Malware descriptions

Rogueware campaign targeting Mac users

Not only Windows users are a target of bad guys that want to distribute rogueware. Now they are also attacking Mac users using the same and old blackhat SEO techniques, poisoning search results in popular search engines.

During our research about Osama Bin Laden’s death we saw the same malicious domains serving two rogueware applications specific to Mac OSX, called Best Mac Antivirus and MACDefender.

When doing searches the user can be redirected to some malicious domains, like this for example:

So the malicious pages check for: browser agent (it must be Safari), the IP address (only US domains now) and the referrer (if it is Google or other search engine). After these checks the malicious page will show a fake scan screen:

Even though the page is showing a fake Windows screen, the file offered will be a .mpkg: the installer of the rogue application:

For the application to be installed, the user needs to input his root password.

This is the main window of the rogue application:

And the fake scanning:

The malicious application also displays gay-porn website and asks the user to pay US $79,95 to buy it:

As our researcher Kurt Baumgartner pointed out last April this was expected:

While the FakeAv rotation through is not a shocker to security researchers at this point, one interesting domain popped out from the tens of thousands of sub domain fakeav hits over the past day…”antispyware-macbook(dot)co(dot)cc”. This marketing quirk is odd, even for these guys. Does this domain suggest that another Apple based malware is in the works? Possibly.”

Both applications are detected by Kaspersky Antivirus for Mac.

Rogueware campaign targeting Mac users

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox