Interesting mystery. New malware found on ~30,000 Macs is raising ??. Once hourly the Macs contact a control server to check for commands from attackers, but so far no payload delivered. Malware has self-destruct feature but attackers haven't triggered it. arstechnica.com/information-te…
The malware has been found in 153 countries. One version runs on M1 chip that Apple introduced in Nov, "making it only the second known piece of macOS malware to do so... it uses the macOS Installer JavaScript API to execute commands." Red Canary report: redcanary.com/blog/clipping-…
“Though we haven’t observed [it] delivering additional malicious payloads yet, its...M1 chip compatibility, global reach, relatively high infection rate, and operational maturity [make it] uniquely positioned to deliver a potentially impactful payload at a moment’s notice”
When executed the x86_64 binary displays the words "Hello World!" and the M1 binary "You did it!" Researchers suspect the files are placeholders "to give the installer something to distribute content outside the JavaScript execution." Apple has revoked developer cert for both.
"It checks for the presence of ~/Library/._insu on disk and if the file is present Silver Sparrow removes all of its components...The ._insu file [however] does not appear present by default on macOS, and we currently don’t know the circumstances under which the file appears"
For those who are asking, the IoCs for the Silver Sparrow threat are at the end of the Red Canary report, which you can find here: redcanary.com/blog/clipping-…
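As an added defender-side example (not from the thread or the Red Canary report): a triage script that expands nothing itself but parses a .pkg Distribution file and flags installer JavaScript that calls the Installer API's system.run / system.runOnce, the command-execution mechanism the thread refers to. The sample Distribution XML is constructed; the option and API names are Apple's, but no value here comes from the Silver Sparrow sample.

```python
"""Triage a macOS .pkg Distribution file for installer JavaScript that executes commands."""
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution XML (not from the report): the installation-check
# script calls system.run() to execute a command while the package is being installed.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <options customize="never" allow-external-scripts="yes"/>
    <installation-check script="installationCheck()"/>
    <script>
    function installationCheck() {
        system.run('/bin/sh', '-c', 'echo installer-side command');
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
    <pkg-ref id="com.example.pkg">example.pkg</pkg-ref>
</installer-gui-script>
"""

# Installer JavaScript API methods that spawn a process; the first argument is the executable.
EXEC_CALL = re.compile(r"system\.(run|runOnce)\s*\(\s*(['\"])(.*?)\2")


def extract_scripts(distribution_xml: str) -> list[str]:
    """Return the text of every <script> element in the Distribution file."""
    root = ET.fromstring(distribution_xml)
    return [el.text or "" for el in root.iter("script")]


def triage_distribution(distribution_xml: str) -> dict:
    """Flag command execution from installer JavaScript and the option that permits it."""
    root = ET.fromstring(distribution_xml)
    options = root.find("options")
    allows_external = options is not None and options.get("allow-external-scripts") == "yes"
    exec_calls = [
        (m.group(1), m.group(3))
        for script in extract_scripts(distribution_xml)
        for m in EXEC_CALL.finditer(script)
    ]
    return {
        "allow_external_scripts": allows_external,
        "exec_calls": exec_calls,  # e.g. [("run", "/bin/sh")]
        "suspicious": bool(exec_calls),
    }


if __name__ == "__main__":
    # On a real package: `pkgutil --expand pkg.pkg out`, then pass the contents of out/Distribution.
    print(triage_distribution(SAMPLE_DISTRIBUTION))
```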