Recently, Confiant and Malwarebytes analyzed a steganography based payload which was utilized by a “malvertizer” dubbed “VeryMal” by the two firms, to infect Macs. According to the firms, the attempted attack ad was viewed on as many as 5 million Macs.
This campaign was active from 11th January 2019 until 13th January 2019. Confiant detected and blocked 191,970 impressions across their publisher customers. They said that only the US visitors were targeted in this campaign.
According to Confiant, the Mac users who saw the ad, the attack displayed notices that the Adobe Flash Player needed to be updated and made the users to open a file that would attempt to download in their browsers. The download, when accepted and run, ended up infecting the user’s Mac with the Shlayer trojan.
The image could be viewed without harm despite containing the payload. It is harmful only when the code is run on the file, followed by the browser being redirected to a link included in the payload.
Eliya Stein, Security Engineering and research at Confiant, writes, “As malvertizing detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”
The same malicious actor VeryMal had performed a similar attack at the end December 2018:
- 437,819 Impressions detected and blocked by Confiant across two December campaigns.
- US targeting split between Mac OS and iOS.
However, this attack includes a method, which was difficult to detect.
Malware “is not only limited to advertising-based attacks, with reports in September noting even some apps in the Mac App Store were performing malicious actions, such as extracting a user’s data”, according to an Apple Insider report.
To know more about how Confiant and Malwarebytes carried out this analysis, visit Eliya Stein’s blog post on Medium.