Malware for Mac hid in age-old website advertisements

Every day, operating systems, browsers and firewalls become more robust and better protected against threats of all kinds, and macOS is no exception. In view of this, crackers and digital evildoers have to rack their brains to find new ways to break into devices and user accounts or, failing that, simply fall back on methods that are (almost) as old as time.

The Mac malware recently discovered by the security firm Confiant falls into exactly this category: it works through a technique called steganography, which consists of hiding messages (in this case, code) inside text or images, and which Herodotus already described in Ancient Greece (!) around 440 BC.

Researcher Eliya Stein's article explains very thoroughly how the malware, called VeryMal, works. Basically, the whole problem lives in the images displayed in website advertisements. The images themselves pose no threat, but they create a canvas element that, once active, performs a series of actions:

  • First, it checks whether the computer has the default macOS fonts installed. If not, nothing happens.
  • If the fonts are there (as they are on basically every Mac), it runs a loop over the code hidden in the image; for each pixel, the loop generates one character based on the font in question and, put together, these characters form a piece of code.
  • That code is executed, and the user is taken to a fake page that "warns" them that their version of Flash is out of date; the button to install the update actually installs malware on the Mac and displays unwanted advertisements to the user.
The malicious image (yes, it's a white rectangle) used to spread the malware
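The point a defender should take from the steps above is that a creative can be visually blank and still carry data in its pixels. One cheap triage check for an ad-review pipeline is to compare how uniform an image looks with how much information its lowest-order bits carry: a real white rectangle has no variation at all, while an image that merely looks white but stores a payload shows near-random low bits. The code below is an added example written for this article, not Confiant's tooling or anything from the VeryMal analysis; the sample images are constructed in the script, and the threshold values are assumptions you would tune against your own inventory.

```python
import math
import random
from collections import Counter

# Images are modelled as a flat list of (r, g, b) tuples in raster order,
# so the check runs with the standard library only (no image decoder needed).

def shannon_entropy(bits):
    """Shannon entropy, in bits, of a sequence of 0/1 values."""
    if not bits:
        return 0.0
    counts = Counter(bits)
    n = len(bits)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def lsb_stream(pixels):
    """Least-significant bit of every colour channel, in raster order."""
    return [channel & 1 for px in pixels for channel in px]

def visually_uniform(pixels, tolerance=4):
    """True if every channel of every pixel sits within `tolerance` of the
    most common pixel value, i.e. the image would render as a flat block."""
    dominant = Counter(pixels).most_common(1)[0][0]
    return all(abs(c - d) <= tolerance
               for px in pixels for c, d in zip(px, dominant))

def flag_blank_creative(pixels, entropy_threshold=0.5):
    """Return (flagged, lsb_entropy). An image is flagged when it looks like a
    flat block yet its low-order bits carry near-random data, which is what a
    hidden payload looks like in a 'white rectangle' creative."""
    ent = shannon_entropy(lsb_stream(pixels))
    return (visually_uniform(pixels) and ent > entropy_threshold, ent)

# Constructed sample 1: a genuinely blank 32x32 white creative.
WIDTH, HEIGHT = 32, 32
BLANK = [(255, 255, 255)] * (WIDTH * HEIGHT)

# Constructed sample 2: renders as white, but each channel's lowest bit is
# random noise (stands in for hidden data; no real payload is embedded).
_rng = random.Random(1234)
NOISY = [tuple(255 - _rng.randint(0, 1) for _ in range(3))
         for _ in range(WIDTH * HEIGHT)]

if __name__ == "__main__":
    for name, img in (("blank", BLANK), ("noisy", NOISY)):
        flagged, ent = flag_blank_creative(img)
        print(f"{name}: lsb entropy={ent:.3f} flagged={flagged}")
```

Treat the result as a triage signal, not a verdict: lossy formats such as JPEG scramble low bits on their own, and legitimately dithered artwork will also score high, so a flagged creative is one to pull for manual review of its accompanying script rather than one to block outright.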

It looks like a huge chain of steps just to install adware on a machine, but that is because evildoers really do need to resort to increasingly complex (and ancient) methods to achieve these ends; other malware installation strategies, such as embedding malicious code directly in files, are quickly wiped out by operating systems and antivirus software, so the techniques become more insidious.

In fact, the "campaign" of "infected" advertisements paid off: Confiant's researcher estimates that it ran for only two days, between January 13 and 15, and reached more than 5 million users. This number represents everyone who saw one of these advertisements on the sites they visit; it does not indicate how many of those people were actually taken to the fake Flash site and installed the malware.

The fake Flash install page

The campaign is already over, so at least this specific malware no longer threatens the world's Macs. But the usual reminder stands: be careful about the pages you visit, never click on untrustworthy advertisements, and above all never install files that don't come directly from the developer's own website.

via ZDNet