Recently, Confiant and Malwarebytes analyzed a steganography based payload which was utilized by a "malvertizer" dubbed "VeryMal" by the two firms, to infect Macs. According to the firms, the attempted attack ad was viewed on as many as 5 million Macs.
This campaign was active from 11th January 2019 until 13th January 2019. Confiant detected and blocked 191,970 impressions across their publisher customers. They said that only the US visitors were targeted in this campaign.
According to Confiant, the Mac users who saw the ad, the attack displayed notices that the Adobe Flash Player needed to be updated and made the users to open a file that would attempt to download in their browsers. The download, when accepted and run, ended up infecting the user’s Mac with the Shlayer trojan.
The image could be viewed without harm despite containing the payload. It is harmful only when the code is run on the file, followed by the browser being redirected to a link included in the payload.
Eliya Stein, Security Engineering and research at Confiant, writes, “As malvertizing detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”
The same malicious actor VeryMal had performed a similar attack at the end December 2018:
- 437,819 Impressions detected and blocked by Confiant across two December campaigns.
- US targeting split between Mac OS and iOS.
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime
However, this attack includes a method, which was difficult to detect.
Malware “is not only limited to advertising-based attacks, with reports in September noting even some apps in the Mac App Store were performing malicious actions, such as extracting a user's data”, according to an Apple Insider report.
To know more about how Confiant and Malwarebytes carried out this analysis, visit Eliya Stein’s blog post on Medium.
Twitter memes are being used to hide malware
Privilege escalation: Entry point for malware via program errors
Bo Weaver on Cloud security, skills gap, and software development in 2019
United States
United Kingdom
India
Germany
France
Canada
Russia
Spain
Brazil
Australia
Argentina
Austria
Belgium
Bulgaria
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
Greece
Hungary
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Singapore
Slovakia
Slovenia
South Africa
South Korea
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
