“Cyber criminals, APT groups and nation state actors are extensively targeting Apple iOS/MacOS devices for various reasons: continuous innovation and development of Apple platforms leads ultimately to new attack surfaces (and more 0-days sold in the underground)”, Confiant specialists report.
The attack begins with a malicious ad that runs malicious code in the victim’s browser and redirects it to a site displaying pop-ups claiming the user urgently needs to install a software update (usually Adobe Flash Player). Users who fall for this trick receive not an update but two pieces of malware at once: OSX/Shlayer and OSX/Tarmac.
According to Confiant, this Shlayer and Tarmac ad campaign has been active since January of this year. Notably, the company’s researchers wrote about Shlayer last winter, but at that time they had not yet found Tarmac.
“Confiant detected and analyzed OSX/Shlayer since January 2019, originating from a malvertiser that Confiant has dubbed VeryMal. It’s estimated based on the scope of our coverage that as many as 5MM visitors may have been subject to this recent malware campaign”, Confiant specialists explain.
Now, experts have supplemented their report on this still active campaign and its payload.
Tarmac is the second-stage payload of the infection, meaning it comes into play after Shlayer. All versions of Tarmac discovered by the researchers turned out to be relatively old, and the command-and-control servers were no longer operational by the time the malware was found (most likely they had been moved elsewhere). This made the threat difficult to analyze, and the researchers were unable to fully understand how Tarmac works.
What is known so far is that Tarmac is ultimately installed on Shlayer-infected hosts, where it collects information about the victim’s settings and hardware and then transfers this information to its command-and-control server. The malware then waits for new commands, but since the C&C servers were no longer operational, its full functionality could not yet be determined. The experts believe the threat could be very dangerous, able to download and install additional applications, and they intend to continue the study.
The researchers add that Tarmac payloads are signed with legitimate Apple developer certificates, so Gatekeeper and XProtect neither block the installation of the malware nor display any warnings.