State-sponsored Mac malware easily repurposed by ex-NSA hacker

Posted:
in macOS
A former hacker for the National Security Agency has demonstrated an effective approach for malware creators to attack macOS, by repurposing code developed by state-sponsored hackers.

As with other software development projects, writing malware takes considerable effort to build software that takes advantage of exploits, so shortcuts to a finished piece of software are always sought after by those producing it. As explained by Jamf security researcher Patrick Wardle in a talk at the RSA Security conference, such shortcuts exist in malware development.

In essence, Wardle proposed taking advantage of exploits, spyware, and other code that has already been developed by major groups working on behalf of other countries, reports Ars Technica. Code developed by these teams is usually better written and less resource-intensive than home-cooked efforts, and is probably more robust as well.

"There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that's fully featured and also fully tested," said Wardle. "The idea is, why not let these groups in these agencies create malware, and if you're a hacker, just repurpose it for your own mission?"

Wardle demonstrated to attendees four Mac malware creations that have been employed in attacks over the years, which he then altered to report to command servers under Wardle's control rather than the originals. By taking command, the malware could then be used to acquire data, install payloads, or other types of activity that have already been incorporated into the malware.

Wardle suggested there could be two key benefits for hackers taking this approach. The main one is that other state-sponsored groups would be spared having to develop, or risk exposing, their own malware to accomplish a task. This would allow them to keep their own techniques and software secret for future use, minimizing detection down the line.

The second byproduct is that, if the malware is detected and analyzed, blame for the attack could be attributed to the malware's original developers and not the active users.

Comments

  • Reply 1 of 12
    georgie01 Posts: 436 member
    So how does someone get ahold of state sponsored hacking tools? Maybe I’m missing something, but it sounds like he’s saying you can just get them and repurpose them as if they’re freely available, and that doesn’t sound right.
  • Reply 2 of 12
    longpath Posts: 393 member
    georgie01 said:
    So how does someone get ahold of state sponsored hacking tools? Maybe I’m missing something, but it sounds like he’s saying you can just get them and repurpose them as if they’re freely available, and that doesn’t sound right.
    Put another way, if an official of country X claims country Y is responsible for some malware, all that may mean is that country X's three letter organizations repurposed code from country Y. As for how country X acquires country Y code, there have been a number of leaks, including from NSA. If Wikileaks can get a catalog of NSA exploits & malware, as they have done, then it stands to reason that malfeasant actors can also get copies of said code. If nothing else, there are all sorts of resources on the dark web.
    edited March 2020
  • Reply 3 of 12
    lkrupp Posts: 10,557 member
    This just reinforces the idea that government backdoors into encrypted data would be perfectly safe in the hands of bureaucrats. Nothing to worry about here. /s
  • Reply 4 of 12
    lkrupp Posts: 10,557 member
    Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.
    edited March 2020
  • Reply 5 of 12
    lkrupp said:
    Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.
    Malware typically isn't targeted at the "tech educated" users. Malware is typically targeted at "average joes", aka the general public. There's far less potential financial or informational gain to be had going after someone with sound security practices. From a criminal standpoint why not reuse known effective malware to target as many as possible? If the attack is targeted, like the article says, blame can be attributed to the malware authors. Also, if the attack is targeted I doubt the attack vector would be thwarted by Safari Tech Preview safeguards.
  • Reply 6 of 12
    lkrupp Posts: 10,557 member
    lkrupp said:
    Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.
    Malware typically isn't targeted at the "tech educated" users. Malware is typically targeted at "average joes", aka the general public. There's far less potential financial or informational gain to be had going after someone with sound security practices. From a criminal standpoint why not reuse known effective malware to target as many as possible? If the attack is targeted, like the article says, blame can be attributed to the malware authors. Also, if the attack is targeted I doubt the attack vector would be thwarted by Safari Tech Preview safeguards.
    Point taken. The Apple Discussion Forums are full of posts from users who clicked on a fake Flash installer and are out of their minds with fear and regret.
  • Reply 7 of 12
    seanismorris Posts: 1,624 member
    lkrupp said:
    Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.
    Security is a whack-a-mole problem. If you’re on a network everything is a potential problem from the CEO’s computer to the temp data entry person. Once any device gets infected it’s a lot easier to spread to another system where the person has higher level permissions, then work to elevate those permissions. The browser is the preferred target because it has the largest vulnerability footprint. The problem is, to really secure a browser you need to break the browser's functionality (like disable JavaScript).

    Usually the best we can do is keep machines as isolated as possible from each other, keep patches up to date, and monitor the network for issues (anomalies), then respond. The problem is patches often break things, so they must be tested first. That leaves a window of opportunity even if it’s not a zero day vulnerability. State sponsored hackers have resources to find zero day vulnerabilities. Also, if the NSA (for example) finds a vulnerability they’re not necessarily going to report it, and use it for their own spy toolkit. Those toolkits are valuable and seem to get sold regularly...now criminals have those tools.

    What you do and what companies (etc.) do is similar, but the end result is attempting to get the bad guys to attack someone else, by making their life more difficult (education, patching, etc.). By using the toolkits your efforts might be meaningless... then it becomes an issue of how much resources you can throw at the problem (purchasing anti-malware problems etc.) and planning on what to do when you get infected to minimize the damage. Bottom line, when dealing with state sponsored hackers and toolkits, they have much more resources than you so you better be prepared for the worst case scenario to minimize downtime. Or, you’re rolling the dice and hoping for the best...which will work until it doesn’t. From a personal perspective, you better (at least) have backups...
  • Reply 8 of 12
    sflocal Posts: 6,092 member
    lkrupp said:
    lkrupp said:
    Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.
    Malware typically isn't targeted at the "tech educated" users. Malware is typically targeted at "average joes", aka the general public. There's far less potential financial or informational gain to be had going after someone with sound security practices. From a criminal standpoint why not reuse known effective malware to target as many as possible? If the attack is targeted, like the article says, blame can be attributed to the malware authors. Also, if the attack is targeted I doubt the attack vector would be thwarted by Safari Tech Preview safeguards.
    Point taken. The Apple Discussion Forums are full of posts from users who clicked on a fake Flash installer and are out of their minds with fear and regret.
    Funny... a few days ago I had to do an emergency visit to a client who did exactly that. A lawyer, he mistyped a common court-document website by one letter and the first prompt was that his Flash was out of date. He clicked it, and was embarrassed to tell me.

    I swear, if I come across these scammers I will beat them to an inch of death for all the time and productivity we lose from their crap.
  • Reply 9 of 12
    flyingdp Posts: 45 member
    Why stop an inch from the goal line?
  • Reply 10 of 12
    bulk001 Posts: 764 member
    Sometimes the smarter the person, the easier it is to fool them. Just check the Shark Tank investor who lost 400k in a scam! Hopefully Apple is buying this malware up and finding fixes to patch them.
  • Reply 11 of 12
    digitol Posts: 276 member
    Apple "Security" is a joke. I will continue to help thwart the propagation of malware and exploitation of the Mac OS X platform as I have done for many years. That said, Apple's solutions for "security" are more trouble than they are worth. Gatekeeper, FileVault, quarantine, Rootless/CSR, are all jokes. Absolutely not the way to go. SAD.
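    Added example (not from the article or any of the commenters): a small posture check for the macOS controls raised in Reply 4 (Safari's "open safe files" option) and Reply 11 (Gatekeeper, FileVault, SIP). Each check_* function parses the raw output of the corresponding command so it can be exercised with constructed sample output on any system; it assumes `defaults read com.apple.Safari AutoOpenSafeDownloads` reflects the live Safari setting, which on newer macOS may require reading Safari's sandbox container instead.

```bash
#!/bin/sh
# Each check_* function takes command output as $1 and prints "ok" or "WEAK".
# The expected output strings below are the ones the macOS tools print.

# `defaults read com.apple.Safari AutoOpenSafeDownloads` prints 1 (enabled,
# the default) or 0. An unset key errors out, so empty input means "enabled".
check_safari_autoopen() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        0) echo "ok" ;;
        *) echo "WEAK" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled".
check_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) echo "ok" ;;
        *) echo "WEAK" ;;
    esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
check_sip() {
    case "$1" in
        *"status: enabled"*) echo "ok" ;;
        *) echo "WEAK" ;;
    esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On"*) echo "ok" ;;
        *) echo "WEAK" ;;
    esac
}

# Run the live checks only where the macOS tools exist; elsewhere just skip.
run_posture_check() {
    command -v spctl >/dev/null 2>&1 || { echo "not macOS; skipping live checks"; return 0; }
    echo "Safari AutoOpenSafeDownloads: $(check_safari_autoopen "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)")"
    echo "Gatekeeper: $(check_gatekeeper "$(spctl --status 2>&1)")"
    echo "SIP: $(check_sip "$(csrutil status 2>&1)")"
    echo "FileVault: $(check_filevault "$(fdesetup status 2>&1)")"
}

run_posture_check
```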
  • Reply 12 of 12
    chasm Posts: 3,273 member
    Aaaand this is why no backdoor is a good backdoor that only the "good guys" (HIGHLY questionable term) will use for "good" purposes.