{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/objective-see/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","macos","sip-bypass"],"_cs_type":"advisory","_cs_vendors":["Objective-See"],"content_html":"\u003cp\u003eA macOS vulnerability allows attackers to bypass System Integrity Protection (SIP) by coercing a SIP-entitled process to load an untrusted library. The vulnerability abuses macOS sandboxing mechanisms, leading to a privilege escalation scenario. While the exact details of the vulnerability are not provided, the attack involves tricking the system into loading a malicious library into a protected process. This can allow attackers to execute arbitrary code with elevated privileges and bypass system-level protections. The original write-up of the vulnerability was posted on the researcher\u0026rsquo;s personal site, and the vulnerability was reported in 2018.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious dynamic library.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a SIP-entitled process on macOS.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a sandboxing vulnerability or misconfiguration to influence the target process.\u003c/li\u003e\n\u003cli\u003eThe system is tricked into loading the malicious library into the SIP-entitled process.\u003c/li\u003e\n\u003cli\u003eThe malicious library executes within the context of the SIP-entitled process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges and bypasses SIP restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of this vulnerability allows an attacker to bypass System Integrity Protection, a critical security feature in macOS. This can lead to complete system compromise, as the attacker can execute arbitrary code with elevated privileges. Although specific victim counts and targeted sectors are unavailable, the vulnerability poses a significant threat to any macOS system where SIP is relied upon for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected library loads into SIP-entitled processes using process creation and image load logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexplained modifications to sandboxing configurations or profiles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the loading of unsigned libraries into protected processes.\u003c/li\u003e\n\u003cli\u003eEnable and review system integrity events to identify unauthorized modifications to system files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T07:47:15Z","date_published":"2026-05-07T07:47:15Z","id":"/briefs/2024-01-sip-bypass/","summary":"A macOS vulnerability enables bypassing System Integrity Protection (SIP) by abusing sandboxing mechanisms to load an untrusted library into a SIP-entitled process.","title":"macOS SIP Bypass via Sandboxing Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-sip-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flash Player","Word","macOS"],"_cs_severities":["high"],"_cs_tags":["macos","malware","backdoor","exfiltration","persistence"],"_cs_type":"advisory","_cs_vendors":["Adobe","Objective-See","Microsoft"],"content_html":"\u003cp\u003eThis threat brief summarizes Mac malware that emerged in 2017, based on a compilation by Objective-See. The analysis covers infection vectors, persistence mechanisms, features, and goals of various malware families, providing insights into the macOS threat landscape. Specific malware discussed includes FruitFly (discovered in January 2017), a backdoor designed to spy on users; MacDownloader (iKitten) (February 2017), an Iranian exfiltration agent; and others like Proton, XAgent, FileCoder, Dok, Snake, MacSpy, MacRansom, Pwnet, and CpuMeaner. The report aims to provide a comprehensive overview for defenders, facilitating detection and remediation efforts. The initial discovery of FruitFly received significant media attention due to its longevity and invasive capabilities. MacDownloader has been linked to Iranian offensive cyber operations targeting the defense industrial base and human rights advocates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Infection (MacDownloader):\u003c/strong\u003e A phishing email directs the user to a fake Adobe Flash Player download site.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The user downloads and executes the fake Flash Player installer (addone flashplayer.app). Gatekeeper may block execution unless disabled or explicitly allowed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (FruitFly):\u003c/strong\u003e The malware creates a launch agent (plist file) in the ~/Library/LaunchAgents/ directory (e.g., com.client.client.plist for FruitFly variant \u0026lsquo;A\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (MacDownloader):\u003c/strong\u003e Attempts to modify /etc/rc.common to execute /etc/.checkdev on startup, but this functionality may be incomplete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection (MacDownloader):\u003c/strong\u003e The malware harvests information on the infected system, including active Keychains, running processes, installed applications, and potentially usernames and passwords via fake System Preferences dialog.