macos

The Chief Information Security Officer of Slow Fog, 23pds, shared that the MacSync Stealer malware, active on the macOS platform, has shown significant evolution, with user assets already being stolen.The forwarded article mentions that it has upgraded from early low-threshold inducement methods like "dragging to terminal" and "ClickFix" to code signing and notarized Swift applications by Apple, significantly enhancing its concealment. Researchers found that the sample spreads in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguising itself as instant messaging or utility applications to induce users to download. Unlike previous versions, the new version does not require any terminal operations from the user; instead, a built-in Swift helper pulls and executes encoded scripts from a remote server, completing the information theft process.The malware has completed code signing and has been notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the relevant hash has not been revoked by Apple during analysis. This means it has a higher "trustworthiness" under the default macOS security mechanisms, making it easier to bypass user vigilance. The research also found that the DMG is unusually large, containing bait files such as LibreOffice-related PDFs to further reduce suspicion.Security researchers point out that such information-stealing Trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple’s signing and notarization mechanisms, the risks of phishing and private key leakage for cryptocurrency users in the macOS environment are on the rise.

According to 23pds, the Chief Information Security Officer of Slow Fog Technology, a new variant of the information-stealing malware MacSync has emerged, successfully bypassing the macOS Gatekeeper security mechanism, resulting in the theft of user assets.This malware employs various techniques to evade detection, including file inflation, network connection validation, and self-destruct scripts after execution. Attackers can use this software to steal sensitive data from victims, such as iCloud keychains, browser passwords, and cryptocurrency wallets. Users should remain vigilant, avoid downloading software from unknown sources, promptly update operating system security patches, and take additional measures to protect the security of their crypto assets.

ChainCatcher News: Recently, the Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB) of the Ministry of Industry and Information Technology detected a high-risk out-of-bounds write vulnerability in Apple's iOS/iPadOS/macOS, which has been exploited for cyber attacks.iOS/iPadOS/macOS is an operating system developed by Apple Inc. Due to an out-of-bounds write vulnerability in its ImageIO framework, processing malicious image files may lead to memory corruption.

ChainCatcher news, according to Decrypt, recently Check Point discovered a macOS malware named "Banshee" that mimics Apple's encryption algorithms to evade antivirus detection and targets cryptocurrency wallets and browser credentials. However, Apple security researcher Patrick Wardle stated that the threat has been overstated by the media and its actual harm is limited.Banshee was previously operated as "Stealer-as-a-Service," but it was terminated in November 2024 due to source code leakage. Wardle pointed out that the software's encryption methods are quite basic, and the latest macOS systems can defend against such threats by default, posing almost no risk to ordinary users. He emphasized that instead of focusing on specific malware, it is better to concentrate on basic security practices.

ChainCatcher news, according to Forbes, security company ESET has just released its latest threat report, which examines the threat landscape trends from June to November 2024. The number of password theft attacks targeting cryptocurrency wallets has increased, with the most significant rise occurring among macOS users.The report states: "According to ESET's telemetry data for the second half of 2024, the number of password-stealing software across multiple platforms (especially Windows, macOS, and Android) has increased," but compared to the first half of the year, the detection of password-stealing software targeting cryptocurrency wallets on macOS has more than doubled. Meanwhile, the number of password-stealing software on the Windows platform grew by 56%, while financial threats on the Android platform, including password-stealing malware, increased by 20%.ESET's analysis shows that the number of password-stealing software targeting the macOS platform (especially those related to cryptocurrency wallet credentials) surged by 127%. Security researchers noted: "Although these threats cannot be simply classified as password-stealing software just because they have broader functionalities, they do reveal a significant upward trend in password theft activities on the macOS platform." From a geographical perspective, ESET's analysis indicates that attacks on Bitcoin and other cryptocurrencies targeting macOS are mostly aimed at the United States, followed by Italy, China, Spain, and Japan.

ChainCatcher message, Slow Mist's Chief Information Security Officer 23pds posted a reminder that recently, the well-known cryptocurrency theft Trojan MacOS Stealer has been suddenly open-sourced.Previously, its attack source code was sold for 1 BTC, and now the open-sourcing means that more malicious attackers can easily access this tool. This not only potentially allows attackers to have "one tool per person" for attacks but may also give rise to more covert and complex attack methods, posing greater challenges to the security of cryptocurrency assets.

ChainCatcher news, according to Forbes, researchers have confirmed that a malware attack targeting macOS users has been active for four months. This attack uses malware disguised as a video conferencing application to steal passwords from Keychain, as well as session cookies and cryptocurrency wallet information from browsers like Google Chrome, Brave, and Opera.According to Tara Gould from Cado Security Labs, the attackers use AI-generated content to create fake websites and social media accounts, posing as trustworthy businesses. Victims are often contacted through platforms like Telegram, discussing business opportunities related to blockchain or cryptocurrency. Once the file is installed, users are prompted to enter their macOS password, further facilitating data theft.Security experts advise users to remain vigilant, especially regarding unfamiliar links related to business. Using protective tools like Intego VirusBarrier can effectively defend against such threats.

