Malware Discovered That Can Control a Mac’s Webcam and Keyboard, But It’s Old and Possibly Abandoned

Earlier this year, researchers from security firm Malwarebytes discovered a piece of Mac malware called Fruitfly that reportedly spied on computers in medical research centers for years before being detected. Apple has since updated macOS to automatically detect the malware, safeguarding users.


However, a new variant of the Fruitfly malware has recently been discovered by Patrick Wardle, a researcher with security firm Synack. Wardle said the malware has been targeting Macs for at least five years, with the number of infected Macs totaling nearly 400 and possibly much higher, reports Ars Technica.

The malware can supposedly capture screenshots, keystrokes, webcam images, and other info about each infected Mac. The Fruitfly variant also collects information about devices connected to the same network, according to the report.

Wardle said the method of infection remains unknown, but he suspects it involves tricking users into clicking on malicious links, as opposed to exploiting vulnerabilities in apps or in macOS. He added that the primary command-and-control server used by the malware's creators has since been shut down.

Many of the affected Macs have never been disinfected, however, allowing Wardle to create his own custom command-and-control server for the malware and witness the close to 400 infected machines connect to it.
After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.
Wardle will provide a briefing about his custom command-and-control server tactics on Wednesday at the Black Hat security conference in Las Vegas.

Since the method of infection is unknown, there aren't many specific steps users can take to ensure they're protected. But, given all domains known to be associated with the malware are no longer available, and the limited number of Macs infected beforehand, most users shouldn't be too worried about this malware.

One option Mac users have is to install OverSight, a free software tool that monitors a Mac's microphone and webcam, alerting the user when the internal microphone is activated, or whenever a process accesses the webcam.

Wardle has reported all of his findings to law enforcement officials, and the threat is likely neutralized, according to the report.

Tag: malware

Discuss this article in our forums

New Mac Malware Discovered on Dark Web as Security Experts Remind Mac Users Not to Be ‘Overconfident’

Two new pieces of malicious software aimed at Mac computers have been discovered on the Dark Web, offered through Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) portals and estimated to have been up for around the past three weeks, beginning May 25. Originally spotted by Bleeping Computer, the two portals offer software called "MacSpy" and "MacRansom" as services for potential buyers, as well as any future support that may be needed for the malware (via Motherboard).

Both portals are the work of the same malware developer, but security firms Fortinet and AlienVault described the person behind the scheme as an "inexperienced coder," pointing towards issues like the lack of digitally signed files, meaning the security measures on a standard installation of macOS would still be alerted to the malware. The researchers called MacSpy the "better-coded tool," but said MacRansom was more dangerous since it "has the potential to permanently wreck user files," if users of malicious intent ever wielded it.



Thankfully, the process by which crooks would have to go about getting either MacSpy or MacRansom will likely prevent either piece of malware from spreading. Both portals are described as "closed" offerings, meaning anyone wanting to actually purchase the services off the Dark Web would have to contact the author to receive demo packages, and then directly negotiate payment. As such, "none of these two appear to be part of any active distribution campaigns."

All the same, as Mac-focused security researcher Patrick Wardle told Motherboard, the increasing intent of cyber criminals to infect Apple's computers is "kind of a milestone." Security reporter Ruben Dodge said that macOS and iOS have so many "less technical people" using the software that it's simply too "ripe" of a target for criminals not to take notice. Although MacRansom and MacSpy aren't expected to take off in that way, Dodge said "it's only a matter of time" before another piece of malware or ransomware does.
Ruben Dodge: "There's an ideological shift for Mac and iPhone as being seen as the more friendly OS for older people. [...] It is a market that will be targeted. There are too many less technical people using it not to make it a 'ripe' target for threat actors."

Patrick Wardle: "Apple continues to improve the security of them," Wardle said. "But Mac users should just be cautions, should not be not be overconfident, and should not assume that just because they're using a Mac they're inherently safe."
Malware attacks on Mac computers were up 744 percent in 2016, although that percentage was largely weighted due to adware bundling in software on MacBooks and iMacs, which is far less alarming than any potential wide-scale malware purchased by a criminal on the Dark Web. Still, Bleeping Computer pointed out in its report that Mac ransomware in particular -- which holds user data ransom until a fee is paid -- has been steadily growing over the past year.

The number of Macs has grown, and so has the number of Mac-targeting malware. The launch of MaaS portals, even if hard to use and engage with as MacSpy and MacRansom, will drive more crooks towards the Mac userbase, and will lower the entry bar for some individuals and groups that had no previous experience with creating Mac malware.
As a rule of thumb, in order to stay safe users should only download apps and programs from Apple's own Mac App Store, and if an app is available only on a third-party website the developer behind the software should be trusted. Although Apple has long advertised the Mac as a truly anti-virus and anti-malware machine, Wardle reminds Apple fans to remain vigilant online: "Mac users...should not be overconfident, and should not assume that just because they're using a Mac they're inherently safe."

Tag: malware

Discuss this article in our forums

Source Code for Several Panic Apps Stolen via HandBrake Malware Attack

In early May, a mirror download server hosting popular Mac transcoder app HandBrake was hacked, and the legitimate version of HandBrake was replaced with a version infected with OSX.PROTON, a remote access trojan giving hackers root-access privileges to a Mac.

In a blog post shared today, Panic Inc. developer and co-founder Steven Frank said he downloaded the infected version of HandBrake, which led to the theft of much of the source code behind Panic's apps. Panic offers several apps, including web editor Coda, FTP app Transmit, SSH client Prompt, and Firewatch, an adventure game.


