Patrick Wardle
Objective-See'ing & DoubleYou'ing
Jul 19 • 17 tweets • 7 min read
I don't do Windows but here are some (initial) details about why CrowdStrike's CSAgent.sys crashed

Faulting inst: mov r9d, [r8]
R8: unmapped address

...taken from an array of pointers (held in RAX), index RDX (0x14 * 0x8) holds the invalid memory address

@_JohnHammond
The other "drivers" (e.g. 'C-00000291-...32.sys') appear to be obfuscated data ...and are x-ref'd (perhaps ingested?) by CSAgent.sys

...so maybe invalid (config/signature) data triggered the fault in CSAgent.sys

This would be easier to tell/confirm via debugging
Apr 16, 2023 • 5 tweets • 3 min read
New Blog Post:
"The LockBit ransomware (kinda) comes for macOS": objective-see.org/blog/blog_0x75…

Includes full technical analysis of LockBit's macOS arm64 variant ("locker_Apple_M1_64") + sample for download + heuristic methods of detection

H/T @malwrhunterteam @vxunderground

First, (can't stress this enough), this variant though *compiled* for macOS is not specifically designed for macOS.

It's buggy (crashes), has an invalid signature, and doesn't take into account any of macOS's file-system security mechanisms.

So, impact to macOS users (for now): 0
Mar 30, 2023 • 33 tweets • 17 min read
RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet)

One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"

...let's dive in! 1/n

We'll start with 3CXDesktopApp-18.12.416.dmg
(SHA 1: 3DC840D32CE86CEBF657B17CEF62814646BA8E98)

It contains a *notarized* app ("3CX Desktop App.app") ...meaning Apple checked it for malware "and none was detected" 2/n
Mar 29, 2023 • 5 tweets • 3 min read
Ever wondered what it's like writing security tools for macOS?

As Apple provides no official way to detect what app is using the webcam/mic, OverSight simply monitored the system log.

This was (independently) reported to Apple, who decided to assign it a CVE/patch it
Unfortunately this means OverSight is now broken on macOS 13.3

Apple still doesn't provide a method for security tools to determine what app is accessing the mic/camera, even after years of requesting (begging) for this capability
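The thread above describes the approach OverSight took: with no supported API for "which process owns the camera/mic right now", the tool watched the system log and correlated device power events with the process that attached to the device. The following is an added example of that correlation logic and is not OverSight's code. The log lines are constructed for the example, and their wording ("device powered on", "client attached pid=… path=…") is an assumed, simplified schema, not the strings macOS actually emits; on a real Mac the input would come from `log stream`, and the messages, and whether they still carry a pid at all after the 13.3 change, would need to be confirmed per OS version.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log, NOT real macOS output: the message format is an
# assumption for this example (see lead-in). Two benign Zoom sessions, then a
# camera activation claimed by a binary living in a temp directory.
SAMPLE_LOG = """\
2023-03-29 09:12:01.104 camera: device powered on
2023-03-29 09:12:01.220 camera: client attached pid=4815 path=/Applications/zoom.us.app/Contents/MacOS/zoom.us
2023-03-29 09:12:03.900 mic: device powered on
2023-03-29 09:12:03.950 mic: client attached pid=4815 path=/Applications/zoom.us.app/Contents/MacOS/zoom.us
2023-03-29 09:40:17.004 mic: device powered off
2023-03-29 09:40:17.310 camera: device powered off
2023-03-29 10:02:44.001 camera: device powered on
2023-03-29 10:02:44.150 camera: client attached pid=9021 path=/private/tmp/.cache/updater
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<dev>camera|mic): (?P<msg>.*)$")
ATTACH_RE = re.compile(r"client attached pid=(?P<pid>\d+) path=(?P<path>\S+)")

# Roots under which a camera/mic client is treated as plausible; anything else
# (temp dirs, hidden folders, no attribution at all) is surfaced for review.
TRUSTED_ROOTS = ("/Applications/", "/System/")


@dataclass
class Session:
    device: str
    start: str
    pid: Optional[int] = None
    path: Optional[str] = None
    end: Optional[str] = None


def parse_sessions(lines: Iterable[str]) -> List[Session]:
    """Turn power-on/attach/power-off log lines into per-device sessions.

    Completed sessions come first (in the order they ended); devices still
    powered on when the log ends are appended with end=None.
    """
    active: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log noise
        ts, dev, msg = m["ts"], m["dev"], m["msg"]
        if msg == "device powered on":
            active[dev] = Session(device=dev, start=ts)
        elif msg == "device powered off":
            s = active.pop(dev, None)
            if s is not None:
                s.end = ts
                finished.append(s)
        else:
            a = ATTACH_RE.search(msg)
            if a and dev in active:  # attribute the open session to a process
                active[dev].pid = int(a["pid"])
                active[dev].path = a["path"]
    finished.extend(active.values())
    return finished


def suspicious(s: Session) -> bool:
    """Heuristic: no attributed process, or a client outside trusted roots."""
    if s.path is None:
        return True
    return not s.path.startswith(TRUSTED_ROOTS)


def report(lines: Iterable[str]) -> List[str]:
    """One human-readable line per session, flagged with [!] when suspicious."""
    out = []
    for s in parse_sessions(lines):
        who = f"pid {s.pid} ({s.path})" if s.pid is not None else "unattributed"
        state = f"until {s.end}" if s.end else "still active"
        flag = "[!] " if suspicious(s) else "    "
        out.append(f"{flag}{s.device} from {s.start} {state}: {who}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

The correlation is deliberately stateful: the power event tells you *that* the device turned on, the attach event tells you *who*, and a device that turns on with no attach following is itself a finding.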
Oct 10, 2022 • 7 tweets • 5 min read
I've just posted slides from my #OBTS v5 talk: "Making oRAT, Go"

speakerdeck.com/patrickwardle/…

After creating a custom C&C server, we can uncover the malware’s full capabilities - simply by asking (tasking) the right questions!

1. First, we must understand how the malware figures out how to find its C&C server - so we can coerce it to talk to our C&C instead!

As this (encrypted) info is embedded within the malware, we can write a simple decryptor/encryptor to (re)configure the malware
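The step just described (decrypt the embedded config, swap the C&C address for one you control, re-encrypt and write it back) is shown below as an added example; it is not the author's tooling and does not use oRAT's real format. The `CFG1` marker, the length-prefixed layout, the JSON config and the SHA-256 counter keystream are all stand-ins chosen for the example, since the malware's actual storage scheme and cipher are not on the page. What the example does preserve is the practical constraint: the rewritten blob must be exactly the original size so that nothing else in the binary shifts.

```python
import hashlib
import json
import struct
from typing import Optional, Tuple

# Hypothetical layout for this example: MAGIC, little-endian u32 length, then
# the encrypted config. Not oRAT's real layout.
MAGIC = b"CFG1"


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream; stands in for whatever the malware uses."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_config(cfg: dict, key: bytes, size: Optional[int] = None) -> bytes:
    """Serialise and encrypt; when `size` is given, pad to exactly that size."""
    plain = json.dumps(cfg, separators=(",", ":")).encode()
    if size is not None:
        if len(plain) > size:
            raise ValueError(f"config is {len(plain)} bytes, only {size} reserved")
        plain = plain.ljust(size)  # JSON parsers ignore trailing whitespace
    return xor_bytes(plain, keystream(key, len(plain)))


def decrypt_config(blob: bytes, key: bytes) -> dict:
    return json.loads(xor_bytes(blob, keystream(key, len(blob))))


def locate_config(binary: bytes) -> Tuple[int, int]:
    """Return (offset, length) of the encrypted blob inside the binary."""
    idx = binary.find(MAGIC)
    if idx < 0:
        raise ValueError("config marker not found")
    (length,) = struct.unpack_from("<I", binary, idx + len(MAGIC))
    return idx + len(MAGIC) + 4, length


def retarget(binary: bytes, key: bytes, new_c2: str) -> Tuple[bytes, str]:
    """Patch the embedded C&C address in place; returns (patched_binary, old_c2)."""
    start, length = locate_config(binary)
    cfg = decrypt_config(binary[start:start + length], key)
    old_c2 = cfg["c2"]
    cfg["c2"] = new_c2
    blob = encrypt_config(cfg, key, size=length)  # same length: no offsets move
    return binary[:start] + blob + binary[start + length:], old_c2


def build_sample_binary(key: bytes, c2: str) -> bytes:
    """Constructed stand-in for the malware image: filler bytes around a config."""
    blob = encrypt_config({"c2": c2, "beacon": 60}, key)
    return b"\x90" * 32 + MAGIC + struct.pack("<I", len(blob)) + blob + b"\xcc" * 32


if __name__ == "__main__":
    key = b"example-key"  # assumed; in practice recovered from the sample
    sample = build_sample_binary(key, "c2.attacker.example:443")
    patched, old = retarget(sample, key, "127.0.0.1:4443")
    start, length = locate_config(patched)
    print(old, "->", decrypt_config(patched[start:start + length], key)["c2"])
```

Once the patched sample connects to the local listener, each command the protocol supports can be sent in turn and the response observed, which is the "tasking the right questions" part of the talk.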
Sep 21, 2021 • 4 tweets • 3 min read
Latest macOS 0day (credit: Park Minchan)
...bypasses File Quarantine, Gatekeeper, etc.

Advisory:
๐Ÿ“ "macOS Finder RCE" ssd-disclosure.com/ssd-advisory-mโ€ฆ

Confirmed Big Sur & Monterey are vulnerable

I've posted Park's PoC (pops Calc) if you'd like to play: objective-see.com/downloads/PoCs…

The PoC once downloaded still has to be manually executed by the user.

macOS should, via File Quarantine/Gatekeeper, alert/warn/block as this is an 'executable' item from the Internet.

Apple attempted to patch (blocking file:// prefix), but File:// or fIle:// still work
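The failure mode in the last tweet (a case-sensitive prefix blocklist that `File://` and `fIle://` walk straight past) is generic enough to be worth showing side by side with the check that actually holds. The example below is added here and is not Apple's patch code, which is not on the page; it contrasts a naive `startswith("file://")` with parsing the scheme and comparing it case-insensitively, as URI schemes are defined to be (RFC 3986). The sample URLs are constructed.

```python
from urllib.parse import urlsplit
from typing import Iterable, List

BLOCKED_SCHEMES = {"file"}


def naive_is_blocked(url: str) -> bool:
    """The weak check: an exact, case-sensitive prefix match on the raw string."""
    return url.startswith("file://")


def scheme_is_blocked(url: str) -> bool:
    """Parse out the scheme, normalise its case, then compare.

    Trailing/leading whitespace is stripped first because a leading space
    also defeats a prefix match while many URL handlers still accept the URL.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in BLOCKED_SCHEMES


# Constructed inputs: the first is the canonical form, the next three are
# variants of the kind the tweet describes, the last two are benign.
SAMPLES = [
    "file:///Applications/Calculator.app",
    "File:///Applications/Calculator.app",
    "fIle:///Applications/Calculator.app",
    " file:///Applications/Calculator.app",
    "https://objective-see.org/",
    "mailto:someone@example.com",
]


def bypasses(urls: Iterable[str]) -> List[str]:
    """URLs the naive check lets through even though the scheme is blocked."""
    return [u for u in urls if scheme_is_blocked(u) and not naive_is_blocked(u)]


if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u!r:45} naive={naive_is_blocked(u)!s:5} parsed={scheme_is_blocked(u)}")
    print("bypasses:", bypasses(SAMPLES))
```

Whatever the blocklisted scheme, the rule is the same: never filter on the raw string; parse the thing the consumer will parse, normalise, then decide.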