110. A Sad State of Malwares
Here are a few highlights from each article we discussed:
- This malware was first identified in November 2021, so first we’ll start with a refresher. AT&T Alien Labs discovered Golang (Go) malware it calls ‘BotenaGo’ which targets routers and IoT devices.
- The news regarding this malware is that Alien Labs recently discovered the source code (which is 2,891 lines of code) was uploaded to GitHub, meaning anyone can customize it for whatever objectives they have. Alien Labs predicts there will be an uptick in campaigns using BotenaGo against routers and IoT devices.
- What’s worrisome about BotenaGo is that it has a low Antivirus (AV) detection rate.
- Additionally, the source code availability means new variants will use new infrastructure.
- Its capabilities include the following:
  - Victim device fingerprinting
  - Screen capture
  - File download/upload
  - Execute terminal commands
  - Audio recording
- To minimize risk, ensure IoT devices have minimal exposure to the internet and if detected, patch as quickly as possible.
- What’s interesting about Mac malware is that there hasn’t been a lot of it so far in its lifetime. There’s a Wikipedia page dedicated to Mac malware and it requires no scrolling – that’s how uncommon malware on Macs has been thus far.
- Historically, the reputation Macs have had is that their OS is more secure than Windows, and it might still hold some truth, but we’re seeing (and will continue to see) more instances of threats against Macs, given its market share.
- This latest instance of malware targeting Macs was discovered by the firm ESET, which calls it DazzleSpy. It’s one of the more sophisticated malware packages seen to date: it exploits several vulnerabilities, it’s effective, it’s hard to detect, and it’s hard to remove.
- DazzleSpy is delivered via watering-hole attacks featuring malicious or hacked websites that drop the initial loader, which exploits a code execution vulnerability in WebKit, Safari’s browser engine. So we at DomainTools certainly see the importance of detecting malicious domains as early in the process as possible.
- The Mach-O executable first downloads a file from the URL supplied as an argument, then decrypts it, writes the result to $TMPDIR/airportpaird and makes it executable. It then uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file, so the user is never asked to confirm launching the unsigned executable. Finally, it uses the same privilege escalation to launch the next stage with root privileges. At that point DazzleSpy is installed and the Mac is fully backdoored.
- At this point in time, it’s unknown who is behind DazzleSpy, but a working theory is that it’s likely state-sponsored. The victimology may tell us more about who is behind this.
- Currently, the targets for these attacks are narrow (pro-democracy activists for Hong Kong). It would not be surprising if this continued to spread, but right now, the individual odds of being affected are low.
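The quarantine-stripping step above is one thing a defender can hunt for: on macOS, Gatekeeper's confirmation prompt for an unsigned download hinges on the com.apple.quarantine extended attribute, so a fresh executable sitting in $TMPDIR without it deserves a look. The script below is an added example (not ESET's or DomainTools' code); it assumes the macOS `xattr` command for listing attribute names and lets the attribute reader be swapped out so the logic can be exercised on other platforms.

```python
import os
import stat
import subprocess
from typing import Callable, Iterable, List

QUARANTINE_XATTR = "com.apple.quarantine"


def read_xattr_names(path: str) -> List[str]:
    """Return the extended attribute names on a file, or [] if none/unsupported.

    Linux builds of CPython expose os.listxattr; on macOS we fall back to the
    stock `xattr` command, which prints one attribute name per line.
    """
    if hasattr(os, "listxattr"):
        try:
            return list(os.listxattr(path, follow_symlinks=False))
        except OSError:
            return []
    try:
        out = subprocess.run(["xattr", path], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


def is_executable_file(path: str) -> bool:
    """True for a regular file (not a symlink) with any execute bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def find_unquarantined_executables(
    directory: str,
    list_xattrs: Callable[[str], Iterable[str]] = read_xattr_names,
) -> List[str]:
    """Executables directly under `directory` that carry no quarantine attribute."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if is_executable_file(path) and QUARANTINE_XATTR not in set(list_xattrs(path)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Sweep the user's temp directory (the location DazzleSpy's loader used).
    for hit in find_unquarantined_executables(os.environ.get("TMPDIR", "/tmp")):
        print("executable without quarantine attribute:", hit)
```

Run it as a user with read access to the temp directory; a hit is a lead to inspect, not proof of compromise, since legitimately built or copied binaries also lack the attribute.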
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
[Taylor]: 6.5/10 Hoodies
[Tim]: 10/10 Hoodies
Return of the Mac (Malware)
[Taylor]: 4/10 Hoodies
[Tim]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!