Mac malware attack found to hide payload in advertising graphics

Posted:
in General Discussion
A new way of attacking macOS with malware has been detailed by security researchers, with malicious online advertising found to have used steganography to disguise its payload within the ad's image files, in order to fool security systems.

The results of malware-based advertising that hid code in graphic files.
The results of malware-based advertising that hid code in graphic files.


Analyzed by Confiant and Malwarebytes, an attempt to infect Macs from January 11 until January 13 was performed by a "malvertizer" dubbed "VeryMal" by the firms. It is believed that the attempted attack ad was viewed on as many as 5 million Macs during the brief period of time it was active.

To those who saw the ad, the attack went down a familiar tactic of displaying notices that the Adobe Flash Player needed to be updated, and urged users to open a file that would attempt to download in their browser, writes Confiant. Those who accepted the download and ran the malware ended up infecting their Mac with the Shlayer trojan.

While many attempts to obscure an attack via advertising fail to dupe the various protection systems in place in advertising networks and on user's desktops, the attempt is notable for hiding the payload of the attack within the visible advert itself. The graphic file had hidden code, using steganography, that required other non-malicious code to examine the image file for extraneous data, which was then used as a payload.

Specifically, the code would create a Canvas object, grab an image file from a specific URL, and define a function that checks if a specific font family is supported by the browser. If a check for Apple fonts failed, nothing would happen, but on success, the underlying data in the image file would be looped through, with each loop determining a pixel value that became an alphanumeric character. This was turned into a string and executed.

Despite containing the payload, the image itself can be viewed without harm. It is only harmful when the code is run on the file, followed by the browser being redirected to a link included in the payload.

"As malvertizing detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscaton are no longer getting the job done," writes Eliya Stein of Confiant. Noting that common JavaScript obfuscators result in a "very particular type of gibberish" that is easy to spot, Stein adds "Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables."

VeryMal had performed similar attacks in the past, including targeting Macs and iOS in December, but the latest attempt is a subtle shift for the outfit to a less detectable method.

While macOS is generally easier to protect compared against other operating systems like Windows, it is still possible for bad actors to attempt to infect or acquire data from a target system. Mac users should continue to be wary of online notices urging to install or to update software from unofficial sources, and to closely scrutinize such notices to determine if they are indeed genuine. Additionally, users should not authenticate any request from the operating system, without knowing what it is for, and why it is asking.

Malware continues to be a problem for online users, but is becoming more of an issue for those using macOS, with seemingly more frequent attempts to defeat its security being discovered. It is not only limited to advertizing-based attacks, with reports in September noting even some apps in the Mac App Store were performing malicious actions, such as extracting a user's data.

Apple itself has also come under fire from critics for failing to share definitions of existing threats with third-party antivirus companies in a timely fashion.

Comments

  • Reply 1 of 15
    MacProMacPro Posts: 19,718member
    Time for the penalty to be drastically increased.  Eternity in a cell watching Big Brother maybe?
  • Reply 2 of 15
    tbornottbornot Posts: 116member
    What is an “ad?”  Oh that’s right, I use AdBlock so I never see those pernicious snids...
    lostkiwi
  • Reply 3 of 15
    tyler82tyler82 Posts: 1,100member
    I use adblock too but ads still get through.

    Can someone tell me how to block these battery draining ads such as on this site:

    https://www.sfgate.com/local/article/Selfieville-Monterey-tickets-golden-state-theatre-13558792.php

    I'm sure there is malware festering all over the place there. 
  • Reply 4 of 15
    MplsPMplsP Posts: 3,911member
    So wait... the malware was Adobe Flash, right?
    xTenderlostkiwibaconstang
  • Reply 5 of 15
    davendaven Posts: 696member
    MplsP said:
    So wait... the malware was Adobe Flash, right?
    No. An image from an ad has some code in it which puts up a message telling the user that they need to update Flash and sends them to a third party site for the 'update'. Because people fall for this, some users allow the execution which installs the malware. I removed Flash a long time ago so I ignore such requests.
    minicoffeelostkiwi
  • Reply 6 of 15
    So a user needs to be dumb enough to install this - so not like the thousands of Windows viruses that self-install.
  • Reply 7 of 15
    docno42docno42 Posts: 3,755member
    More reasons to Adblock on device, on the network with solutions like pi-hole, etc.
    lostkiwi
  • Reply 8 of 15
    I’ve been hacked my epics account (Fortnite) 
    My gmail keep having unknown phone devices try to log in account tired of this bs 
  • Reply 9 of 15
    macguimacgui Posts: 2,350member
    So a user needs to be dumb enough to install this
    Like 99.99% of the various exploits 'out there'. Reminds me of an old Tower of Power song – Social Engineering.
  • Reply 10 of 15
    Another reason I’m glad I dumped Flash...since I no longer use it, I would have no reason to update it.
  • Reply 11 of 15
    MplsPMplsP Posts: 3,911member
    daven said:
    MplsP said:
    So wait... the malware was Adobe Flash, right?
    No. An image from an ad has some code in it which puts up a message telling the user that they need to update Flash and sends them to a third party site for the 'update'. Because people fall for this, some users allow the execution which installs the malware. I removed Flash a long time ago so I ignore such requests.
    Sorry I was being sarcastic - since flash is pretty close to malware in many people’s view
  • Reply 12 of 15
    MplsPMplsP Posts: 3,911member

    macgui said:
    So a user needs to be dumb enough to install this
    Like 99.99% of the various exploits 'out there'. Reminds me of an old Tower of Power song – Social Engineering.
    benji888 said:
    Another reason I’m glad I dumped Flash...since I no longer use it, I would have no reason to update it.
    Unfortunately, I still need flash for a work-related web site. I think it’s the only site around that still uses it. 

    The problem is, messages about updating Flash are so common that  the message is completly believable if you aren’t careful and think about the context in which it popped up.
  • Reply 13 of 15
    mpantonempantone Posts: 2,033member
    This is why I have been using ad blockers for 15-20 years. Web browsers are one of the most vulnerable applications on any connected device.

    Even major websites with purportedly "good" security teams have unwittingly served up malware. Even if you "like" a particular website, you cannot trust the operator to guarantee safe usage.

    Using ad blockers for security reasons is unassailable.
    lostkiwibaconstang
  • Reply 14 of 15
    welshdogwelshdog Posts: 1,897member
    Ad blockers prevent me from using many websites. I gave up on them for this reason.

    I never update Flash except by manually typing in adobe.com in Safari and navigating to the Flash update page.
    Similar to the ad blocker issue, I keep Flash because it's still widely in use. Hopefully not for much longer.

    I do wish there was an organization solely dedicated to apprehending these people. Not current law enforcement, something new and specifically tasked to catching hackers and malware creators.
    baconstang
  • Reply 15 of 15
    welshdog said:
    Ad blockers prevent me from using many websites. I gave up on them for this reason.

    I've never had Flash on my 2016 MBP and never will.
    I also use adblockers (Adguard in my case)
    Any site that demands I use flash I...
    - give them the finger and go elsewhere
    OR
    - Change my browser so that it appears to be using IOS. This is only if I really need to visit that site.

    Most of the time I use the first option. Flash is both Malware and an agent of malware and I refuse to use it.

    Eventually the sites that rely on this POS will realise that their traffic is dropping and fix their site but I really don't hold out much hope.
Sign In or Register to comment.