Security researchers have uncovered a new type of macOS malware that has been used in the wild to attack iOS software developers through trojanized Xcode projects. From a report: Named XcodeSpy, the malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction. Security firm SentinelOne, which analyzed the malware in a report published today and shared with The Record, said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell. "The backdoor has functionality for recording the victim's microphone, camera and keyboard, as well as the ability to upload and download files," said Phil Stokes, macOS malware researcher at SentinelOne.

While the XcodeSpy server infrastructure that controlled the LaunchAgent was down, Stokes said they were able to discover several instances of the EggShell backdoor uploaded on the VirusTotal web-based malware scanner. Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company. "The victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities," Stokes said, but the researcher told The Record they were not able to definitively link the malware to a nation-state operation beyond a reasonable doubt.

"For a week we lost control of the Perl.com domain," a long-running site offering news and articles about the programming language, writes the site's senior editor, brian d foy.

"Now that the incident has died down, we can explain some of what happened and how we handled it." This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers...

Recovering the domain wasn't the end of the response though. While the domain was compromised, various security products had blacklisted Perl.com and some DNS servers had sinkholed it. We figured that would naturally work itself out, so we didn't immediately celebrate the return of Perl.com. We wanted it to be back for everyone. And, I think we're fully back. However, if you have problems with the domain, please raise an issue so we at least know it's not working for part of the internet.

What we think happened

This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder...

Once transferred to Key Systems in late January, the new, fraudulent registrant listed the domain (along with others), on Afternic (a domain marketplace). If you had $190,000, you could have bought Perl.com. This was quickly de-listed after the The Register made inquiries.
"I think we were very fortunate here and that many people with a soft spot in their hearts for Perl did a lot of good work for us," the article notes. "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it. A relatively unknown domain name might not fare as well in proving they own it..."

But again, the incident ended happily, foy writes, and "The Perl.com domain is back in the hands of Tom Christiansen and we're working on the various security updates so this doesn't happen again. The website is back to how it was and slightly shinier for the help we received."

schwit1 shares a report from ZDNet: Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible. According to Sophos, the so-called search engine "deoptimization" method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google's rankings. SEO optimization is used by webmasters to legitimately increase their website's exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware.

In a blog post on Monday, the cybersecurity team said the technique, dubbed "Gootloader," involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads. The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers -- 400, if not more -- must be maintained at any given time for success. While it isn't known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs running the backend of websites could have been hijacked via malware, stolen credentials, or brute-force attacks.

Catalin Cimpanu, reporting for The Record: A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018. [...] The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU. Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security. Software patches were released at the time, but the Meltdown and Spectre disclosures forced Intel to rethink its entire approach to CPU designs going forward.

At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Early last summer, Chinese and Indian troops clashed in a surprise border battle in the remote Galwan Valley, bashing each other to death with rocks and clubs. Four months later and more than 1,500 miles away in Mumbai, India, trains shut down and the stock market closed as the power went out in a city of 20 million people. Hospitals had to switch to emergency generators to keep ventilators running amid a coronavirus outbreak that was among India's worst. The New York Times: Now, a new study lends weight to the idea that those two events may well have been connected -- as part of a broad Chinese cybercampaign against India's power grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country. The study shows that as the standoff continued in the Himalayas, taking at least two dozen lives, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant.

The flow of malware was pieced together by Recorded Future, a Somerville, Mass., company that studies the use of the internet by state actors. It found that most of the malware was never activated. And because Recorded Future could not get inside India's power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. While it has notified Indian authorities, so far they are not reporting what they have found. Stuart Solomon, Recorded Future's chief operating officer, said that the Chinese state-sponsored group, which the firm named Red Echo, "has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure." The discovery raises the question about whether an outage that struck on Oct. 13 in Mumbai, one of the country's busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously.

The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published recently. From a report: The company's findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. While the first Go-based malware was detected in 2012, it took, however, a few years for Golang to catch on with the malware scene. "Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence," Intezer said in its report. But in the new report, Golang (as it's often also referred to instead of Go) has broken through and has been widely adopted. It is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits.