According to ChainCatcher news reported by Cointelegraph, North Korean hackers appear to have developed malware that can evade Apple's security checks. Researchers at Jamf Threat Labs, who focus on Apple, indicate that these applications seem to be experimental. This is the first time they have seen such technology used to infiltrate Apple's macOS operating system, but it does not run on the latest systems.Researchers found that Microsoft's VirusTotal online scanning service reported these applications as harmless, but they are actually malicious. Variants of these applications are written in Go and Python, utilizing Google Flutter applications. Flutter is an open-source development toolkit used for creating cross-platform applications.Out of six malicious applications, five are signed with developer accounts and have been temporarily notarized by Apple. Researchers wrote, "The domains and techniques in the malware are very similar to those used in other North Korean hacker malware, with indications that the malware was once signed and even temporarily passed Apple's notarization process."

ChainCatcher news, according to IT Home, developer Pedro Vieito posted an update on the Thread platform 2 days ago, stating that the macOS version of the ChatGPT app stores user conversations in plain text. OpenAI responded today that it has updated its app and encrypted the chat logs stored on Mac devices.According to Vieito's analysis, since conversations are stored in plain text outside the sandbox, this also means that conversations can be accessed by other applications, processes, or even malware running on the Mac without the user's knowledge.

ChainCatcher news, according to OpenAI's announcement, the ChatGPT desktop application is now available for all macOS users. Users can quickly access ChatGPT using the shortcut Option + Space, making it easier to chat, handle emails, take screenshots, and manage other content on the screen.In addition, OpenAI has launched a new feature that allows users to search through past conversation history. Users can also quickly and easily query any information on their computers.

ChainCatcher message, Kaspersky Labs has discovered new malware entering macOS users' computers through pirated applications, stealing users' cryptocurrency wallets. This malware targets macOS versions 13.6 and above, allowing hackers to access the user's computer security password when the user inputs their computer security password into the activator box; when the user attempts to open the cryptocurrency wallet compromised by the malware, hackers can access the private keys of the cryptocurrency wallet.Kaspersky Labs reminds cryptocurrency users that they can avoid the ongoing malware activities by using trusted websites, keeping their computer operating systems updated, and employing security solutions.

ChainCatcher message, Blockfence has issued a reminder that due to a security vulnerability being frequently exploited, Apple has released emergency updates for macOS, iOS, iPadOS, tvOS, and watchOS. Please update to the following versions as soon as possible: iOS 17.2.1, iPadOS 17.2, macOS 14.2.1, tvOS 17.2, watchOS 10.2.

ChainiCatcher news, according to Cointelegraph, a new type of malware called "KandyKorn" related to the North Korean hacker group Lazarus has been discovered on Apple's macOS system, targeting the crypto community and engineers.According to analysis by Elastic Security Labs, "KandyKorn" is an invisible backdoor capable of data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution.Initially, the attackers impersonated community members through Discord channels to spread a Python-based module. Social engineering attacks lured community members into downloading a malicious ZIP archive named "Cross-platform Bridges.zip," which mimicked an arbitrage bot designed for automatic profit. However, the file imported 13 malicious modules that worked together to steal and manipulate information.

ChainCatcher message, Slow Mist's Chief Information Security Officer 23pds issued a reminder that a new malware named Realst has emerged, targeting Apple macOS systems with large-scale attacks, including the latest macOS 14 Sonoma. It is written in Rust, and after victims are attacked, their cryptocurrency assets are stolen along with sensitive information such as passwords. All macOS users are strongly advised to remain vigilant and take necessary security measures to prevent their sensitive information and cryptocurrency assets from being stolen.

ChainCatcher news, according to Sekoia.io, has discovered a malware for macOS written in Rust and Objective-C called "RustBucket." It consists of a macOS installer that installs a fully functional PDF reader with a backdoor. This fake PDF reader requires opening a specific PDF file as a key to trigger malicious activities, after which it collects and sends information about the compromised system.It is reported that this malware is suspected to be linked to the hacker group Bluenoroff, which has ties to North Korea. Since 2017, Bluenoroff has been conducting financial activities targeting cryptocurrency exchanges and venture capital-related entities in Europe and Asia. (source link)

ChainCatcher news, according to Cyble, a Telegram channel is promoting a new type of information-stealing malware called Atomic macOS Stealer (AMOS), which is specifically designed for macOS and can steal various types of information from victims' machines, including keychain passwords, complete system information, files in the desktop and documents folders, and even the macOS password. This stealer is designed to target multiple browsers and can extract autofill, passwords, cookies, wallet, and credit card information. Specifically, AMOS can target cryptocurrency wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.Additionally, AMOS provides a management web panel for victims, which includes a MetaMask brute force tool for stealing mnemonic phrases and private keys, an encryption checker, and a dmg installer, after which logs are shared via Telegram. The price for these services is $1000 per month. (source link)

ChainCatcher message, the antivirus software Kaspersky officially stated, "A very serious vulnerability has been found again in the Apple operating system. Attackers can gain root access, which may jeopardize user asset security. These several very serious security vulnerabilities in iOS and macOS have been exploited by attackers. To address these vulnerabilities, Apple has quickly released updates for several previous versions. These vulnerabilities are critical, please update promptly." (source link)

Chain Catcher news, cybersecurity company SentinelOne recently stated that in the latest variant of a hacking activity known as "Operation In(ter)ception," the North Korean hacker group known as Lazarus Group has been using enticing job opportunities offered by cryptocurrency exchanges to attract macOS users. The hackers disguise malware as recruitment information from popular cryptocurrency exchanges, using carefully crafted and seemingly legitimate bait PDF documents to promote vacancies for positions such as Singapore Art Director - Concept Art (NFT).According to the company's report, the hacker group did the same thing as early as August 2022, but this time using fake recruitment information from the Coinbase cryptocurrency exchange. (Source link)