Mac malware, possibly made in Iran, targets U.S. defense industry

Credit to Author: Michael Kan | Date: Tue, 07 Feb 2017 12:50:00 -0800

Just because you're using a Mac doesn't mean you're safe from hackers. That's what two security researchers are warning, after finding Mac-based malware that may be an attempt by Iranian hackers to target the U.S. defense industry.

The malware, called MacDownloader, was found on a website impersonating the U.S. aerospace company United Technologies, according to a report (https://iranthreats.github.io/resources/macdownloader-macos-malware/) from Claudio Guarnieri and Collin Anderson, who are researching Iranian cyberespionage threats.

The fake site was previously used in a spear-phishing email attack to spread Windows malware and is believed to be maintained by Iranian hackers, the researchers claimed.

Visitors to the site are greeted with a page about free programs and courses for employees of the U.S. defense companies Lockheed Martin, Raytheon and Boeing.

The malware itself is delivered as an Adobe Flash installer for a video embedded in the site. The website serves either Windows or Mac-based malware, depending on the detected operating system.

[Image: A screenshot of the fake site.]

The MacDownloader malware was designed to profile the victim's computer and then steal credentials, both by displaying fake system login boxes and by harvesting them from Apple's password management system, Keychain.

However, the malware is of shoddy quality and is "potentially a first attempt from an amateur developer," the researchers said.

For instance, once the malware is installed, it generates a fake Adobe Flash Player dialog box, only to then announce that adware was discovered on the computer and that it will attempt to clean it up.

"These dialogues are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control," the researchers said.

In addition, the malware failed to run a script that was meant to download additional malicious code onto the infected Mac.

But despite the shoddy quality, the malware still managed to evade detection on VirusTotal, which aggregates antivirus scanning engines.

The researchers found other circumstantial evidence that the malware is linked to Iran. An exposed server that the MacDownloader agent uploaded data to listed wireless networks called "Jok3r" and "mb_1986." Both of these names have ties to previous Iranian hacking groups, including one known as Flying Kitten (https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/), which is suspected of targeting U.S. defense contractors and political dissidents.

In an email, Anderson said a colleague also observed MacDownloader targeting a human rights activist.

The danger is that many human rights supporters, especially in Iran, are dependent on Apple devices, the researchers said. "While this [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers," they wrote in their report.

Mac malware is fairly rare, according to security researchers. That's because hackers tend to attack Windows-based devices, because of their popularity.

However, Mac-based malware is still popping up here and there. Last month, researchers found another kind designed to spy on biomedical research centers (http://www.computerworld.com/article/3159136/malware-vulnerabilities/mac-malware-is-found-targeting-biomedical-research.html). A separate Mac-based Trojan was found months earlier, targeting the aerospace industry (http://www.computerworld.com/article/3124628/security/new-mac-trojan-uses-the-russian-space-program-as-a-front.html).

Source: http://www.computerworld.com/article/3167027/security/mac-malware-possibly-made-in-iran-targets-us-defense-industry.html