Long-time Slashdot reader b0s0z0ku quotes Ars Technica: A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, which are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware's ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that's typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question why the mechanism exists. Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so...

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany.
Red Canary, the security firm that discovered the malware, has named it "Silver Sparrow." Long-time Slashdot reader Nihilist_CE writes: First detected in August of 2020, the Silver Sparrow malware is interesting in several unsettling ways. It uses the macOS Installer Javascript API to launch a bash process to gain a foothold into the user's system, a hitherto-unobserved method for bypassing malware detection. This bash shell is then used to invoke macOS's built-in PlistBuddy tool to create a LaunchAgent which executes a bash script every hour. This is the command and control process, which downloads a JSON file containing (potentially) new instructions.

Besides the novel installation method, Silver Sparrow is also mysterious in its payload: a single, tiny binary that does nothing but open a window reading "Hello, World!" (in v1, which targets Intel Macs) or "You did it!" (in v2, which is an M1-compatible fat binary). These "bystander binaries" are never executed and appear to be proofs-of-concept or placeholders for future functionality.

Microsoft's security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers. From a report: The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally. In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects. "Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts," the company said today, in its final report into the SolarWinds-related breach.

The North Dakota state senate voted 36-11 on Tuesday not to pass a bill that would have required app stores to enable software developers to use their own payment processing software and avoid fees charged by Apple and Google. From a report: The vote is a victory for Apple, which says that the App Store is a core part of its product and that its tight control over its rules keeps iPhone users safe from malware and scams. North Dakota's bill is the first major U.S. state-level legislation to address the Apple and Google app stores, which take fees from app store sales up to 30%, including in-app purchases of digital items. If the state senate had passed it, it would still have been debated and voted on in the North Dakota house. The North Dakota bill targeted Apple's fees by requiring companies that make more than $10 million per year in the state through app stores -- essentially, just Apple and Google -- would be required to offer alternative payment processors for purchases through the app store, allowing developers to avoid Apple or Google's cut. It would only apply to companies based in North Dakota. Further reading, from last week: Apple Privacy Chief: North Dakota Bill 'Threatens To Destroy the iPhone As You Know It'

Epic CEO Tim Sweeney said: "The Coalition for App Fairness organized the outreach, lobbying, and developer participation. Can't take credit for it, but Epic is proud to be a part of it!"

France's cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, have been behind a three-years-long operation during which they breached the internal networks of several French entities running the Centreon IT monitoring software. From a report: The attacks were detailed in a technical report released today by Agence Nationale de la Securite des Systemes d'Information, also known as ANSSI, the country's main cyber-security agency. "This campaign mostly affected information technology providers, especially web hosting providers," ANSSI officials said today. "The first victim seems to have been compromised from late 2017. The campaign lasted until 2020." The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by French company CENTREON, and a product similar in functionality to SolarWinds' Orion platform. ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn't say at the time of writing if the attacks exploited a vulnerability in the Centreon software or if the attackers guessed passwords for admin accounts. However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that when used together allowed hackers full control over the compromised system and its adjacent network.

Apple's upcoming iOS 14.5 release will ship with a feature that will re-route all Safari's Safe Browsing traffic through Apple-controlled proxy servers as a workaround to preserve user privacy and prevent Google from learning the IP addresses of iOS users. From a report: The new feature will work only when users activate the "Fraudulent Website Warning" option in the iOS Safari app settings. This enables support for Google's Safe Browsing technology in Safari. The Safe Browsing technology works by taking an URL the user is trying to access, sending the URL in an anonymized state to Google's Safe Browsing servers, where Google accesses the site and scans for threats. If malware, phishing forms, or other threats are found on the site, Google tells the user's Safari browser to block access to the site and show a fullscreen red warning. While years ago, when Google launched the Safe Browsing API, the company knew what sites a user was accessing; in recent years, Google has taken several steps to anonymize data sent from user's devices via the Safe Browsing feature. But while Google has anonymized URL strings, by sending the link in a cropped and hashed state, Google still sees the IP address from where a Safe Browsing check comes through. Apple's new feature basically takes all these Safe Browsing checks and passes them through an Apple-owned proxy server, making all requests appear as coming from the same IP address.

