We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer’s Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to bypass the System Integrity Protection(SIP) read feature on macOS, another is used to abuse the development version of Safari.
Read More
This entry is about ThiefQuest, the newly discovered malware targeting macOS. We discuss the differences between the old and new versions of the malware. Related findings include new functions as well as unusual observations in VirusTotal
Read More We found an application sample in April called TinkaOTP, and our investigation showed the application bearing a striking resemblance to Dacls remote access trojan (RAT), a Windows and Linux backdoor discovered in December 2019.
Read More
We recently found and analyzed a malicious malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio. We found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to decrypt its encrypted codes while the second sample, despite using a simpler routine involving a single shell script, is actually incorporates a persistence mechanism.
Read More
We discovered a double free vulnerability (assigned as CVE-2019-8635) in macOS. The vulnerability is caused by a memory corruption flaw in the AMD component. If successfully exploited, an attacker can implement privilege escalation and execute malicious code on the system with root privileges.
Read More