Reboot!

This blog has languished without a clear purpose ever since I created it. I simply never had time to flesh it out. It’s time for that to change. Expect to see more articles here, starting now!
Continue reading Reboot!

A look at a modern Python stealer
The folks over at Jamf found and analyzed a stealer built in Python, and compiled into a Mac app using PyInstaller. As they point out, it’s not new to see Mac malware using PyInstaller, but to their knowledge this is the first stealer to do so. Let’s take a look.
Continue reading A look at a modern Python stealer

Malicious npm packages infect Cursor AI
Kirill Boychenko revealed, on May 7, findings that showed several malicious npm packages targeting Mac developers. The malware was specifically targeting developers using the Cursor AI code editor, with the purpose of stealing Cursor credentials and modifying the Cursor app.
Continue reading Malicious npm packages infect Cursor AI

Mac stealer distributed via fake CAPTCHAs
In a very interesting article on BadByte, it was revealed that a malicious CAPTCHA had been spotted on a legitimate site that had been compromised. The CAPTCHA was designed to trick the user into actions that would infect the machine with Atomic Stealer. Worse, this campaign, dubbed MacReaper, was then tracked to around 2,800 other potentially compromised sites.
Continue reading Mac stealer distributed via fake CAPTCHAs

Banshee stealer updates
Kaspersky posted a summary of some high-level updates on Banshee back in January. Although it’s a bit light on specific details about behavior, there’s still some very interesting information there.
Continue reading Banshee stealer updates

Insecure iPhone in free fall
Last week, Alaska Airlines flight 1282 was forced to land after a “door plug” popped out of the plane. Fortunately, no one was injured, and the lack of tragedy has led to countless jokes about things like extreme exit row seating and the like.
One of the stories that has captured people’s attention is the finding of an iPhone that was sucked out of the plane and fell 16,000 feet to the ground. Twitter user SeanSafyre reported finding the phone. (If you, like me, prefer not to visit that hellsite, the post is also visible on Mastodon – an open-source alternative to Twitter – via a mirror of the SeanSafyre Twitter account.)
Continue reading Insecure iPhone in free fall

It’s not a virus
(If you don’t read that title in your head the same way Arnold Schwarzenegger said “it’s not a tumor” in Kindergarten Cop, I’d argue you need to rethink your life choices. 😉)
I have a non-functional hot tub that needs repair, which is a problem as my wife and I are preparing to sell our house. (Bear with me for a minute, I’m going somewhere with this.)
Continue reading It’s not a virus

macOS bugs are causing kext failures
Back in summer of 2018, customer support at Malwarebytes started seeing people with problems activating the kernel extension (kext) in Malwarebytes for Mac. This opened a can of worms that we’re still struggling with today… as soon as we think the worms are back in the can, we start finding new ones. Unfortunately, these worms all belong to macOS, and are affecting other kexts as well.
Continue reading macOS bugs are causing kext failures

Fear-mongering about Mac ransomware
I recently discovered an absolutely atrocious article on Mac ransomware, thanks to a friend who forwarded the link to me. The article, found on the MacUpdate blog, is a minefield of glorious wrongness and fear-mongering.
Continue reading Fear-mongering about Mac ransomware

How I became a Mac security researcher
Over the years, I’ve been attacked and criticized many times over my views on security. At times, it’s been completely justified, while other times, it stems from not knowing the things that I know.
Thus, spurred on by events that are ultimately unimportant, for the first time publicly, I’ve decided to tell the entire story of how I got into security, how I ended up at an antivirus company, and how and why my views have changed. This is the story of someone who went from a rabid “Macs don’t get viruses” fanboy to a professional malware researcher, and why exactly such a strange turn of events occurred. With a smattering of stories about the history of Mac malware thrown in. 🙂
Continue reading How I became a Mac security researcher