Trojan targets Mac OS X Lion anti-malware
F-Secure finds a nasty piece of malware that disables Lion OS defences.


A mutated version of a Trojan designed to incapacitate Mac OS X Lion anti-malware has been found, F-Secure Security Labs revealed yesterday.
Its recent analysis found Trojan-Downloader:OSX/Flashback.C can disable the automatic updater component of XProtect, the built-in OS X anti-malware application Apple provides in its operating system.
The research lab first discovered Trojan-Downloader:OSX/Flashback.A in September, posing as a Flash Player installer.
But the latest iteration of the Trojan also targets the update facility of XProtect that enables the automatic update of malware definitions, rendering it useless and the OS vulnerable to new, undefined attack vectors.
"Attempting to disable system defences is a very common tactic for malware and built-in defences are naturally going to be the first target on any computing platform," wrote F-Secure researchers in a blog post.
Flashback.C works by decrypting the .plist file and binary paths of XProtectUpdater hardcoded in its body. The malware then drops the XProtectUpdater daemon, enabling the malware to overwrite both files with a specified character.
F-Secure found these actions wipe out certain key files required by XProtect to automatically receive future updates.
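A defender-side check for the tampering described above, as an added example that is not from F-Secure or the original article: it flags an updater .plist or binary that is missing, empty, filled with one repeated byte, or no longer a valid plist or Mach-O file. The file paths are supplied by the caller because the article does not list them, and the function names and sample files are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Magic numbers of Mach-O and universal (fat) binaries, in both byte orders.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}

def check_file(path, kind):
    """Return findings for one file; an empty list means it looks intact.
    kind is "plist" for the launchd job definition, "macho" for the binary."""
    p = Path(path)
    if not p.is_file():
        return ["missing"]
    data = p.read_bytes()
    findings = []
    if not data:
        findings.append("empty")
    elif len(set(data)) == 1:
        # Every byte identical: consistent with an overwrite by one character.
        findings.append("single repeated byte 0x%02x" % data[0])
    if kind == "plist":
        try:
            plistlib.loads(data)
        except Exception:
            findings.append("not a parseable plist")
    elif kind == "macho" and data[:4] not in MACHO_MAGICS:
        findings.append("no Mach-O magic")
    return findings

def audit(targets):
    """targets maps path -> kind; returns only the paths that have findings."""
    report = {str(p): check_file(p, k) for p, k in targets.items()}
    return {p: f for p, f in report.items() if f}

def demo():
    """Run the audit over constructed sample files (not real system files)."""
    d = Path(tempfile.mkdtemp())
    good_plist, bad_plist = d / "good.plist", d / "bad.plist"
    good_bin, bad_bin = d / "good_bin", d / "bad_bin"
    good_plist.write_bytes(plistlib.dumps({"Label": "com.example.updater"}))
    good_bin.write_bytes(bytes.fromhex("cffaedfe") + bytes(28))
    bad_plist.write_bytes(b" ")          # constructed: one filler character
    bad_bin.write_bytes(b" " * 4096)     # constructed: filler run
    return audit({good_plist: "plist", bad_plist: "plist",
                  good_bin: "macho", bad_bin: "macho"}), d

if __name__ == "__main__":
    for path, findings in demo()[0].items():
        print(path, "->", "; ".join(findings))
```

On a real host, call `audit()` with the XProtectUpdater .plist and binary paths for that OS X release; any returned entry means the updater files need restoring from a known-good source.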
The security firm advised users to run virus and malware scans to find the particular infected files and eliminate Flashback.C. It also detailed the way to remove a specific entry from two files located within Safari and Firefox .plist files.
Flashback.B, discovered last week, performs a "vmcheck" and aborts itself if virtualised instances of OS X are found. Apple introduced its virtual client capability with the release of Lion earlier this year.
The security firm said at the time that the move was designed to anticipate and hamper researchers' efforts to use virtualised environments during analysis as the number of Mac-targeted threats continues to grow.
A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.
Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.