database, but this functionality is thwarted by System Integrity Protection (SIP). This RAT poses a significant threat to macOS users as it can provide unauthorized access to sensitive data and allow attackers to maintain persistent control over compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user downloads a DMG file containing the malicious application bundle, \u003ccode\u003ecom.apple.audio.driver.app\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user executes the application, which prompts for user credentials via a standard authentication prompt.\u003c/li\u003e\n\u003cli\u003eThe malware loads its settings from \u003ccode\u003ecom.apple.audio.driver.app/Contents/MacOS/conx.wol\u003c/code\u003e, which contains C2 information and other configuration.\u003c/li\u003e\n\u003cli\u003eThe malware copies itself to \u003ccode\u003e/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/com.apple.audio.driver\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware creates a launch daemon plist file at \u003ccode\u003e/Library/LaunchDaemons/com.apple.audio.driver.plist\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware uses \u003ccode\u003e/bin/cp\u003c/code\u003e to install the launch daemon plist.\u003c/li\u003e\n\u003cli\u003eThe malware uses \u003ccode\u003e/bin/launchctl\u003c/code\u003e to launch the newly installed launch daemon.\u003c/li\u003e\n\u003cli\u003eThe malware beacons to the C2 server specified in the \u003ccode\u003econx.wol\u003c/code\u003e file, awaiting further commands, and logs keystrokes to \u003ccode\u003eadobe_logs.log\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection by the Coldroot RAT allows attackers to maintain persistent access to macOS systems. The malware\u0026rsquo;s keylogging capabilities enable attackers to steal credentials and sensitive information. While the malware attempts to modify the TCC.db database, SIP prevents this action. However, the persistent access and data theft capabilities still pose a significant risk. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process executions for the use of \u003ccode\u003e/bin/cp\u003c/code\u003e and \u003ccode\u003e/bin/launchctl\u003c/code\u003e to install launch daemons, as highlighted in the attack chain. Deploy the \u003ccode\u003eDetect Coldroot Launch Daemon Installation\u003c/code\u003e Sigma rule to detect this behavior.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the C2 server IP address \u003ccode\u003e45.77.49.118\u003c/code\u003e listed in the IOC table and block the domain at the firewall.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for \u003ccode\u003e/Library/LaunchDaemons/com.apple.audio.driver.plist\u003c/code\u003e to detect unauthorized modifications of launch daemons. Deploy the \u003ccode\u003eDetect Coldroot Launch Daemon File Creation\u003c/code\u003e Sigma rule to detect the creation of this launch daemon.\u003c/li\u003e\n\u003cli\u003eScan systems for files matching the SHA256 hash \u003ccode\u003ec20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf\u003c/code\u003e to identify potentially infected machines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:10:00Z","date_published":"2024-01-03T18:10:00Z","id":"/briefs/2024-01-coldroot-rat/","summary":"The Coldroot RAT is a cross-platform backdoor targeting macOS systems, providing remote attackers persistent access through a launch daemon, masquerading as an Apple audio driver, and beaconing to a command and control server.","title":"Coldroot RAT Targeting macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-coldroot-rat/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flash Player","Word","macOS"],"_cs_severities":["high"],"_cs_tags":["macos","malware","backdoor","exfiltration","persistence"],"_cs_type":"advisory","_cs_vendors":["Adobe","Objective-See","Microsoft"],"content_html":"\u003cp\u003eThis threat brief summarizes Mac malware that emerged in 2017, based on a compilation by Objective-See. The analysis covers infection vectors, persistence mechanisms, features, and goals of various malware families, providing insights into the macOS threat landscape. Specific malware discussed includes FruitFly (discovered in January 2017), a backdoor designed to spy on users; MacDownloader (iKitten) (February 2017), an Iranian exfiltration agent; and others like Proton, XAgent, FileCoder, Dok, Snake, MacSpy, MacRansom, Pwnet, and CpuMeaner. The report aims to provide a comprehensive overview for defenders, facilitating detection and remediation efforts. The initial discovery of FruitFly received significant media attention due to its longevity and invasive capabilities. MacDownloader has been linked to Iranian offensive cyber operations targeting the defense industrial base and human rights advocates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Infection (MacDownloader):\u003c/strong\u003e A phishing email directs the user to a fake Adobe Flash Player download site.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The user downloads and executes the fake Flash Player installer (addone flashplayer.app). Gatekeeper may block execution unless disabled or explicitly allowed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (FruitFly):\u003c/strong\u003e The malware creates a launch agent (plist file) in the ~/Library/LaunchAgents/ directory (e.g., com.client.client.plist for FruitFly variant \u0026lsquo;A\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (MacDownloader):\u003c/strong\u003e Attempts to modify /etc/rc.common to execute /etc/.checkdev on startup, but this functionality may be incomplete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection (MacDownloader):\u003c/strong\u003e The malware harvests information on the infected system, including active Keychains, running processes, installed applications, and potentially usernames and passwords via fake System Preferences dialog.