Apple macOS | Breaking Cybersecurity News | The Hacker News

"Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

Jan 23, 2024 Malware / Cryptocurrency
Cracked software has been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and Apple silicon processor architectures. The attack chains leverage booby-trapped disk image (DMG) files that include a program named "Activator" and a pirated version of legitimate software such as xScope. Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app. Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modif
New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

Dec 20, 2023 Cryptocurrency / Malware
A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools. Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar. In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating
How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024 Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration, both internally and externally. For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent. Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched Data Protection for Google Drive to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
New BLUFFS Bluetooth Attack Exposes Devices to Adversary-in-the-Middle Attacks

Dec 04, 2023 Encryption / Technology
New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers. The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022. The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month. This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions. While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are re
Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems

Sep 14, 2023 Endpoint Security / Vulnerability
A set of memory corruption flaws has been discovered in the ncurses (short for "new curses") programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems. "Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions," Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse said in a technical report published today. The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS score of 7.8), have been addressed as of April 2023. Microsoft said it also worked with Apple on remediating the macOS-specific issues related to these flaws. Environment variables are user-defined values that can be used by multiple programs on a system and can affect the manner in which they behave on the system. Manipulating the variables can cause applica
Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks

Sep 12, 2023 Endpoint Security / Data Security
A new information stealer malware called MetaStealer has set its sights on Apple macOS, making it the latest in a growing list of stealer families focused on the operating system after MacStealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads," SentinelOne security researcher Phil Stokes said in a Monday analysis. In these attacks, MetaStealer is distributed in the form of rogue application bundles in the disk image format (DMG), with targets approached through threat actors posing as prospective design clients in order to share a password-protected ZIP archive containing the DMG file. Other instances have involved the malware masquerading as Adobe files or installers for Adobe Photoshop. Evidence gathered so far shows that MetaStealer artifacts began appearing in the wild in March 2023. The most recent sample was uploade
Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Sep 07, 2023 Malvertising / Endpoint Security
A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector, in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems. "Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops
New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

Aug 22, 2023 Malware / Endpoint Security
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)." XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file. "Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with
Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets

Jul 26, 2023 Cryptocurrency / Endpoint Security
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz. "Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts." The cybersecurity firm, which identif
macOS Under Attack: Examining the Growing Threat and User Perspectives

Jul 25, 2023 Endpoint Security / macOS
As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system. What Are the Rising Threats to macOS? There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically targeting Mac systems, as seen with the "Geacon" Cobalt Strike tool attack. This tool enables them to perform malicious actions such as data theft, privilege elevation, and remote device control, placing the security and privacy of Mac users at grave risk. Earlier this year, researchers also uncovered the MacStealer malware, which also stole sensitive data from Apple users. Documents, iCloud keychain data, browser cookies, credit card credentials: nothing is safe from the prying eyes. But that's not all. CloudMensis is malicious software that specifically targets macOS systems,
Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack

Jun 26, 2023 Cryptocurrency / Endpoint Security
An unknown cryptocurrency exchange located in Japan was the target of a new attack earlier this month to deploy an Apple macOS backdoor called JokerSpy. Elastic Security Labs, which is monitoring the intrusion set under the name REF9134, said the attack led to the installation of Swiftbelt, a Swift-based enumeration tool inspired by an open-source utility called SeatBelt. JokerSpy was first documented by Bitdefender last week, describing it as a sophisticated toolkit designed to breach macOS machines. Very little is known about the threat actor behind the operation other than the fact that the attacks leverage a set of programs written in Python and Swift that come with capabilities to gather data and execute arbitrary commands on compromised hosts. A primary component of the toolkit is a self-signed multi-architecture binary known as xcc that's engineered to check for FullDiskAccess and ScreenRecording permissions. The file is signed as XProtectCheck, indicating an
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems

Jun 19, 2023 Endpoint Security / Hacking
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday. The Romanian firm's analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy. The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for execut
Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

May 31, 2023 Endpoint Security / Vulnerability
Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices. Specifically, the flaw, dubbed Migraine and tracked as CVE-2023-32369, could be abused to get around a key security measure called System Integrity Protection (SIP), or "rootless," which limits the actions the root user can perform on protected files and folders. "The most straight-forward implication of a SIP bypass is that [...] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said. Even worse, it could be exploited to gain arbitrary kernel code execution and even access sensitive data by replacing databases that manage Transparency, Consent, and Control (TCC) policies. The bypass is made possible by leveraging a built-in macOS tool called Migrat
Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

May 16, 2023 Endpoint Security / Cyber Threat
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss said in a report. Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka"
LockBit Ransomware Now Targeting Apple macOS Devices

Apr 18, 2023 Encryption / Malware
Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple's macOS operating system. The development, which was reported by the MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has created a macOS-based payload. Additional samples identified by vx-underground show that the macOS variant has been available since November 11, 2022, and has managed to evade detection by anti-malware engines until now. LockBit is a prolific cybercrime crew with ties to Russia that has been active since late 2019, with the threat actors releasing two major updates to the locker in 2021 and 2022. According to statistics released by Malwarebytes last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, accounting for 93 successful attacks. An analysis of the new macOS version ("locker_Apple_M1_64") reveals that it's still a work in pr
Apple Issues Urgent Security Update for Older iOS and iPadOS Models

Mar 28, 2023 Mobile Security
Apple on Monday backported fixes for an actively exploited security flaw to older iPhone and iPad models. The issue, tracked as CVE-2023-23529, concerns a type confusion bug in the WebKit browser engine that could lead to arbitrary code execution. It was originally addressed by the tech giant with improved checks as part of updates released on February 13, 2023. An anonymous researcher has been credited with reporting the bug. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple said in a new advisory, adding it's "aware of a report that this issue may have been actively exploited." Details surrounding the exact nature of exploitation are currently not known, but withholding technical specifics is standard procedure as it helps prevent additional in-the-wild abuse targeting susceptible devices. The update is available in versions iOS 15.7.4 and iPadOS 15.7.4 for iPhone 6s (all models), iPhone 7 (all models), iPho
New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

Mar 27, 2023 Data Safety / Endpoint Security
A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. "MacStealer has the ability to steal documents, cookies from the victim's browser, and login information," Uptycs researchers Shilpesh Trivedi and Pratik Jeware said in a new report. First advertised on online hacking forums for $100 at the start of the month, it is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app. In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It al
Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

Feb 22, 2023 Endpoint Security / Software Update
Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS. The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation. The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution. "An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling." The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023. Trellix, in its own report on Tuesday, classified the two flaws as a "
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

Dec 20, 2022 Endpoint Security / Vulnerability
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. The shortcoming, dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), was addressed by the iPhone maker in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, describing it as a logic issue that could be weaponized by an app to circumvent Gatekeeper checks. "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Jonathan Bar Or of the Microsoft 365 Defender Research Team said. Gatekeeper is a security mechanism designed to ensure that only trusted apps run on the operating system. This is enforced by means of an extended attribute called "com.apple.quarantine" that's assigned to files downlo
North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

Sep 27, 2022
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job. Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site Linke