News around the World

Latest news

 

Rootpipe Reborn (Part II)

@CodeColorist continues writing about bugs, such as CVE-2019-8521 and CVE-2019-8565, that provide a mechanism to elevate privileges to root on

 

[0day] Abusing XLM Macros in SYLK Files

A 0day logic flaw in Microsoft Excel leads to ‘remote’ code execution on macOS, via malicious macros.

 

An Unpatched Kernel Bug

On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding

 

Ay MaMi – Analyzing a New macOS DNS Hijacker

OSX/MaMi (the first Mac malware of 2018) hijacks infected users’ DNS settings and installs a malicious certificate into the System

 

All Your Docs Are Belong To Us

Here, we reverse, then ‘extend’ a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents

 

A Surreptitious Cryptocurrency Miner in the Mac App Store?

Turns out the innocuously named “Calendar 2” app, found on the official Mac App Store, was surreptitiously turning Mac into

 

Cache Me Outside

Are full paths and preview thumbnails for files even on encrypted containers and removable USB devices really persistently stored? …yes

 

Who Moved My Pixels?!

In this guest blog post my friend Mikhail Sosonkin reverses Apple’s screencapture utility, discusses Mac malware that captures desktop images,

 

Two Bugs, One Func(), part three

Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow.

 

Tearing Apart the Undetected (OSX)Coldroot RAT

I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems.

 

Analyzing CrossRAT

The EFF/Lookout discovered a cross-platform implant, named CrossRAT, with ties to nation-state operators. Here, we tear it apart, analyzing its

 

Middle East Cyber-Espionage (part two)

The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let’s (continue to) analyze their 1st-stage macOS

 

Rootpipe Reborn (Part I)

In part one of a guest blog post, @CodeColorist writes about several neat macOS vulnerabilities.

 

Weaponizing a Lazarus Group Implant

The Lazarus group’s latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurpose

 

Mac Adware, à la Python

Let’s tear apart a persistent piece of adware, decompiling, decoding, and decompressing its code to uncover its methods and capabilities.

 

Burned by Fire(fox) (Part I)

Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware

 

Why _blank_ Gets You Root

Yet another massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the

 

From the Top to the Bottom; Tracking down CVE-2017-7149

High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes.

 

High Sierra’s ‘Secure Kernel Extension Loading’ is Broken

A new ‘security’ feature in macOS 10.13 is trivial to bypass.

 

WTF is Mughthesec!? poking on a piece of undetected adware

Some undetected adware named “Mughthesec” is infecting Macs…let’s check it out!

 

OSX/MacRansom; analyzing the latest ransomware to target macs

Looks like somebody on the ‘dark web’ is offering ‘Ransomware as a Service’…that’s designed to infect Macs!

 

OSX/Proton.B; a brief analysis, 6 miles up

Analysis of OSX/Proton.B reveals some interesting tricks plus a command file that can be decrypted to reveal the malware’s capabilities.

 

Mac Malware of 2017

Let’s look at all the Mac malware from 2017, for each – discussing their infection vector, persistence mechanism, features &

 

Website Launch

NSLog(@"Hello World"); Objective-See.com is alive!

 

Analyzing OSX/CreativeUpdater

Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer; OSX/CreativeUpdater.

 

[0day] Mojave’s Sandbox is Leaky

The macOS sandbox seeks to prevent malicious applications from surreptitiously spying on unsuspecting users. Turns out, it’s trivial to

 

Mass Surveillance, is an (un)Complicated Business

A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its