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (FruitFly):\u003c/strong\u003e The malware connects to a command and control (C2) server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (MacDownloader):\u003c/strong\u003e Stolen data, including keychain contents and system information, are exfiltrated to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Access (FruitFly):\u003c/strong\u003e The attacker gains remote access to the file system, can execute system commands, and access the webcam. They can also generate screen captures and simulate mouse/keyboard events.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe malware detailed in this report can lead to significant compromise of macOS systems. FruitFly allows attackers to spy on users via their webcams, access files, and control the system remotely. MacDownloader (iKitten) targets sensitive data, including keychain credentials, potentially enabling attackers to access protected accounts and services. Successful infections can result in data theft, espionage, and loss of control over the compromised system. Although specific victim counts are not provided, the malware targeted a wide range of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch agents in the ~/Library/LaunchAgents/ directory, especially those with suspicious names and associated executables, to detect persistence mechanisms used by malware like FruitFly. Deploy a tool like KnockKnock to aid in detection (Attack Chain - Step 3).\u003c/li\u003e\n\u003cli\u003eImplement detections for attempts to modify the /etc/rc.common file, which MacDownloader attempts to use for persistence, although the functionality may be incomplete (Attack Chain - Step 4).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of unsigned applications, which is a common characteristic of malware like MacDownloader that relies on tricking users into bypassing Gatekeeper (Attack Chain - Step 2).\u003c/li\u003e\n\u003cli\u003eEnable network monitoring to identify connections to command and control servers used by malware such as FruitFly (Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for connections to external IP addresses (Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing emails and the importance of verifying the authenticity of software downloads to prevent initial infection from malware like MacDownloader (Attack Chain - Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-mac-malware-2017/","summary":"A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.","title":"Comprehensive Analysis of Mac Malware in 2017","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2017/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["applejeus","macos","lazarus group","backdoor","cryptocurrency"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Lazarus APT group is distributing a new variant of its AppleJeus macOS backdoor through a fake cryptocurrency trading application called \u0026ldquo;JMT Trader.\u0026rdquo; The attackers created a fake company and website (jmttrading.org) to distribute the malicious application. The JMTTrader_Mac.dmg disk image contains a package installer (JMTTrader.pkg) that installs the AppleJeus backdoor. The malware utilizes a launch daemon for persistence and communicates with a command-and-control server to receive instructions. This campaign, observed in October 2019, targets macOS users interested in cryptocurrency trading and highlights Lazarus Group\u0026rsquo;s continued focus on financial gain. The analyzed sample\u0026rsquo;s SHA1 hash is 74390fba9445188f2489959cb289e73c6fbe58e4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user is lured to the fake JMT Trading website (jmttrading.org) and downloads the JMTTrader_Mac.dmg disk image.\u003c/li\u003e\n\u003cli\u003eThe user mounts the disk image, which contains the JMTTrader.pkg installer.\u003c/li\u003e\n\u003cli\u003eThe user executes the JMTTrader.pkg installer, which prompts for administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe postinstall script within the package moves \u003ccode\u003e.org.jmttrading.plist\u003c/code\u003e to \u003ccode\u003e/Library/LaunchDaemons/org.jmttrading.plist\u003c/code\u003e and sets permissions.\u003c/li\u003e\n\u003cli\u003eThe script creates the \u003ccode\u003e/Library/JMTTrader\u003c/code\u003e directory and moves \u003ccode\u003e.CrashReporter\u003c/code\u003e to \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e, setting execute permissions.