9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
In this week’s special edition of Security Bite, Mosyle, a leader in Apple Device Management and Security, has exclusively revealed to 9to5Mac details of a new family of Mac malware loaders. Mosyle’s Security Research team found that the new threats are written in unconventional programming languages and use several other sneaky techniques to evade detection.
A malware loader is basically a “foot in the door” for cybercriminals. Its primary purpose is to quietly establish an initial presence on a system and create a pathway for more damaging malware to be delivered.
The new loader samples, discovered earlier this month, were developed in Nim, Crystal, and Rust, programming languages not typically used for malware development; Objective-C, C++, and Bash are far more common for Mac malware. Binaries built with these toolchains carry their own runtimes, strings, and code patterns that look nothing like the Objective-C and C++ samples most signatures were written against, so the choice suggests the attackers are deliberately trying to slip past traditional signature-based antivirus detection.
While this approach is stealthy, I’m skeptical it’ll become a widespread trend. Using less popular programming languages like Nim or Rust is tough for cybercriminals. These languages likely have more complex compilation processes than tried-and-true options like C and Bash, and they come with fewer ready-made libraries and tools. The steeper learning curve and trickier debugging mean criminals are more likely to accidentally leave digital breadcrumbs that could expose their malware. After all, even cybercriminals want their code to run smoothly, and right now these experimental languages make that a lot harder.
Other evasion tactics observed:
- Persistence through macOS’s launchd mechanism (a launch agent or daemon job registered with launchctl, so the loader comes back after a reboot or logout)
- Multi-hour sleep intervals before doing anything, long enough to outlast the few minutes most automated sandboxes give a sample
- Checks for the presence of particular directories before transmitting any data
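A responder reading that list will want to go and look for the first item. The script below is an added example written for this article, not Mosyle’s tooling and not code from the samples: it parses launchd job plists (the files launchctl loads) and reports jobs whose program lives in a scratch or hidden directory, that relaunch themselves if killed, or that pair an Apple-style label with a non-Apple binary. The three plists are constructed for the demo, and the trusted and scratch path lists are my assumptions, not an authoritative allowlist.

```python
"""Hunt for launchd persistence the way a responder would after reading the list above.

Added example for this article, not Mosyle's tooling and not code from the samples.
Path lists below are assumptions, not an authoritative allowlist.
"""
import os
import plistlib
import tempfile

# Directories launchd reads agent/daemon plists from (assumption: the usual three).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Where Apple and properly installed software normally keep executables (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Scratch locations a dropped loader typically runs from (assumption).
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def program_path(job):
    """Executable a launchd job runs: Program wins, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess(job):
    """Return the reasons a job looks like attacker persistence (empty list = unremarkable)."""
    reasons = []
    prog = program_path(job)
    if prog is None:
        return ["no Program or ProgramArguments"]
    if prog.startswith(SCRATCH_PREFIXES):
        reasons.append(f"program in scratch directory: {prog}")
    elif not prog.startswith(TRUSTED_PREFIXES):
        if any(part.startswith(".") for part in prog.split("/")):
            reasons.append(f"program in hidden directory: {prog}")
        elif prog.startswith("/Users/"):
            reasons.append(f"program in a user home: {prog}")
    # RunAtLoad + KeepAlive: starts at login and launchd relaunches it if it is killed.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched if killed)")
    label = str(job.get("Label", ""))
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/", "/Library/Apple/")):
        reasons.append(f"Apple-style label {label!r} on a non-Apple binary")
    return reasons


def scan(dirs):
    """Parse every .plist in dirs; return [(path, reasons)] for jobs worth a look."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fp:
                    job = plistlib.load(fp)  # handles both XML and binary plists
            except Exception as exc:  # a plist launchd cannot parse is itself odd
                hits.append((path, [f"unparseable plist: {exc}"]))
                continue
            reasons = assess(job)
            if reasons:
                hits.append((path, reasons))
    return hits


# Constructed jobs for the demo: one ordinary updater, two that mimic the
# launchd persistence described above (hidden user dir, /private/tmp, two-hour interval).
SAMPLE_JOBS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    },
    "com.apple.softwareupdate.helper.plist": {
        "Label": "com.apple.softwareupdate.helper",
        "ProgramArguments": ["/Users/alice/Library/.cache/helper", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "loader.plist": {
        "Label": "loader",
        "Program": "/private/tmp/.loader",
        "StartInterval": 7200,
    },
}


def demo():
    """Write the constructed plists to a scratch directory, scan it, return {filename: reasons}."""
    with tempfile.TemporaryDirectory() as d:
        for name, job in SAMPLE_JOBS.items():
            with open(os.path.join(d, name), "wb") as fp:
                plistlib.dump(job, fp)
        return {os.path.basename(p): r for p, r in scan([d])}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    for path, reasons in scan(LAUNCHD_DIRS):  # on a real Mac, also look at the live directories
        print(path, "->", "; ".join(reasons))
```

On a live Mac the same checks should also be run against `launchctl list` output, since a job can be loaded from a plist that has since been deleted; the file scan above only sees what is still on disk.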
According to Mosyle’s research, the malware campaign is in its early stages, potentially focused on reconnaissance. Telemetry data indicates the samples originated from systems in Bulgaria and the United States.
Most concerning, the samples showed zero detections on VirusTotal for several days after their initial discovery.
Below are the SHA-256 hashes of the three malware samples with their corresponding command and control (C2) domains:
Nim Sample
C2 Domain: strawberriesandmangos[.]com
Hash: f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07
Crystal Sample
C2 Domain: motocyclesincyprus[.]com
Hash: 2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702
Rust Sample
C2 Domain: airconditionersontop[.]com
Hash: 24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066
Mosyle’s security team continues to actively monitor and research these threats. I’ll continue to provide updates here as we learn more. The domains above are written with [.] so they can’t be clicked by accident; the Mosyle team tells me these C2 servers could still be active.
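To act on these indicators, here is an added example that is not part of Mosyle’s report: the script refangs the [.] domains, checks hostnames pulled from DNS or proxy log lines against them (matching subdomains but not look-alike names such as a domain that merely ends in the same string), and hashes files under a directory against the three SHA-256 values. The hash and domain values are the ones published above; the log lines are constructed, and the hash demo adds the digest of an empty file as a constructed marker so the sweep can show a hit without the real samples.

```python
"""Act on the published IOCs: refang the C2 domains, hunt them in logs, sweep files by SHA-256.

Added example for this article, not Mosyle's tooling. IOC values are the published
ones; the log lines and the extra marker hash in the demo are constructed.
"""
import hashlib
import os
import re
import tempfile

IOC_SHA256 = {
    "f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07": "Nim loader",
    "2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702": "Crystal loader",
    "24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066": "Rust loader",
}
DEFANGED_C2 = ["strawberriesandmangos[.]com", "motocyclesincyprus[.]com", "airconditionersontop[.]com"]


def refang(indicator):
    """Defanged domain or URL -> comparable hostname: lowercase, no scheme or path, no trailing dot."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^https?://", "", s).split("/")[0]
    return s.rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def domain_hit(hostname):
    """Return the matching C2 domain if hostname is it or a subdomain of it; look-alikes do not match."""
    h = refang(hostname)
    for c2 in C2_DOMAINS:
        if h == c2 or h.endswith("." + c2):
            return c2
    return None


HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def scan_log(lines):
    """Return [(line_no, c2)] for each log line naming a C2 domain or one of its subdomains."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            c2 = domain_hit(host)
            if c2:
                hits.append((n, c2))
                break
    return hits


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fp:
        for chunk in iter(lambda: fp.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sweep(root, wanted=IOC_SHA256):
    """Walk root and return {path: name} for regular files whose SHA-256 is in wanted."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                found[path] = wanted[digest]
    return found


# Constructed DNS/proxy lines. Line 4 is a look-alike that must not match.
SAMPLE_LOG = [
    "2024-11-05T10:02:13Z dns A www.apple.com from 10.0.0.12",
    "2024-11-05T10:02:14Z dns A cdn.StrawberriesAndMangos.com from 10.0.0.12",
    "2024-11-05T13:11:40Z proxy CONNECT airconditionersontop.com:443 from 10.0.0.12",
    "2024-11-05T13:11:41Z dns A notairconditionersontop.com from 10.0.0.12",
    "2024-11-05T14:00:00Z dns A motocyclesincyprus.com. from 10.0.0.9",
]

# SHA-256 of an empty file: a constructed marker so the demo sweep can show a hit.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo_hash_sweep():
    """Sweep a scratch directory holding an empty file and a non-empty one; return {filename: name}."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty.bin"), "wb").close()
        with open(os.path.join(d, "other.bin"), "wb") as fp:
            fp.write(b"not a sample")
        wanted = dict(IOC_SHA256, **{EMPTY_SHA256: "constructed marker"})
        return {os.path.basename(p): v for p, v in hash_sweep(d, wanted).items()}


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(demo_hash_sweep())
```

Hash matching only catches these exact three files; a recompiled loader with a different hash will sail past it, which is why the domain check (and the launchd hunt) matter more than the hashes once the C2 infrastructure is known.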
Follow Arin: Twitter/X, LinkedIn, Threads