Google uncovered a sophisticated attack that leveraged both iOS & macOS exploits (n-/0-days) to infect Apple users! ๐Ÿ‘€

Interested in a triage of the macOS implant (named OSX.CDDS), including:
โ–ซ๏ธ Installation
โ–ซ๏ธ Persistence
โ–ซ๏ธ Capabilities

๐Ÿ“ Have a read:
objective-see.com/blog/blog_0x69โ€ฆ
Of course, we're sharing a sample (as always) + the binaries/modules dropped by the implant ๐Ÿ˜‡ #SharingIsCaring

๐Ÿ‘พ Download: objective-see.com/downloads/malwโ€ฆ (pw: infect3d)
Also be sure to also read:

1๏ธโƒฃ Google's Threat Analysis Group (TAG) authoritative analysis on the attack/exploits: blog.google/threat-analysiโ€ฆ

2๏ธโƒฃ @lorenzofb's excellent writeup
vice.com/en/article/93bโ€ฆ

๐Ÿ“๐Ÿ™Œ๐Ÿฝ
And yes our free, open-source tools detect & thus thwart this new implant even with no a priori knowledge of it! ๐Ÿ˜

BlockBlock (objective-see.com/products/blockโ€ฆ), which monitors persistence locations, alerts when the installer invokes /bin/cp to persist OSX.CDDS as a Launch Item:
LuLu (objective-see.com/products/lulu.โ€ฆ), our user-mode macOS firewall, will detect and alert when the implant (installed as "UserAgent") first attempts to beacon out to its command & control server to check-in and ask for tasking ๐Ÿ”ฅ๐Ÿ›ก

(C&C servers: 123.1.170.152 & 207.148.102.208)

โ€ข โ€ข โ€ข

Missing some Tweet in this thread? You can try to force a refresh
ใ€€

Keep Current with Objective-See

Objective-See Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @objective_see

15 Sep
โš ๏ธ A new malware campaign is targeting Mac users via sponsored search results & poisoned installers.

๐Ÿ“ Blog post analyzes stealthy trojanization mechanism, 2nd & 3rd stage payloads, and more!

+ samples! ๐Ÿ˜‡

Read:
objective-see.com/blog/blog_0x66โ€ฆ

H/T @CodeColorist for discovery! ๐Ÿ™
Original discovery: zhuanlan.zhihu.com/p/408746101 ๐Ÿ™Œ
...and (as always?) LuLu has got you covered ๐Ÿ˜ Image
Read 4 tweets
17 May
[ #OBTS News ]

Objective by the Sea v4.0 (2021):
objectivebythesea.com/v4/

๐Ÿ‘จโ€๐Ÿซ Training: 09/28 - 09/29
๐Ÿ’ฌ Presentations: 09/30 - 10/01

๐Ÿ“ Location: Maui, Hawaii, USA

Can't wait to see y'all in lovely Maui!! โ˜€๏ธ๐ŸŒด
...more details (venue, registration, etc.) soon!
#OBTS v4.0 Call For Papers now open!

Themes of interest are ๐ŸŽ-security topics, such as:
โš™๏ธ OS internals
๐Ÿฆ  Malware analysis
๐Ÿ› ๏ธ Tool making & breaking
๐Ÿ› Bug discovery & exploitation

CFP details: objectivebythesea.com/v4/cfp.html
We've selected the newly remodeled beachside Westin Resort & Spa, in Ka'anapali Maui to host #OBTS v4.0๐Ÿ–๏ธ ๐Ÿ˜Ž

We've also secured a block of rooms at a massively discounted group rate. These will sell out, so don't wait (too long)!

More info / to book: objectivebythesea.com/v4/attending.hโ€ฆ ImageImageImageImage
Read 7 tweets
26 Apr
A massive bug, affecting all recent versions of macOS was actively exploited as an 0day by malware ๐Ÿ‘พ๐ŸŽ

Read our blog post, #100
"All Your Macs Are Belong To Us"
objective-see.com/blog/blog_0x64โ€ฆ
PoC.gif ๐Ÿ”ฅ
The majority of Mac infections are "user-assisted", which Apple combats via:
โœ…Notarization
โœ…Gatekeeper
โœ…File Quarantine
...these have proven problematic for attackers

But oops, this bug sidesteps all, allowing unsigned (unnotarized) items to be launched ...with no alerts!๐Ÿ˜ญ
Read 9 tweets
19 Mar
Today, @SentinelOne published a report on "XcodeSpy", a new macOS malware specimen. ๐ŸŽ๐Ÿ‘พ

๐Ÿ“ "New macOS malware XcodeSpy Targets Xcode Developers": labs.sentinelone.com/new-macos-malwโ€ฆ

Q: Can our free open-source tools protect you ...with no a priori knowledge of this insidious threat?
When the malicious script in the infected Xcode project is executed and attempts to connect to the attacker's remote C&C server for tasking (via /bin/bash), LuLu will intercept this, and alert you:
If we allow the malicious payload (EggShell), to be downloaded from the server ....when it attempts to persistently install itself as a Launch Agent, BlockBlock will alert you:
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Thank you for your support!

Follow Us on Twitter!

:(