\u003c/li\u003e\n\u003cli\u003eThe script executes \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e with the \u003ccode\u003eMaintain\u003c/code\u003e command-line argument for initial connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCrashReporter\u003c/code\u003e binary connects to the C\u0026amp;C server at \u003ccode\u003ebeastgoc.com\u003c/code\u003e via HTTPS POST requests to \u003ccode\u003e/grepmonux.php\u003c/code\u003e, sending system information (token, version, PID) after XOR \u0026ldquo;encryption\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe backdoor awaits commands from the C\u0026amp;C server to perform malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection allows the Lazarus Group to gain persistent remote access to the compromised macOS system. This can lead to the theft of cryptocurrency, sensitive financial data, or further propagation of malware within the victim\u0026rsquo;s network. While specific victim counts are unavailable, previous AppleJeus campaigns have targeted cryptocurrency exchanges, potentially resulting in substantial financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for \u003ccode\u003e/Library/JMTTrader/CrashReporter\u003c/code\u003e executing with the \u003ccode\u003eMaintain\u003c/code\u003e argument, using the Sigma rule \u0026ldquo;Detect AppleJeus CrashReporter Execution\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003ebeastgoc.com\u003c/code\u003e on TCP port 443, using the Sigma rule \u0026ldquo;Detect AppleJeus C2 Communication\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBlock the C\u0026amp;C domain \u003ccode\u003ebeastgoc.com\u003c/code\u003e at the DNS resolver to prevent initial communication.\u003c/li\u003e\n\u003cli\u003eInspect macOS systems for the presence of the launch daemon \u003ccode\u003e/Library/LaunchDaemons/org.jmttrading.plist\u003c/code\u003e and the \u003ccode\u003eCrashReporter\u003c/code\u003e binary in \u003ccode\u003e/Library/JMTTrader/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-applejeus-macos/","summary":"The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C\u0026C server beastgoc.com.","title":"Lazarus Group's AppleJeus macOS Backdoor via JMT Trader","url":"https://feed.craftedsignal.io/briefs/2024-01-applejeus-macos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firefox","macOS"],"_cs_severities":["high"],"_cs_tags":["osx","malware","backdoor"],"_cs_type":"threat","_cs_vendors":["Mozilla","Apple"],"content_html":"\u003cp\u003eIn June 2019, a Firefox zero-day exploit was leveraged to target employees at cryptocurrency exchanges, leading to the deployment of the OSX.NetWire.A malware on macOS systems. The malware, identified as Finder.app (SHA256: 07A4E04EE8B4C8DC0F7507F56DC24DB00537D4637AFEE43DBB9357D4D54F6FF4), employs techniques to ensure persistent execution, including the use of launch agents and login items. The malware decrypts configuration data to reveal its command and control (C2) server address and is capable of remote tasking, indicating potential for data exfiltration or further malicious activities. Its capabilities include taking screenshots and simulating synthetic events, providing the attacker with extensive control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user visits a malicious website hosting a Firefox zero-day exploit.\u003c/li\u003e\n\u003cli\u003eThe exploit successfully executes, bypassing security measures in Firefox.\u003c/li\u003e\n\u003cli\u003eThe exploit downloads and executes the initial stage of OSX.NetWire.A, disguised as Finder.app.\u003c/li\u003e\n\u003cli\u003eThe malware copies itself to ~/.defaults/Finder.app to establish a persistent presence.\u003c/li\u003e\n\u003cli\u003eThe malware creates a launch agent (~/Library/LaunchAgents/com.mac.host.plist) to ensure execution upon user login.\u003c/li\u003e\n\u003cli\u003eOSX.NetWire.A decrypts its embedded configuration data, including the C2 server address (89.34.111.113:443).\u003c/li\u003e\n\u003cli\u003eThe malware communicates with the C2 server to receive commands.\u003c/li\u003e\n\u003cli\u003eBased on the commands received, the malware performs actions such as taking screenshots or simulating user events.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe OSX.NetWire.A malware poses a significant threat to macOS users, particularly those in the cryptocurrency sector. A successful compromise can lead to unauthorized access to sensitive information, financial loss, and reputational damage. The malware\u0026rsquo;s remote tasking capabilities allow attackers to perform a wide range of malicious activities, including data exfiltration, surveillance, and potentially lateral movement within the compromised network. The number of victims is unknown, but the targeting of cryptocurrency exchanges suggests a high-value objective.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect OSX.NetWire.A Launch Agent Persistence\u0026rdquo; Sigma rule to identify malicious launch agents created by the malware to ensure persistence on compromised systems.\u003c/li\u003e\n\u003cli\u003eBlock the C2 IP address (89.34.111.113) identified in the malware\u0026rsquo;s decrypted configuration data at the firewall to prevent communication and further compromise.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for the creation of files in the \u003ccode\u003e~/.defaults/Finder.app\u003c/code\u003e directory using the \u0026ldquo;Detect OSX.NetWire.A File Creation\u0026rdquo; Sigma rule, as this is the location where the malware copies itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-osx-netwire/","summary":"A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.","title":"OSX.NetWire.A Backdoor Dropped via Firefox 0-day","url":"https://feed.craftedsignal.io/briefs/2024-01-osx-netwire/"},{"_cs_actors":["WindShift"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OSX.WindTail","Excel","MacOS"],"_cs_severities":["high"],"_cs_tags":["windshift","osx.windtail","macos","apt","cyber-espionage"],"_cs_type":"threat","_cs_vendors":["Microsoft","Apple"],"content_html":"\u003cp\u003eThe WindShift APT group is actively targeting government departments and critical infrastructure across the Middle East with a custom macOS implant known as OSX.WindTail. Discovered in 2018, this campaign utilizes malicious applications disguised as Microsoft Office documents to compromise macOS systems. The initial infection vector involves the abuse of custom URL schemes, allowing attackers to remotely infect Macs. Once installed, OSX.WindTail establishes persistence via login items and decrypts embedded strings indicating file types of interest for espionage purposes. The use of revoked signing certificates highlights a lapse in standard security measures, yet the malware exhibits a low detection rate, posing a significant threat to targeted entities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a spearphishing email containing a malicious ZIP archive (e.g., Meeting_Agenda.zip) to a target within a Middle Eastern government or critical infrastructure organization.