New Mac malware from Iran targets US defense industry, human rights advocates with fake Fl...

Posted in Mac Software
Security researchers have discovered new macOS malware called 'MacDownloader,' believed to have been created by Iranian hackers to attack individuals and companies involved in the US defense industry.

Claudio Guarnieri and Collin Anderson, researchers analyzing online threats stemming from Iran, discovered the malware on a site that impersonated the US aerospace firm "United Technologies Corporation." The site -- which referenced Lockheed Martin, Sierra Nevada Corporation, and Boeing -- claimed to offer "Special Programs and Courses" in an attempt to attract potential defense targets.

The fake site was previously used as part of an earlier spearphishing attempt, which tried to spread Windows malware to victim systems. The host, thought to be "maintained by Iranian actors," has also been used for other phishing attempts, with fake sites for a dental office and a U.S. Air Force training page created for the attacks.

Visitors to the current fake site would be provided with malware for either Windows or macOS, depending on the detected operating system. In MacDownloader's case, it creates a fake Adobe Flash Player dialog that offers to update the Flash player, or to close the window.


Upon accepting the update, a second dialog would appear, claiming to be an "Adware Removal Tool by Bitdefender," and offering to search for adware. The researchers suggest MacDownloader was originally designed as a fake virus removal tool, but was repackaged as a fake Flash Player update as part of another social engineering effort.

Once installed, the malware attempts to harvest data from the infected Mac, sending the user's Keychain to the attacker's server among other items. The malware can also prompt a fake System Preferences dialog to try and acquire the username and password, which can then be used to access the encrypted Keychain data.

The researchers note that the code is "poorly developed" and is likely the "first attempt from an amateur developer." Aside from spelling and grammar issues, and the switch from Flash to Bitdefender between the dialog boxes, the code behind the malware appears to have been copied from other sources, such as a "cheat sheet" snippet for the simple task of downloading a remote file.

The code also reveals the developer initially intended to install a persistent process, one that would have been able to automatically run at start up, download a file, and run new commands. The "poorly-implemented shell script" is unused by the malware, with remote server calls using Apple's Core Services framework instead.

"Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work," the researchers write. "Instead, MacDownloader is a simple exfiltration agent, with broader ambitions."

Aside from targeting the US defense industry, the malware has also reportedly been used to attack a human rights advocate, suggesting the malware could be used to attack other communities that may be of interest to state-sponsored hackers in the future.

While Windows is considered the main target for malware attacks, due to its high usage by companies and individuals, the researchers note communities such as those involved in human rights and security tend to use Apple devices instead. Anecdotally, the researchers claim these communities focused on activities in Iran are "strongly dependent on Apple devices."

The status of Mac as a minority platform compared to Windows does provide some level of protection from attacks, though more is also being done to thwart such efforts. Taking a cue from Google and other tech companies, Apple started a bug bounty program last year, offering rewards to those who find weaknesses in the company's operating systems.

Comments

  • Reply 1 of 23
    ireland Posts: 17,798 member
    This thread is about to become political
  • Reply 2 of 23
    rob53 Posts: 3,241 member
    Another reason to not install Flash. Come on Adobe, you know your software is the (current) largest method of spreading malware. Do something about like shutting it down.
  • Reply 3 of 23
    williamh Posts: 1,032 member
    Security researchers have discovered new malware for macOS called 'MacDownloader,' which is believed to have been created by Iranian hackers to try and attack individuals and companies involved in the US defense industry.

    I love how they spelled "Chrime." I assume that is pronounced "Crime." And "maybe will automatically closed." LOL!
  • Reply 4 of 23
    neilm Posts: 985 member
    As if the real Flash were not bad enough, now we have something falsely claiming to be it.
  • Reply 5 of 23
    macxpress Posts: 5,801 member
    ireland said:
    This thread is about to become political

    Due to the political nature of this article, all comments have been disabled and the forum thread closed. Feel free to visit our Political Outsider forum to discuss this and other political topics. :wink: 
  • Reply 6 of 23
    macxpress Posts: 5,801 member
    Flash can't die fast enough! 
  • Reply 7 of 23
    eightzero Posts: 3,056 member
    macxpress said:
    ireland said:
    This thread is about to become political

    Due to the political nature of this article, all comments have been disabled and the forum thread closed. Feel free to visit our Political Outsider forum to discuss this and other political topics. :wink: 
    But but but...free speech rights! Oppression! Where's sog to save us?

    Sad!

    rob53 said:
    Another reason to not install Flash. Come on Adobe, you know your software is the (current) largest method of spreading malware. Do something about like shutting it down.
    My macs are all flash free zones. 
    edited February 2017
  • Reply 8 of 23
    thedba Posts: 762 member
    rob53 said:
    Another reason to not install Flash. Come on Adobe, you know your software is the (current) largest method of spreading malware. Do something about like shutting it down.
    Or if you must install flash, go directly to adobe.com and do it from there. 
  • Reply 9 of 23
    macxpress Posts: 5,801 member
    rob53 said:
    Another reason to not install Flash. Come on Adobe, you know your software is the (current) largest method of spreading malware. Do something about like shutting it down.

