Security

Booby-trapped Sites Delivered Potent New Backdoor Trojan To macOS Users (arstechnica.com)

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website. From a report: The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include: victim device fingerprinting, screen capture, file download/upload, terminal command execution, audio recording, and keylogging. Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy -- as well as the exploit chain used to install it -- is impressive. It also doesn't appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual. "First, they seem to be targeting Macs only," Eset researcher Marc-Etienne M.Leveille wrote in an email. "We haven't seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant."
  • Why not tell us... (Score:5, Insightful)

    by dark.nebulae ( 3950923 ) on Thursday January 27, 2022 @03:37PM (#62212803)

    Why just post about the exploit and its unique Mac target?

    Why not tell us how you get infected and how you avoid it?

    • Looks like it exploits Safari versions prior to 14.1, and macOS 10.15.2 and newer, and supposedly this patch [github.com] from over a year ago fixes it. But there might be newer versions of the exploit.
      • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 27, 2022 @04:20PM (#62212959) Homepage Journal

        Unfortunately Apple's approach to backwards compatibility (fuck it) means lots of Apple users can't upgrade or they lose access to software.

    • by vlad30 ( 44644 )
      "there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong"

      The article is fairly detailed, with further info in a link at the end. Without saying exactly who it is, it's not hard to guess the organisation who wrote it. Also, the fact that it targets versions that are at least 1 year old suggests Apple's recent investment in China has reaped its first reward.

  • Here's how to check (Score:5, Informative)

    by SuperKendall ( 25149 ) on Thursday January 27, 2022 @03:37PM (#62212805)

    You had to follow that Slashdot link, to secondary link [welivesecurity.com], that actually had the "indicators of compromise" to look for (that link also has more detail on how the compromise works).

    But, a brief summary of some files to look for that indicate potential compromise include:

    $HOME/Library/LaunchAgents/com.apple.softwareupdate.plist
    $HOME/.local/softwareupdate
    $HOME/.local/security.zip
    $HOME/.local/security/keystealDaemon
    $HOME/.local/security/libkeystealClient.dylib

    (at least that's what the article says). It also has a few other things.
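    One way to turn that list into a repeatable check, as an added example that is not part of SuperKendall's comment or of ESET's write-up: a small POSIX shell script that looks for each of the listed paths under a home directory and reports what it finds. The five paths are copied from the comment above; the function names, the output format, and the remark about where Apple keeps its own launch agents are assumptions of this example. It only tests for these specific file paths, so a clean result says nothing about variants that use different names.

```sh
#!/bin/sh
# Added example: check a macOS home directory for the DazzleSpy file paths
# listed in the comment above (the ESET indicators of compromise).
# Function names and output format are this example's own, not ESET's.
#
# Usage: sh check_dazzlespy.sh [HOME_DIR]    # HOME_DIR defaults to $HOME

# Indicator paths relative to the home directory, exactly as listed above.
# Note that Apple installs its own com.apple.* launch agents under
# /System/Library/LaunchAgents, so a com.apple.* plist in a user's own
# ~/Library/LaunchAgents is unusual on its own.
DAZZLESPY_PATHS='Library/LaunchAgents/com.apple.softwareupdate.plist
.local/softwareupdate
.local/security.zip
.local/security/keystealDaemon
.local/security/libkeystealClient.dylib'

# list_indicators DIR: print each listed path that exists under DIR, one per
# line. The list is fed through a here-document so the loop runs in the
# current shell (piping into `while` would put it in a subshell).
list_indicators() {
    base="$1"
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$base/$rel" ] || [ -L "$base/$rel" ]; then
            printf '%s\n' "$base/$rel"
        fi
    done <<EOF
$DAZZLESPY_PATHS
EOF
}

# count_indicators DIR: number of listed paths present under DIR.
count_indicators() {
    list_indicators "$1" | wc -l | tr -d ' '
}

# check_home DIR: human-readable report. Exit status 0 means none of the
# listed paths is present, 1 means at least one is, so the function
# composes with `if` and `&&` in other scripts.
check_home() {
    base="$1"
    n=$(count_indicators "$base")
    if [ "$n" -eq 0 ]; then
        echo "no DazzleSpy indicator paths under $base"
        return 0
    fi
    echo "$n DazzleSpy indicator path(s) under $base (preserve for analysis before removing):"
    list_indicators "$base" | sed 's/^/  /'
    return 1
}

# Run against the directory given on the command line, or the caller's home.
check_home "${1:-$HOME}"
```

    Run it as your own user against `$HOME` (or point it at another account's home directory with sufficient rights); a non-zero exit status makes it easy to wire into a fleet-wide check where the hit list is collected rather than acted on immediately.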

  • by mmell ( 832646 ) on Thursday January 27, 2022 @03:40PM (#62212819)
    I'm not sure why the Webkit engine can access kernel space. Does it run as root, or does it have some role-based access to the kernel?

    I see Apple got it patched tout de suite, kudos. So, back to that question of how does what should be a user process get this kind of access to kernelspace?

    • I'm not sure why the Webkit engine can access kernel space. Does it run as root, or does it have some role-based access to the kernel?

      Nope, just a classic privilege escalation bug in Mach handling of ports, more details here (linked to from the Slashdot article linked to).

      Search for "adjust_port_type".

  • The level of moral detachment coupled with well-trained professionalism is quite disturbing.

    • by XXongo ( 3986865 ) on Thursday January 27, 2022 @04:22PM (#62212969) Homepage
      I'm puzzled by the article failing to credit the originators.

      The article says Google "believe this threat actor to be a well-resourced group, likely state-backed"...

      Yeah, right.
      1. It was specifically targeted to people interested in a site "Democracy for Hong Kong",
      2. When it contacts home base to send information on a compromised computer, it sends the time in Chinese Standard Time. (Ref: https://www.welivesecurity.com... [welivesecurity.com] )
      3. username wangping appears in paths embedded in the binary (same reference)

      I think you might reasonably give credit to China for this exploit.

    • "One man's villain is another man's hero, Captain."
      – Dukat, 2373 ("By Inferno's Light")

  • by dark.nebulae ( 3950923 ) on Thursday January 27, 2022 @04:06PM (#62212899)

    From TFA:

    While advanced and potentially dangerous, there’s no evidence DazzleSpy is targeting anyone other than those visiting sites advocating for democracy in Hong Kong. That means readers should remember the chances of being infected are extremely low for everyone else.

    • by XXongo ( 3986865 )
      Yeah, right, because of course if they build a weapon to attack one group, it's impossible for them to use it against anybody else.
      </sarcasm>
  • It just works!
    • Engineered for security!
    • It just works!

      It does! Until it doesn't!

      I recently put a new HDD into an old 27" iMac, in which the old drive was very, very sick. It would boot the main OS, but not recovery. Managed to get a Time Machine backup after 19 hours. Did the thing with the suction cups and the torx screws in strange places and the thermal sensor, got the new drive in there. Simply do the internet recovery, which is supported on this model, and... oops! You have to upgrade the SMC, by upgrading your OS, to get that function to work. OK,

      • by gtall ( 79522 )

        "Being Apple, it's probably browser-independent too, since aren't all browsers on Apple basically using the same engine?"

        I think that is true for IOS, but not for MacOS.

        • It is indeed true for iOS but not for macOS.

          On the other hand, there's only really three rendering engines left on macOS:
          - WebKit (Safari)
          - Blink (Chrome, Edge, Opera)
          - Gecko (Firefox)

          And since Blink is a (now distant) fork of WebKit, they do share some percentage of code, so there's really only two-and-a-half rendering engines when you think about it.

  • Everyone's shit on Windows so much that even the hackers have bought the line, and aren't even bothering, since 'everyone' is apparently on a Mac or something else.

    Windows is going to become the safest OS!

    • I think it's more like all the Win machines have already been hacked, so no challenge there ;-)

    • ...since 'everyone' is apparently on a Mac or something...

      Considering the numbers Apple released today you might think that's the case.

  • I know, they mean OS X, But it would be like saying they found a new Flaw in DOS, or perhaps NT

    • by CompMD ( 522020 )

      OS X has not been around for a few years; it has been called macOS lately. Importantly, it's not version 10 (X) anymore: Big Sur was 11, and Monterey is 12.

    • They did not mean OS X, because that's not been the name of the Mac operating system for seven years now: https://en.wikipedia.org/wiki/... [wikipedia.org]

      Mac OS = System 9 and below (1984 to 1999, now also known as "Classic Mac OS")
      Mac OS X = Versions 10.0 to 10.7 (2001 to 2011)
      OS X = Versions 10.8 to 10.11 (2012 to 2015)
      macOS = Versions 10.12 and up (2016 and up)

      • And as CompMD mentions, it's not macOS 10.x anymore, they stopped the 10.x number version at 10.15 with Catalina, the next one was macOS 11 Big Sur and we're now at macOS 12 Monterey. I wonder where that decision comes from and if it was triggered by Microsoft jumping ahead to Windows 10 at the time.

  • TFA mentions it appeared only to target pro-democracy sites in Hong Kong. If true, that is a pretty directed attack. I would infer from that there were some specific persons they were targeting and knew the targets used Macs. Of course, that doesn't mean it can't be recycled, although Apple apparently has patched the exploit.
  • This is an excellent reason to browse from a VM running TOR and maybe a TAILS ISO. Keeps the host system from getting infected, and everything is transient.
