Rogueware campaign targeting Mac users

Windows users are not the only target of the bad guys who want to distribute rogueware. They are now also attacking Mac users with the same old blackhat SEO techniques, poisoning search results in popular search engines.

During our research about Osama Bin Laden’s death, we saw the same malicious domains serving two rogueware applications specific to Mac OS X, called Best Mac Antivirus and MACDefender.

While searching, the user can be redirected to malicious domains, for example:

The malicious pages check the browser user agent (it must be Safari), the IP address (only US domains now) and the referrer (whether it is Google or another search engine). After these checks, the malicious page shows a fake scan screen:

Even though the page shows a fake Windows screen, the file offered is a .mpkg, the installer of the rogue application:

For the application to be installed, the user needs to enter their root password.
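A proxy-log hunt for the delivery chain described above (a Mac Safari client referred from a search engine, then a .mpkg download), as an added example that is not part of the original post. The log format, host names, search-engine list and five-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.57 Safari/534.24"
SEARCH = "http://www.google.com/search?q=news"
LANDING = "http://landing.example/scan.html"   # placeholder host
# Constructed sample log, oldest first: time, client, URL, referrer, user agent.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2011-05-02T10:00:01", "10.0.0.5", LANDING, SEARCH, SAFARI),
    ("2011-05-02T10:00:20", "10.0.0.5", "http://files.example/setup.mpkg", LANDING, SAFARI),
    ("2011-05-02T10:05:00", "10.0.0.7", LANDING, SEARCH, CHROME),
    ("2011-05-02T10:05:30", "10.0.0.7", "http://files.example/setup.mpkg", LANDING, CHROME),
    ("2011-05-02T11:00:00", "10.0.0.9", "http://vendor.example/driver.mpkg", "-", SAFARI),
])
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")   # assumed list, extend as needed
WINDOW = timedelta(minutes=5)                     # assumed correlation window

def is_mac_safari(ua):
    # Chrome also sends a "Safari/" token, so it has to be excluded explicitly.
    return "Macintosh" in ua and "Safari/" in ua and "Chrome/" not in ua

def from_search(referrer):
    # Match a search-engine name only at the start of a host label.
    host = "." + (urlparse(referrer).hostname or "")
    return any("." + name in host for name in SEARCH_ENGINES)

def hunt(log_text):
    """Return (client, landing URL, download URL) for each search -> .mpkg chain."""
    landings, hits = {}, []   # landings: client -> (time, URL) of last search-referred view
    for line in log_text.splitlines():
        ts, client, url, referrer, ua = line.split("\t")
        when = datetime.fromisoformat(ts)
        if not is_mac_safari(ua):
            continue   # the post says the lure is only served to Safari
        if urlparse(url).path.lower().endswith(".mpkg"):
            seen, landing = landings.get(client, (None, None))
            if seen is not None and when - seen <= WINDOW:
                hits.append((client, landing, url))
        elif from_search(referrer):
            landings[client] = (when, url)
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("search-referred .mpkg download:", *hit)
```

Only the first client is reported: the Chrome client fails the Safari condition, and the direct vendor download has no search-referred page view before it.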

This is the main window of the rogue application:

And the fake scanning:

The malicious application also displays a gay-porn website and asks the user to pay US $79,95 to buy it:

As our researcher Kurt Baumgartner pointed out last April, this was expected:

“While the FakeAv rotation through is not a shocker to security researchers at this point, one interesting domain popped out from the tens of thousands of sub domain fakeav hits over the past day… ‘antispyware-macbook(dot)co(dot)cc’. This marketing quirk is odd, even for these guys. Does this domain suggest that another Apple based malware is in the works? Possibly.”

Both applications are detected by Kaspersky Antivirus for Mac.