Researchers have discovered new "highly malleable, highly sophisticated" malware from a state-backed Chinese hacker group, according to Palo Alto Network's Unit 42 threat intelligence team. From a report: The malware "stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT)," according to Unit 42. The malware, which Unit 42 has dubbed "BendyBear," bears some resemblance to the "WaterBear malware family" (hence the bear in the name), which has been associated with BlackTech, a state-linked Chinese cyber spy group, writes Unit 42. Background: BlackTech has been active since at least 2013, according to Symantec researchers. BlackTech has historically focused chiefly on intelligence targets in Taiwan, as well as some in Japan and Hong Kong. The group has targeted both foreign government and private-sector entities, including in "consumer electronics, computer, healthcare, and financial industries," said researchers with Trend Micro. Trend Micro also previously assessed that BlackTech's "campaigns are likely designed to steal their target's technology."

An anonymous reader quotes a report from Ars Technica: A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search-and-advertising giant to remove it. Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.

[Malwarebytes mobile malware researcher Nathan Collier] wrote: "No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR." Google removed the app after Collier privately notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.

Google has blocked The Great Suspender extension from the Chrome store "because it contains malware." The extension was very popular for users running Chrome with 8GB or less of RAM, as it would automatically suspend tabs you hadn't used in a while, freeing up precious memory and CPU power. It would then allow you to return to the tab and reload back to where you were. Mishaal Rahman writes via XDA Developers: For some people, this isn't news. Since November of 2020, close followers of the extension have warned that it may be running malicious code. The old maintainer of the extension sold it to an unknown party in June of 2020, and users alleged that the unknown party quietly slipped some trackers into version 7.1.8 of the extension. Although version 7.1.9 removed the tracker, many users were understandably suspicious of the extension. Then in early January of this year, multiple media outlets picked up on the news, and many, including myself, decided to ditch it. Earlier today, however, Google pulled the plug entirely on the popular Chrome extension, forcibly removing The Great Suspender from people's Chrome installations and removing the extension's listing on the Chrome Web Store. You can recover your suspended tabs by opening up your search history and searching for "klbibkeccnjlkjkiokjodocebajanakg." If that doesn't work, you can try the other options outlined in this GitHub post.

Some alternatives to The Great Suspender, as recommended by XDA Developers community member TheMageKing, include: Tabs Outliner, Auto Tab Discard, or Session Buddy.

In December, Ars reported that as many as 3 million people had been infected by Chrome and Edge browser extensions that stole personal data and redirected users to ad or phishing sites. Now, the researchers who discovered the scam have revealed the lengths the extension developers took to hide their nefarious deeds. Ars Technica reports: Researchers from Prague-based Avast said on Wednesday that the extension developers employed a novel way to hide malicious traffic sent between infected devices and the command and control servers they connected to. Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google analytics, which websites use to measure visitor interactions. Referring to the campaign as CacheFlow, Avast researchers wrote: "CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. We believe this is a new technique. In addition, it appears to us that the Google Analytics-style traffic was added not just to hide the malicious commands, but that the extension authors were also interested in the analytics requests themselves. We believe they tried to solve two problems, command and control and getting analytics information, with one solution."

The extensions, Avast explained, sent what appeared to be standard Google analytics requests to https://stats.script-protection[.]com/__utm.gif. The attacker server would then respond with a specially formed Cache-Control header, which the client would then decrypt, parse, and execute. Avoiding infecting users who were likely to be Web developers or researchers. The developers did this by examining the extensions the users already had installed and checking if the user accessed locally hosted websites. Additionally, in the event that an extension detected that the browser developer tools were opened, it would quickly deactivate its malicious functionality. Waiting three days after infection to activate malicious functionality. Checking every Google search query a user made. In the event a query inquired about a server the extensions used for command and control, the extensions would immediately cease their malicious activity.

