In this week's special edition, Mosyle, a leader in Apple Device Management and Security, has exclusively revealed to 9to5Mac details on a new family of Mac malware loaders.
Mosyle's Security Research team discovered that these new threats are written in unconventional programming languages and use several other sneaky techniques to evade detection. A malware loader is basically a "foot in the door" for cybercriminals. Its primary purpose is to secretly establish an initial presence on a system and create a pathway for more damaging malware to be uploaded.
The new loader samples, discovered earlier this month, were developed using Nim, Crystal, and Rust, programming languages not typically used for malware development; Objective-C, C++, and Bash are the most common choices. This unusual approach suggests the attackers are deliberately trying to circumvent traditional antivirus detection methods.
While this approach is stealthy, I'm skeptical it'll become a widespread trend. Using less popular programming languages like Nim or Rust is tough for cybercriminals. These languages likely have more complex compilation processes than tried-and-true options like C and Bash, and they come with fewer ready-made libraries and tools.
The steeper learning curve and trickier debugging mean criminals are more likely to accidentally leave digital breadcrumbs that could expose their malware. After all, even cybercriminals want their code to run smoothly, and right now these experimental languages make that a lot harder.

Other evasion tactics observed:

- Persistence through macOS's launchctl mechanism
- Multi-hour sleep intervals
- Directory checks before transmitting data

According to Mosyle's research, the malware campaign is in its early stages, potentially focused on reconnaissance.
Telemetry data indicates the samples originated from systems in Bulgaria and the United States. Most concerning, the samples remained undetected by VirusTotal for several days after their initial discovery.

Below are the hashes of the three malware samples with their corresponding command and control (C2) domains:

- Nim Sample
  C2 Domain: strawberriesandmangos[.]com
  Hash: f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07
- Crystal Sample
  C2 Domain: motocyclesincyprus[.]com
  Hash: 2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702
- Rust Sample
  C2 Domain: airconditionersontop[.]com
  Hash: 24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066

Mosyle's security team continues to actively monitor and research these threats.
I'll continue to provide updates here as we learn more. The [.] in the domains above is there to keep them from being actively clicked on; the Mosyle team tells me these C2 servers could still be active.
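As an added defender-side example (not part of Mosyle's report or this article), the following Python checks a file's SHA-256 against the three published loader hashes and triages a launchd plist for the kind of launchctl persistence described above. The path and interval rules and the sample plist are constructed assumptions, not indicators from Mosyle.

```python
import hashlib
import plistlib

# The three SHA-256 hashes Mosyle published for the Nim, Crystal and Rust
# loaders, copied from the article above, keyed to their sample names.
KNOWN_LOADER_HASHES = {
    "f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07": "Nim sample",
    "2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702": "Crystal sample",
    "24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066": "Rust sample",
}

# Hypothetical triage rules (not from Mosyle's report): a program that runs from
# user-writable scratch space instead of a normal install location, and a
# StartInterval of an hour or more, which fits a low-and-slow check-in pattern.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
LONG_INTERVAL_SECONDS = 3600


def match_known_hash(data: bytes):
    """Return the sample name if the bytes match a published loader hash, else None."""
    return KNOWN_LOADER_HASHES.get(hashlib.sha256(data).hexdigest())


def triage_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a launchd plist deserves a closer look (empty list = none)."""
    info = plistlib.loads(plist_bytes)
    findings = []
    args = info.get("ProgramArguments") or []
    program = info.get("Program") or (args[0] if args else "")
    if program.startswith(SUSPICIOUS_PATH_PREFIXES):
        findings.append(f"program runs from user-writable path: {program}")
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunched at login and whenever it exits")
    interval = info.get("StartInterval", 0)
    if interval >= LONG_INTERVAL_SECONDS:
        findings.append(f"StartInterval of {interval // 3600}h: infrequent check-ins")
    return findings


# Constructed sample LaunchAgent plist illustrating the pattern; not a real artifact.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>14400</integer>
</dict></plist>"""
```

To use it against a live system, read each plist under ~/Library/LaunchAgents and /Library/LaunchDaemons into `triage_launch_agent`, and feed the bytes of the program each one points at into `match_known_hash`.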
You're reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day.