Pierluigi Paganini February 08, 2017

An Iranian espionage group has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac users.

A cyber espionage group linked to the Iranian Government has been using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac computers.

The researchers Claudio Guarnieri and Collin Anderson have analyzed the malicious code that was disguised by nation-state hackers as a Flash Player update and a Bitdefender adware removal tool.

The attacks analyzed by the two researchers were mainly focused on the defense industrial base sector, but it is known that the same threat was used against a human rights advocate.

According to the researchers, the malware was first “poorly” developed the end of 2016, the experts noticed its code was copied from other sources. Anyway, at the time of writing the analysis, MacDownload is undetected by virus scanning engines on VirusTotal, while at the time I was writing just a dozen vendors have recognized the bogus Flash Player and Bitdefender apps as a threat.

Once the MacDownloader infects a device, the malware collects information about the host, including passwords stored in the Keychain.

“MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager – which mirrors the focus of Windows malware developed by the same actors.” reads the analysis published by the security duo.

The malicious code was first spotted on a fake website of the aerospace firm United Technologies Corporation, that same site that was used in the past to spread a Windows malware and the Browser Exploitation Framework (BeEF).

The malware researchers linked the MacDownloader with the activity of an Iranian threat actor known as Charming Kitten (aka Newscaster and NewsBeef).

Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian Hackers used a network of fake accounts (NEWSCASTER network) on principal social media to spy on US officials and political staff worldwide, this is reported in an analysis done by iSIGHT Partners. The Charming Kitten group is also known for the abuse of Open Source Security Tools, including the BeEF.

The analysis of the malware revealed that the authors have attempted to implement remote update and persistence capabilities, but both features don’t work.

“It appears that the application contains an unused attempt to install persistent access to the victim host. One segment provides a poorly-implemented shell script to save a response from the C2 and mark it for persistence by writing an entry in the /etc/rc.common file. In theory, every time the infected computer would start up, the shell script would be launched to download a file from a remote location, check if it changed from the previous iteration, and if so execute that new implant. While we haven’t managed to obtain a proper response from the server before it was taken offline, our initial investigation did not find a subsequent implant.” states the analysis.

The experts have collected evidence that links the malware to other Iranian threat actors, including the Iran Cyber Security Group and Flying Kitten (aka Rocket Kitten).

“Of particular note are wireless networks named Jok3r and mb_1986. Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalizing sites. Iran Cyber Security Group also, as with many other defacement groups later identified as involved in state-aligned campaigns, purports to provide commercial security services and penetration testing training.” states the report.

“The “mb_1986″ wireless name is more interesting, as it provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014.”

The report also includes the IoCs, enjoy it!

(Security Affairs –  Iranian hackers, MacDownloader)

[adrotate banner=”5″]

[adrotate banner=”13″]