fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft: WizardUpdate Mac Malware Adds New Evasion Tactics

Microsoft: WizardUpdate Mac Malware Adds New Evasion Tactics

Microsoft says it found new variants of macOS malware known as WizardUpdate (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.

As Microsoft security experts found, the latest variant — spotted earlier this month — is likely being distributed via drive-by downloads and it impersonates legitimate software, just as it was when threat intelligence firm Confiant discovered it camouflaged as Flash installers in January.

Since the first variants were observed in November 2020, when it was only capable of collecting and exfiltrating system info, WizardUpdate was updated multiple times by its developers.

Also Read: How PII Data Works In Businesses And Its Advantages

The sample collected by Microsoft researchers in October comes with several upgrades, including the ability to:

  • deploy secondary payloads downloaded from cloud infrastructure
  • grab the full download history for infected Macs by enumerating LSQuarantineDataURLString using SQLite 
  • bypass Gatekeeper by removing quarantine attributes from downloaded payloads
  • modify PLIST files using PlistBuddy
  • leverage existing user profiles to execute commands
  • change the sudoers list to give admin permissions to regular users
WizadUpdate evolution
WizadUpdate evolution (Microsoft)

After it infects a target’s Mac, the malware starts scanning for and collecting system information that gets sent to its command-and-control (C2) server.

The trojan will deploy second-stage malware payloads, including a malware variant tracked as Adload, active since late 2017 and known for being able to slip through Apple’s YARA signature-based XProtect built-in antivirus to infect Macs.

“UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file’s quarantine attribute,” Microsoft said.

“It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/ LaunchDeamon for persistence.”

WizardUpdate’s developers have also included evasion features in the latest variant, which can cover its tracks by deleting created folders, files, and other artifacts created on the infected Macs

Also Read: How To Check Data Breach And How Can We Prevent It

WizardUpdate attack flow
WizardUpdate attack flow (Microsoft)

Malware on the Mac “worse than iOS”

AdLoad, one of the second-stage payloads delivered by WizardUpdate on compromised Macs, also hijacks search engine results and injects advertisements into web pages for monetary gain using a Man-in-The-Middle (MiTM) web proxy

It also gains persistence by adding LaunchAgents and LaunchDaemons and, in some cases, user cronjobs scheduled to run every two and a half hours.

While monitoring AdLoad campaigns active since November 2020, when WizardUpdate was also first spotted, SentinelOne threat researcher Phil Stokes found hundreds of samples, roughly 150 of them unique and undetected by Apple’s built-in antivirus.

Many of the samples detected by Stokes were also signed with valid Apple-issued Developer ID certificates, while others were notarized to run under default Gatekeeper settings.

Although both WizardUpdate and AdLoad now only deploy adware and bundleware as secondary payloads, they can switch at any time to more dangerous malware such as wipers or ransomware.

“Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS,” said Craig Federighi, Apple’s head of software, in May 2021 under oath while testifying in the Epic Games vs. Apple trial.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us