How Attackers Hide Mac Malware Using Steganography In Ad Images

Malvertising, they call it. This technique can inject ads into encrypted web traffic. Most malware targets Windows, but Macs are not immune either. Years ago, people thought Mac users were immune to malware. Now everyone, from regular users to power users to Apple itself, knows that is simply not true.

Researchers have detected about 191,970 bad ads and estimate that around 1 million users were affected. With cybercrime on the rise, finding malware on macOS is not surprising. In recent years, however, Apple has added a variety of security layers in a bid to strengthen the security of its OS and protect its users.

The new macOS High Sierra keeps ransomware at bay with FileVault disk encryption, safer apps through Gatekeeper, and an intelligent Safari with mechanisms to thwart advertisers engaging in cross-site tracking.

Even with all this, Apple still cannot protect you from unknowingly getting infected with malware.

The attackers use steganography, the practice of hiding a file, message, video or image inside another file, message, video or image, to evade detection and conceal the malicious code in an ad image.

Researchers who analyzed the campaign believe it ran from 11 January to 13 January. The benchmark cost impact for the first day alone is estimated at around $1.2 million in ad fraud.

Disguised as a Flash Player update, the malware acts as a Trojan horse and a dropper for additional payloads, most probably adware. As a result, your machine will run slower and you will be pushed to purchase applications you do not need.

Little is known about the perpetrators behind this attack, except that researchers have named them 'VeryMal' after one of their domain names (veryield-malyst[.]com) and that their payload is malicious JavaScript code that evades filters by hiding inside an image. The image (sscc.jpg) is a small white bar that looks like nothing to the unsuspecting eye. When the ad loads, a small piece of seemingly harmless JavaScript loads with it. That module reads through the image's pixels to reconstruct the hidden malicious code and executes it.
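As an added example (not code from the original post, the researchers, or the campaign): a heuristic check a defender could run over an ad creative's raw RGBA pixel data, as returned by a canvas getImageData() call, to flag a flat image like the white bar above whose low-order pixel bits look like data rather than picture. The image buffers, the payload text and the thresholds are constructed assumptions for the demonstration.

```javascript
// Flat white RGBA buffer of w*h pixels (constructed fixture, not real ad data).
function whiteImage(w, h) {
  return new Uint8ClampedArray(w * h * 4).fill(255);
}

// Test fixture only: write the bits of `bytes` into the least significant bit of
// the RGB channels, skipping alpha. This simulates a pixel-encoded payload so the
// detector below has something to find; the real campaign's encoding is not known here.
function simulateHiddenBits(rgba, bytes) {
  const out = rgba.slice();
  let i = 0;
  for (const b of bytes) {
    for (let bit = 7; bit >= 0; bit--) {
      while (i % 4 === 3) i++;          // every 4th byte is alpha: leave it alone
      if (i >= out.length) return out;  // image full, stop writing
      out[i] = (out[i] & 0xfe) | ((b >> bit) & 1);
      i++;
    }
  }
  return out;
}

// Heuristic: in a flat image every pixel shares one colour, so the LSBs are
// constant too. A flat image whose LSBs are roughly balanced between 0 and 1
// is carrying something other than picture data and deserves a closer look.
function analyzeFlatImage(rgba) {
  const colours = new Map();
  let ones = 0, samples = 0;
  for (let p = 0; p < rgba.length; p += 4) {
    // colour key with the LSB of each channel masked off, so hidden bits do not split buckets
    const key = ((rgba[p] & 0xfe) << 16) | ((rgba[p + 1] & 0xfe) << 8) | (rgba[p + 2] & 0xfe);
    colours.set(key, (colours.get(key) || 0) + 1);
    for (let c = 0; c < 3; c++) { ones += rgba[p + c] & 1; samples++; }
  }
  const pixels = rgba.length / 4;
  const modalShare = Math.max(...colours.values()) / pixels; // share of the dominant colour
  const lsbOnes = ones / samples;                            // fraction of LSBs set to 1
  const flat = modalShare >= 0.9;                            // assumed threshold
  const balanced = lsbOnes > 0.25 && lsbOnes < 0.75;         // assumed threshold
  return { pixels, modalShare, lsbOnes, suspicious: flat && balanced };
}

// Constructed sample payload; any text or binary would do for the check.
const samplePayload = new TextEncoder().encode("constructed payload bits 0123456789");
const cleanBar = whiteImage(32, 4);
const taintedBar = simulateHiddenBits(cleanBar, samplePayload);
```

Run the check on the decoded creative before the ad is served; a flat image that trips it is worth blocking or inspecting rather than executing any script that ships alongside it.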

Because the campaign is Mac-specific, the code then checks whether Mac-specific fonts are present on the system. If they are not, it assumes it is running on a PC and does nothing further; otherwise, the extraction continues and it tries to trick the user into downloading a fake, malicious Adobe Flash update.

The downloaded file installs itself in the background and starts generating unclicked traffic to the perpetrators' ads, drawing revenue to their account. This can be prevented with a little common sense, by not clicking on ads, or by setting up ad blockers, which Google will most probably make harder in the future.

Even if the malware uninstalls itself, the potential for damage is not over, because it leaves behind the tools it used, ready to execute another attack. This means another piece of malware could leverage those tools for its own nefarious purposes.
