A version of this blog was also published at Objective-See.

Background

Repurposing or recycling malware is a technique that can be used by malware authors to quickly reuse capabilities of existing known malware, reducing development time while confusing attribution should the bad actor be caught. This is a favorite technique of Patrick Wardle, Principal Security Researcher at Jamf, both for the development of penetration testing utilities that (exactly) mimic real-life threats and for applied research. The concept is simple: minimally modify the malware to allow it to be controlled by the desired testers – and perhaps tweak a bit or two here and there to defeat common signature- and IOC (indicators of compromise)-based detections of the known threat. Patrick also finds this a great way to put his reverse engineering chops to work in a tangible way.

In this post, he will walk you through his experience researching, breaking down, and customizing a Lazarus Group implant, specifically a 1st-stage loader, to download and execute his own custom “fileless” capabilities. While Patrick is certainly one of the best at macOS security research and malware reverse engineering, it’d be naïve to think that Patrick alone is capable of this work – so we’ll end the blog with some suggestions on how to protect yourself from repurposed malware, and how Jamf can help.

Recently a new piece of macOS malware was discovered. It was an intriguing specimen (internally named macloader), created by the (in)famous Lazarus group. Some interesting highlights come up when we look at it closer:

Library/LaunchDaemons/ -> /Library/UnionCrypto/unioncryptoupdater
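The highlight above is a launchd persistence entry: a plist in Library/LaunchDaemons/ pointing at a binary under /Library/UnionCrypto/. As an added defender-side example (not code from the post or from Jamf), the script below parses a LaunchDaemon plist, extracts the executable it will run, and flags one whose binary lives outside the directories Apple's own daemons use; the sample plist, its label and the "expected prefix" list are constructed assumptions, only the executable path comes from the post.

```python
import plistlib
from typing import Optional

# Constructed sample LaunchDaemon plist (not a real artifact from the post).
# The executable path is the one the post quotes; the Label is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key>
  <array><string>/Library/UnionCrypto/unioncryptoupdater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Heuristic assumption: Apple-shipped daemons execute from these roots. A root-level
# LaunchDaemon whose binary sits elsewhere is not necessarily malicious, but it
# deserves a closer look (code signing, install date, network behaviour).
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def executable_of(plist_bytes: bytes) -> Optional[str]:
    """Return the path launchd will execute: Program, else ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    if "Program" in d:
        return d["Program"]
    args = d.get("ProgramArguments") or []
    return args[0] if args else None


def triage(plist_bytes: bytes) -> dict:
    """Summarise the persistence a plist establishes and flag an unexpected executable location."""
    d = plistlib.loads(plist_bytes)
    exe = executable_of(plist_bytes)
    suspicious = exe is None or not exe.startswith(EXPECTED_PREFIXES)
    return {
        "label": d.get("Label"),
        "executable": exe,
        "run_at_load": bool(d.get("RunAtLoad", False)),  # starts at boot
        "keep_alive": bool(d.get("KeepAlive", False)),   # relaunched if killed
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PLIST))
```

Pointing it at every plist in /Library/LaunchDaemons/ on a real host gives a quick list of third-party daemons to review by hand.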