News around the World
Latest news
[0day] Abusing XLM Macros in SYLK Files
A 0day logic flaw in Microsoft Excel leads to ‘remote’ code execution on macOS, via malicious macros.
An Unpatched Kernel Bug
On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding
Ay MaMi – Analyzing a New macOS DNS Hijacker
OSX/MaMi (the first Mac malware of 2018) hijacks infected users’ DNS settings and installs a malicious certificate into the System
Latest
Rootpipe Reborn (Part II)
@CodeColorist continues writing about bugs, such as CVE-2019-8521 and CVE-2019-8565 that provide a mechanism to elevate privileges to root on
All Your Docs Are Belong To Us
Here, we reverse, then ‘extend’ a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents
A Surreptitious Cryptocurrency Miner in the Mac App Store?
Turns out the innocuously named “Calendar 2” app, found on the official Mac App Store, was surreptitiously turning Mac into
Cache Me Outside
Are full paths and preview thumbnails for files even on encrypted containers and removable usb devices really persistently stored? …yes
Who Moved My Pixels?!
In this guest blog post my friend Mikhail Sosonkin reverses Apple’s screencapture utility, discusses Mac malware that captures desktop images,
Two Bugs, One Func(), part three
Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow.
Tearing Apart the Undetected (OSX)Coldroot RAT
I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems.
Analyzing CrossRAT
The EFF/Lookout discovered a cross-platform implant, named CrossRAT, with ties to nation-state operators. Here, we tear it apart; analyzing its
Middle East Cyber-Espionage (part two)
The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let’s (continue to) analyze their 1st-stage macOS
Rootpipe Reborn (Part I)
In part one of a guest blog post, @CodeColorist writes about several neat macOS vulnerabilities.
Weaponizing a Lazarus Group Implant
The Lazarus group’s latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurpose
Mac Adware, À la Python
Let’s tear apart a persistent piece of adware, decompiling, decoding, and decompressing its code to uncover its methods and capabilities.
Burned by Fire(fox) (Part I)
Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware
Why _blank_ Gets You Root
Yet another massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the
From the Top to the Bottom; Tracking down CVE-2017-7149
High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes.
High Sierra’s ‘Secure Kernel Extension Loading’ is Broken
A new ‘security’ feature in macOS 10.13 is trivial to bypass.
WTF is Mughthesec!? poking on a piece of undetected adware
Some undetected adware named “Mughthesec” is infecting Macs…let’s check it out!
OSX/MacRansom; analyzing the latest ransomware to target macs
Looks like somebody on the ‘dark web’ is offering ‘Ransomware as a Service’…that’s designed to infect Macs!
OSX/Proton.B; a brief analysis, 6 miles up
Analysis of OSX/Proton.B reveals some interesting tricks plus a command file that can be decrypted to reveal the malware’s capabilities.
Mac Malware of 2017
Let’s look at all the mac malware from 2017, for each – discussing their infection vector, persistence mechanism, features &
Analyzing OSX/CreativeUpdater
Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer; OSX/CreativeUpdater.
[0day] Mojave’s Sandbox is Leaky
The macOS sandbox seeks to prevent malicious applications from surreptitiously spying on unsuspecting users. Turns out, it’s trivial to
Mass Surveillance, is an (un)Complicated Business
A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its