Back in November 2018, a coworker contacted me regarding a homebrewing website that seemed to be serving malware via fake Adobe Flash updates. Digging further, I found that it was using anti-analysis methods: randomized site loading with location and system fingerprinting, and locking the redirect to a dummy site if a single IP was detected loading the page too many times in a given interval.

Given this introspection, I first assumed I was being served macOS malware based on my system and user-agent. However, after testing with Windows hosts, it was clear the site was targeting strictly macOS users. As macOS malware is still fairly uncommon, this was an intriguing discovery. With a few hours and some Python magic, we had collected 18 unique samples; all were obfuscated, and several were undetected by antivirus and not found on malware sharing sites.

In this talk, I will introduce the techniques employed by this site both to serve malware and to hinder analysis. We will then look deeper into a few of the specific malware samples served via this site, and discuss commonalities between the malware discovered and recent macOS malware such as WindTail.
Erika Noerenberg is a Senior Threat Researcher with Carbon Black's Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a malware analyst at LogRhythm Labs and as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusion investigations for the Department of Defense and FBI.