Discharging ElectroRAT
Jan 5, 2021, 12:00 AM
The first (macOS) malware of 2021 is an insidious remote access tool (RAT), containing a variety of embedded payloads to extend its functionality.
The Mac Malware of 2020
Jan 1, 2021, 12:00 AM
Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!
Detecting SSH Activity via Process Monitoring
Dec 10, 2020, 12:00 AM
In this guest blog post, the noted Mac security researcher/author Jaron Bradley explains how to detect (potentially malicious) SSH activity...via process monitoring and the analysis of process hierarchies.
Adventures in Anti-Gravity (Part II)
Nov 27, 2020, 12:00 AM
Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.
Adventures in Anti-Gravity (Part I)
Nov 3, 2020, 12:00 AM
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).
Property List Parsing Bug(s)
Oct 21, 2020, 1:00 AM
In this guest blog post, the security researcher behind @OSCartography describes a bug related to parsing property lists ...a bug that trivially crashed macOS!
FinFisher Filleted
Sep 26, 2020, 1:00 AM
Interested in learning about a macOS cyber-espionage implant ...that leveraged priv-escalation exploits and a kernel-mode rootkit!? In this post, we analyze the macOS version of FinSpy.
Apple Approved Malware
Aug 30, 2020, 1:00 AM
Unfortunately we didn't have to wait long before hackers found a way to (ab)use Apple's new notarization service to get their malware approved! In this post, we tear apart an adware campaign that utilized malicious payloads containing...
Office Drama on macOS
Aug 4, 2020, 1:00 AM
Ever wondered how a system can be persistently infected by simply opening a document? In this post, I detail an exploit chain (created by yours truly) that was able to fully infect a fully-patched macOS Catalina system, by simply opening a...
CVE-2020-9854: "Unauthd"
Aug 1, 2020, 1:00 AM
Security researcher Ilias Morad describes an impressive exploit chain, combining three logic bugs he uncovered in macOS. His exploit chain allowed a local user to elevate privileges all the way to ring-0 (kernel)!
CVE-2020-9934: Bypassing TCC for Unauthorized Access
Jul 28, 2020, 1:00 AM
In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. This bug allowed for a complete bypass of TCC's draconian entitlement checks, all without writing a single line of...
Low-Level Process Hunting on macOS
Jul 19, 2020, 1:00 AM
Parent-child relationships are one of the simplest and most effective ways to detect malicious activity at the host level ...however, on macOS things can get a little complex. Luckily security researcher Jaron Bradley is here to explain...
OSX.EvilQuest Uncovered (part two)
Jul 3, 2020, 1:00 AM
OSX.EvilQuest is a new piece of malware targeting Mac users. In part two, we analyze the malware's viral infection capabilities, and detail its insidious capabilities.
OSX.EvilQuest Uncovered (part one)
Jun 29, 2020, 1:00 AM
OSX.EvilQuest is a new piece of malware targeting Mac users. In part one, we analyze the malware's infection vector, persistence mechanism, and anti-analysis logic.
Tiny SHell Under the Microscope
Jun 1, 2020, 1:00 AM
Tiny SHell is a lightweight backdoor used in APT attacks against Mac users. In this (guest) post, the noted macOS security researcher (and #OBTS speaker!) Jaron Bradley provides a comprehensive analysis!