\u003c/li\u003e\n\u003cli\u003eThe target opens the ZIP archive, revealing a malicious application disguised with a Microsoft Office icon (e.g., Final_Presentation.app).\u003c/li\u003e\n\u003cli\u003eThe target executes the malicious application, initiating the OSX.WindTail implant.\u003c/li\u003e\n\u003cli\u003eThe implant leverages a custom URL scheme (e.g., openurl2622007) to gain initial access, exploiting a weakness in macOS URL handling.\u003c/li\u003e\n\u003cli\u003eThe malware adds itself as a login item using the LSSharedFileListInsertItemURL API to ensure persistence across reboots.\u003c/li\u003e\n\u003cli\u003eThe implant generates a unique identifier for the compromised system by creating and writing to a file named \u003ccode\u003edate.txt\u003c/code\u003e within its application bundle (\u003ccode\u003eContents/Resources/date.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe implant moves itself to \u003ccode\u003e/Users/user/Library/\u003c/code\u003e and executes the persisted copy using the \u003ccode\u003eopen\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etuffel\u003c/code\u003e method decrypts embedded strings related to file extensions of interest using AES decryption with a hardcoded key, enabling targeted data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation by the WindShift APT group can lead to significant data breaches within targeted Middle Eastern government departments and critical infrastructure organizations. The exfiltration of sensitive information can compromise national security, disrupt essential services, and provide attackers with valuable intelligence for further malicious activities. The low detection rate of the OSX.WindTail implant allows the attackers to maintain a persistent presence on compromised systems, increasing the potential for long-term damage and espionage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious macOS Application Bundle with Revoked Certificate\u003c/code\u003e to identify applications with revoked signing certificates.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for executions of \u003ccode\u003eopen\u003c/code\u003e command launching applications from the \u003ccode\u003e/Users/user/Library/\u003c/code\u003e directory, as seen in the attack chain.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for connections originating from processes related to the identified malicious applications (OSX.WindTail) or the \u003ccode\u003eusrnode\u003c/code\u003e executable.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA-1 hashes (\u003ccode\u003e4613f5b1e172cb08d6a2e7f2186e2fdd875b24e5\u003c/code\u003e, \u003ccode\u003edf2a83dc0ae09c970e7318b93d95041395976da7\u003c/code\u003e, \u003ccode\u003e6d1614617732f106d5ab01125cb8e57119f29d91\u003c/code\u003e, \u003ccode\u003eda342c4ca1b2ab31483c6f2d43cdcc195dfe481b\u003c/code\u003e) at the endpoint and network levels.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windshift-osx-windtail/","summary":"The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.","title":"WindShift APT Targeting Middle East with OSX.WindTail macOS Implant","url":"https://feed.craftedsignal.io/briefs/2024-01-windshift-osx-windtail/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["quicklook","cache","macos","thumbnail","privacy"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe macOS QuickLook feature, designed for quickly previewing file contents, caches thumbnails and file paths of files, including those stored within encrypted containers (e.g., VeraCrypt, macOS Encrypted HFS+/APFS drives) and removable USB devices. This cached information is stored in the clear within the user\u0026rsquo;s temporary directory ($TMPDIR/../C/com.apple.QuickLook.thumbnailcache/) and persists across reboots. This behavior, while known in forensics circles, is not widely understood by Mac users and can lead to unintended data leakage. The file paths, names, and thumbnail previews are accessible to any code running in the context of the user, even after the encrypted container is unmounted or the USB device is removed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser mounts an encrypted container (e.g., VeraCrypt, APFS) or inserts a USB drive into a macOS system.\u003c/li\u003e\n\u003cli\u003eUser views a directory containing files within the mounted container or USB drive using Finder, or previews a file using the space bar, triggering QuickLook.\u003c/li\u003e\n\u003cli\u003eQuickLook generates thumbnails and caches file paths and names in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eindex.sqlite\u003c/code\u003e file stores the file paths and names, while \u003ccode\u003ethumbnails.data\u003c/code\u003e stores the thumbnail images.