{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/macupdate.com/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MacUpdate.com","OSX.Mami","CrossRAT"],"_cs_severities":["medium"],"_cs_tags":["macos","malware","dns-hijacking","backdoor"],"_cs_type":"advisory","_cs_vendors":["MacUpdate"],"content_html":"\u003cp\u003eThis report retrospectively examines Mac malware identified throughout 2018, providing a comprehensive overview of emerging threats targeting macOS systems. The analysis covers various malware specimens, detailing their infection vectors, persistence mechanisms, and intended goals. Noteworthy examples include OSX.Mami, a DNS hijacker that redirects traffic to attacker-controlled servers, and CrossRAT, a cross-platform Java-based backdoor used in cyber-espionage campaigns. The report emphasizes the evolving threat landscape for macOS and the importance of understanding malware capabilities to defend against attacks. Specifics include the distribution of CreativeUpdate via trojanized applications on MacUpdate.com and the use of Launch Daemons and Launch Agents for persistence by OSX.Mami and CrossRAT respectively. 
The analyzed malware spans from January 2018 (Mami) to December 2018 (DarthMiner, LamePyre).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (OSX.Mami):\u003c/strong\u003e A user visits a malicious website that triggers a browser popup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Interaction (OSX.Mami):\u003c/strong\u003e The user interacts with the popup, which downloads a Mach-O executable named \u0026ldquo;MaMi\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (OSX.Mami):\u003c/strong\u003e The user runs the downloaded \u0026ldquo;MaMi\u0026rdquo; binary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (OSX.Mami):\u003c/strong\u003e The malware installs a Launch Daemon at \u003ccode\u003e/Library/LaunchDaemons/Cyclonica.plist\u003c/code\u003e whose program path points to a malicious binary in the user\u0026rsquo;s home directory. A system-wide daemon that executes code from a home directory is itself a strong indicator, since legitimate daemons run from system or application paths.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (OSX.Mami):\u003c/strong\u003e The malware installs a malicious certificate in the System Keychain, a write that requires administrator authorization. Once the attacker\u0026rsquo;s certificate is trusted system-wide, intercepted TLS connections no longer raise browser warnings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDNS Hijacking (OSX.Mami):\u003c/strong\u003e The malware modifies \u003ccode\u003e/Library/Preferences/SystemConfiguration/preferences.plist\u003c/code\u003e, replacing the system\u0026rsquo;s DNS servers with attacker-controlled resolvers (82.163.143.135 and 82.163.142.137).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMan-in-the-Middle Attack (OSX.Mami):\u003c/strong\u003e With name resolution and certificate trust both under attacker control, the attacker can redirect connections to attacker-controlled hosts, observe user activity, and inject content into the traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mac malware of 2018 exhibited a range of malicious capabilities, including DNS hijacking, remote access, and data exfiltration. 
OSX.Mami\u0026rsquo;s DNS hijacking let attackers monitor user activity and inject malicious content, undermining the confidentiality and integrity of the victim\u0026rsquo;s traffic. CrossRAT, a cross-platform backdoor, gave attackers remote control of infected systems and the ability to exfiltrate sensitive information. Specific victim counts and sectors are not detailed, but the malware posed a significant threat to macOS users and organizations; successful compromise could lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for DNS queries to the known OSX.Mami resolvers \u003ccode\u003e82.163.143.135\u003c/code\u003e and \u003ccode\u003e82.163.142.137\u003c/code\u003e, and audit endpoint resolver configuration (the \u003ccode\u003eServerAddresses\u003c/code\u003e entries in \u003ccode\u003epreferences.plist\u003c/code\u003e, or the output of \u003ccode\u003escutil --dns\u003c/code\u003e) for the same addresses.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule that alerts on the creation of LaunchAgent plists whose \u003ccode\u003eProgramArguments\u003c/code\u003e invoke \u003ccode\u003ejava -jar\u003c/code\u003e, the persistence pattern used by CrossRAT.\u003c/li\u003e\n\u003cli\u003eMonitor file creation and modification in \u003ccode\u003e/Library/LaunchDaemons/\u003c/code\u003e, in particular for \u003ccode\u003eCyclonica.plist\u003c/code\u003e, and flag any Launch Daemon whose program path points into a user\u0026rsquo;s home directory (Attack Chain). Plist files are not executed themselves; the process to watch is the launchd-spawned binary they reference.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:34:00Z","date_published":"2024-01-03T17:34:00Z","id":"/briefs/2024-01-mac-malware-2018/","summary":"This brief analyzes Mac malware discovered in 2018, including OSX.Mami, a DNS hijacker distributed via browser popups, and CrossRAT, a cross-platform Java-based backdoor likely spread through phishing, highlighting infection vectors, persistence mechanisms, and capabilities.","title":"Mac Malware of 2018 Retrospective","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2018/"}],"language":"en","title":"CraftedSignal Threat Feed — MacUpdate.com","version":"https://jsonfeed.org/version/1.1"}
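The attack chain and recommendations above amount to three host-side checks: a Launch Daemon at `/Library/LaunchDaemons/Cyclonica.plist` (or any system daemon whose program lives in a user's home directory), a launchd job that runs `java -jar`, and the OSX.Mami resolver addresses in `SystemConfiguration/preferences.plist`. The script below is an added example, not code from the brief or from CraftedSignal. It parses launchd plists and the DNS preferences with the standard `plistlib` module and runs the checks over constructed sample plists; the agent label `com.example.ua.update`, the paths under `/Users/victim`, and the network-service identifiers are hypothetical. It generalises the brief's CrossRAT rule slightly by flagging `java -jar` in Launch Daemons as well as Launch Agents.

```python
"""Host-side check for the OSX.Mami and CrossRAT indicators in this brief.

Added example, not code from the brief or from CraftedSignal. The sample
plists at the bottom are constructed for illustration; the agent label
'com.example.ua.update' and the paths under /Users/victim are hypothetical.
"""
import plistlib
import re
from pathlib import Path

# Attacker-controlled resolvers written by OSX.Mami (from the brief).
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}
MAMI_DAEMON_PLIST = "Cyclonica.plist"
HOME_DIR_PATH = re.compile(r"^/Users/[^/]+/")


def program_args(job):
    """Return the launchd job's command line: ProgramArguments, else Program."""
    if "ProgramArguments" in job:
        return [str(a) for a in job["ProgramArguments"]]
    if "Program" in job:
        return [str(job["Program"])]
    return []


def check_launchd_job(name, job, scope):
    """Check one parsed launchd plist. scope is 'LaunchDaemons' or 'LaunchAgents'."""
    findings = []
    args = program_args(job)
    if name == MAMI_DAEMON_PLIST:
        findings.append(f"{scope}/{name}: filename matches the OSX.Mami Launch Daemon")
    # Mami's system-wide daemon ran a binary from the user's home directory.
    if scope == "LaunchDaemons" and args and HOME_DIR_PATH.match(args[0]):
        findings.append(f"{scope}/{name}: system daemon runs code from a home directory ({args[0]})")
    # CrossRAT persisted as a Launch Agent invoking 'java -jar <payload>';
    # the same pattern in a Launch Daemon is just as suspicious, so both are flagged.
    lowered = [a.lower() for a in args]
    if any(a.endswith("java") for a in lowered) and "-jar" in lowered:
        findings.append(f"{scope}/{name}: launchd job runs java -jar ({' '.join(args)})")
    return findings


def check_dns_preferences(prefs):
    """Walk NetworkServices/<id>/DNS/ServerAddresses in SystemConfiguration/preferences.plist."""
    findings = []
    for service_id, service in prefs.get("NetworkServices", {}).items():
        for addr in service.get("DNS", {}).get("ServerAddresses", []):
            if addr in MAMI_DNS_SERVERS:
                findings.append(f"NetworkServices/{service_id}: resolver {addr} is an OSX.Mami DNS server")
    return findings


def scan_host(root="/"):
    """Scan a live system (or a mounted image rooted at `root`) and return findings."""
    root = Path(root)
    findings = []
    targets = [(root / "Library" / s, s) for s in ("LaunchDaemons", "LaunchAgents")]
    targets += [(p / "Library" / "LaunchAgents", "LaunchAgents") for p in (root / "Users").glob("*")]
    for directory, scope in targets:
        for plist_path in directory.glob("*.plist"):
            try:
                job = plistlib.loads(plist_path.read_bytes())  # handles XML and binary plists
            except Exception as exc:
                findings.append(f"{scope}/{plist_path.name}: unparseable plist ({exc})")
                continue
            findings += check_launchd_job(plist_path.name, job, scope)
    prefs_path = root / "Library/Preferences/SystemConfiguration/preferences.plist"
    if prefs_path.exists():
        findings += check_dns_preferences(plistlib.loads(prefs_path.read_bytes()))
    return findings


# Constructed samples mirroring the brief's indicators (not captured artifacts).
SAMPLE_MAMI_DAEMON = plistlib.dumps({
    "Label": "Cyclonica", "RunAtLoad": True,
    "ProgramArguments": ["/Users/victim/Library/Application Support/Cyclonica/mami"],
})
SAMPLE_CROSSRAT_AGENT = plistlib.dumps({
    "Label": "com.example.ua.update", "RunAtLoad": True,  # hypothetical label
    "ProgramArguments": ["/usr/bin/java", "-jar", "/Users/victim/Library/ua.update.jar"],
})
SAMPLE_BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.sync", "ProgramArguments": ["/usr/local/bin/sync-client", "--daemon"],
})
SAMPLE_PREFS = plistlib.dumps({"NetworkServices": {
    "0A1B2C3D": {"UserDefinedName": "Wi-Fi", "DNS": {"ServerAddresses": sorted(MAMI_DNS_SERVERS)}},
    "4E5F6A7B": {"UserDefinedName": "Ethernet", "DNS": {}},
}})


def demo():
    """Run the checks over the constructed samples; returns the list of findings."""
    findings = check_launchd_job("Cyclonica.plist", plistlib.loads(SAMPLE_MAMI_DAEMON), "LaunchDaemons")
    findings += check_launchd_job("com.example.ua.update.plist", plistlib.loads(SAMPLE_CROSSRAT_AGENT), "LaunchAgents")
    findings += check_launchd_job("com.example.sync.plist", plistlib.loads(SAMPLE_BENIGN_AGENT), "LaunchAgents")
    findings += check_dns_preferences(plistlib.loads(SAMPLE_PREFS))
    return findings


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real macOS host, `scan_host()` reads the system and per-user launchd directories plus `preferences.plist`; on a forensic image, pass the mount point as `root`. The static parse does not capture resolvers pushed by DHCP or a VPN, so on a live system compare its output with `scutil --dns`, which shows the configuration actually in effect.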