Mac Malware 2020

Malwarebytes said there was a 400 percent increase in threats on Mac devices from 2018 to 2019, and found an average of 11 threats per Mac device, which is about twice the 5.8 average on Windows.

New Mac Malware Found to Infect via Xcode. Monday August 17, 2020 12:02 am PDT by Hartley Charlton. Security researchers at Trend Micro have discovered a new kind of Mac malware which can 'command.

Quite on the contrary, Mac malware, like any other malware, is designed to wreak as much havoc as possible on a computer, server, or network, and includes everything from viruses and worms to sophisticated forms of spyware, adware, and ransomware. Needless to say, Mac malware is capable of much more damage than a simple virus.

Short on Time?

Before digging deep into what Mac malware is and how to clean it, here's a tip for you: Download Systweak Anti-Malware. It is a trusted app offered by Systweak. Using this best security software for Mac, you can perform a deep and quick scan, remove malicious startup and login items, schedule scans, and do a lot more. This best antimalware tool for Mac is powerful and light on system resources. To get rid of malware from Mac, try the tool today, and continue reading to check more solutions below.

Read More: Review: Systweak Anti-Malware For Mac

There's no denying 2020 will go down as a virus year, but that doesn't mean your systems are spared. According to a recent security report, they are still at risk: Macs have outpaced Windows PCs in the number of threats. This means Mac machines are at greater risk now. So, if your Mac is running slowly or you see unwanted advertisements in your browser, there's a chance your system is infected. Don't panic; there are things you can do to clean an infected Mac.

What is Mac Malware?

First things first: Mac malware and a Mac virus are not the same thing. Malware is code or software written to do nasty things like deleting files, encrypting data, or infecting a system with ransomware, and the term also covers adware, spyware, and the like. It is more complex and dangerous than a plain virus.

Common types of malware you can encounter on a Mac are:

  • Spyware and keyloggers – steal the user's personal information.
  • Backdoor infections – let an attacker remotely take control of your computer.
  • Botnet – turns your Mac into a bot under someone else's control.
  • PUP – potentially unwanted program, a common source of adware.
  • Ransomware – locks the system and asks the user to pay a ransom.
  • Rootkit – gains admin privileges.

So, how to know if your Mac is infected and how to remove malware from Mac? Answers to these questions can be found below.

Signs of Mac Being Infected

When the following signs are witnessed on your Mac, there's a high probability that your system is infected:

  • Performance of your Mac slows down suddenly
  • You see advertisement pop-ups every now and then
  • An unknown app icon appears on the desktop
  • Your default search engine or home page has been replaced
  • You are redirected to fake pages
  • Warning pop-ups appear and unwanted apps are downloaded
  • Your Mac restarts without warning and takes a long time to boot

How Does a Mac Get Infected?

There are 5 typical gateways responsible for infecting Mac with malware. They are as follows:

  1. Fake Flash Player update
  2. Torrent download
  3. .doc attachment
  4. Camera access request
  5. 'Your Mac is infected' scam

How To Remove Malware From Mac?

There are different ways to clean malware from Mac. First, we will remove malware from login items, followed by uninstalling unwanted apps and learning about the best and automatic way to clean malware.

1. Deleting Mac Malware from Login Items

Most malware and adware sneaks into the system by adding itself to the startup process. Therefore, it is essential to stop this from happening.

1. Click the Apple icon > System Preferences

2. Open the Users & Groups section.

3. Select your username > click the Login Items tab.

4. Check the list of login items. If you find a suspicious app, select it and click the '–' (remove) button.

5. Reboot your Mac to save the changes.

Since Mac malware can hide behind a legitimate file, there's a possibility that you won't find any suspicious app there. Therefore, to make sure nothing stays on your Mac, we will also need to check the web browsers.

Note: Most Mac malware, such as adware, scareware, and spyware, installs itself into web browsers.

2. Clearing Mac malware from web browsers

1. Press Command + Q to quit the web browser

2. Launch Finder > Downloads > check all the downloaded installation files > if you find a suspicious app > select right-click > Move to Trash.

3. Besides this, if you know which app is infected, half the battle is already won. To get rid of it, open

4. Check all the listed apps. If any app looks suspicious > select it > click the X icon and Force Quit.

5. Afterward, open the Applications folder.

6. Find the problematic app > select it > right-click > Move to Trash.

7. Next, Empty Trash

This simple method will help get rid of malware from Mac. But it's still incomplete as there might be some leftovers present on your Mac. To remove these traces, you can use an antimalware app like Systweak Anti-Malware or can follow the manual steps explained below:

1. Quit any unwanted app

2. Launch Finder > Go > Go to Folder > type /Users/Shared/

3. Delete Slimi files and folders.
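Login items set through System Preferences are not plain files, so the following added example (not code from the original article) generalizes the manual login-item check above to the launchd plists in LaunchAgents/LaunchDaemons folders that adware also uses to start at login, and flags entries whose program lives in the places this article tells you to clean out, such as /Users/Shared or hidden folders. The plist names, paths and contents are constructed sample data, not real malware.

```python
import os
import plistlib
import tempfile

# Locations where adware droppers commonly park their binaries (assumed list).
SUSPICIOUS_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/")

def program_path(plist: dict) -> str:
    """Return the executable a launchd plist runs (Program wins over ProgramArguments)."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def classify(plist: dict) -> list:
    """Return the reasons an entry looks suspicious; an empty list means it looks normal."""
    path = program_path(plist)
    if not path:
        return ["no program specified"]
    reasons = []
    if path.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("runs from a shared or temp directory: " + path)
    # Any path component starting with '.' is a hidden directory or hidden file.
    if any(part.startswith(".") for part in path.split("/")[1:]):
        reasons.append("runs from a hidden directory or file: " + path)
    return reasons

def audit_directory(directory: str) -> dict:
    """Map each .plist filename in `directory` to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            findings[name] = classify(plistlib.load(fh))
    return findings

def demo() -> dict:
    """Run the audit on a constructed LaunchAgents folder (sample data, not real malware)."""
    bad = {"Label": "com.example.updater", "RunAtLoad": True,
           "ProgramArguments": ["/Users/Shared/.hidden/update.sh"]}
    good = {"Label": "com.example.vendor", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/Vendor"]}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("com.example.updater.plist", bad), ("com.example.vendor.plist", good)):
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return audit_directory(tmp)
```

On a real Mac you would point `audit_directory` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and review every flagged entry before deleting anything.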

Uninstall malicious extensions on Safari, Chrome, and Firefox

Browser extensions again are the most used carrier for adware, spyware, etc. Therefore, it is important to check all the extensions and uninstall the malicious ones. To do so, follow the steps below:

Safari:

1. Launch Safari > Preferences > General

2. Check the Homepage and ensure it is the one that you want to open

3. Next, head to Security and checkmark Block pop-up windows

4. Afterward, go to Extensions > look for unknown extensions and uninstall them

Chrome:

1. Launch Chrome > Preferences > Advanced

2. Scroll down > Reset settings

3. Restore settings to defaults > confirm RESET SETTINGS

4. Head back to Advanced > Privacy and security > Content settings

5. Find Popups and Ads > Block.

Firefox:

1. Launch Firefox > type about:support in the address bar

2. Click Refresh Firefox

3. Next, run Firefox in Safe Mode and restart with Add-ons Disabled.

4. Firefox > Preferences > Privacy & Security.

5. Navigate to Security and checkmark the three options (Block dangerous and deceptive content/Block dangerous download/Warn you about unwanted and uncommon software)

How to Automatically Clear Malware from Mac Using Systweak Anti-Malware

Getting rid of something that you are not aware of is not easy. Luckily, using Systweak Anti-Malware, you can scan your Mac for vulnerabilities and remove suspicious files. Offered by Systweak, a company with a reputation of 19+ years, Systweak Anti-Malware is the best security tool for Mac and a one-stop solution to fix malware infections. The tool helps remove adware, viruses, spyware, ransomware, and other threats. Moreover, the app's database is regularly updated, and it even scans login items for infections.

Here's how to use Systweak Anti-Malware and clean malware from Mac.

1. Download, install and launch Systweak Anti-Malware

2. Click the Scan tab and select Deep Scan > click Deep Scan to perform scanning

3. Wait for the scan to finish. Once done, click Fix Now

4. This will help quarantine all the infected files and remove malware from Mac.

In addition to this, if you want to schedule scanning, click the Preferences tab > Schedule > set the time and day > Apply. Now Systweak Anti-Malware will run at the specified time, and you will be protected from malware on Mac. This robust security tool works flawlessly and keeps your Mac guarded against the latest and old threats. To stay protected, we suggest using it once every month. However, if you are not comfortable using a third-party tool, you can use the manual steps explained above to clean malware. Do let us know which steps you picked and why in the comments section. We'd love to hear from you.

SAN FRANCISCO—Malware developers are always trying to outdo each other with creations that are stealthier and more advanced than their competitors'. At the RSA Security conference this week, a former hacker for the National Security Agency demonstrated an approach that's often more effective: stealing and then repurposing a rival's code.

Patrick Wardle, who is now a security researcher at the macOS and iOS enterprise management firm Jamf, showed how reusing old Mac malware can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code. Where the approach really pays dividends, he said, is with the repurposing of advanced code written by government-sponsored hackers.

'There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that's fully featured and also fully tested,' Wardle said during a talk titled 'Repurposed Malware: A Dark Side of Recycling.'

'The idea is: why not let these groups in these agencies create malware and if you're a hacker just repurpose it for your own mission?' he said.

Hijacking the hijackers

To prove the point, Wardle described how he altered four pieces of Mac malware that have been used in in-the-wild attacks over the past several years.

The repurposing caused the malware to report to command servers belonging to Wardle rather than the servers designated by the developers. From there, Wardle had full control over the recycled malware. The feat allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.

Besides saving time and resources, malware repurposing provides two key benefits:

  • It may allow attackers, particularly those from state-sponsored groups, to infect high-risk environments, such as those that are already infected and under the eye of other malicious software actors. In that position, many nation-state hacking groups will forgo deploying their crown-jewel malware to keep proprietary tactics, techniques, and procedures private. Repurposing someone else's malware might be a suitable alternative in these scenarios.
  • In the event that the malware infection is detected and forensically analyzed, there's a good chance that researchers will misattribute the attack to the original hackers and not the party that repurposed the malware.

There's no shortage of evidence that the repurposing of rivals' malware is already a common practice among nation-state hackers. WannaCry and NotPetya—the worms that wreaked worldwide computer shutdowns in 2017 and are widely attributed to North Korea and the Russian Federation, respectively—spread rapidly from computer to computer with crucial help from EternalBlue, the Windows exploit developed by, and later stolen from, the National Security Agency. Researchers at security firm Symantec found that a hacking group widely tied to the Chinese government reused NSA malware that gets installed by EternalBlue in March 2016, 14 months before the powerful NSA hacking tools were published. This 2017 article by freelance reporter Kim Zetter reports that files published by Wikileaks showed CIA hackers recycling techniques and snippets of code used in previous attacks for use in new projects. A few years ago, according to evidence unearthed by Symantec, the Russian-speaking hacker group known as Turla hijacked the servers of OilRig, a rival outfit connected to Iran's government. Turla then used the infrastructure to attack a Middle Eastern government.

Getting Jeused

One of Wardle's repurposings involved AppleJeus.c, a piece of recently discovered malicious code embedded in a fake cryptocurrency trading app for macOS. The sample was notable for being the first, or at least among the first, known malware specimens for macOS to use an in-memory, or fileless, method to execute second-stage malicious payloads onto targeted Macs.

By executing malicious code solely in memory—rather than using the more common route of saving the code to disk and then executing it—AppleJeus.c significantly lowered the chances antivirus programs and other forms of endpoint security would detect the infection or be able to capture the second-stage payloads. Researchers have tied the malware to Lazarus, a hacker group working for the North Korean government.

Rather than develop his own fileless payload installer for macOS, Wardle made just one minor modification to AppleJeus.c: instead of obtaining the fileless payload from the server originally hardcoded into AppleJeus.c, the modified malware now got the payload from a server he controlled.

'This means that when the [first stage of the] malware is executed, it will now talk to our server instead of the hacker's original infrastructure,' and thus will download and execute a new second-stage payload, Wardle said.

The first step was to thoroughly analyze the inner workings of AppleJeus.c. Among the things he observed were the malware's capabilities and the protocol it used to communicate with the original developers' command and control server. Using a disassembler, for instance, he observed the malware using a cryptographic hashing function and a decryption function to load and then execute the second-stage payload.

By using a debugger to stop the malware just before it ran the hashing function, he found the string VMI5EOhq8gDz, which when passed to the hash function turned out to be the decryption key. He then used the disassembler and debugger to discover the decryption cipher and parameters in a similar way.

Next, Wardle used a hex editor to change the original version's hard-coded control server domain to the address of the server under his control. He designed this new control server to use the same communication protocol and to interact step by step with each function of the malware.


To get the modified version of AppleJeus.c to accept the second-stage payload, Wardle's control server had to, among other things, encrypt it with the same key and cipher he observed during his analysis. With that, Wardle could use his repurposed AppleJeus.c to load and execute any Mac Mach-O executable file of his choice.

'With a single modification to the binary, (and building a light-weight C&C server), we now have access to an advanced nation-state loader that will perform to our bidding ... without having to write any (client-side) code!' Wardle wrote in a message following his talk. 'This is way easier than writing it from scratch :) Also, if this repurposed variant is ever detected, it will likely be misattributed back to the North Koreans.'

As an interesting aside, much of the code used to carry out AppleJeus.c's in-memory infection was itself lifted from a deep-dive technical analysis published by Cylance researcher Stephanie Archibald.

Thrice more with feeling

Wardle used similar techniques to repurpose three other pieces of Mac malware that have circulated in the wild: Fruitfly, a remote-access tool that stole millions of user images, many of them nudes, over 13 years before finally being shut down; a ransomware app discovered in 2016; and Windtail, which targeted mostly government agencies and companies in the Middle East.

Wardle was able to make other tweaks to his repurposed code so it would bypass the malware mitigations built into macOS. For instance, because the XProtect malware scanner is based on file signatures, changing a single byte of reused code is enough for it to completely escape detection. When Apple-issued signing certificates have been revoked, it's trivial to unsign the software and sign it with a new certificate. And to suppress the warnings displayed when users try to run code or install apps downloaded from the Internet, it's easy to remove the flags that make those warnings appear.
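Why a byte-exact signature misses a one-byte variant, as an added example that is not from the article and does not model XProtect's real rule format: a constructed stand-in "binary" is hashed to build a signature, one bit is flipped, and the variant is checked both against the exact hash and against a byte 4-gram Jaccard similarity, the kind of fuzzy match a defender can layer on top of exact signatures. The sample bytes, the similarity threshold and the chosen offset are all assumptions.

```python
import hashlib
import random

# Constructed stand-in for a known-bad file: the 64-bit Mach-O magic, a few
# recognisable strings, then fixed pseudo-random bytes. Not a real sample.
_rnd = random.Random(7)
KNOWN_BAD = (b"\xcf\xfa\xed\xfe" + b"stage2-loader " + b"https://server.example.invalid/payload "
             + bytes(_rnd.getrandbits(8) for _ in range(900)))

def sha256_signature(data: bytes) -> str:
    """The kind of exact file signature a hash-based scanner keeps."""
    return hashlib.sha256(data).hexdigest()

def ngrams(data: bytes, n: int = 4) -> set:
    """All n-byte windows of the file; almost all of them survive a tiny edit."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Share of n-grams two files have in common (1.0 means identical sets)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)

def one_bit_variant(data: bytes, offset: int) -> bytes:
    """Model the single-byte edit the article describes by flipping one bit at `offset`."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]

def check(signature_db: set, sample: bytes, reference: bytes, threshold: float = 0.95) -> dict:
    """Compare exact-hash matching with similarity matching for one sample."""
    similarity = jaccard(sample, reference)
    return {
        "exact_match": sha256_signature(sample) in signature_db,
        "similarity": round(similarity, 3),
        "similar_match": similarity >= threshold,
    }

def demo() -> tuple:
    """Return (result for the original file, result for its one-bit variant)."""
    db = {sha256_signature(KNOWN_BAD)}
    variant = one_bit_variant(KNOWN_BAD, 100)
    return check(db, KNOWN_BAD, KNOWN_BAD), check(db, variant, KNOWN_BAD)

if __name__ == "__main__":
    original, variant = demo()
    print("original file:", original)
    print("one-bit variant:", variant)
```

The variant fails the exact-hash lookup while still scoring above 0.95 similarity, which is why signature-only scanning needs to be backed by behavioural or similarity-based detection.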

This week's RSA talk may give the impression that malware repurposing is unique to Mac offerings. The examples of recycled malicious code mentioned earlier should make clear that this kind of recycling works against any operating system or platform. Given the wealth of working malware and the ease in reusing it, it's easy to understand why the practice is so common, Wardle said. 'The idea is to let those with more time, money, and resources do all the hard work.'




