And yes, our free, open-source tools detect & thus thwart this new implant even with no a priori knowledge of it!
BlockBlock (objective-see.com/products/block…), which monitors persistence locations, alerts when the installer invokes /bin/cp to persist OSX.CDDS as a Launch Item:
LuLu (objective-see.com/products/lulu.…), our user-mode macOS firewall, will detect and alert when the implant (installed as "UserAgent") first attempts to beacon out to its command & control server to check in and ask for tasking
(C&C servers: 123.1.170.152 & 207.148.102.208)
Themes of interest are Apple-security topics, such as:
- OS internals
- Malware analysis
- Tool making & breaking
- Bug discovery & exploitation
The majority of Mac infections are "user-assisted", which Apple combats via:
- Notarization
- Gatekeeper
- File Quarantine
...these have proven problematic for attackers
But oops, this bug sidesteps all, allowing unsigned (unnotarized) items to be launched ...with no alerts!
Q: Can our free open-source tools protect you ...with no a priori knowledge of this insidious threat?
When the malicious script in the infected Xcode project is executed and attempts to connect to the attacker's remote C&C server for tasking (via /bin/bash), LuLu will intercept this and alert you:
If we allow the malicious payload (EggShell) to be downloaded from the server ...when it attempts to persistently install itself as a Launch Agent, BlockBlock will alert you:
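The two detections the thread relies on (BlockBlock flagging a newly written Launch Item, LuLu flagging the first beacon to a C&C address) can be illustrated with a small baseline-diff script. This is an added example, not BlockBlock's or LuLu's own code: the Launch Agent plist, the baseline of known labels, the process/connection records and the label "com.example.useragent" are all constructed here; only the two C&C addresses come from the thread.

```python
"""Added example: detect a new Launch Agent and a beacon to a known C&C host.

Not Objective-See code. The plist, baseline and connection records below are
constructed for illustration; the C&C addresses are the ones named in the thread.
"""
import plistlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample: a LaunchAgent plist of the shape an implant drops into
# ~/Library/LaunchAgents. Label and program path are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.useragent</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/UserAgent</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed baseline: Launch Agent labels present before the installer ran.
BASELINE_LABELS: Set[str] = {"com.apple.example.helper", "com.vendor.updater"}

# C&C addresses named in the thread.
CNC_ADDRESSES: Set[str] = {"123.1.170.152", "207.148.102.208"}

# Constructed connection attempts as (process name, destination IP, port).
# 192.0.2.10 is a documentation address standing in for a benign destination.
SAMPLE_CONNECTIONS: List[Tuple[str, str, int]] = [
    ("Safari", "192.0.2.10", 443),
    ("UserAgent", "207.148.102.208", 443),
]


@dataclass
class PersistenceAlert:
    label: str
    program: str
    run_at_load: bool


@dataclass
class BeaconAlert:
    process: str
    destination: str
    port: int


def parse_launch_item(plist_bytes: bytes) -> dict:
    """Extract label, program path and RunAtLoad from a launchd plist."""
    item = plistlib.loads(plist_bytes)
    # launchd accepts either a Program key or a ProgramArguments array.
    program = item.get("Program")
    if program is None:
        args = item.get("ProgramArguments") or []
        program = args[0] if args else ""
    return {
        "label": item.get("Label", ""),
        "program": program,
        "run_at_load": bool(item.get("RunAtLoad", False)),
    }


def check_persistence(plist_bytes: bytes, baseline: Set[str]) -> Optional[PersistenceAlert]:
    """Alert when a Launch Item's label was not in the baseline (new persistence)."""
    info = parse_launch_item(plist_bytes)
    if info["label"] in baseline:
        return None
    return PersistenceAlert(info["label"], info["program"], info["run_at_load"])


def check_beacons(connections: Iterable[Tuple[str, str, int]],
                  cnc: Set[str]) -> List[BeaconAlert]:
    """Alert on every outbound attempt whose destination is a known C&C address."""
    return [BeaconAlert(proc, dst, port) for proc, dst, port in connections if dst in cnc]


if __name__ == "__main__":
    alert = check_persistence(SAMPLE_PLIST, BASELINE_LABELS)
    if alert:
        print(f"[persistence] new Launch Item {alert.label} -> {alert.program} "
              f"(RunAtLoad={alert.run_at_load})")
    for hit in check_beacons(SAMPLE_CONNECTIONS, CNC_ADDRESSES):
        print(f"[beacon] {hit.process} -> {hit.destination}:{hit.port}")
```

The baseline diff is the part that needs no prior knowledge of the implant: any label not seen before is surfaced, which is why BlockBlock fires on a brand-new family. The address match, by contrast, only works once the C&C hosts are known, so a real firewall alert is keyed on the first connection by a previously unseen process rather than on an IP list.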