State-sponsored Mac malware easily repurposed by ex-NSA hacker
A former hacker for the National Security Agency has demonstrated an effective approach for malware creators to attack macOS, by repurposing code developed by state-sponsored hackers.

As with other software development projects, creating malware typically requires a lot of effort to build software that takes advantage of exploits, so shortcuts to a completed piece of software are always sought after by those producing it. As explained by Jamf security researcher Patrick Wardle in a talk at the RSA Security conference, there are shortcuts available in malware development.
In essence, Wardle proposed taking advantage of exploits, spyware, and other code that has already been developed by major groups working on behalf of other countries, reports Ars Technica. The code developed by these teams is usually better and not as resource-intensive as other home-cooked efforts, and is probably more robust as well.
"There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that's fully featured and also fully tested," said Wardle. "The idea is, why not let these groups in these agencies create malware, and if you're a hacker, just repurpose it for your own mission?"
Wardle demonstrated to attendees four Mac malware creations that have been employed in attacks over the years, which he then altered to report to command servers under Wardle's control rather than the originals. By taking command, the malware could then be used to acquire data, install payloads, or other types of activity that have already been incorporated into the malware.
It is suggested there could be two key benefits for hackers in taking this approach. The main one is that other state-sponsored groups could avoid having to develop, or risk exposing, their own malware to accomplish a task. This would allow them to keep their own techniques and software secret for use in the future, minimizing detection down the line.
The second byproduct is that, if the malware is detected and analyzed, blame for the attack could be attributed to the malware's original developers and not the active users.
Comments
What you do and what companies (etc) is similar, but the end result is attempting to get the bad guys to attack someone else, by making their life more difficult (education, patching, etc.). By using the toolkits your efforts might be meaningless... then it becomes an issue of how much resources you can throw at the problem (purchasing anti malware problems etc.) and planning on what to do when you get infected to minimize the damage. Bottom line, when dealing with state sponsored hackers and toolkits, they have much more resources than you so you better be prepared for the worst case scenario to minimize downtime. Or, you’re rolling the dice and hoping for the best...which will work until it doesn’t. From a personal perspective, you better (at least) have backups...
I swear, if I come across these scammers I will beat them to an inch of death for all the time and productivity we lose from their crap.