\u003c/li\u003e\n\u003cli\u003eUser unmounts the encrypted container or removes the USB drive.\u003c/li\u003e\n\u003cli\u003eThe cached thumbnails and file paths remain in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s macOS system.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the cached thumbnails and file paths from the QuickLook cache directory, potentially revealing sensitive information about the contents of the encrypted container or USB drive.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with access to a macOS system to recover thumbnails and file paths of files that were stored in encrypted containers or on removable USB devices. This can lead to the disclosure of sensitive information, even if the encrypted containers are unmounted or the USB drives are removed. The impact is significant for users who rely on encryption to protect sensitive data, as the QuickLook cache undermines the security provided by encrypted containers. The size of the thumbnails, even the smaller automatically generated ones, may be sufficient to discern the content of the files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRegularly clear the QuickLook cache, particularly after unmounting encrypted containers. Since \u003ccode\u003eqlmanage -r\u003c/code\u003e doesn\u0026rsquo;t reliably clear the cache, consider deleting the entire \u003ccode\u003ecom.apple.QuickLook.thumbnailcache\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules to detect unauthorized access or modification of the QuickLook cache directory (\u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e) using the \u0026ldquo;Detect Suspicious QuickLook Cache Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for attempts to access or manipulate the QuickLook cache files (\u003ccode\u003eindex.sqlite\u003c/code\u003e, \u003ccode\u003ethumbnails.data\u003c/code\u003e) using the \u0026ldquo;Detect QuickLook Cache File Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-quicklook-cache-leak/","summary":"macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.","title":"macOS QuickLook Thumbnail Cache Leak","url":"https://feed.craftedsignal.io/briefs/2024-01-quicklook-cache-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","CleanMyMac","Malwarebytes","Airo AV","FileMonitor.app","Ransomwhere?","BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["file-monitoring","endpoint-security","macos"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis brief examines the creation of a file monitor on macOS 10.15 (Catalina) using Apple\u0026rsquo;s Endpoint Security Framework, as detailed by Objective-See. This framework offers a user-mode interface to a new Endpoint Security Subsystem, providing a simplified API and comprehensive process information. The file monitor can capture file I/O events, file paths, and process details like process ID, path, and code-signing information. Objective-See highlights the limitations of older file monitoring methods like \u003ccode\u003e/dev/fsevents\u003c/code\u003e and OpenBSM, which lack detailed process information or face deprecation. This new framework aims to address these limitations, enabling more robust user-mode security tools. Tools like Ransomwhere? and BlockBlock use file monitoring for detecting ransomware and persistence events respectively, demonstrating its importance in macOS security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., through exploitation or social engineering).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious binary or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process creates or modifies a file on the system.\u003c/li\u003e\n\u003cli\u003eThe Endpoint Security Framework captures the file I/O event.\u003c/li\u003e\n\u003cli\u003eThe file monitor, leveraging the Endpoint Security Framework, receives a notification about the event.\u003c/li\u003e\n\u003cli\u003eThe file monitor extracts information about the event, including the process ID, path, code-signing information, and the type of file event (e.g., create, write).\u003c/li\u003e\n\u003cli\u003eBased on the extracted information, the file monitor determines if the event is malicious (e.g., rapid creation of encrypted files, persistence attempt).\u003c/li\u003e\n\u003cli\u003eThe file monitor alerts the user or security system about the malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various detrimental outcomes, including data encryption by ransomware, persistent malware installation, and unauthorized access to sensitive information. File monitors, such as the one described, aim to detect and prevent such attacks. Without proper file monitoring, malicious activities can go unnoticed, leading to significant data loss, system compromise, and financial damage. The Endpoint Security Framework intends to address the limitations of previous monitoring solutions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Endpoint Security Framework event collection to monitor file creation events using the \u003ccode\u003eES_EVENT_TYPE_NOTIFY_CREATE\u003c/code\u003e event type described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting file creation by unsigned processes to identify potentially malicious activity (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for processes with missing or invalid code-signing information, as these may be indicators of malicious activity, using the Endpoint Security Framework\u0026rsquo;s process information detailed in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:41:00Z","date_published":"2024-01-02T18:41:00Z","id":"/briefs/2024-01-macos-file-monitor/","summary":"Objective-See