Recently, FortiGuard Labs captured a new malware sample that was spread via Microsoft Word documents. After some quick research, I discovered that this was a new variant of the Agent Tesla spyware. I analyzed another sample of this spyware last June and published a blog about it. In this blog, I want to share what’s new in this new variant.
Over this past Easter weekend, FortiGuard Labs came across a new malicious spam campaign specifically targeting South Korea. What made this campaign unique from others is that it is the first GandCrab 2.0 malspam ransomware campaign that we’ve seen in South Korea targeting organizations in the financial sector. It appears to be originating from the VenusLocker group, which we highlighted in December of last year when we documented that they had switched their game plan from ransomware to cryptocurrency mining. Well, it appears that the VenusLocker group is back in the ransomware game, this time with GandCrab.
Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to execute its malicious activity. So in order to more efficiently and automatically analyze the malicious behaviors of malware targeting macOS, it is necessary to develop a utility to monitor process execution. The MACF on macOS is a good choice to implement this utility. The Mandatory Access Control Framework - commonly referred to as MACF - is the substrate on top of which all of Apple’s securities, both macOS and iOS, are implemented. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.
In the previous blog from FortiGuard Labs in this series, we discussed how to monitor process execution with command line arguments using MACF on macOS. In this blog, we will continue to discuss how to monitor file system events (including file open, read, write, rename, and delete operations) and dynamic library loading via MACF on macOS. I will provide all the technical details below. Let’s get started!
In August of 2017, FortiGuard Labs discovered a pre-authenticated remote code execution vulnerability on D-Link router DIR868L. This vulnerability is specific to a local ISP’s customized firmware.
In the two previous blogs in this series from FortigGuard Labs, we discussed how to monitor process execution with command line arguments, file system events, and dylib loading events using MACF on macOS. In this blog, we will continue to discuss how to monitor network activities (another significant behavior for malware) using Socket Filters (a part of the Network Kernel Extension) on macOS. The network activities to be monitored include UDP, TCP, ICMP, DNS query, and response data. I provide all the technical details below, so let’s get started again!
The biggest security challenge facing individuals and businesses today isn’t scale. It’s hyperconnectivity. The various devices and applications being used in homes or at organizations have now become so intertwined that it’s hard to keep them separate. The cloud allows users to access data and information from any device with a Wi-Fi connection or data plan, and IT consumerization encourages those same users to download new applications and storage solutions to use and share across a wide variety of devices.
As data becomes the new currency of the digital marketplace, one of the biggest security challenges organizations face is the number and kinds of endpoint devices that need access to the network. Smartphones, laptops, Chromebooks, tablets, and IoT devices of every function and size, and belonging to both employees and consumers, now regularly connect to some segment of the network to access data.
The volume of cyberattacks is growing at an unprecedented rate, increasing as much as nearly 80% for some organizations during the final quarter of 2017. One reason for this acceleration in the attack cycle is that in order for malware to succeed today it needs to spread further and faster than even before. This allows cybercriminals to stay a step ahead of new efforts by vendors to improve their delivery of updated signatures and patches.