A British security researcher has discovered this week that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed. From a report: The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users. Qualys researchers discovered that they could trigger a "heap overflow" bug in the Sudo app to change the current user's low-privileged access to root-level commands, granting the attacker access to the whole system. The only condition to exploit this bug was that an attacker gain access to a system, which researchers said could be done by either planting malware on a device or brute-forcing a low-privileged service account. In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that are UNIX-like operating systems are also impacted, but most security researchers thought the bug might impact BSD, another major OS that also ships with the Sudo app.

A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack. ZDNet reports: The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops. ESET says that based on evidence its researchers gathered, a threat actor compromised one of the company's official API (api.bignox.com) and file-hosting servers (res06.bignox.com).

Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server to deliver malware to NoxPlayer users. Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn't target all of the company's users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users. Until today, and based on its own telemetry, ESET said it spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka. "We discard the possibility that this operation is the product of some financially motivated group," an ESET spokesperson told ZDNet today via email. "We are still investigating, but we have found tangible correlations to a group we internally call Stellera, which we will be reporting about in the near future."

"The domain name perl.com was stolen and now points to an IP address associated with malware campaigns," reports Bleeping Computer: Perl.com is a site owned by Tom Christiansen and has been used since 1997 to post news and articles about the Perl programming language. On January 27th, Perl programming author and Perl.com editor brian d foy tweeted that the perl.com domain was suddenly registered under another person. Intellectual property lawyer John Berryhill later replied to the tweet that the domain was stolen in September 2020 while at Network Solutions, transferred to a registrar in China on Christmas Day, and finally moved to the Key-Systems registrar on January 27th, 2020.

It wasn't until the last transfer that the IP addresses assigned to the domain were changed from 151.101.2.132 to the Google Cloud IP address 35.186.238[.]101...

On the 28th, d foy tweeted that they have set up perl.com temporarily at http://perldotcom.perl.org for users who wish to access the site until the domain is recovered...

d foy has told BleepingComputer that it is not believed that the domain owner's account was hacked and that they are currently working with Network solutions and Key-Systems to resolve the issue. "I do know from direct communication with the Network Solutions and Key Systems that they are working on this and that the perl.com domain is locked. Tom Christiansen, the rightful owner, is going through the recovery process with those registrars."

"Both registrars, along with a few others, reached out to me personally to offer help and guidance. We are confident that we will be able to recover the domain, but I do not have a timetable for that," d foy told BleepingComputer.

The IP address that perl.com is now hosted has a long history of being used in older malware campaigns and more recent ones.
"Anyone using a perl.com host for their CPAN mirror should use www.cpan.org instead," advises an announcement page today at Perl.org, which d foy tweeted "is now going to be the source for the latest http://Perl.com info."

On Thursday d foy tweeted that "There's no news on the recovery progress. Everyone who needs to be talking is talking to each other and it's just a process now."

Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021, ZDNet has learned today. From a report: The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today's largest malware botnet. While servers were located across multiple countries, Dutch officials said that two of three of Emotet's primary command and control (C&C) servers were located inside its borders. Dutch police officials said today they used their access to these two crucial servers to deploy a boobytrapped Emotet update to all infected hosts. According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains a time-bomb-like code that will uninstall the Emotet malware on March 25, 2021, at 12:00, the local time of each computer.

International law enforcement agencies said on Wednesday they had dismantled a criminal hacking scheme used to steal billions of dollars from businesses and private citizens worldwide. Reuters reports: Police in six European countries, as well as Canada and the United States, completed a joint operation to take control of Internet servers used to run and control a malware network known as "Emotet," authorities said in a statement. "Emotet is currently seen as the most dangerous malware globally," Germany's BKA federal police agency said in a statement. "The smashing of the Emotet infrastructure is a significant blow against international organized Internet crime."

German police said infections with Emotet had caused at least 14.5 million euros ($17.56 million) of damage in their country. Globally, Emotet-linked damages cost about $2.5 billion, Ukrainian authorities said. Ukraine's General Prosecutor said police had carried out raids in the eastern city of Kharkiv to seize computers used by the hackers. Authorities released photos showing piles of bank cards, cash and a room festooned with tangled computer equipment, but did not say if any arrests were made.