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (FruitFly):\u003c/strong\u003e The malware connects to a command and control (C2) server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (MacDownloader):\u003c/strong\u003e Stolen data, including keychain contents and system information, are exfiltrated to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Access (FruitFly):\u003c/strong\u003e The attacker gains remote access to the file system, can execute system commands, and access the webcam. They can also generate screen captures and simulate mouse/keyboard events.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe malware detailed in this report can lead to significant compromise of macOS systems. FruitFly allows attackers to spy on users via their webcams, access files, and control the system remotely. MacDownloader (iKitten) targets sensitive data, including keychain credentials, potentially enabling attackers to access protected accounts and services. Successful infections can result in data theft, espionage, and loss of control over the compromised system. Although specific victim counts are not provided, the malware targeted a wide range of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch agents in the ~/Library/LaunchAgents/ directory, especially those with suspicious names and associated executables, to detect persistence mechanisms used by malware like FruitFly. Deploy a tool like KnockKnock to aid in detection (Attack Chain - Step 3).\u003c/li\u003e\n\u003cli\u003eImplement detections for attempts to modify the /etc/rc.common file, which MacDownloader attempts to use for persistence, although the functionality may be incomplete (Attack Chain - Step 4).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of unsigned applications, which is a common characteristic of malware like MacDownloader that relies on tricking users into bypassing Gatekeeper (Attack Chain - Step 2).\u003c/li\u003e\n\u003cli\u003eEnable network monitoring to identify connections to command and control servers used by malware such as FruitFly (Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for connections to external IP addresses (Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing emails and the importance of verifying the authenticity of software downloads to prevent initial infection from malware like MacDownloader (Attack Chain - Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-mac-malware-2017/","summary":"A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.","title":"Comprehensive Analysis of Mac Malware in 2017","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2017/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tresorit","MS Office 2016","Monitor.app","ProcInfoExample"],"_cs_severities":["high"],"_cs_tags":["dylib-hijacking","privilege-escalation","macos"],"_cs_type":"advisory","_cs_vendors":["Tresorit","Avira","Microsoft","Objective-See","FireEye"],"content_html":"\u003cp\u003eThis brief addresses a local privilege escalation vulnerability in macOS that leverages dylib hijacking within applications obtained from the official Mac App Store. The vulnerability allows a malicious actor to inject a dynamic library (dylib) into a legitimate application, potentially gaining elevated privileges. The attack exploits weaknesses in how macOS applications load dynamic libraries, specifically the use of weak loading and run-path dependent (rpath) dylibs. While applications dragged into the /Applications directory are typically owned by the user, applications installed from the App Store are owned by root, requiring privilege escalation to exploit. This vulnerability matters because it allows attackers to bypass intended security restrictions and gain root access, even on systems with standard security configurations. Successful exploitation enables persistence and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable application using tools like Dylib Hijack Scanner (DHS), looking for apps with weak or rpath-dependent dylib loading.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the absence of library-validation option (flag=0x200) using \u003ccode\u003ecodesign\u003c/code\u003e to verify if dylib hijacking is possible.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious dylib (e.g., \u003ccode\u003ehello-tresorit.dylib\u003c/code\u003e) containing code to be executed upon loading, such as opening a Terminal or creating a syslog entry.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003egcc\u003c/code\u003e to compile the dylib. The attacker uses a tool like \u003ccode\u003ecreateHijacker.py\u003c/code\u003e to fix the dylib version and add exports from the original dylib to the malicious dylib.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability to bypass root folder permissions to copy the malicious dylib to the application\u0026rsquo;s framework directory (e.g., \u003ccode\u003e/Applications/Tresorit.app/Contents/MacOS/TresoritExtension.app/Contents/PlugIns/FinderExtension.appex/Contents/MacOS/../../../../Frameworks/UtilsMac.framework/Versions/A/UtilsMac\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker launches the targeted application, causing the malicious dylib to be loaded into the application process.