Tea

joined 23 hours ago

Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups.

In line with the public service announcement issued by the FBI regarding North Korean social engineering attacks, we have also witnessed several such social engineering attempts, targeting job-seeking software developers in the cryptocurrency sector.

In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update, as well as a previously undocumented macOS variant of a malware family known as Koi Stealer. During our investigation, we observed rare evasion techniques, namely, manipulating components of macOS to remain under the radar.

The characteristics of these attackers are similar to various reports during the past year of North Korean threat actors targeting other job seekers. We assess with a moderate level of confidence that this attack was carried out on behalf of the North Korean regime.

This article details the activity of attackers within compromised environments. It also provides a technical analysis of the newly discovered Koi Stealer macOS variant and depicts the different stages of the attack through the lens of Cortex XDR.

[–] Tea@programming.dev 7 points 5 hours ago (1 children)

How do you discover providers on simplex?


Following the arrest of Telegram founder Pavel Durov in France last summer, some positive changes were reported. The criminal probe is not centered on piracy, but Telegram appeared more responsive. Some reported, for example, that the speed at which takedown requests were processed went from more than 24 hours to less than 20 minutes.

In addition, Telegram updated its terms of service and privacy policy to clarify that, going forward, personal details of alleged infringers, including their IP addresses, would be handed over in response to valid legal requests.

This stricter policy was evident to outsiders as well. Telegram removed accounts of piracy associated websites and services, after initially leaving these untouched for years. That included the official Z-Library channel, which had more than half a million subscribers at its peak.

Although Z-Library’s communication channel didn’t directly link to pirated books, it served as a key information hub, providing updates on new features and access methods. That was enough to warrant a permanent suspension last month.

The Telegram ban was a setback for Z-Library, but the shadow library wasted no time creating a new account and regaining tens of thousands of subscribers. Progress ground to a halt last weekend when the ‘new’ @zlibrary_news account was also suspended for copyright infringement.

“The channel is unavailable due to copyright infringement,” Telegram reports.

In addition to the main communication channel, one of the most used Z-Library download bots on Telegram was also taken offline. The @1lib account had more than 20,000 monthly users, who presumably used it as a handy tool to download books for free.

According to a Z-Library representative posting on X, Telegram took action in response to complaints from a major publisher. Many other ‘personal’ bots are unaffected and remain online for the time being.

[–] Tea@programming.dev 2 points 6 hours ago

No problem, I will resubmit later. I used the wrong article link anyway.


Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation.

The malware employs several methods to avoid detection, such as:

  • Using benign-looking file names for operating
  • Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
  • Deploying proprietary encryption algorithms to hide communication and configuration information

Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.

This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too.

  • There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.
  • Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
  • Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
  • Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
  • There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.

This is pretty interesting:

The results highlight significant differences in browser security: while Google Chrome and Samsung Internet exhibited lower threat indices, Mozilla Firefox demonstrated consistently higher scores, indicating greater exposure to risks. These observations slightly contradict widespread opinion.