Interestingly, clicking on the "Close" button does in fact make the application exit. With this particular build of MacDownloader, a fake Adobe Flash Player dialog is displayed upon execution, prompting the victim to click on an "Update Flash-Player" button. The continuity of certain infrastructure and trends in targeting suggest a relationship to the Charming Kitten actor group, believed to based in Iran and connected to Iranian security entities. The packaging of the MacDownloader sample also provides further indication of its Iranian origin through its name, "addone flashplayer.app," which would suggest that a Persian-language speaker named the file based on grammar. The target will be provided either Windows or Mac malware based on the detected operating system, with Windows clients provided a dropper written in Go. MacDownloader is the first spearphishing attempt we have observed that honestly informs its target about its malicious nature. Air Force basic training page.Ĭounterintuitively, the bait to download the agent features a French-language warning in the place of a video player that informs the visitor that the "plugin has security flaws," with a link to activate Adobe Flash. The host used to stage the malware had also previously been used to deploy the BeEF framework on subdomains that appeared as a dental office and a U.S. The citation of the aforementioned companies also aligned with known targeting of spearphishing campaigns by the same group. The page claimed to offer "Special Programs And Courses," specifically mentioning employees and interns of Lockheed Martin, Sierra Nevada Corporation, Raytheon and Boeing. Incident and ImpactĪn active staging of the MacDownloader agent was first observed linked out from a site impersonating the aerospace firm "United Technologies Corporation," a spearphishing site was previously believed to be maintained by Iranian actors for spreading Windows malware. One of these communities is the human rights community, especially those focused on Iran, which based on anecdotal experience is strongly dependent on Apple devices. Thus, macOS users are at risk of assuming greater protection against malware than actually exists, and could be more vulnerable as a result. However, much of the added security afforded to macOS users stems from an expectation of Windows by attackers and less readily-available remote access tools for the OS, rather than better in-built defenses. While Windows remains the dominant operating system in the world, many communities have shifted over to macOS in the interest of security and stability. Since the start of the Iran Threats posts, we have documented an ever-changing array of malware agents targeting Windows and Android devices in order to exfiltrate files and record keystrokes from victims. While this agent is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers with certain community, and inaccurate perceptions about the security of those devices. Since the Technical Preview of our forthcoming Carnegie Endowment publication about state-sponsored espionage campaigns was released at Black Hat USA, we have continued to disclose information about current Iranian activities in order to promote public education and to provide indicators of compromise. Lastly, the exposure of test victim data and code references provide a unique insight into the development of the malware, with potential connections to agents developed by long dormant threat groups. The macOS malware also mirrors the approach of the ExtremeDownloader dropper previously documented in our research, and samples of the latter identified during this time used the same infrastructure. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. IKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader) Public Notice (6 February 2017) SummaryĪ macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against an human rights advocate.
0 Comments
Leave a Reply. |