New Mac malware from mystery APT flies under anti-virus radars

Compromised Wordpress sites helping to deliver the malware...

New Mac malware from mystery APT flies under anti-virus radars

In late 2019 security researchers at Kaspersky spotted a unique "fully fledged" C++ Trojan targeting organisations in the Middle East that seemed to represent the work of a new threat actor -- it did not show "any code similarities with known campaigns" Kaspersky said at the time, dubbing it WildPressure.

This week Kaspersky said they have identified a trio of new malware samples from the mystery group, featuring malware developed for both Windows and macOS, with variants in C++, VBSScript, and Python. The malware (a Trojan) lets the controller download/upload files, execute commands with the OS command interpreter, update the Trojan and clean up the target. It appears to be targeting O&G companies.

"The coding style, overall design and C2 communication protocol is quite recognizable across all three programming languages used by the authors", Kaspersky said on July 7. (As The Stack published, the persistent macOS component was not detected by any of the anti-virus engines on VirusTotal -- as Mac security researcher Patrick Wardle noted in his newsletter.)

See also: Microsoft blames key rotation failure for Azure Portal outage. Improvements to “Safe Deployment” pending.

"For macOS, Guard decodes an XML document and creates a plist file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system" Kaspersky said.

WildPressure is using both VPS and compromised WordPress websites for its C2, Kaspersky said. Its earlier campaign saw it rent OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymisation service to underpin its C2 network.

Wardle suggests that users worried they are infected can run his free tool KnockKnock, which enumerates persistently installed software, and look for a Launch Agent, with a plist named com.apple.pyapple.plist or apple.scriptzxy.plist. For more technical details and IOCs, see here.

Read this: Hackers get esoteric with their C2 -- Look out for this