Adware has traditionally been the most widespread type of macOS malware, but cryptojacking, a stealthy and large-scale crypto-mining scheme, is becoming increasingly prevalent. Given that crypto-mining requires a significant amount of processing power, it is likely that the ongoing advancements in Apple ARM processors will make macOS devices even more attractive targets for cryptojacking. While cryptojacking itself is not a new concept, this particular variant employs some novel tactics.

This malware makes use of the Invisible Internet Project (i2p) for communication. i2p is a private network layer that anonymizes traffic, making it a less noticeable alternative to Tor. This malware uses i2p to download malicious components and to send mined currency to the attacker's wallet.

While searching for other examples of malware that use i2p routing, we found that the techniques of this sample were similar to those reported by Trend Micro in February 2022. Despite the similarities, there were still discrepancies and unanswered questions, such as why this particular sample went undetected by all vendors on VirusTotal even though the malware family had already been documented. In their report, Trend Micro speculated that the Mach-O sample may have arrived in a DMG package for Adobe Photoshop CC 2019. However, they were unable to find the DMG itself. Given that we were seeing a very similar scenario play out with Final Cut Pro, we also wanted to identify where this malware was coming from.

In an attempt to pinpoint the source of the malware, we turned to a Pirate Bay mirror and searched for torrents of Final Cut Pro. We downloaded the most recent torrent with the highest number of seeders and checked the hash of the application executable. It matched the hash of the infected Final Cut Pro we had discovered in the wild. After a thorough analysis of the DMGs from the torrent uploads, we discovered that the uploader was the source of the malware we found, and we also confirmed that uploader to be the source of the previously reported samples.

We observed that the torrent was uploaded by a user with a years-long track record of uploading pirated macOS software torrents, many of which were among the most widely shared versions for their respective titles:

Furthermore, we found that virtually every one of the dozens of uploads, which began in 2019, was compromised with a malicious payload to surreptitiously mine cryptocurrency.

This discovery presented a rare opportunity to trace the evolution of a malware family. What started as a rudimentary and conspicuous scheme had iterated through three distinct stages of evolution into something with creative evasion techniques. As far as we could tell, only samples from the first generation of this malware family have been reported on. Our findings were made even more significant by the ability to trace the timeline of when the samples entered circulation in the torrent community, when they started being submitted to VirusTotal, and when vendors started to successfully detect the different stages of this malware.

As we mentioned, our Final Cut Pro sample was evading AV detection while the previously reported samples were being detected across the board. Having found the direct source of this malware, we had the luxury of directly comparing the samples. This provided valuable insights into the progression of the malware and allowed us to better understand the tactics and techniques used by those behind it. We observed clear delineation points where the samples started to use new obfuscation techniques. Many of these techniques were not present in the first-generation samples that were previously reported on.

The first-generation samples used the AuthorizationExecuteWithPrivileges API to gain elevated privileges, which were needed to install the Launch Daemon for persistence. However, this process involved a conspicuous password prompt stating that the application needed to make changes. Later first-generation samples changed to a user Launch Agent, which does not require that prompt. However, the second-generation samples that began to appear on the Pirate Bay in April 2021 showed no traditional persistence mechanism, such as a Launch Daemon or Launch Agent, that we could observe.
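As an added defender-side example, not code from this report or from the malware, the following Python triage parses launchd property lists from the locations the persistence discussion above concerns and notes what each would run and whether installing it needed admin rights (the reason the first-generation samples had to show a password prompt). The sample plists, labels and program paths are constructed for illustration.

```python
import plistlib

# Where launchd looks for jobs; the first two require admin rights to write to,
# which is why a Launch Daemon install needs an authorization prompt while a
# user Launch Agent can be dropped silently.
SCOPE_BY_DIR = {
    "/Library/LaunchDaemons": "system daemon (admin rights needed to install)",
    "/Library/LaunchAgents": "system-wide agent (admin rights needed to install)",
    "~/Library/LaunchAgents": "user agent (installable with no password prompt)",
}
# Program locations Apple or a normal installer would use; anything else is notable.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Constructed samples (not from the report): a daemon-style job, a user agent,
# and a benign-looking system job for contrast.
SAMPLES = [
    ("/Library/LaunchDaemons", plistlib.dumps({
        "Label": "com.constructed.helper",
        "ProgramArguments": ["/Library/Application Support/Constructed/helper", "--quiet"],
        "RunAtLoad": True, "KeepAlive": True})),
    ("~/Library/LaunchAgents", plistlib.dumps({
        "Label": "com.constructed.agent",
        "Program": "/Users/alice/Library/Application Support/Constructed/agent",
        "RunAtLoad": True})),
    ("/Library/LaunchDaemons", plistlib.dumps({
        "Label": "com.constructed.benign",
        "ProgramArguments": ["/usr/libexec/constructed-benign"],
        "RunAtLoad": True})),
]

def triage_launchd_plist(plist_dir, raw_plist):
    """Parse one launchd plist and describe what it runs, how, and with what rights."""
    info = plistlib.loads(raw_plist)
    # launchd accepts either ProgramArguments (argv) or a bare Program path.
    args = info.get("ProgramArguments") or [info.get("Program", "")]
    program = args[0]
    flags = []
    if not program.startswith(EXPECTED_PREFIXES):
        flags.append("program outside standard system/application paths")
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        flags.append("starts at boot/login and is restarted if killed")
    return {"label": info.get("Label"), "program": program,
            "scope": SCOPE_BY_DIR.get(plist_dir, "unknown location"), "flags": flags}

def triage_all(samples=SAMPLES):
    """Triage a list of (directory, plist bytes) pairs, e.g. read from disk."""
    return [triage_launchd_plist(d, raw) for d, raw in samples]

if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

A clean run says nothing about second-generation-style samples, which the report notes used neither a Launch Daemon nor a Launch Agent.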