details how to create a file monitor for macOS 10.15 using Apple's Endpoint Security Framework to capture file I/O events and process information.","title":"macOS File Monitoring via Endpoint Security Framework","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-file-monitor/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["adware","persistence","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe \u0026lsquo;Mac File Opener\u0026rsquo; adware, signed with an Apple Developer ID belonging to \u0026lsquo;Techyutils Software Private Limited,\u0026rsquo; is distributed within an \u0026lsquo;Advanced Mac Cleaner\u0026rsquo; installer. This adware distinguishes itself through its persistence mechanism, registering itself as the default \u0026lsquo;document handler\u0026rsquo; for a wide array of file types via its Info.plist file. When a user opens a file without a pre-existing default handler that matches one registered by \u0026lsquo;Mac File Opener,\u0026rsquo; the malware is launched. While this persistence method is less reliable than traditional methods, as it requires user interaction, it effectively bypasses tools that monitor for automatically executed persistence mechanisms. This technique abuses the macOS Launch Services to gain execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser downloads a bundled installer, \u0026lsquo;Advanced Mac Cleaner,\u0026rsquo; containing the \u0026lsquo;Mac File Opener\u0026rsquo; adware.\u003c/li\u003e\n\u003cli\u003eUser executes the installer, unknowingly installing the \u0026lsquo;Mac File Opener\u0026rsquo; application.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;Mac File Opener\u0026rsquo; application, upon installation, registers itself as a document handler for a wide variety of file types by modifying its Info.plist file.\u003c/li\u003e\n\u003cli\u003eThe Launch Services Daemon (lsd) automatically parses the Info.plist file of newly installed applications.\u003c/li\u003e\n\u003cli\u003eLsd identifies the registered document handlers within \u0026lsquo;Mac File Opener\u0026rsquo;s\u0026rsquo; Info.plist file.\u003c/li\u003e\n\u003cli\u003eLsd registers \u0026lsquo;Mac File Opener\u0026rsquo; as a handler for the specified file types.\u003c/li\u003e\n\u003cli\u003eUser attempts to open a file type that does not have a default application handler, and is handled by \u0026lsquo;Mac File Opener.\u0026rsquo;\u003c/li\u003e\n\u003cli\u003eThe OS launches the \u0026lsquo;Mac File Opener\u0026rsquo; application, initiating the adware\u0026rsquo;s malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u0026lsquo;Mac File Opener\u0026rsquo; adware, once launched, can perform various unwanted actions, such as displaying intrusive advertisements, modifying browser settings, or installing additional potentially unwanted programs (PUPs). Although the exact number of victims is unknown, the broad scope of file types targeted suggests a potentially wide impact. Successful exploitation leads to a degraded user experience and potential compromise of system security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for the execution of applications from unusual locations (e.g., user\u0026rsquo;s Desktop) when opening document files, using the \u0026ldquo;Suspicious Application Execution via Document Handler\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor file system events for applications modifying their Info.plist to register a large number of CFBundleTypeExtensions, using the \u0026ldquo;Suspicious Info.plist Modification for Document Handling\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly audit installed applications and their associated document handlers to identify and remove any suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement application allowlisting to prevent the execution of unauthorized applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-mac-file-opener-persistence/","summary":"The 'Mac File Opener' adware achieves persistence by registering itself as a document handler for numerous file types, leveraging the Launch Services Daemon (lsd) to automatically parse the application's Info.plist and register the handlers.","title":"Mac File Opener Adware Persists via Document Handler Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-02-mac-file-opener-persistence/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macos"],"_cs_severities":["high"],"_cs_tags":["lazarus","fileless","macos","trojan"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Lazarus Group, known for targeting cryptocurrency exchanges, continues to evolve its macOS capabilities. This campaign, observed in late 2019, involves a trojanized application named UnionCryptoTrader.dmg, masquerading as a legitimate cryptocurrency trading platform. The application, hosted on the domain unioncrypto.vip (104.168.167.16), is delivered to victims via an assumed download link. Once executed, the application installs a persistent launch daemon and then downloads and executes further payloads directly in memory, minimizing its footprint on the compromised system. This \u0026lsquo;fileless\u0026rsquo; approach, combined with targeting of cryptocurrency platforms, demonstrates Lazarus Group\u0026rsquo;s ongoing interest in financial gain and their increasing sophistication in macOS malware development.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim downloads a disk image (UnionCryptoTrader.dmg) from unioncrypto.vip.