mamademo.blogg.se

Execute action silent adobe osx

The Myth of the Safe Mac is something we’ve written about before, but sometimes it takes a startling statistic to get people’s attention. Research suggesting that 10% of all Kaspersky-protected Macs had been hit by Shlayer malware in 2019 certainly caught the attention of last week’s news cycle, and hopefully it’s the sort of stat that can serve as a wake-up call to those who still ask in 2020 “Do Macs get viruses?” (by which, of course, they mean “do Macs get infected with malware?”). The resounding answer to that is “Yes, of course they do!”, and they’re getting infected at increasing rates because malware authors have adapted and evolved their techniques. In this post, we’ll explore in more detail the infection method adopted by Shlayer and other malware families recently. This method has proven to be an effective means of beating built-in macOS security controls and, indeed, a number of end user protection tools, too.

Until recently, most threat actors approached macOS infection in pretty much the same way. From adware to OSX.Dok and APT Lazarus group targeted attacks, the first stage infection is typically a standard Apple application bundle containing a malicious Mach-O binary file. The Mach-O is to macOS what PE is to Windows or ELF to Linux: the standard system executable format at the heart of GUI applications. The problem with such compiled binaries from a threat actor’s point of view is that they have a lot of code surface for detection.

Legacy-style AV will scan binaries on execution, while macOS itself will check such binaries for Notarization and codesigning on first launch. The life of a binary file downloaded from the internet is one of a series of hurdles to leap over. And on top of that, building and compiling new binaries to beat hash and Yara rule checks is also more work for attackers than they would like.













