Jonathan Peters

One more heads-up on the DAEMON Tools supply chain incident: Besides the YARA rules and IoCs, my teammate Swachchhanda also contributed Sigma rules covering several useful detection points - including DNS lookups to the typosquatted C2 domain, execution of compromised DAEMON Tools binaries by known bad file versions, and stage-drop activity such as envchk.exe download and mcrypto payload execution. A nice addition for defenders who want to hunt for traces in telemetry, not just by matching file hashes. https://t.co/p7sqd9CQ6u

Low-detection macOS malware used in job / interview-themed phishing. We recently observed a submitted DMG with only 3 / 62 detections on VirusTotal at the time of analysis: WebEx.dmg SHA256: 5fc61384dd6f15e6bb510e0421000c1301a40d7acf05cedbeb6bc789c0a99d00 THOR APT Scanner detected it with: MAL_MACOS_Phishing_Dropper_Feb26 The sample fits a pattern that has become very common in the last months: - fake job or interview flows - fake Zoom / WebEx meeting links - “audio problem” or “meeting component required” lures - macOS DMGs or scripts pushed as required fixes - user-level execution instead of exploits - follow-up payloads focused on credentials, tokens, browser sessions and developer data This tradecraft has been described in recent public reporting around North Korea-linked activity, including fake Zoom meeting flows and macOS backdoors. A separate public incident write-up also described a fake WebEx interview flow that ended with a malicious macOS DMG. We are not making an attribution claim for this specific sample based on a filename and lure alone. But the detection point is the same: these attacks do not need a 0-day or kernel exploit. A plausible meeting flow, a convincing DMG and one bad Terminal step can be enough. That is why detection needs to cover the boring parts too: - suspicious DMG contents - phishing-style dropper behavior - LaunchAgent persistence - osascript / JXA abuse - staged payload retrieval - fake meeting-tool infrastructure patterns References: https://t.co/PSaSk21XAf https://t.co/riTBpsE9fh

Interesting PAM backdoor pattern worth dissecting The sample was found inside a ZIP archive that contained multiple older variants, patch files and build scripts The ZIP parent was first submitted to VirusTotal on 2020-11-29 (!) Bundled ELF variants: 23315bfc9baf3f732c5801ae229cf9da86f35c22d4e23ed01a6e8f6d36aa6960 - https://t.co/yaKj7MBFxD 3d763ccbeafcd7154529b82214dfd7800b12dfff36930078ff36cce0c7034573 - https://t.co/JPxa6FGxQ2 90e2643e5174feb3030c88cfa1200e2623ad5c4f564a148d878c7be1f270b15b - https://t.co/mDlLUPDrdL 6ee22f4d81ab1b7f90c2caacfdd709132abc8ea06bcb54f40c7b26f4254da6ea - https://t.co/m1AfFW8u6F 68af3e8a70cbb84ea4632df5675e52a193db88a2f6eee5a69dc49ad30c742f46 - https://t.co/PodBU672fy 8d1e5cbf207a812711933e99b7b8e13c596e1e35813b8ed689196982faff71b9 - https://t.co/PodBU672fy We also got the patch source code, which makes this one more useful to understand. The backdoor does not use a static hardcoded password. Instead, it accepts a time-based value. The patch calls ctime() and then compares only the first 10 characters: strncmp(p, cts, 10) So the “password” effectively becomes the current day string, for example: Mon Apr 27 If the supplied password does not match that value, normal PAM password verification continues. If it does match, the module returns PAM_SUCCESS. Because PAM sits directly on the authentication boundary, the impact is system-wide: SSH, sudo, login and anything else using PAM. The actual patch is only a few lines added to pam_unix_auth.c. Enough to bypass authentication through the patched PAM module. This ZIP has been around since 2020. The bundled ELF variants still have no AV detections today. Detected by our rule: MAL_LNX_PAM_Backdoor_Aug25