"It's Malware Time" - A Bar Crawl from Skunked Homebrew to Rotten Apples
Back in November 2018, a coworker contacted me about a homebrewing website that appeared to be serving malware via fake Adobe Flash updates. Digging further, I found that the site employed several anti-analysis methods: it loaded the malicious content only on a random subset of visits, fingerprinted each visitor's location and system, and locked the redirect to a harmless dummy site if a single IP was detected loading the page too many times within a given interval.
Given this fingerprinting, I first assumed I was being served macOS malware because of my own system and user-agent. However, after testing with Windows hosts, it was clear the site was strictly targeting macOS users; since macOS malware is still fairly uncommon, this was an intriguing discovery. With a few hours and some Python magic, we had collected 18 unique samples; all were obfuscated, and several were undetected by antivirus and not found on malware sharing sites.
In this talk, I will introduce the techniques this site employed both to serve malware and to hinder analysis. We will then look deeper into a few of the specific malware samples served by the site and discuss the commonalities between the malware we discovered and recent macOS malware such as WindTail.