Notes from VB2020 localhost

The annual Virus Bulletin security conference was held last week; as has been the case with so many other events this year, the proceedings were fully remote, leading the organizers to call the 2020 instalment of the conference “VB2020 localhost”.

The talks at VB2020 covered a lot of ground, and there were several speakers who presented on Apple security topics. In what follows, we’ll share some selected highlights from those talks:

A true virus for macOS!

Back in August, the world of Mac security was abuzz with news of a new macOS malware variant called ThiefQuest (also known as EvilQuest). ThiefQuest was seen as particularly interesting because it contained several distinct malicious features, including ransomware functionality, data exfiltration capabilities, and surveillance tools.

Mac security expert Patrick Wardle has analyzed ThiefQuest in depth, and presented his research at VB2020. Wardle discussed the extremely unusual viral behavior of the malware: unusual because computer viruses, defined as programs that replicate themselves by infecting other files, are extremely rare nowadays on any platform, and are virtually unheard of on macOS. 

Once it is running on an infected Mac, ThiefQuest creates a list of executable files on the compromised system and proceeds to append its own malicious code to those files, thereby infecting them as well. If one of these infected files is run, the viral code will execute automatically. This makes ThiefQuest very hard to remove from an infected system, because even if you manage to eradicate its persistence mechanism, there will still be files present on the system that contain the malware’s code and, by extension, its capabilities. If you run one of them, the infection starts all over again.

ThiefQuest conforms to the classic definition of a computer virus, making this fascinating piece of Mac malware something truly unique, and underscoring the point that the macOS threat landscape is continuing to evolve!

Are we ready for Big Sur?

As most Mac users are no doubt aware, the next version of macOS is coming very soon: macOS 11 Big Sur (and yes, that’s macOS 11, not 10.x, as Apple feels the new OS will bring some major upgrades!).

We’ve talked about the security and privacy features of Big Sur from a user perspective, but developers of macOS security software are seeing some big changes as well, which was the topic of a talk given by Abhijit Kulkarni and Prakash Jagdale. 

Kulkarni and Jagdale explain that Mac security software has traditionally relied on kernel extensions (kexts) in order to perform basic functions like monitoring filesystem activity, filtering and blocking malicious network activity, and blocking access to unauthorized devices. Kernel extensions are third-party code written by developers in order to extend the functionality of the macOS kernel and permit their apps to work.

At WWDC 2019, Apple announced that it would begin the process of deprecating kexts, citing security and stability concerns about allowing third parties to access the OS kernel. System Extensions and DriverKit are the replacements for kexts, and are considered safer by Apple, since they provide the same functionality to developers without needing to grant them kernel access. In recent versions of macOS Catalina, users of apps that still rely on kexts will see an alert dialog telling them that their app is using a kext that may not work in future macOS versions. In Big Sur, kexts that already have System Extension or DriverKit equivalents simply won’t load. 

Kulkarni and Jagdale cited several examples of commonly used kexts that will have to be replaced by System Extension in macOS 11. The two speakers pointed out some common challenges that developers were facing in transitioning to System Extensions, but noted that in most cases there were clear solutions or viable workarounds, and advised all security software developers who still use kexts in their apps to get to work on developing System Extension alternatives in order to stay compliant with newer versions of macOS (including the soon-to-be-released Big Sur). 

Users of SecureMac’s MacScan 3 security software will be happy to hear that we’ve been developing an updated version of the app that runs smoothly on Big Sur, and expect to have it ready in time for the release of macOS 11.

Snakes in the garden

We’ve previously discussed the phenomenon of fleeceware: subscription-based apps that charge exorbitant fees after an initial free trial period. These apps are considered borderline scams, as they often use deceptive practices to trick users into staying subscribed to the app beyond the trial period, and bury any mention of the excessive charges in the fine print.

At VB2020, security researcher Jagadeesh Chandraiah took a closer look at how fleeceware apps work, and at how their developers convince people to sign up for them in the first place. Chandraiah explained that fleeceware is often advertised using the native ad tools on social media platforms such as Facebook, Instagram, and TikTok. He also notes that developers use pay-per-install schemes and fake reviews to boost the profile of their apps in app marketplaces in the hopes of gaining large numbers of organic subscriptions. 

Unfortunately, fleeceware continues to be an issue in both the iOS App Store and Google Play. While Google and Apple are taking steps to combat the problem, Chandraiah suspects that it won’t be enough, and recommends that users take an active role in vetting apps that they install on their devices. 

So be aware that free trial subscriptions can turn into paid subscriptions, and that simply uninstalling an app won’t cancel your subscription to it (you can see your subscriptions on iOS by going to Settings > [Your Name] > Subscriptions). In addition, before you install any app on your device, make sure you read the terms and conditions regarding billing, and also read the customer reviews (especially the 1 and 2-star reviews) to see if any users have faced unexpected charges or experienced difficulty cancelling a subscription.

Fileless malware on macOS

Security researcher Dinesh Devadoss presented research on the recently discovered fileless malware variant for Mac that has been attributed to Lazarus Group. Fileless malware is malware that can be run without actually requiring a malicious file to be present on disk, executing the malicious code directly in memory instead. This is considered a fairly advanced technique, and can make malware that uses it extremely hard to detect. Lazarus Group is a cybercrime organization thought to have ties to the North Korean government.

Devadoss went deep into the mechanics of how the Lazarus fileless malware works, and also discussed Lazarus Group’s other malicious campaigns and tools. In his research paper, he sums the situation up by saying, “The sophistication of the Lazarus group is ever increasing and the yarn ‘Macs Don’t Get Viruses’ is starting to unravel

much faster now”.

Devadoss also noted that his broad survey of Lazarus Group’s tools and techniques revealed something interesting: the organization relies heavily on social engineering tactics in their attacks. The takeaway here for everyday Mac users is that they can still protect themselves from well-resourced and sophisticated threat actors like Lazarus Group, but that they’ll have to be vigilant in order to do this. This means being very careful about what you install on your system: You should only run apps that come from the Mac App Store, or directly from the website of a third-party developer who you know and trust. It also means that you should pay close attention to all those system dialogs and alerts that macOS provides: if your Mac is trying to tell you that an app can’t be scanned for malicious code, or that the developer is unrecognized, then don’t run that app! 

VB2020 localhost had many more great speakers, and covered security topics of interest to WIndows, Android, and Linux users as well. If you’d like to learn more about the conference and the presenters, you can visit the VB2020 website.