Saturday 25 January 2014

Attackers Celebrate Macintosh's 30th Anniversary With Data Stealing Malware

This week, the researchers at Sophos posted an interesting breakdown of a nasty scam that's targeting both Windows and Mac users. As a Mac user myself, I know that it's easy to forget that anyone can be a target, and Mac malware, though rare, is a very real thing. A sobering reminder on the 30th anniversary of the Macintosh.
Pending Parcel
The attack begins with an email purporting to be from a courier company—sometimes a real one, and sometimes one invented by the attackers. Careful readers will remember that packages or Amazon deliveries are a favorite for social engineers, since they combine a common experience with an emotional response. In this case, the emotional hook is the common desire to get something in the mail.
The email includes some kind of pretext for including a link. In the case Sophos investigated, it's a bit unusual since the sender ("FedEx") claims that they have scanned the contents of a document intended for delivery. While that's certainly comprehensive service, I'd personally be a little perturbed if my courier of choice decided to open and meticulously scan my mail instead of, you know, delivering it.
The link in the email is, not surprisingly, a phony one. Interestingly, the attackers tailor the payload to the victim. If you're on a mobile browser, you'll see an error message. Non-Safari users will receive a ZIP file containing a variant of the Zeus malware. Safari users receive a ZIP file masquerading as a PDF document. Clever.
Nasty RAT
Victims who launch the "PDF" are actually starting up a malicious application Sophos designates as OSX/LaoShu-A. "LaoShu-A as good as hands control of your Mac over to the attackers," writes Sophos. "But its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet." This is similar to the functions of a Remote Access Trojan, or RAT.
Once running, LaoShu-A can search for specific file types and then send them back to the attacker's server. It can also run arbitrary commands and download fresh malware on your Mac. Sophos reported that in their investigation, the malware attempted to take screenshots and send those back to the attackers as well.
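The Safari branch of this lure delivers a ZIP whose contents pose as a PDF. An added example of the kind of check a mail gateway or incident responder could run on such an archive (this is illustrative code written for this post, not Sophos's tooling, and it assumes the disguised "PDF" is an .app bundle with a .pdf.app double extension, which the post does not state explicitly):

```python
import io
import zipfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
PDF_MAGIC = b"%PDF"


def inspect_zip(zip_bytes):
    """Return [(entry_name, reason)] for entries that claim to be a PDF but
    are really an application bundle or a native executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            if ".pdf" in lower and not lower.endswith(".pdf"):
                # e.g. "Scanned_Document.pdf.app/..." is a bundle, not a document
                findings.append((name, "PDF name with a trailing non-PDF extension"))
            if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                findings.append((name, "named .pdf but header is not %PDF"))
            if head in MACHO_MAGICS:
                findings.append((name, "Mach-O executable"))
    return findings


def build_sample_zip():
    """Constructed sample archive: a fake 'PDF' that is really an .app bundle
    with a Mach-O stub inside, next to a genuine PDF. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bundle = "Scanned_Document.pdf.app/Contents/"
        zf.writestr(bundle + "Info.plist", "<plist/>")
        zf.writestr(bundle + "MacOS/Scanned_Document", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

The magic-byte check matters because Finder and mail clients show the icon and extension the attacker chose, not what the file actually is.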
A tantalizing possibility raised by this research is that attackers may be tailoring the behavior of malicious payloads to the victim's devices. Sophos writes that, "data thieves are interested in what Mac users have on their computers." More so than on PCs? Are Windows machines better for botnets and Macintoshes better for data exfiltration? Interesting questions.
Protecting Your Mac
Sophos has some hard truths for lackadaisical Mac users. They point out that Mac malware doesn't always need to ask for permission to run, doesn't always require installation, and can be dressed up with fake digital certificates to circumvent the protections built into OS X.
And regardless of your operating system, you should scrutinize every message you receive. Were you expecting a link, an attachment, or a package? Is it normal for a courier company to open your mail and scan its contents? Taking just a few seconds to think before you click can save you a lot of trouble in the long run.