In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]

A comprehensive analysis of the year's new malware

While conducting routine threat hunting for macOS malware on Ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F.

Get root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple’s XNU source.

Learn about all the new malware targeting macOS users in 2022 and how to stay safe from the latest Mac-focused campaigns.

Expected in Ventura 13.1 is a new lightweight system for applying security patches. This article explains how it uses cryptexes, already being used in macOS 13.

WeightBufs is a kernel r/w exploit for all Apple devices with Neural Engine support. Bugs and Exploit by @simo36, you can read my presentation slides at POC for more details about the vulnerabilities and the exploitation techniques.

True or false? Apple supports macOS for three years. Apple’s security updates are sufficient. New versions of macOS are full of bugs. It’s safer to delay upgrading.

The offensive macOS cyber capabilities of the WINDSHIFT APT group provide us with the opportunity to gain insight into the Apple-specific approaches employed by an advanced adversary. In this talk we’ll comprehensively dissect OSX.WindTape, a second-stage tool utilized by the WINDSHIFT APT group when targeting Apple systems. First we’ll discuss the malware’s anti-analysis mechanisms, and then once these have been thwarted, we’ll explore its capabilities. To conclude, we’ll present heuristic methods that can generically both detect and prevent WindTape, as well as other advanced macOS threats.

Some time ago I was using Logic Pro to record some of my music and I needed a way to start and stop the recording from an iPhone, so I found about Logic Remote and was quite happy with it.

Read how macOS vulnerability in Archive Utility could lead to the execution of an unsigned and unnotarized application without displaying security prompts.

First Coinbase, now Crypto.com. Lazarus campaign targets more crypto exchange platform job seekers with multi-stage malware.