Security researchers at F-Secure have recently uncovered a small spam campaign aimed at delivering spyware to Mac users that use Exodus wallet.
Security experts at F-Secure have recently spotted a small spam campaign aimed at Mac users that use Exodus cryptocurrency wallet.
The campaign leverages Exodus-themed phishing messages using an attachment named “Exodus-MacOS-1.64.1-update.zip.” The messages were sent by accounts associated with the domain “update-exodus[.]io”, the attackers used it to trick victims into believing that it was a legitimate domain used by the Exodus organization.
The malware poses itself as a fake Exodus update, it is using the subject “Update 1.64.1 Release – New Assets and more”. Experts pointed out that the latest released version for Exodus is 1.63.1.
The zip archive includes an application created earlier this month that contains a mach-O binary with the filename “rtcfg”.The researchers analyzed the code and found several strings and references to the “realtime-spy-mac[.]com” website, a cloud-based remote spy software for Mac systems.
“From the website, the developer described their software as a cloud-based surveillance and remote spy tool. Their standard offering costs $79.95 and comes with a cloud-based account where users can view the images and data that the tool uploaded from the target machine.” states the blog post published by F-Secure. “The strings that was extracted from the Mac binary from the mail spam coincides with the features mentioned in the realtime-spy-mac[.]com tool.”
Experts searching for similar instances of the Mac keylogger in the F-Secure repository and found other applications, including taxviewer.app, picupdater.app, macbook.app, and launchpad.app.
“Based on the spy tool’s website, it appears that it does not only support Mac, but Windows as well. ” concludes F-Secure. “It’s not the first time that we’ve seen Windows threats target Mac. As the crimeware threat actors in Windows take advantage of the cryptocurrency trend, they too seem to want to expand their reach, thus also ended up targeting Mac users.”
Further details about the campaign, including IoCs are reported in the analysis published by F-Secure.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.