The Iru Blog

Christopher Lopez

•

19 min read

TodoSwift Disguises Malware Download Behind Bitcoin PDF

A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK)—specifically the threat actor known as BlueNoroff—such as KandyKorn and RustBucket; given these commonalities, we believe this new malware—which we’re dubbing TodoSwift—is likely from the same source.

Threat Intelligence August 16, 2024

Christopher Lopez

•

13 min read

InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

On July 29, @4n6Bexaminer tweeted about a new macOS stealer. Moments later, Hunt.io tweeted about the same new malware and then released a blog post about it on July 30. That post focused primarily on the malicious bash scripts that were downloaded from the command-and-control (C2) server and then executed as the second stage.

Threat Intelligence August 8, 2024

Csaba Fitzl

•

4 min read

Dock Tile Plugins Could Be Used to Escalate Privileges

I recently came across a persistence feature in macOS that's tied to Dock tile plugins.

Threat Intelligence July 19, 2024

Christopher Lopez

•

7 min read

How Twitch Helper Can Be Used for Privilege Escalation

Privileged helpers are bits of software that assist applications by running elevated privileged actions separate from the app itself. XPC is Apple’s interprocess communication mechanism that makes this possible.

Threat Intelligence June 12, 2024

Adam Kohler & Christopher Lopez

•

5 min read

Update: Cuckoo Malware Evolves

Since our initial report about the Cuckoo malware, there have been some updates to its functionality and infection vector that we wanted to let the Apple security community know about.

Threat Intelligence May 29, 2024

Csaba Fitzl

•

9 min read

How Malware Can Bypass Transparency Consent and Control (CVE-2023-40424)

CVE-2023-40424 is a vulnerability that allows a root-level user to create a new user with a custom Transparency Consent and Control (TCC) database in macOS, which can then be used to access other users’ private data.

Threat Intelligence May 22, 2024

Adam Kohler & Christopher Lopez

•

28 min read

Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware

On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.

Threat Intelligence April 30, 2024

Adam Kohler & Christopher Lopez

•

11 min read

CloudChat Infostealer: How It Works, What It Does

On April 3, 2024, we came across an undetected file that had been uploaded to the online virus-checker VirusTotal that day named Clip. Right off the bat, we noticed that the file had some red flags that warranted further investigation.

Threat Intelligence April 8, 2024

Csaba Fitzl

•

14 min read

How Apple Mitigates Vulnerabilities in Installer Scripts

Vulnerabilities are hot topics inside the world of security research and—because of their potentially dramatic impacts—outside as well. Unfortunately, the strategies and tactics that companies like Apple take to prevent specific vulnerabilities—or even entire families of exploits—typically attract less attention. But the fact is that engineering high-impact mitigations is typically more challenging than finding a single vulnerability.

Threat Intelligence March 15, 2024

Sam Mayers & Christopher Lopez

•

7 min read

How AMOS macOS Stealer Avoids Detection

Atomic macOS Stealer (AMOS) was first spotted in early 2023. It's a powerful piece of malware that targets Apple users and tricks them into installing the software on their computers. The malware is sold via Telegram; as of January 20, 2024, the price was $3,000 a month.

Threat Intelligence March 2, 2024