Macs

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The result is a malicious binary named unioncryptoupdated that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars’ worth of cryptocurrencies from exchanges in an attempt to fund the country’s nuclear weapons development programs.

Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

“As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).”

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

Patrick Wardle

While fileless infections are a further indication that Lazarus is growing increasingly more adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning to the right.

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.

Silent Mac update nukes dangerous webserver installed by Zoom

Pedestrians use crosswalk in large metropolis.

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required of end users. The update was first reported by TechCrunch.

Apple’s update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join. Previously, clicking on a link—or even encountering a link hidden in a malicious website—automatically opened Zoom and put them into the conference. Zoom developers came under criticism for this behavior as well, because it had the potential to catch users off-guard and expose them to hackers.

Apple occasionally issues silent updates to block malware that’s actively circulating on the Internet. It’s less common for the company to issue silent updates that block or remove something installed by an app users installed by choice. The Apple representative said the company took this action to protect users against risks posed by the webserver. The Zoom app is installed on about 4 million Macs, researcher Jonathan Leitschuh estimated.

Representatives from Zoom didn’t respond to an email seeking comment for this post.