🌐 MacOS Users Beware: Pirated Apps Conceal Backdoor Threat! 🚨

Jan 22 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s your reinforced steel and concrete bunker against the #StormIsha that is cybercrime ⛈️💨👀 Kidding, cybercrime is more like Katrina 💀💀

Today’s hottest cybersecurity news stories:

  • 💻 Mac users beware! Backdoor hidden in popular pirated software 🏴‍☠️

  • 👨‍💻 Russian hacking group ‘Midnight Blizzard’ targets Microsoft HQ 🏢

  • 🏧 Argentine ‘Payoneer’ users wake up to 2FA hacks, funds jacked 💸

Hackers be like: I’m a Backdoor MAN!!! 🎶🤘💀




🌐 MacOS Users Beware: Pirated Apps Conceal Backdoor Threat! 🚨

πŸ΄β€β˜ οΈ Warning to Apple macOS users: A malicious campaign targeting pirated applications has been identified, exposing a backdoor capable of granting attackers remote control over infected machines. Researchers from Jamf Threat Labs, Ferdous Saljooki, and Jaron Bradley, reveal that these rogue applications are hosted on Chinese pirating websites, specifically macyy[.]cn, to lure victims.

🔍 Attack Method

Once one of the trojanised apps is launched, the malware quietly downloads and executes several payloads in the background, compromising the machine without the user noticing. The disk image (DMG) files carry trojanised builds of well-known software, among them Navicat Premium, UltraEdit, FinalShell, SecureCRT and Microsoft Remote Desktop, modified so that they talk to actor-controlled infrastructure.

🔍 Infiltration Tactics

The unsigned applications carry a dropper in the form of a malicious dynamic library (dylib) that runs every time the application is opened. The dropper fetches two files from a remote server: a fully featured backdoor (“bd.log”) and a downloader (“fl01.log”). The downloader is what establishes persistence and pulls in additional payloads.

🚪 Backdoor Features

The backdoor, dropped at “/tmp/.test,” is built on Khepri, an open-source post-exploitation toolkit, which gives the operator a full command-and-control feature set out of the box. Because “/tmp” is cleared on reboot, the file does not survive a restart on its own, but the dylib fetches it again every time the pirated application is launched.

🔗 Downloader Persistence

The downloader is written to the hidden path “/Users/Shared/.fseventsd,” creates a LaunchAgent so that it survives logouts and reboots, and then sends HTTP GET requests to an actor-controlled server. The server was no longer reachable at the time of analysis, but the code shows that whatever HTTP response comes back is written to “/tmp/.fseventsds” and launched.
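As an added example (our own illustration, not Jamf’s code and not part of the report), here is a small Python hunt script that checks a macOS volume for the artifacts described in the last three sections: the three file paths, plus any LaunchAgent whose program points at one of them or at another hidden executable staged under /Users/Shared or /tmp. The “infected” image it scans is constructed in a temporary directory with harmless placeholder files; the agent label com.example.update and the user name victim are hypothetical, since the report does not name the real LaunchAgent.

```python
import os
import plistlib
import tempfile

# File-system indicators from the Jamf Threat Labs write-up, relative to the volume root.
IOC_PATHS = [
    "tmp/.test",                # Khepri-based backdoor (bd.log) dropped by the dylib
    "Users/Shared/.fseventsd",  # persistent downloader (fl01.log)
    "tmp/.fseventsds",          # whatever the downloader's HTTP response contained, then executed
]


def _launch_agent_dirs(root):
    """System-wide LaunchAgents plus every per-user LaunchAgents folder that exists."""
    dirs = [os.path.join(root, "Library", "LaunchAgents")]
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        for name in os.listdir(users):
            dirs.append(os.path.join(users, name, "Library", "LaunchAgents"))
    return [d for d in dirs if os.path.isdir(d)]


def _plist_programs(path):
    """Every executable path a launchd plist references (Program and ProgramArguments)."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to inspect
        return []
    progs = []
    if isinstance(plist.get("Program"), str):
        progs.append(plist["Program"])
    if isinstance(plist.get("ProgramArguments"), list):
        progs.extend(a for a in plist["ProgramArguments"] if isinstance(a, str))
    return progs


def hunt(root="/"):
    """Return (kind, detail) findings. Pass a mount point as root to scan an offline image."""
    findings = []
    for rel in IOC_PATHS:
        full = os.path.join(root, rel)
        if os.path.lexists(full):
            findings.append(("ioc_file", full))
    for agent_dir in _launch_agent_dirs(root):
        for name in os.listdir(agent_dir):
            if not name.endswith(".plist"):
                continue
            plist_path = os.path.join(agent_dir, name)
            for prog in _plist_programs(plist_path):
                rel_prog = prog.lstrip("/")
                # Flag a known IOC path, or any dot-file executable under /Users/Shared or /tmp,
                # the two staging areas this campaign used.
                hidden = os.path.basename(rel_prog).startswith(".") and rel_prog.startswith(
                    ("Users/Shared/", "tmp/"))
                if rel_prog in IOC_PATHS or hidden:
                    findings.append(("launch_agent", f"{plist_path} -> {prog}"))
    return findings


def build_sample_infection(root):
    """Constructed fixture: lays down harmless placeholder files at the report's paths."""
    for rel in IOC_PATHS:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder, not the real payload
    agent_dir = os.path.join(root, "Users", "victim", "Library", "LaunchAgents")
    os.makedirs(agent_dir, exist_ok=True)
    with open(os.path.join(agent_dir, "com.example.update.plist"), "wb") as fh:
        # hypothetical label; the real agent name is not given in the report
        plistlib.dump({"Label": "com.example.update",
                       "ProgramArguments": ["/Users/Shared/.fseventsd"],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(agent_dir, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)  # must not be flagged


def demo():
    """Scan a constructed image in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_infection(root)
        return hunt(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

On a live Mac you would call `hunt("/")`; on a forensic image, pass its mount point. Bear in mind that the file checks are a point-in-time snapshot: since the dylib re-fetches the backdoor on every launch, an empty `/tmp/.test` slot is not a clean bill of health, and a hit on the LaunchAgent check is the more durable signal.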

🦠 Possible Successor

The researchers note similarities with the ZuRu malware, suggesting this threat could be a successor due to shared characteristics like targeted applications, modified load commands, and attacker infrastructure.

⚠️ Stay Protected

macOS users should steer clear of pirated software and install applications only from the developer or the App Store. Two practical points follow from the analysis: because these apps are unsigned, installing them means overriding macOS’s signature checks, which is itself a red flag; and because the malicious dylib re-fetches the backdoor every time the app starts, deleting “/tmp/.test” or the LaunchAgent is not a clean-up, the pirated application itself has to go. Vigilance is key! 🔒💻



Call Michael Scarn, it’s Threat Level Midnight Blizzard 😂😂😂 #TheOffice (American one 😬)

🚨 Microsoft Breach Alert: Russian State-Sponsored Group Strikes Again! 🌐

💻 Microsoft issued a warning on Friday revealing that some of its corporate email accounts fell victim to a breach orchestrated by a Russian state-sponsored hacking group known as Midnight Blizzard, also tracked as Nobelium or APT29. The attack, detected on January 12th, was traced back to late November 2023, when the threat actors used a password spray attack to compromise a legacy non-production test tenant account.

🛑 Breaching Method

The group got into the “test” account by password spraying, a low-and-slow form of brute force that tries a handful of common passwords against many accounts so that no single account trips a lockout threshold. That it succeeded means the account was protected by a guessable password and nothing else: no two-factor or multi-factor authentication (2FA/MFA). Microsoft stresses that MFA should be enforced on every online account, legacy and test tenants included.
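An added example, our own illustration rather than anything Microsoft has published about its detection logic: the Python below tells a password spray apart from classic single-account brute force in a constructed sign-in log. The spray signature is one source IP failing against many distinct accounts a few times each inside a time window, which is exactly the pattern a per-account lockout never sees; a success from the spraying IP is then the account to treat as compromised. The log lines, the tenant name corp.example, the addresses and the account test-legacy are all made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (made up for this example, not Microsoft telemetry):
# timestamp  account  source-IP  result
SAMPLE_LOG = """\
2023-11-27T02:00:01Z alice@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:04Z bob@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:07Z carol@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:10Z dan@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:13Z erin@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:16Z frank@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:19Z grace@corp.example 203.0.113.7 FAIL
2023-11-27T02:00:22Z test-legacy@corp.example 203.0.113.7 SUCCESS
2023-11-27T02:05:00Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T02:05:02Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T02:05:04Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T02:05:06Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T02:05:08Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T02:05:10Z heidi@corp.example 198.51.100.9 FAIL
2023-11-27T03:10:00Z ivan@corp.example 192.0.2.44 FAIL
2023-11-27T03:10:20Z ivan@corp.example 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse the whitespace-separated log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user.lower(), "ip": ip, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Password spray: one source IP, many distinct accounts, only a few failures each.

    Returns {ip: {"users": accounts it sprayed, "compromised": accounts it then signed into}}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        in_window = Counter()  # account -> failures inside the sliding window
        start = 0
        sprayed = set()
        for e in fails:
            in_window[e["user"]] += 1
            while e["ts"] - fails[start]["ts"] > window:  # slide the window's left edge
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                sprayed.update(in_window)
        if sprayed:
            # Any success from a spraying IP is suspect, whether or not that account failed first.
            hits[ip] = {"users": sprayed,
                        "compromised": {e["user"] for e in evs if e["ok"]}}
    return hits


def single_account_brute_force(events, threshold=5):
    """The pattern per-account lockout already catches: many failures against one account."""
    fails = Counter((e["ip"], e["user"]) for e in events if not e["ok"])
    return {key for key, n in fails.items() if n >= threshold}


def demo():
    events = parse_log(SAMPLE_LOG)
    return detect_spray(events), single_account_brute_force(events)


if __name__ == "__main__":
    spray, brute = demo()
    for ip, info in spray.items():
        print(f"spray from {ip}: {len(info['users'])} accounts, signed in as {sorted(info['compromised'])}")
    for ip, user in sorted(brute):
        print(f"brute force from {ip} against {user}")
```

In the sample, 203.0.113.7 touches seven accounts once each and then signs in as test-legacy, so it is reported as a spray with that account as the likely compromise, while 198.51.100.9 hammering a single account is the brute-force case that lockout handles and ivan’s one typo is ignored. The thresholds are deliberately loose defaults; in a real tenant you would tune `min_users` and `window` against your own baseline and key on the tenant-wide view, because a spray is invisible from any single account’s history.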

🔍 Targeted Access

Once infiltrated, the Nobelium hackers utilised the test account to access a “small percentage” of Microsoft’s corporate email accounts for over a month. The breached accounts included members of Microsoft’s leadership, as well as employees in cybersecurity and legal departments. Stolen data primarily consisted of emails and attachments.

🔄 Ongoing Investigation

Microsoft says the breach was not the result of a vulnerability in any of its products but of the password spray against a weakly protected account. The investigation is ongoing, and Microsoft has pledged to share further details as appropriate.

🌐 Nobelium Background

Nobelium, affiliated with Russia’s Foreign Intelligence Service (SVR), gained notoriety for its involvement in the 2020 SolarWinds supply chain attack, impacting Microsoft. Known for cyberespionage and custom malware development, the group previously breached a Microsoft corporate account in 2021.

🌎 Global Impact

As a company that holds vast amounts of the world’s data and runs services most organisations depend on, Microsoft is a prized target, and this breach underscores the persistent threat that major corporations face.

🔒 Security Assurance

Despite the breach, Microsoft reassures that its operations have not been materially impacted. As the investigation unfolds, vigilance remains crucial in the face of evolving cyber threats. Stay secure, stay informed! 💻🔐

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)

🚡 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Argentine hackers: Don’t cry for me, Pay-o-neer 🎶💀⚰️

💸 Payoneer Users in Argentina Fall Victim to Massive Hacks! 😱

🌐 Payoneer, a popular financial services platform, is facing a crisis as numerous users in Argentina report waking up to drained accounts and stolen funds despite having two-factor authentication (2FA) protection. Victims discovered the theft after receiving SMS one-time passcodes (OTPs) while they were asleep, leading to emptied wallets ranging from $5,000 to $60,000.

🔒 Breach Details

The breached accounts, all protected by 2FA, were emptied after a phishing SMS asking the user to approve a password reset. Affected users insist they never clicked the link, yet found their funds sent to an unknown email address on the 163.com domain. Many of them are customers of the mobile providers Movistar and Tuenti, and a recent Movistar data leak is suspected as the root cause.

🤔 Theories and Responses

The breach mechanism remains unclear; one theory is a compromise at the SMS provider used to deliver the OTPs. Movistar denies responsibility but says it has taken preventive measures. Payoneer puts the blame on users, saying they fell for the phishing texts, which the users dispute, pointing instead to weaknesses in the platform.

🚨 Payoneer’s Weaknesses

The platform relies on SMS-based 2FA, and its password-reset flow needs nothing more than an SMS code. Together, those two choices mean that anyone who can read or redirect a user’s text messages, whether through a SIM swap or a compromise at the carrier or SMS provider, can both reset the password and pass the second factor without ever phishing the victim. Payoneer’s blame-shifting has irked affected users and fuelled scepticism about the real cause of the hacks.

🛡️ Ongoing Investigation

Payoneer acknowledges the issue, attributing it to phishing, and is collaborating with authorities. Despite blaming users, the platform faces questions about potential weaknesses. Users are advised to withdraw funds, disable SMS-based 2FA, and reset passwords until clarity is achieved.

🔍 User Discontent

The dispute between Payoneer and affected users adds complexity to the investigation. Users’ allegations of not falling for phishing attempts raise questions about the platform’s security measures and the accuracy of the breach’s attribution.

🔄 Recovery Efforts

Payoneer states it is actively working to protect funds and recover losses, emphasising fraud prevention measures and customer education. Specific details about the investigation’s progress and restitution plans remain pending.

🌎 Global Impact

While the situation unfolds, the incident underscores the global vulnerability of financial platforms and the imperative need for robust security measures. Stay vigilant and secure your accounts! 🔒💳

Until next time, cyber squad 🛡️🛡️🛡️

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree 🐒🌴 with his stick and banana approach 🍌😏

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!
