- Several macOS malware samples have gone undetected since the group's first known attack four months ago.
- The Mac malware variants are believed to be linked to the WindShift hacker group.
Four months after a mysterious hacker group attacked Mac users, several of its macOS malware samples are still going undetected by most antivirus providers. One of these Mac malware variants is believed to be linked to WindShift, an APT group that surveils individuals in the Middle East.
Taha Karim, a security researcher at DarkMatter, profiled the WindShift APT at the Hack in the Box conference in Singapore. In August, Karim reported several things that make WindShift stand out among other APTs, including:
- The malware's reliance on links embedded in phishing emails and SMS text messages to track the locations, online habits, and other traits of its targets.
- WindShift's use of the Mac malware to exfiltrate documents and take screenshots of victims' desktops.
- The technique the malware variants use to bypass macOS security defenses.
Three Mac malware samples went undetected
Mac security expert Patrick Wardle published an analysis of Karim's findings, which were revealed at the Hack in the Box conference. VirusTotal results at that time showed that only Kaspersky and ZoneAlarm detected the malware file. Wardle later identified four more malicious files, three of which were not detected by any antivirus engine.
Apple not sharing malware definitions with AV community
The findings surprised Wardle because Apple had already revoked the code-signing certificates the malware's developers used to digitally sign their samples.
“The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate... and thus surely this malware as well... yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal. Does this mean Apple isn't sharing valuable malware/threat-intel with AV-community, preventing the creation of widespread AV signatures that can protect end-users? Narrator: yes,” Wardle wrote.
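The revocation status Wardle refers to is visible locally, independent of any antivirus verdict: macOS's `codesign` reports `CSSMERR_TP_CERT_REVOKED` when a binary's signing certificate has been revoked by Apple. The script below is an added example, not code from the article or from Wardle's analysis. It wraps that check in a small triage helper that also records the SHA-256 hash an analyst would look up on VirusTotal. It assumes it runs on macOS (where `codesign` and `shasum` exist); the codesign messages used for the offline demo are constructed from codesign's documented output, not captured from the WindShift samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): triage a macOS binary by
# checking whether its code-signing certificate has been revoked, as the
# WindShift samples' certificates were, and print the hash to pivot on.
# Assumption: run on macOS, where `codesign` and `shasum` are available.

# Map the text codesign prints to a one-word verdict.
# A revoked certificate means Apple already knows the signer is bad, so it
# should be treated as malicious regardless of how many AV engines flag it.
# Usage: classify_codesign "<text codesign printed>"
classify_codesign() {
    case "$1" in
        *CSSMERR_TP_CERT_REVOKED*)  echo revoked ;;
        *"not signed at all"*)      echo unsigned ;;
        *"valid on disk"*)          echo valid ;;
        *)                          echo unknown ;;
    esac
}

# Run codesign on a real path and print "<verdict> <sha256> <path>".
# codesign writes its verdict to stderr, hence the 2>&1.
triage_binary() {
    path="$1"
    out=$(codesign --verify --verbose=2 "$path" 2>&1)
    verdict=$(classify_codesign "$out")
    hash=$(shasum -a 256 "$path" | cut -d' ' -f1)
    echo "$verdict $hash $path"
}

# Offline demo with constructed codesign messages (not real sample output),
# so the classifier can be exercised on any system.
SAMPLE_REVOKED='Sample.app: CSSMERR_TP_CERT_REVOKED'
SAMPLE_UNSIGNED='Sample.app: code object is not signed at all'
SAMPLE_VALID='Sample.app: valid on disk
Sample.app: satisfies its Designated Requirement'

for s in "$SAMPLE_REVOKED" "$SAMPLE_UNSIGNED" "$SAMPLE_VALID"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(classify_codesign "$s")"
done

# On a real machine: triage_binary /Applications/Suspicious.app/Contents/MacOS/Suspicious
```

The `revoked` verdict is the one to act on: it does not tell you what the binary does, but it does tell you Apple has already judged the signer untrustworthy, which is exactly the gap between Apple's knowledge and the VirusTotal detection counts that the analysis above points at.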
The C2 servers the malware used are no longer reachable on the Internet, which means computers infected by this campaign are not in immediate danger of being surveilled. However, the number of antivirus engines detecting the samples has gradually risen in the days since Wardle published his analysis.
The lack of timely detection is troubling because Apple has reportedly not been sharing the malware samples, or signatures for them, with antivirus providers. Such sharing is standard practice in the industry and is important for tracking APTs.
“I think the lack of detections highlights that traditional AV struggles with new/APT malware on macOS but also Apple's hubris. We've seen them do this before. It's disheartening, and somebody needs to call them out on it,” Wardle told Ars Technica.