Posted October 8, 2020
The annual Virus Bulletin Security Conference was held last week; As has been the case with so many other events this year, the case processing was completely remote, prompting the organizers to call the 2020 part of the conference “VB2020 localhost”
The conversations at VB2020 covered a lot of ground, and there were several speakers who presented about Apple’s security topics. In the following, we will share some selected highlights from these conversations:
A real virus for macOS!
Back in August, the world of Mac security was full of news about a new MacOS malware variant called ThiefQuest (also known as EvilQuest). ThiefQuest was considered particularly interesting because it contained several different malicious features, including ransomware functionality, data filtering features, and monitoring tools.
Mac security expert Patrick Wardle has analyzed ThiefQuest in depth, and presented his research on VB2020. Wardle discussed the extremely unusual viral behavior of malware: unusual because computer viruses, defined as programs that replicate themselves by infecting other files, are extremely rare today some platform, and is almost unheard of on macOS.
When running on an infected Mac, ThiefQuest creates a list of executable files on the compromised system and continues to add its own malicious code to those files, thus infecting them as well. If one of these infected files runs, the virus code will run automatically. This makes ThiefQuest very difficult to remove from an infected system, because even if you manage to eradicate the endurance mechanism, there will still be files present on the system that contain the malware code and, by extension, its capabilities. If you run one of them, the infection will start again.
ThiefQuest is in line with the classic definition of a computer virus, which makes this fascinating piece of Mac malware something completely unique, and emphasizes the point that the macOS threat landscape continues to evolve!
Are we ready for Big Sur?
As most Mac users are no doubt aware, the next version of macOS is coming very soon: macOS 11 Big Sur (and yes, it’s macOS 11, not 10.x, as Apple feels that the new operating system will provide some major upgrades !).
We’ve talked about the security and privacy features of Big Sur from a user perspective, but developers of macOS security software also sees some major changes, which was the topic of a speech given by Abhijit Kulkarni and Prakash Jagdale.
Kulkarni and Jagdale explain that Mac security software has traditionally relied on kernel extensions (kexts) to perform basic functions such as monitoring file system activity, filtering and blocking malicious network activity, and blocking access to unauthorized devices. Core extensions are third-party codes written by developers to extend the functionality of the macOS kernel and let their apps work.
At WWDC 2019, Apple announced that it would begin the process of phasing out the keywords, citing security and stability issues with allowing third parties to access the OS kernel. System extensions and DriverKit are the replacements for the keys, and are considered safer by Apple, as they provide the same functionality to developers without having to give them core access. In newer versions of macOS Catalina, users of apps that are still dependent on kexts will see a notification dialog telling them that their app is using a kext that may not work in future macOS versions. In Big Sur, keys that already have System Extension or DriverKit equivalents will not just be loaded.
Kulkarni and Jagdale cited several examples of frequently used keywords that need to be replaced by System Extension in macOS 11. The two speakers pointed out some common challenges that developers faced in the transition to System Extensions, but noted that in most cases there were clear solutions or viable solutions, and advised all security software developers who still use keywords in their apps to work on developing system extension options to be compatible with newer versions of macOS (including Big Sur coming soon.
Users of SecureMac’s MacScan 3 security software would like to hear that we have developed an updated version of the app running smoothly on Big Sur, and expect to have it ready in time for the release of macOS 11.
Snakes in the garden
We have previously discussed the phenomenon of fleeceware: subscription-based apps that charge exorbitant fees after an initial free trial period. These apps are considered borderline scams, as they often use deceptive practices to trick users into subscribing to the app beyond the trial period, and bury any mention of the exorbitant costs in fine print.
At VB2020, security researcher Jagadeesh Chandraiah took a closer look at how fleeceware apps work, and how their developers convince people to sign up for them in the first place. Chandraiah explained that fleecewear is often advertised using the native advertising tools on social media platforms such as Facebook, Instagram and TikTok. He also notes that developers use pay-per-install schemes and fake reviews to increase the profile of their apps in app markets in hopes of getting a large number of organic subscriptions.
Unfortunately, fleeceware continues to be a problem in both the iOS App Store and Google Play. While Google and Apple are taking steps to combat the problem, Chandraiah suspects that it will not be enough, and recommends that users take an active role in investigating apps that they install on their devices.
So be aware that free trial periods can be paid subscriptions, and that just uninstalling an app will not cancel your subscription to it (you can see your subscriptions on iOS by going to Settings > [Your Name] > Subscriptions). In addition, before installing any app on your device, make sure that you read the terms and conditions of billing, and that you also read customer reviews (especially 1- and 2-star reviews) to see if any users have encountered unexpected charges or experienced problems canceling a subscription.
Fileless malware on macOS
Security researcher Dinesh Devadoss presented research on the newly discovered fileless malware variant for Mac attributed to the Lazarus Group. Fileless malware is malicious software that can run without actually requiring a malicious file to be present on the disk, and instead executes the malicious code directly in memory. This is considered a fairly advanced technique, and can make malicious software that uses it extremely difficult to detect. Lazarus Group is an cybercrime organization believed to have ties to the North Korean government.
Devadoss delved deeply into the mechanics of how Lazarus’ fileless malware works, and also discussed Lazarus Group’s other malicious campaigns and tools. In his research article, he sums up the situation by saying: “The sophistication of the Lazarus group is constantly increasing and the yarn ‘Macs Don’t Get Viruses’ is starting to erupt.
much faster now ”.
Devadoss also noted that his broad study of the Lazarus Group’s tools and techniques revealed something interesting: the organization relies on social tactics in its attacks. The takeaway here for everyday Mac users is that they can still protect themselves from resourceful and sophisticated threat players such as the Lazarus Group, but that they must be vigilant to do so. This means to be very Be careful about what you install on your system: You should only run apps that come from the Mac App Store, or directly from the website of a third-party developer that you know and trust. It also means that you should be careful about all the system dialogs and alerts that macOS provides: if your Mac tries to tell you that an app cannot be scanned for malicious code, or that the developer is not recognized, then do not run it the app!
VB2020 localhost had many more great speakers, and covered security topics of interest to Windows, Android and Linux users as well. To learn more about the conference and presenters, visit the VB2020 website.