\u003c/li\u003e\n\u003cli\u003eThe victim mounts the DMG, revealing an unsigned package installer (UnionCryptoTrader.pkg).\u003c/li\u003e\n\u003cli\u003eThe victim executes the package, which prompts for administrator credentials due to the installation of a launch daemon.\u003c/li\u003e\n\u003cli\u003eThe postinstall script within the package moves a hidden plist file (.vip.unioncrypto.plist) to \u003ccode\u003e/Library/LaunchDaemons/vip.unioncrypto.plist\u003c/code\u003e for persistence.\u003c/li\u003e\n\u003cli\u003eThe script also moves a hidden executable (.unioncryptoupdater) to \u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e and sets its permissions to executable.\u003c/li\u003e\n\u003cli\u003eThe launch daemon (\u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e) is executed and configured to run on each system reboot.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunioncryptoupdater\u003c/code\u003e binary gathers system information, including the serial number using IOKit (\u003ccode\u003eIOPlatformSerialNumber\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunioncryptoupdater\u003c/code\u003e binary connects to the C2 server \u003ccode\u003eunioncrypto.vip/update\u003c/code\u003e to download and execute payloads in memory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack targets employees of cryptocurrency exchanges. Successful infection allows the Lazarus Group to gain persistent access to systems within these organizations, potentially leading to theft of cryptocurrency, sensitive financial data, or disruption of trading operations. The fileless nature of the secondary payload execution makes detection more difficult, increasing the attacker\u0026rsquo;s dwell time and potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch daemons by unsigned installers, specifically those moving plist files to \u003ccode\u003e/Library/LaunchDaemons\u003c/code\u003e (see attack chain steps 4-5).\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003eunioncrypto.vip\u003c/code\u003e from unusual processes or those located in \u003ccode\u003e/Library/UnionCrypto\u003c/code\u003e using the provided IOCs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect UnionCryptoTrader Package Installation\u0026rdquo; to identify the execution of the malicious installer.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eunioncrypto.vip\u003c/code\u003e at the network perimeter (DNS or firewall) to prevent initial infection and C2 communication using the provided IOC.\u003c/li\u003e\n\u003cli\u003eEnable endpoint detection and response (EDR) systems to detect and block the execution of unsigned binaries from \u003ccode\u003e/Library/UnionCrypto\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lazarus-fileless-macos/","summary":"The Lazarus APT group is distributing a trojanized macOS application named UnionCryptoTrader.dmg that installs a launch daemon for persistence, downloads and executes secondary payloads in-memory, and communicates with the command and control server unioncrypto.vip.","title":"Lazarus Group's macOS 'Fileless' Implant","url":"https://feed.craftedsignal.io/briefs/2024-01-lazarus-fileless-macos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["macos","endpoint-security","process-monitoring","defense-evasion","discovery"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThis document explores the use of Apple\u0026rsquo;s Endpoint Security Framework, introduced in macOS 10.15 (Catalina), as a modern alternative to the OpenBSM subsystem for process monitoring. The Endpoint Security Framework provides a user-mode API that offers a simpler interface, comprehensive code-signing information, and proactive event response capabilities. This allows developers to create robust security tools for macOS without relying on kernel-level access, which Apple is actively deprecating. The framework requires the \u003ccode\u003ecom.apple.developer.endpoint-security.client\u003c/code\u003e entitlement and the use of Xcode 11 or later with the macOS 10.15 SDK or newer. This framework enables process monitoring with details such as process ID, path, arguments, and code-signing information, simplifying the development of security tools like Ransomwhere?, TaskExplorer, and BlockBlock.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain represents how a malicious actor can potentially bypass security measures by exploiting the capabilities of process monitoring frameworks:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A malicious program gains initial access to the macOS system through a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The program attempts to escalate privileges to gain broader access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Creation:\u003c/strong\u003e The attacker creates a new process (e.g., \u003ccode\u003e/tmp/evil.sh\u003c/code\u003e) to execute malicious code on the system using \u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e The malicious process injects code into another running process to hide its activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The injected code collects sensitive data and attempts to exfiltrate it from the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating a launch agent or daemon.