Recycling Mac malware
March 2nd 2020
Security researcher Patrick Wardle demonstrated the concept of repurposing sophisticated macOS malware to deliver a different payload. The malware in question was allegedly developed by government agencies.
Ars Technica:
“There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that’s fully featured and also fully tested,” Wardle said during a talk titled "Repurposed Malware: A Dark Side of Recycling."
“The idea is: why not let these groups in these agencies create malware and if you’re a hacker just repurpose it for your own mission?” he said.
Generally, state-sponsored malware is targeted at specific individuals or population groups. That's not good, but it at least has a defined scope. It's disconcerting to consider that others could reuse the same sophisticated malware against much wider audiences.
Rather than develop his own fileless payload installer for macOS, Wardle made just one minor modification to AppleJeus.c: instead of obtaining the fileless payload from the server originally hardcoded into AppleJeus.c, the modified malware now got the payload from a server he controlled.
“This means that when the [first stage of the] malware is executed, it will now talk to our server instead of the hacker’s original infrastructure, and it will create the custom command and control server that packages off the payload,” Wardle said.
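The modification Ars describes, the hardcoded server swapped for one the operator controls, reduces in its simplest form to patching a C string inside the binary. The Python below is an added illustration and is not Wardle's code or anything taken from the AppleJeus sample; the byte blob standing in for the first stage, both URLs, and the function names are constructed for the example. It locates NUL-terminated strings the way `strings` does, then overwrites the C2 URL in place, refusing a replacement that would not fit in the original allocation or whose target is ambiguous.

```python
"""Added illustration: swapping a hardcoded C2 URL inside a binary.

The "binary" is a constructed byte blob standing in for a compiled first
stage; nothing here is taken from AppleJeus.c. The URLs are hypothetical."""

# Constructed stand-in for a compiled first stage: a magic number, some
# padding bytes, a NUL-terminated C string holding the C2 URL, then more data.
ORIGINAL_URL = b"https://original-c2.example.invalid/stage2"   # hypothetical
REPLACEMENT_URL = b"https://operator.example.invalid/stage2"   # hypothetical
FAKE_BINARY = (
    b"\xcf\xfa\xed\xfe"          # Mach-O 64-bit magic, for flavour only
    + b"\x90" * 32               # "code"
    + ORIGINAL_URL + b"\x00"     # the string the first stage dials out to
    + b"\x00" * 16               # slack after the string
    + b"\xcc" * 32               # more "code"
)


def find_c_strings(blob: bytes, min_len: int = 8):
    """Return (offset, string) for each NUL-terminated run of printable ASCII
    of at least min_len bytes, the same walk the `strings` tool performs.
    Attacker and defender both start here: one to locate the URL to patch,
    the other to pull C2 indicators out of a sample."""
    found, start = [], None
    for i, b in enumerate(blob):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and b == 0 and i - start >= min_len:
                found.append((start, blob[start:i]))
            start = None
    return found


def read_c_string(blob: bytes, offset: int) -> bytes:
    """Read the NUL-terminated string that starts at offset."""
    end = blob.index(b"\x00", offset)
    return blob[offset:end]


def patch_c_string(blob: bytes, old: bytes, new: bytes):
    """Overwrite the NUL-terminated string `old` with `new` at the same
    offset and return (patched_blob, offset).

    The replacement must fit in the space the compiler reserved for the
    original: growing the string would shift every byte after it and break
    the offsets the rest of the binary relies on. Shorter strings are padded
    with NULs so the terminator survives."""
    needle = old + b"\x00"
    if len(new) > len(old):
        raise ValueError(
            f"replacement is {len(new) - len(old)} bytes too long for an in-place patch")
    offset = blob.find(needle)
    if offset == -1:
        raise ValueError("original string not found")
    if blob.find(needle, offset + 1) != -1:
        raise ValueError("string occurs more than once; refusing to guess")
    padded = new + b"\x00" * (len(needle) - len(new))
    patched = blob[:offset] + padded + blob[offset + len(needle):]
    assert len(patched) == len(blob)   # in-place: file size must not change
    return patched, offset


if __name__ == "__main__":
    for off, s in find_c_strings(FAKE_BINARY):
        print(f"string at 0x{off:x}: {s.decode()}")
    patched, off = patch_c_string(FAKE_BINARY, ORIGINAL_URL, REPLACEMENT_URL)
    print(f"patched 0x{off:x}: first stage now dials {read_c_string(patched, off).decode()}")
```

Two practical caveats. The replacement cannot be longer than the original allocation without relocating the string and fixing up every reference to it, which is why the length check is there. And rewriting any bytes of a signed Mach-O invalidates its code signature, so a repurposed sample has to be re-signed or run somewhere the signature is not enforced. The same `find_c_strings` walk is what a defender uses to extract indicators from a sample, which is the flip side of the talk: a repurposed build with a new URL also slips past IOCs keyed on the original host.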