Unix and macOS malware

Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue. The story was about a new vulnerability for *nix-based systems – EternalRed (aka SambaCry). On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry.

In this research we’ll be revisiting the USB port – this time in attempts to intercept user authentication data on the system that a microcomputer is connected to. As we discovered, this type of attack successfully allows an intruder to retrieve user authentication data – even when the targeted system is locked.

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

Starting from yesterday, many DSL customers in Germany were reporting problems with their routers. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A.

We found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive). It’s able to run on Linux, OS X, Windows. It’s also able to run under certain circumstances even on mobile devices.

Recently Patrick Wardle published an analysis of a new Backdoor and Dropper used by HackingTeam. It looks like the samples mentioned in the blog were found in-the-wild, so we decided to see how this latest Backdoor works.

Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable instance of Wordpress which the project used to run their website. The attackers modified download links pointing to backdoored ISO files of Linux Mint 17.3 Cinnamon edition.

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let´s have a look at both of them.

In December 2014 we discovered a very interesting vulnerability in the Darwin kernel. Using it attackers can send just one incorrect network packet to the victim and the victim’s system (OS X 10.10 or iOS 8) will crash.

In 2013 we registered a sudden surge in the number of attacks targeting users’ financial information and money. In 2014, the situation changed considerably: the number of attacks and attacked users significantly decreased, as did the amount of financial phishing.

In November 2014, an interesting malicious sample was uploaded to a multiscanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle.

This section of the report forms part of the Kaspersky Security Bulletin 2014 and is based on data obtained and processed using Kaspersky Security Network (KSN). Kaspersky Lab products detected and neutralized a total of 6,167,233,068 threats during the reported period.

Next year Kaspersky Lab experts anticipate high-stakes targeted cyber-attacks pinpointing the banks. We expect fraudsters will try to develop new malware that can take cash directly from ATMs. 2015 is also likely to bring even more privacy concerns, security worries about Apple devices and renewed fears about connected devices.

Recently, news appeared about an interesting attack where cybercriminals infect iPhones and Mac OSX users with a rather peculiar malware dubbed WireLurker. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.