SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
8 Feb 2017

Hackers are using Mac malware to track Iranian activists

In response to more activists using Apple Mac computers instead of Windows PCs, suspected Iranian government hackers have apparently developed their own Mac-based malware, according to a new report from security researchers.

The finding highlights the constant ebb-and-flow of governments disrupting and tracking activist movements. As one group adopts a new tool or technique, state-sponsored hackers may need to adapt to get the information they're after.

"This demonstrates that Iranian actors are responsive to their environment," Collin Anderson, one of the security researchers behind the report, said in an email. "As their targets move to alternative platforms, often in the interest of security, so too do the tools that Iranian actors develop in order to conduct their espionage campaigns." Anderson authored the report along with Claudio Guarnieri; both are part of Security Without Borders, a recently launched initiative that aims to give journalists and activists advice and help with digital security.

This work is part of the pair's ongoing research on espionage attacks and the Iranian state-sponsored hacking ecosystem, and of an upcoming paper for the Carnegie Endowment for International Peace. The researchers first found the malware—called MacDownloader by its designers—on a website impersonating the US aerospace firm United Technologies Corporation. Guarnieri and Anderson had already linked this site to Iranian hacking campaigns, Anderson said, and knew it was a staging area for Windows malware. One day it suddenly had Mac-specific references, he added.

The malware comes as a phony Flash update that targets download themselves; the program then connects to an external server, presumably to fetch more modules for the malware to use. At the same time, MacDownloader siphons information from the system to a server the hacker controls, including the contents of the Mac's keychain folder and a list of installed applications. The malware also displays a fake prompt asking for the operating system's username and password, and sends that information off too.

"Armed with the user's credentials, the attackers would then be able to access the encrypted passwords stored within the Keychain database. While Chrome and Firefox do not store credentials in Keychain, Safari and macOS's system service do save passwords to sites, remote file systems, encrypted drives, and other criteria resources there," the report reads. From here, the hackers may be able to break into a target's email and social media accounts.

At the time of writing, VirusTotal, a sort of search engine that compares results from different security products, does not flag MacDownloader as malicious, meaning that anti-virus programs may have a hard time detecting the malware. The malware appears to be poorly developed, with some of its code copied from elsewhere, the report adds.
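Because signature-based scanners had not yet caught MacDownloader, a defender has to lean on the behaviour the report describes: an unsigned binary that reads the login keychain, throws up a credential dialog, and connects out to a remote server. The following is an added illustration, not code from the report or from Security Without Borders; the event schema, the sample events and the host names are all constructed for the example.

```python
"""Correlate per-process endpoint events and flag any non-Apple process that shows
all three MacDownloader behaviours: keychain read, credential prompt, external connection.
Constructed example; the telemetry format is hypothetical."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

KEYCHAIN_DIR = "/Library/Keychains/"   # login.keychain-db lives under ~/Library/Keychains
APPLE_SIGNER_PREFIX = "com.apple."      # Apple's own binaries legitimately touch the keychain
REQUIRED = {"keychain_read", "credential_prompt", "external_connect"}


@dataclass(frozen=True)
class Event:
    pid: int
    process: str   # path of the executable
    signer: str    # code-signing identifier, "" if unsigned
    kind: str      # "file_read", "dialog" or "net_connect"
    detail: str    # file path, dialog text, or "host:port"


def is_external(endpoint: str) -> bool:
    """True for a host name or a non-private, non-loopback IPv4 address (IPv4/host:port only)."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True   # a DNS name: resolved outside the box, treat as external
    return not (ip.is_private or ip.is_loopback)


def suspicious_processes(events) -> dict:
    """Return {pid: set_of_matched_behaviours} for processes matching all of REQUIRED."""
    matched = defaultdict(set)
    for e in events:
        if e.signer.startswith(APPLE_SIGNER_PREFIX):
            continue
        if e.kind == "file_read" and KEYCHAIN_DIR in e.detail:
            matched[e.pid].add("keychain_read")
        elif e.kind == "dialog" and "password" in e.detail.lower():
            matched[e.pid].add("credential_prompt")
        elif e.kind == "net_connect" and is_external(e.detail):
            matched[e.pid].add("external_connect")
    return {pid: hits for pid, hits in matched.items() if REQUIRED <= hits}


# Constructed sample telemetry: Safari (Apple-signed) reads the keychain legitimately,
# an unsigned "Flash" app does all three things, Terminal only makes an outbound connection.
FLASH = "/Users/alice/Downloads/FlashPlayer.app/Contents/MacOS/FlashPlayer"
SAMPLE_EVENTS = [
    Event(101, "/Applications/Safari.app/Contents/MacOS/Safari", "com.apple.Safari",
          "file_read", "/Users/alice/Library/Keychains/login.keychain-db"),
    Event(202, FLASH, "", "dialog", "Adobe Flash Player needs your password to continue"),
    Event(202, FLASH, "", "file_read", "/Users/alice/Library/Keychains/login.keychain-db"),
    Event(202, FLASH, "", "net_connect", "update-server.example.net:443"),
    Event(303, "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
          "com.apple.Terminal", "net_connect", "update-server.example.net:22"),
]

if __name__ == "__main__":
    for pid, hits in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sorted(hits)}")
```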

Apart from the malware itself, a danger to activists is that they may assume they are safer using macOS and be less vigilant when hackers try to attack them. "If macOS users believe that they are not vulnerable due to migrating away from Windows, then they may be more susceptible to compromise as a result of dropping their guard," Anderson said.

Anderson believes this campaign is linked to Charming Kitten, a suspected Iranian-government hacking group. Other security researchers have found Charming Kitten impersonating journalists, targeting the US and Israeli military, and trying to steal credentials from US congressional staff.

In one piece of evidence, a server linked to the malware was left exposed, giving the researchers a peek at what sort of data the hackers had collected. Interestingly, the hackers had apparently connected to Wi-Fi networks called Jok3r and mb_1986, both names connected to previous Iranian hacking campaigns.

Tags:
hackers password Iran Mac information leaks
Source:
Motherboard