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the dylib executes with the privileges of the application, potentially escalating privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or performs other malicious actions based on the gained privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete system compromise. An attacker gaining root access can install persistent backdoors, steal sensitive data, or deploy ransomware. The number of potential victims is large, as many macOS applications from the App Store are vulnerable. The affected sectors span various industries, as the vulnerability affects a wide range of applications. The consequences of a successful attack range from data breaches and financial loss to complete system control by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUse a tool like Dylib Hijack Scanner to identify vulnerable applications in your environment and prioritize patching or removal.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new dylibs within application framework directories, which may indicate a dylib hijacking attempt, using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Dylib Hijacking via DYLD_PRINT_RPATHS\u003c/code\u003e to detect attempts to identify vulnerable dylibs.\u003c/li\u003e\n\u003cli\u003eEnable library validation for applications to prevent the loading of unsigned or improperly signed dylibs.\u003c/li\u003e\n\u003cli\u003eUse process monitoring tools like Objective-See\u0026rsquo;s ProcInfo to detect suspicious process creation events that may be indicative of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-macos-dylib-hijacking/","summary":"A local privilege escalation vulnerability in macOS allows attackers to gain root privileges by hijacking dylibs in applications installed from the Mac App Store.","title":"macOS Local Privilege Escalation via Dylib Hijacking in App Store Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-dylib-hijacking/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["kernel-extension","kev_msg_post","macos","process-monitoring"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis threat brief describes the abuse of the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function in macOS to broadcast process creation notifications from a kernel extension (kext) to a user-mode application. This technique, highlighted in Objective-See\u0026rsquo;s research, allows a kext to bypass standard userland APIs for process monitoring. The \u003ccode\u003ekev_msg_post\u003c/code\u003e function is part of the Kernel Events API. It\u0026rsquo;s designed for kernel-to-userland communication but lacks proper documentation, which makes it difficult to monitor.\u003c/p\u003e\n\u003cp\u003eThe communication involves a kext utilizing \u003ccode\u003ekev_msg_post\u003c/code\u003e to send data to a user-mode application through a system socket.  Objective-See\u0026rsquo;s BlockBlock tool uses this technique to correlate persistent file I/O events with the responsible process.  Abuse of \u003ccode\u003ekev_msg_post\u003c/code\u003e can allow malicious kexts to exfiltrate sensitive kernel-level information or trigger actions in user-mode without detection by conventional monitoring tools. This technique is relevant to defenders because it provides a stealthy mechanism for malware to operate within macOS, potentially leading to undetected data theft, privilege escalation, or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious kext is loaded into the macOS kernel, often requiring elevated privileges or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe kext uses the \u003ccode\u003ekev_vendor_code_find\u003c/code\u003e function to obtain a vendor ID associated with the kext (e.g., \u0026ldquo;com.objective-see\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe kext registers for process execution events using kauth or MAC policies.\u003c/li\u003e\n\u003cli\u003eWhen a new process is created, the kext\u0026rsquo;s callback function is triggered.\u003c/li\u003e\n\u003cli\u003eThe kext populates a \u003ccode\u003ekev_msg\u003c/code\u003e structure with process information, including the process ID (PID), user ID (UID), parent process ID (PPID), and path to the executable.\u003c/li\u003e\n\u003cli\u003eThe kext calls the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function to broadcast the process information to a system socket.\u003c/li\u003e\n\u003cli\u003eA user-mode application with a socket connected to the same vendor ID receives the broadcasted message, extracting the process information.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the process information for malicious purposes, such as injecting code into the new process, monitoring its activity, or terminating it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to monitor and manipulate processes on a compromised macOS system without detection by standard userland monitoring tools.  This could lead to data exfiltration, privilege escalation, or other malicious activities. Due to the nature of the kernel, even a single successful compromise can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted kernel extensions using system integrity monitoring tools that track kext loading events.