036. macOS FlexibleFerret Malware: Detection and Hunting Opportunities
Hello everyone! Let's talk a bit about macOS malware! Not very common, I know. And that's why very interesting!
Recently SentinelOne published a report on macOS malware called FlexibleFerret. Let's look at some detection and hunting opportunities.
The first thing that caught my eye is the domain: zoom.callservice[.]us. Adversaries often masquerade the domains they use as legitimate ones, so it's always a great idea to hunt for suspicious domains that contain names of popular applications. Here we have Zoom, but you can search for Teams, Skype and other similar apps as well.
Next thing - persistence, of course! As always, threat actors choose VERY common mechanisms - this time LaunchAgents. Again, masqueraded to look like Zoom (com.zoom.plist), but it points to... /private/var/tmp/logd! Doesn't look like Zoom, right?
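Both hunting ideas above (app-name domains outside the vendor's own registrable domain, and a vendor-looking LaunchAgent label whose program lives in a temp directory) as one added example; this is my own illustration, not code from the SentinelOne report. The vendor domain list, the temp-directory list and the sample plist are constructed assumptions modelled on the indicators in the post.

```python
import plistlib

# Application names adversaries borrow for masquerading (the post names Zoom, Teams and Skype).
# Assumption: these are the vendors' real registrable domains; extend for your environment.
VENDOR_DOMAINS = {"zoom": ("zoom.us", "zoom.com"), "teams": ("microsoft.com",), "skype": ("skype.com",)}
# Directories where no vendor's LaunchAgent binary should live (hunting heuristic, an assumption).
TEMP_DIRS = ("/private/var/tmp/", "/var/tmp/", "/private/tmp/", "/tmp/", "/Users/Shared/")

# Constructed sample plist modelled on the report's com.zoom.plist pointing at /private/var/tmp/logd.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.zoom</string>
  <key>ProgramArguments</key><array><string>/private/var/tmp/logd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def suspicious_domain(domain):
    """True when a (possibly defanged) domain borrows a popular app's name but its
    registrable domain (approximated as the last two labels) is not the vendor's own."""
    host = domain.lower().replace("[.]", ".").rstrip(".")
    registrable = ".".join(host.split(".")[-2:])
    return any(app in host and registrable not in owned for app, owned in VENDOR_DOMAINS.items())


def launch_agent_findings(plist_bytes):
    """Return reasons a LaunchAgent plist looks like vendor masquerading (empty list = clean)."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", "")).lower()
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    borrowed = [app for app in VENDOR_DOMAINS if app in label]
    findings = []
    if borrowed and program.startswith(TEMP_DIRS):
        findings.append(f"label {label!r} claims {borrowed[0]} but runs {program!r} from a temp directory")
    if borrowed and not any(app in program.lower() for app in borrowed):
        findings.append(f"program path {program!r} does not reference {borrowed[0]} at all")
    return findings


if __name__ == "__main__":
    for d in ("zoom.callservice[.]us", "us04web.zoom.us", "teams.microsoft.com"):
        print(f"{d}: {'SUSPICIOUS' if suspicious_domain(d) else 'ok'}")
    for reason in launch_agent_findings(SAMPLE_PLIST):
        print("LaunchAgent:", reason)
```

On a real host, feed the same function each file under ~/Library/LaunchAgents and /Library/LaunchAgents and compare the flagged program paths with what the vendor actually installs.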
So, this time it's a bit more difficult to spot malicious activity, but if you know where to look - quite possible!
See you tomorrow!