Brief #16: MacOS Malware Alert, North Korean Cyber Espionage, and More

Mandos Brief, Week 36 2023: Unveiling the Atomic MacOS Stealer malware, W3LL's phishing kit, iOS 16.6.1 update insights, and the security flaws in GenAI.

Brief #16: MacOS Malware Alert, North Korean Cyber Espionage, and More

Mac Users Beware: Atomic MacOS Stealer Malware Unleashed Through Malvertising Campaign

  • Atomic Stealer Malware (AMOS): A new malvertising campaign is distributing an updated version of the macOS malware known as Atomic Stealer or AMOS. This malware, actively maintained and updated by its creators, is being sold for $1000 per month and targets gamers and cryptocurrency users, stealing a wide range of data including keychain passwords, browser data, and files from compromised devices.
  • Distribution through Google Ads: The malware is primarily distributed through Google Ads, directing users to fraudulent websites hosting rogue installers when they search for popular software. A notable fraudulent website used in this campaign impersonates the TradingView financial market tracking app, offering downloads for Windows, macOS, and Linux, with the macOS file delivering the AMOS malware.
  • Evading macOS Security: Once downloaded, the malware instructs users on how to bypass Apple's Gatekeeper security feature, exploiting the system to exfiltrate stolen data to a server controlled by the attackers. It has evasion capabilities to bypass Gatekeeper protections and is capable of harvesting files and data stored in iCloud keychains and web browsers, including crypto-related browser extensions.
  • Targeting Cryptocurrency Users and Gamers: The malware has evolved to target a broader range of operating systems, focusing particularly on gamers and cryptocurrency users. It seeks to steal information related to cryptocurrencies and has a hardcoded list of crypto-related browser extensions to attack. The attackers are leveraging the wide availability of Apple systems in organizations, marking a trend of increasing macOS-targeted attacks.

North Korean Threat Actors Exploit Zero-Day to Target Cybersecurity Experts

  • Zero-Day Exploitation: North Korean threat actors have been exploiting a zero-day vulnerability in an unspecified software to target cybersecurity researchers. The vulnerability is currently being patched.
  • Sophisticated Social Engineering: The attackers utilized social media platforms such as "X" (formerly Twitter) and Mastodon to build trust with potential targets, engaging them in month-long conversations before moving to encrypted messaging apps like Signal, WhatsApp, or Wire to send malicious files exploiting the zero-day.
  • Shellcode and Anti-VM Checks: Upon successful exploitation, the shellcode performs a series of anti-virtual machine checks, transmitting collected data and screenshots back to an attacker-controlled server.
  • Collaborative Lures: This is not the first time North Korean actors have used collaboration-themed lures. Previously, they have used GitHub and fake personas to target the cybersecurity sector, inviting targets to collaborate on GitHub repositories and convincing them to execute malicious contents.
  • Global Intelligence Gathering: Recent activities suggest a concerted effort by North Korean government-backed groups to gather intelligence globally, targeting defense industries and governments in various countries including Russia, Germany, and Israel, to improve their military capabilities.

W3LL Phishing Kit Bypasses MFA to Hijack Thousands of Microsoft 365 Accounts

  • W3LL Phishing Kit: A creation of the threat actor known as W3LL, this phishing kit has successfully bypassed multi-factor authentication (MFA), compromising over 8,000 Microsoft 365 corporate accounts in the past ten months. The kit has been utilized in business email compromise (BEC) attacks, causing substantial financial losses.
  • W3LL Store: A marketplace where W3LL promotes and sells its tools to a closed community of over 500 cybercriminals. The store offers 16 more tools ready for BEC attacks, including SMTP senders and a vulnerability scanner named Okelo.
  • Advanced Phishing Techniques: The W3LL panel, a part of the phishing kit, employs sophisticated techniques such as adversary-in-the-middle functionality and API source code protection to bypass security measures and successfully phish credentials. It also uses various obfuscation methods to bypass email filters and security agents.
  • Global Reach and High Success Rate: The W3LL phishing kit has targeted at least 56,000 Microsoft 365 accounts globally, enjoying a compromise success rate of 14.3%. It has created close to 850 unique phishing websites targeting various industries, including IT, healthcare, and financial services.
  • Professionalized Business Model: W3LL operates a highly efficient and professional business model, offering phishing-as-a-service with a 70/30 profit split and a 10% referral bonus, netting $500,000 since last October. The ecosystem includes customer support through a ticketing system and live webchat, and even offers video tutorials for cybercriminals lacking the necessary skills.

Urgent iOS 16.6.1 Update: Apple Patches Zero-Day Exploits Targeted by Pegasus Spyware

  • Pegasus Spyware Attacks: The notorious Pegasus spyware, developed by the Israel-based NSO Group, has once again been found exploiting vulnerabilities in Apple devices. The spyware was identified on the Apple device of an employee working at a Washington-based civil society organization.
  • Zero-Day Vulnerabilities: Apple has rushed to patch two critical zero-day vulnerabilities identified as CVE-2023-41061 and CVE-2023-41064. These flaws could allow attackers to execute arbitrary code through specially crafted attachments and images. The vulnerabilities were exploited using a zero-click iMessage exploit chain named "BlastDoor," which enabled the deployment of Pegasus spyware on fully patched iPhones running iOS 16.6.
  • Emergency Update iOS 16.6.1: In response to the identified threats, Apple released an emergency update, iOS 16.6.1, urging all users to update their devices immediately to safeguard against potential spyware attacks. The update is available for a range of Apple devices including iPhones, iPads, and Apple Watches.
  • Technical Insights: The exploit involved the use of PassKit attachments containing malicious images sent through iMessage, bypassing Apple's security measures including the BlastDoor sandbox framework. Detailed technical insights into the exploit chain are expected to be released in the future.

Generative AI's Biggest Security Flaw is Not Easy to Fix

  • Generative AI Vulnerabilities: Security researchers have raised concerns over the vulnerabilities present in large language models (LLMs) like OpenAI's ChatGPT and Google's Bard, which are susceptible to indirect prompt injection attacks. These attacks can force chatbots to behave in unintended ways, including engaging in scam activities.
  • Indirect Prompt Injection Attacks: This type of attack has become one of the most concerning ways LLMs can be exploited. It involves a third party providing hidden instructions through a website or a PDF that the AI system can read, influencing the AI to follow potentially malicious directives.
  • Security Measures and Concerns: While there are ongoing efforts to understand and mitigate these security flaws, including the development of guardrails and filters to identify and block malicious inputs, there is no full-proof solution yet. The core issue remains that anyone who can input data into the LLM can potentially manipulate its output, posing a significant risk to both personal and corporate data security.
  • Industry Response: The cybersecurity industry is actively working to raise awareness of these potential dangers, with organizations like the UK's National Cybersecurity Center highlighting the risks. Companies are advised to adhere to security best practices to reduce the risks associated with deploying LLMs.