\u003c/li\u003e\n\u003cli\u003eImplement detections for user-mode applications creating system sockets with the \u003ccode\u003eSYSPROTO_EVENT\u003c/code\u003e protocol, as described in the \u0026ldquo;Receiving the Data in User-Mode\u0026rdquo; section. This can be done using an endpoint detection and response (EDR) solution or auditd.\u003c/li\u003e\n\u003cli\u003eDevelop YARA rules to scan kernel memory for the presence of kexts using the undocumented \u003ccode\u003ekev_msg_post\u003c/code\u003e function to detect malicious kexts attempting to communicate outside kernel space.\u003c/li\u003e\n\u003cli\u003eAudit the use of \u003ccode\u003eioctl\u003c/code\u003e calls with \u003ccode\u003eSIOCGKEVVENDOR\u003c/code\u003e and \u003ccode\u003eSIOCSKEVFILT\u003c/code\u003e to detect user-mode applications attempting to filter for specific kernel events, using the code samples from the \u0026ldquo;Receiving the Data in User-Mode\u0026rdquo; section as reference.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kev-msg-post-process-creation/","summary":"The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.","title":"macOS Kernel-to-Userland Process Creation Notification via undocumented kev_msg_post","url":"https://feed.craftedsignal.io/briefs/2024-01-kev-msg-post-process-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS","CleanMyMac","Malwarebytes","Airo AV","FileMonitor.app","Ransomwhere?","BlockBlock"],"_cs_severities":["medium"],"_cs_tags":["file-monitoring","endpoint-security","macos"],"_cs_type":"advisory","_cs_vendors":["Apple","Objective-See"],"content_html":"\u003cp\u003eThis brief examines the creation of a file monitor on macOS 10.15 (Catalina) using Apple\u0026rsquo;s Endpoint Security Framework, as detailed by Objective-See. This framework offers a user-mode interface to a new Endpoint Security Subsystem, providing a simplified API and comprehensive process information. The file monitor can capture file I/O events, file paths, and process details like process ID, path, and code-signing information. Objective-See highlights the limitations of older file monitoring methods like \u003ccode\u003e/dev/fsevents\u003c/code\u003e and OpenBSM, which lack detailed process information or face deprecation. This new framework aims to address these limitations, enabling more robust user-mode security tools. Tools like Ransomwhere? and BlockBlock use file monitoring for detecting ransomware and persistence events respectively, demonstrating its importance in macOS security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., through exploitation or social engineering).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious binary or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process creates or modifies a file on the system.\u003c/li\u003e\n\u003cli\u003eThe Endpoint Security Framework captures the file I/O event.\u003c/li\u003e\n\u003cli\u003eThe file monitor, leveraging the Endpoint Security Framework, receives a notification about the event.\u003c/li\u003e\n\u003cli\u003eThe file monitor extracts information about the event, including the process ID, path, code-signing information, and the type of file event (e.g., create, write).\u003c/li\u003e\n\u003cli\u003eBased on the extracted information, the file monitor determines if the event is malicious (e.g., rapid creation of encrypted files, persistence attempt).\u003c/li\u003e\n\u003cli\u003eThe file monitor alerts the user or security system about the malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various detrimental outcomes, including data encryption by ransomware, persistent malware installation, and unauthorized access to sensitive information. File monitors, such as the one described, aim to detect and prevent such attacks. Without proper file monitoring, malicious activities can go unnoticed, leading to significant data loss, system compromise, and financial damage. The Endpoint Security Framework intends to address the limitations of previous monitoring solutions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Endpoint Security Framework event collection to monitor file creation events using the \u003ccode\u003eES_EVENT_TYPE_NOTIFY_CREATE\u003c/code\u003e event type described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting file creation by unsigned processes to identify potentially malicious activity (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for processes with missing or invalid code-signing information, as these may be indicators of malicious activity, using the Endpoint Security Framework\u0026rsquo;s process information detailed in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:41:00Z","date_published":"2024-01-02T18:41:00Z","id":"/briefs/2024-01-macos-file-monitor/","summary":"Objective-See details how to create a file monitor for macOS 10.15 using Apple's Endpoint Security Framework to capture file I/O events and process information.","title":"macOS File Monitoring via Endpoint Security Framework","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-file-monitor/"}],"language":"en","title":"CraftedSignal Threat Feed — Objective-See","version":"https://jsonfeed.org/version/1.1"}