Hackers accessed Frank's computer through the infected HandBrake software and were able to obtain his usernames and passwords, including login information for Github. Several source code repositories were cloned by the attackers, who have demanded "a large bitcoin ransom" to stop the release of the source code, a ransom Panic does not intend to pay.

While Panic's source code has been stolen, the company says that a careful review of its logs indicates that the theft was the extent of the damage - the hacker did not access customer information or Panic Sync Data.
- There's no indication any customer information was obtained by the attacker.
- Furthermore, there's no indication Panic Sync data was accessed.
- Finally, our web server was not compromised.

(As a reminder, we never store credit card numbers since we process them with Stripe, and all Panic Sync data is encrypted in such a way that even we can't see it.)
According to Panic, the source code for the apps could potentially be used by hackers to create malware-infected builds of the company's apps, so users should be vigilant and download Panic apps only from the company's website or the Mac App Store.

Panic has been in contact with both the FBI and Apple. Apple's security team is "standing by to quickly shut down any stolen/malware-infested versions" of Panic apps that are discovered, while the FBI is actively investigating the attack.

Panic is asking customers to notify the company of any unofficial or cracked versions of Panic apps that are discovered in the wild, as any such content is likely infected with malware.


Discuss this article in our forums

Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack

The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist


  • rm -rf ~/Library/RenderFiles/activity_agent.app


  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)


Discuss this article in our forums

Windows ‘Snake’ Malware Ported to Mac, Imitates Adobe Flash Player Installer

Well-known Windows backdoor malware "Snake" has been ported to the Mac for the first time, according to MalwareBytes. Described as "highly-sophisticated," Snake (also called Turla and Uroburos) has been infecting Windows systems since 2008 and was ported to Linux systems in 2014 before making its way to the Mac.

The Snake malware was found earlier this week in an installer masquerading as Adobe Flash Player, buried inside a file named "Install Adobe Flash Player.app.zip." It is designed to look like a legitimate Adobe Flash installer, but is signed by an illegitimate certificate.


It does, actually, install Adobe Flash Player, but it is accompanied by additional software that is malicious and designed to provide a backdoor into the Mac. The malicious files are well hidden in the /Library/Scripts/ folder and disguised as an Adobe launch process.
In all, this is one of the sneakier bits of Mac malware lately. Although it's still "just a Trojan," it's a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.
Apple already revoked the certificate that the Snake malware was using to infect Mac machines, but another iteration could pop up, so Mac users should be aware of the possibility.

Those infected by Snake are vulnerable to having data stolen, including login information, passwords, and unencrypted files.

To avoid malicious software, Apple recommends downloading content only from the Mac App Store or from trusted developers.

Tag: malware

Discuss this article in our forums

Malware Attacks on Macs Up 744% in 2016, Mostly Due to Adware

Malware attacks on Macs were up 744 percent in 2016, according to the latest Threat Report shared by McAfee Labs [PDF]. Mac users don't need to be overly alarmed, though, because much of that huge jump can be attributed to adware bundling. macOS malware samples jumped up 245 percent in the fourth quarter of 2016 alone just from adware.

Adware, while irritating, is less alarming than true malware attacks that can hijack a machine or render it unusable.


McAfee says it discovered 460,000 malware samples on Mac machines, a huge increase over 2015 numbers, but still just a small portion of overall malware out in the wild. According to McAfee, there were more than 630 million total instances of malware last year.


While most of the surge in Mac malware was adware, we've still heard about some alarming Mac-based attacks over the course of the last year, including ransomware distributed via trusted BitTorrent client Transmission, Backdoor.MAC.Eleanor, Xagent, which could steal passwords and iPhone backups, and more.

Mac users who want to avoid malware and adware should only download software from trusted developers and directly from the Mac App Store, which should keep Mac machines relatively safe.

Tag: malware

Discuss this article in our forums

This Android malware is hacking into your Google account to install apps

Https%3a%2f%2fblueprint-api-production.s3.amazonaws.com%2fuploads%2fcard%2fimage%2f302314%2fap_917826219528

Feed-twFeed-fb

Your Google accounts could have been compromised if you own a Android phone, thanks to a new malware variant known as “Gooligan.”

The malware has infected more than 1 million accounts, according to research released Wednesday from cyber security company Check Point, and that figure is growing by a massive 13,000 devices per day.

In August, Gooligan emerged as a complex malware that infects devices after users download apps from third party stores. It was originally related to a malicious app from 2015 named SnapPea. 

The malware steals authentication tokens that can be used to access data from Google Play, Gmail, Google Docs, Google Drive and more. The malware installs certain apps on a user’s phone and highly rates them. Its main mission is to install adware to generate revenue for those apps, reportedly raking in as much as $320,000 a month. Read more…

More about Gooligan, Malware, Hack, Apps, and Android

San Francisco transit hack hints at possible attacks to come

Https%3a%2f%2fblueprint-api-production.s3.amazonaws.com%2fuploads%2fcard%2fimage%2f298941%2f3ad5483bf58b45ddb6033419733eba95

Feed-twFeed-fb

The start of this news story reads like a typical vaguely futuristic plot from a movie that isn’t hard to imagine coming to a theater near you. 

First, a hacker breaks into the fare system of the San Francisco Municipal Railway on Friday. Unable to immediately regain control of the system, railway officials allow free rides until further notice. Then the hacker demands a ransom to stop the attack, but officials release a statement on Sunday saying the situation is “contained,” and things are soon mostly back to normal. 

More about Malware, Ransomware, Ransom, Hacker, and Attack