
Newly discovered Mac malware uses “fileless” technique to remain stealthy - praveenscience
https://arstechnica.com/information-technology/2019/12/north-koreas-lazarus-hackers-up-their-game-with-fileless-mac-malware/
======
deminature
Yet another virus for OSX that you have to manually download a DMG and install
to be vulnerable to. Not to be obnoxious, but I'm still waiting for a Windows-
style virus that can proliferate with no action on the user's behalf. That
would be legitimate cause for concern.

~~~
j0hnml
Malware that can proliferate on Windows boxes without user action almost
always requires some remote code execution vulnerability (or some security
misconfiguration issue) to be exploited first. This is true for macOS as well.
That cycle is usually:

Exploit vuln -> download malware payload -> execute malware

~~~
zbentley
I think that was GP's point as well. That fully hands-free RCE process just
doesn't seem to happen as often on OSX as on Windows. Whether that's because
of market share, software differences, or something else remains open for
debate.

------
tehwebguy
> Newly discovered Mac malware uses “fileless” technique to remain stealthy

...

> The malware isn’t entirely fileless. The first stage poses as a
> cryptocurrency app with the file name UnionCryptoTrader.dmg

Come on...

~~~
pvg
It's explained in the article and in more detail in the longer analysis it
links

[https://objective-see.com/blog/blog_0x51.html](https://objective-see.com/blog/blog_0x51.html)

The 'fileless' part is about getting the executable payload that does the
actual malwarin' into memory without touching the filesystem.

~~~
CodeWriter23
Except for the part about moving a launch script into /Library/LaunchDaemons
to achieve persistence.

~~~
pvg
That's the scaffolding, basically. A launch script in itself is not malicious
and the idea is this would be less noticeable to automated or manual scans.

~~~
moralestapia
>An executable file in itself is not malicious

~~~
pvg
I'm not sure who you're quoting but it's not me. Easiest way to get a more
detailed explanation is to read the linked technical analysis. The idea is to
obfuscate and make detection harder by not-placing the actual final payload on
the filesystem. Staging more-malicious things through things that look less-
malicious is pretty much what makes malware mal.

------
chadlavi
TLDR: this probably doesn't affect you if you're not on crypto exchanges.

Check if you're affected:

    ls /Library/LaunchDaemons/vip.unioncrypto.plist
    ls /Library/UnionCrypto/unioncryptoupdater
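
Added example (not from the thread or the linked write-ups): a POSIX shell script that inventories the launchd persistence layer the comments above describe, listing the Label and program of every plist in a LaunchDaemons directory and flagging the label/path pair quoted in this comment, so it generalizes the two-path `ls` check. It assumes XML-format plists (binary ones would need `plutil -convert xml1` first, which it does not do) and takes the directory as an argument so a mounted volume or a test tree can be inspected instead of the live system.

```shell
#!/bin/sh
# Inventory launchd daemons and flag the UnionCryptoTrader persistence
# indicators quoted in the thread. Added example, not the thread's own code.

# Indicator values taken from the comment above.
IOC_LABEL="vip.unioncrypto"
IOC_PROGRAM="/Library/UnionCrypto/unioncryptoupdater"

# plist_value FILE KEY: print the first <string> that follows <key>KEY</key>.
# Assumes an XML plist; splitting on "<" turns every tag into an awk record,
# so "<key>Label</key>" becomes the record "key>Label" and its value record
# starts with "string>".
plist_value() {
    awk -v key="$2" 'BEGIN { RS = "<" }
        $0 == ("key>" key)                  { want = 1; next }
        want && index($0, "string>") == 1   { print substr($0, 8); exit }' "$1"
}

# inventory_launchdaemons DIR: print "label<TAB>program" for each plist in DIR
# and return the number of entries matching the indicators (0 = none found).
inventory_launchdaemons() {
    dir="$1"
    hits=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        label=$(plist_value "$plist" Label)
        # Daemons use either ProgramArguments (array) or Program (string).
        program=$(plist_value "$plist" ProgramArguments)
        [ -n "$program" ] || program=$(plist_value "$plist" Program)
        flag=""
        if [ "$label" = "$IOC_LABEL" ] || [ "$program" = "$IOC_PROGRAM" ]; then
            flag="  <-- matches UnionCryptoTrader indicator"
            hits=$((hits + 1))
        fi
        printf '%s\t%s%s\n' "$label" "$program" "$flag"
    done
    return "$hits"
}

# Usage: ./check_launchdaemons.sh [DIR]; defaults to the system directory.
# Exit status is the number of indicator matches, so non-zero means review.
inventory_launchdaemons "${1:-/Library/LaunchDaemons}" \
    && echo "No UnionCryptoTrader indicator matches in ${1:-/Library/LaunchDaemons}."
```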

~~~
3JPLW
So, there are files?

~~~
chadlavi
Yeah it seems like there are. I guess to a layman user there don't appear to
be, because they're in hidden directories?

But also how many layman users are going to crypto exchanges on a mac?

------
rkagerer
Not exactly fileless. There's a persistent component that remains on-disk
(disguised as a cryptocurrency app), and when the OS launches it after boot it
contacts a server to download the malicious, in-memory payload.

------
zeristor
The curious thing here is that I noticed this in my News app on my iPhone, and
when I went to read more, I had a message saying the story had been removed.

Yet here it is; still on Ars Technica.

Am I to infer that Apple censured this story in their News App?

It's not appearing as a story in the Ars Technica channel, even though it was
recently posted.

Does this then suggest that this is a hot issue for Apple?

~~~
machello13
Much more critical stories of Apple than this one have been published on the
News app. It's 100% a bug. Can you imagine the PR disaster if it turned out
Apple was actively censoring negative stories about itself?

~~~
zeristor
A bug?

So how many stories don't get through? Is it that tricky to get a feed of
stories and match them up with items appearing in the newsfeed?

If it's not going through, you go back and check to see where the story is lost.
I've done this on websites I was supporting, finding that people copying and
pasting from PDF seem to have picked up a number of unicode control characters
that hadn't been rinsed out when stored in SQL, and caused the web API to
splutter.

This was for item records clients were paying for so dropping records looks a
bit naff.

Enough of me though, dare I say it News has just one job, to show news.