    Well sometimes you just don't have a choice. 
  • Reply 10 of 23
    I really think that it is time that Adobe starts pushing its software and updates through the AppStore and that will remove this particular issue altogether. 
  • Reply 11 of 23
    volcan Posts: 1,799 member
    I really think that it is time that Adobe starts pushing its software and updates through the AppStore and that will remove this particular issue altogether. 
    It doesn't make a bit of difference what Adobe may or may not do, stupid people will still click on the fake updater button.
  • Reply 12 of 23
    irnchriz Posts: 1,616 member
    If you are dumb enough to fall for this you should pack up all of your computers and return them as you are just a liability :smiley: 
  • Reply 13 of 23
    flaneur Posts: 4,526 member
    Based on the run-up to the Iraq invasion in 2003, we should be wary of accepting this story at face value. (E.g., the fake uranium yellowcake letter.)

    In fact, the grammar and spelling mistakes are so crude, it seems to be too obviously designed to be discovered as malware.

    It's possible that this is a fake malware "plot" meant to incriminate Iran as part of a new neocon plan to drum up support for military action against Iran. The watchwords in times like these: "healthy skepticism," which dupes label "paranoia."
    edited February 2017
  • Reply 14 of 23
    flaneur Posts: 4,526 member
    ireland said:
    This thread is about to become political
    As well it should; see my post above. Maybe you meant it in another way? Please elaborate.
  • Reply 15 of 23
    volcan Posts: 1,799 member
    flaneur said:
    Based on the run-up to the Iraq invasion in 2003, we should be wary of accepting this story at face value. (E.g., the fake uranium yellowcake letter.)

    In fact, the grammar and spelling mistakes are so crude, it seems to be too obviously designed to be discovered as malware.

    It's possible that this is a fake malware "plot" meant to incriminate Iran as part of a new neocon plan to drum up support for military action against Iran. The watchwords in times like these: "healthy skepticism," which dupes label "paranoia."
    If you bothered to read the original article on Github you would discover the legitimacy of Claudio Guarnieri and Collin Anderson's research including revealing strings in the code as well as the IP addresses of the hacker servers. If your so-called Neocons have control of Github, we are in real trouble.
    edited February 2017
  • Reply 16 of 23
    thedba said:
    Or if you must install flash, go directly to adobe.com and do it from there. 
    That should be standard operating practice for anything, from software updates to supposed email notices from bank or credit card companies. A healthy dose of paranoia isn't such a bad thing in today's online world.
  • Reply 17 of 23
    flaneur Posts: 4,526 member
    volcan said:
    flaneur said:
    Based on the run-up to the Iraq invasion in 2003, we should be wary of accepting this story at face value. (E.g., the fake uranium yellowcake letter.)

    In fact, the grammar and spelling mistakes are so crude, it seems to be too obviously designed to be discovered as malware.

    It's possible that this is a fake malware "plot" meant to incriminate Iran as part of a new neocon plan to drum up support for military action against Iran. The watchwords in times like these: "healthy skepticism," which dupes label "paranoia."
    If you bothered to read the original article on Github you would discover the legitimacy of Claudio Guarnieri and Collin Anderson's research including revealing strings in the code as well as the IP addresses of the hacker servers. If your so-called Neocons have control of Github, we are in real trouble.
    Quite right, I might better have read the original Github article. The Iranian links seem many and real. 

    My theory must be judged "paranoid." Guilty as charged, but still a sign of the times. 

    By the way, the false-flag theory would not necessarily mean that Github or G & A were involved at all. They could be fooled as well by a well-executed operation, just as the real source of the yellowcake letter has never been fingered convincingly. But since it's Iran we're dealing with here, it's hard to conceive an ongoing false operation coming from inside the country, as the article outlined.
  • Reply 18 of 23
    MplsP Posts: 3,911 member
    Totally agree - the worst part about OS X is having to install Flash. Unfortunately I have several sites that I have to use and require flash, so the best I can do is have Safari block it by default and only turn it on for sites when I have to. 

    I try to be careful about updating/installing software, but it seems like I get a pop up to update flash about 3 times a week; they come up so often that you start automatically clicking on them without thinking, so I can see how someone would get caught by this. The big red flag is the adware scan - that's a sure sign of malware.
  • Reply 19 of 23
    coolfactor Posts: 2,239 member
    irnchriz said:
    If you are dumb enough to fall for this you should pack up all of your computers and return them as you are just a liability :smiley: 

    But that's exactly the problem. People will fall for this, especially seniors and kids.
  • Reply 20 of 23
    I haven't seen this particular one. But can y'all give quick recommendations on what anti-virus programs you use on your Macs? Thanks!