Another month, another round of Apple security news. Like last month, February has certainly kept the news coming, this time including a tidal wave of new malware designed to infect Macs.

New Mac Malware: Filecoder/Findzip Ransomware
Yesterday the story broke that a new ransomware Trojan horse affecting Macs is out there in the wild. Called OSX/Filecoder by Intego and OSX.Findzip.A by Apple, the malware masquerades as a "patcher" or cracking tool for illegally unlocking unlicensed copies of Adobe Premiere Pro CC or Microsoft Office 2016.
Whilst the Trojan horse app pretends to do some mysterious cracking magic, it instead surreptitiously encrypts all of the user's documents, after which read-me files are dropped onto the desktop requesting payment of a multi-hundred-dollar ransom to recover the user's files.
Check out Intego's write-up for more details: Patcher Ransomware Attacks macOS, Encrypts Files Permanently.

New Mac Malware: Sofacy XAgent
The biggest buzz in Mac malware this month involved a backdoor associated with a group known variously as Sofacy, APT28, and Fancy Bear. The malware itself is dubbed OSX/Sofacy.gen by Intego, and OSX.XAgent.A by Apple. If a Mac has previously been infected by Sofacy's malware known as Komplex, that malware may download and install XAgent as a secondary infection.
Intego VirusBarrier detects Sofacy XAgent
XAgent includes functions to allow an attacker to do just about anything with your Mac, including but not limited to logging everything you type (including your passwords), automatically taking a screenshot every ten seconds, stealing iPhone and iPad backups, and accessing the command shell (effectively equivalent to typing commands into your Mac's Terminal app).
For further details on this malware, see Intego's article: Komplex Malware: The Return of Sofacy's XAgent.

New Mac Malware: iKittens
Earlier this month, a report was published describing Mac malware called MacDownloader or OSX.iKitten.A. The malware was targeted at the United States defense industry, and was distributed through a site that impersonated an aerospace firm (as depicted in the screenshot; image credit: Iran Threats).
The deceptive page pushes a fake Flash Player installer that infects the victim's Mac with iKitten malware, after which iKitten attempts to upload a copy of the user's Keychain (which contains the user's saved passwords) to a site maintained by the malware developer.
The malware itself is poorly written and doesn't appear to persist across a reboot, but by the time a user reboots their system, their passwords may already have been stolen.

New Mac Malware: EmPyre Word Macro
If you've been around long enough, you may remember hearing about Microsoft Office macro viruses nearly two decades ago. Around that time, Word and Excel macro viruses (that is, Microsoft Office documents containing malicious scripts that automatically execute predefined actions) had started to become a cross-platform threat, but in recent years we haven't heard much about macro viruses.
Well, don't count out macro viruses just yet, because at least one malware developer has gone retro!
Image credit: Patrick Wardle
A file named "U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.docm" recently circulated that contained a Microsoft Word macro (as indicated by the .docm filename extension) carrying EmPyre malicious code.
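The .docm extension is only a hint, and an extension is trivially renamed. A more reliable triage check is to look inside the file: Office Open XML documents are ZIP archives, a VBA project is stored as a part named vbaProject.bin, and the main part's content type in [Content_Types].xml switches to a "macroEnabled" variant. The following Python script is an added example written for this post (it is not code from the original article, from Patrick Wardle's analysis, or from the malware itself); the function names find_macros and build_sample are chosen here, and the two sample archives it inspects are constructed in the script rather than taken from the real document.

```python
"""Triage check for macro-bearing Office Open XML (OOXML) documents.

Added example, not code from the original post. OOXML files (.docx/.docm,
.xlsx/.xlsm, .pptx/.pptm) are ZIP archives. A VBA project is stored as a
binary part named vbaProject.bin and the main document part is declared with
a "macroEnabled" content type, so the archive is inspected instead of trusting
the file extension.
"""
import io
import re
import zipfile

# Content types of the main part for macro-enabled Word, Excel and PowerPoint files.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}


def find_macros(data: bytes) -> dict:
    """Return which macro indicators are present in an OOXML byte string.

    Keys:
      is_zip        - the data is a ZIP archive at all (legacy .doc is OLE, not ZIP)
      vba_parts     - archive members named vbaProject.bin, wherever they sit
      macro_enabled - [Content_Types].xml declares a macroEnabled main part
      has_macros    - either indicator fired
    """
    result = {"is_zip": False, "vba_parts": [], "macro_enabled": False, "has_macros": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_parts"] = [n for n in names if n.split("/")[-1].lower() == "vbaproject.bin"]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = set(re.findall(r'ContentType="([^"]+)"', ctypes))
            result["macro_enabled"] = bool(declared & MACRO_CONTENT_TYPES)
    result["has_macros"] = bool(result["vba_parts"]) or result["macro_enabled"]
    return result


def build_sample(macro: bool) -> bytes:
    """Construct a minimal stand-in Word archive (sample data, not a real document)."""
    if macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if macro:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean.docx", build_sample(False)), ("digest.docm", build_sample(True))):
        r = find_macros(sample)
        print(f"{label}: has_macros={r['has_macros']} vba_parts={r['vba_parts']} "
              f"macro_enabled={r['macro_enabled']}")
```

Run it against a real file with find_macros(open(path, "rb").read()). The check deliberately reports a document as macro-bearing if either indicator is present, since an attacker can tamper with one of them; legacy binary .doc/.xls files are OLE compound documents rather than ZIPs (is_zip comes back False) and need a dedicated parser such as olevba from the oletools project.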
If a user attempts to open the file, Word will present a dialog box stating that the document contains macros (and in fine print it states that "Macros may contain viruses that could be harmful to your computer").
If the user ignores the warning and carelessly clicks the (non-default) "Enable Macros" button (as seen in the screenshot above), their Mac could become infected with additional malware. For more details, see Patrick Wardle's write-up.

New Mac Malware: PROTON RAT
Reports circulated in early February about a new remote access Trojan (RAT), called PROTON (OSX.Proton.A), found on a Russian cybercrime message board. The RAT was reportedly available for other would-be criminals to purchase for their own targeted campaigns, and the seller even offered to add an Apple-approved developer code signature to the attacker's custom RAT build in order to bypass Apple's Gatekeeper protection on the victim's Mac.
After deploying the RAT onto a victim's Mac, an attacker could allegedly gain complete remote access, including viewing the user's screen in real time, recording keystrokes, uploading the victim's files, downloading additional malware, accessing the webcam, issuing shell commands, and other nefarious things. More information can be found in this PDF report published by Sixgill (their accompanying blog post was offline at the time of this article's publication).

iCloud Was Storing "Deleted" Safari History
Forbes broke the story that a company in Russia had developed a tool, called Phone Breaker, that could recover (ostensibly) deleted Safari browser history as far back as November 2015. The tool's functionality was independently confirmed by a Forbes source.
Phone Breaker screen shot. Image credit: Forbes
Apple did not respond to Forbes' media inquiry, but shortly after the article was published, old browsing history records began disappearing from iCloud accounts that were known to have been affected.
Since Apple was tight-lipped about the ordeal, one can only speculate, but it's possible that in late 2015 Apple either made a programming error that caused Safari history to no longer get deleted and has now corrected the issue on the back end, or perhaps Apple has yet to fix the underlying issue and has started proactively deleting old history backups while working on a more permanent fix.

Apple Security Updates

Apple has released