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to evade detection by modifying system files or disabling security tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, such as stealing sensitive data, disrupting system operations, or gaining control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of process monitoring frameworks and the subsequent bypass of security measures can lead to various detrimental outcomes. This includes unauthorized access to sensitive data, system compromise, and the disruption of critical services. The number of affected systems can range from individual machines to entire networks, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Endpoint Security Framework logging to capture process execution events (\u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e) for enhanced visibility.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected or unauthorized process creations, especially in sensitive directories like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e, using a Sigma rule targeting \u003ccode\u003ees_event_type_notify_exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement code-signing verification to ensure that only trusted processes are allowed to execute, leveraging process code signing information.\u003c/li\u003e\n\u003cli\u003eDevelop a detection rule to identify processes lacking proper code signatures or exhibiting suspicious signing characteristics.\u003c/li\u003e\n\u003cli\u003eMonitor the ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED error to detect unauthorized attempts to leverage the Endpoint Security framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-macos-endpoint-security-framework/","summary":"This brief discusses the use of Apple's Endpoint Security Framework in macOS 10.15 and later for user-mode process monitoring, offering improved capabilities over the older OpenBSM subsystem.","title":"Leveraging Apple's Endpoint Security Framework for Process Monitoring","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-endpoint-security-framework/"},{"_cs_actors":["HackingTeam"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["hackingteam","rcs","malware","macos"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Objective-See blog post from February 2016 analyzes an implant installer believed to be associated with HackingTeam\u0026rsquo;s Remote Control System (RCS) implant. The analysis reveals that this installer employs Apple\u0026rsquo;s native OS X encryption scheme and a custom packer, a notable shift in tactics. The sample, available on VirusTotal, was initially undetected by AV vendors. This suggests a potential resurgence of HackingTeam and an effort to evade traditional detection methods. The use of encryption and packing highlights the need for advanced analysis techniques and tools to uncover the malicious payload. The installer drops and executes a persistent implant, along with an encrypted configuration file. This activity indicates a sophisticated attempt to maintain long-term access to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker deploys the encrypted HackingTeam RCS implant installer to the target macOS system.\u003c/li\u003e\n\u003cli\u003eThe installer uses Apple\u0026rsquo;s native OS X encryption scheme to protect the binary.\u003c/li\u003e\n\u003cli\u003eThe installer decrypts itself using a static Blowfish key.\u003c/li\u003e\n\u003cli\u003eThe decrypted installer unpacks itself from a custom packer.\u003c/li\u003e\n\u003cli\u003eThe unpacked installer drops a persistent implant to \u003ccode\u003e~/Library/Preferences/8pHbqThW/_9g4cBUb.psr\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe installer drops an encrypted data file to \u003ccode\u003e~/Library/Preferences/8pHbqThW/Bs-V7qIU.cYL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe installer executes the dropped implant using \u003ccode\u003eexecve\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe persistent implant installs itself as a user Launch Agent with the name \u003ccode\u003ecom.apple.FinderExtAvt.plist\u003c/code\u003e, ensuring persistence upon reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful infection leads to the installation of the HackingTeam RCS implant on the macOS system. This allows the attackers to remotely control the system, potentially exfiltrate sensitive data, monitor user activity, and install additional malicious software. The use of encryption and packing significantly hinders detection and analysis, potentially allowing the implant to remain undetected for an extended period. While the number of victims is not specified, the use of sophisticated techniques suggests targeted attacks against high-value individuals or organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for the creation of files in \u003ccode\u003e~/Library/Preferences/8pHbqThW/\u003c/code\u003e to detect potential RCS implant activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the creation of the LaunchAgent file associated with the RCS implant.\u003c/li\u003e\n\u003cli\u003eBlock the listed IOCs, specifically the SHA256 hashes of the implant installer and persistent implant, at the endpoint to prevent execution.\u003c/li\u003e\n\u003cli\u003eUtilize tools like Objective-See\u0026rsquo;s BlockBlock and KnockKnock to detect and block persistence attempts and enumerate installed binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2016-02-26T07:47:15Z","date_published":"2016-02-26T07:47:15Z","id":"/briefs/2016-02-hackingteam-rcs/","summary":"An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.","title":"HackingTeam RCS Implant Installer Analysis","url":"https://feed.craftedsignal.io/briefs/2016-02-hackingteam-rcs/"}],"language":"en","title":"CraftedSignal Threat Feed — MacOS","version":"https://jsonfeed.org/version/1.1"}